Structure

es_process_t

A type that describes a process, as delivered by an Endpoint Security message.

Declaration

typedef struct {
    ...
} es_process_t;

Overview

An Endpoint Security message carries a value of this type in its process field to describe the process that performed the action. For exec events, the event payload (es_event_exec_t) carries a second es_process_t, target, that describes the newly-executing image; process still describes the image that called exec.

You can extract values such as the process identifier (PID), effective user identifier (UID), and effective group identifier (GID) from the audit_token field by using the accessor functions declared in bsm/libbsm.h, such as audit_token_to_pid, audit_token_to_euid, audit_token_to_egid and audit_token_to_pidversion. Prefer the audit token over a bare PID when correlating a process across messages: PIDs are reused, and the token's PID version distinguishes successive processes that were assigned the same PID.

Topics

Inspecting the Source Process

audit_token

A token for use with Basic Security Mode (BSM) auditing functions. It carries the process's audit user ID, effective and real UID and GID, PID, audit session ID, and PID version.

executable

The file (es_file_t) from which the process's executable image was loaded, including its path.

is_es_client

A Boolean value that indicates whether the process connects to the Endpoint Security subsystem.

is_platform_binary

A Boolean value that indicates whether the process is a platform binary, that is, an Apple-signed binary that ships as part of the operating system.

Inspecting Process IDs

ppid

The identifier of the current parent process. This value changes if the original parent exits and the process is reparented (for example, to launchd).

original_ppid

The parent process ID recorded when the process was created. Unlike ppid, it does not change when the process is reparented, so comparing the two reveals that the original parent has exited.

group_id

The process group identifier.

session_id

The identifier of the session that contains the process group.

Inspecting Code Signing Properties

codesigning_flags

The code signing status flags of the process: the CS_* bit flags such as CS_VALID, CS_ADHOC, CS_HARD, CS_KILL, CS_RUNTIME and CS_PLATFORM_BINARY. These describe the signature's current state as the kernel sees it, not the options used at signing time. Check that CS_VALID is set before relying on cdhash, signing_id or team_id.

cdhash

The code directory hash (CDHash) of the executable, CS_CDHASH_LEN (20) bytes long. It identifies the exact signed code and is the value to pin when a signing identifier alone is too coarse.

signing_id

The code signing identifier (an es_string_token_t), typically the bundle identifier chosen by the developer at signing time. Because a developer picks it freely, it identifies code only in combination with a valid signature and a team_id.

team_id

The team identifier (an es_string_token_t) taken from the signing certificate. It is empty for ad-hoc signed binaries and for Apple platform binaries, so an empty team_id on a process that is not a platform binary is itself worth noting.
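The following is an added example written for this page; it is not code from Apple's documentation or the Endpoint Security framework. It ties together the audit_token decoding described in the overview and the code signing properties above: it reads PID, effective UID and GID and PID version from audit_token with the libbsm accessors, uses pid plus pidversion as the process identity so a reused PID is not mistaken for the same process, decides from codesigning_flags whether signing_id, team_id and cdhash may be trusted, and detects reparenting from ppid versus original_ppid. On macOS it compiles against the real SDK headers. The #else branch defines stand-in types and accessors so the file also builds and runs off macOS; those stand-ins, the CS_* constants (copied from cs_blobs.h), the SIGNING_* classes and the sample processes are this example's own assumptions and constructed data, not Apple headers or real captures.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>  /* es_process_t, es_string_token_t */
#include <bsm/libbsm.h>                         /* audit_token_to_pid() and friends */
#include <sys/codesign.h>                       /* CS_VALID, CS_ADHOC, CS_PLATFORM_BINARY */
#else
/* Offline stand-ins (an assumption, not Apple's headers); audit_token_t keeps XNU's
 * eight-word layout: auid, euid, egid, ruid, rgid, pid, asid, pidversion. */
typedef struct { unsigned int val[8]; } audit_token_t;
typedef struct { size_t length; const char *data; } es_string_token_t;
typedef struct {
    audit_token_t audit_token;
    pid_t ppid, original_ppid, group_id, session_id;
    uint32_t codesigning_flags;
    bool is_platform_binary, is_es_client;
    uint8_t cdhash[20];
    es_string_token_t signing_id, team_id;
} es_process_t;
#define CS_VALID           0x00000001
#define CS_ADHOC           0x00000002
#define CS_PLATFORM_BINARY 0x04000000
static pid_t audit_token_to_pid(audit_token_t t)        { return (pid_t)t.val[5]; }
static uid_t audit_token_to_euid(audit_token_t t)       { return t.val[1]; }
static gid_t audit_token_to_egid(audit_token_t t)       { return t.val[2]; }
static int   audit_token_to_pidversion(audit_token_t t) { return (int)t.val[7]; }
#endif

/* Identity that survives PID reuse: the kernel bumps pidversion each time a PID
 * is recycled, so (pid, pidversion) tells two lifetimes of the same PID apart. */
typedef struct { pid_t pid; int pidversion; } proc_key_t;

proc_key_t process_key(const es_process_t *p) {
    proc_key_t k = { audit_token_to_pid(p->audit_token), audit_token_to_pidversion(p->audit_token) };
    return k;
}
bool same_process(proc_key_t a, proc_key_t b) { return a.pid == b.pid && a.pidversion == b.pidversion; }

/* How far signing_id, team_id and cdhash can be trusted, decided from the CS_* flags. */
typedef enum { SIGNING_UNTRUSTED, SIGNING_ADHOC, SIGNING_PLATFORM, SIGNING_DEVELOPER } signing_class_t;
signing_class_t classify_signing(const es_process_t *p) {
    if (!(p->codesigning_flags & CS_VALID))
        return SIGNING_UNTRUSTED;   /* unsigned, or signature invalidated: ignore the IDs */
    if (p->codesigning_flags & CS_ADHOC)
        return SIGNING_ADHOC;       /* signed, but anchored to no certificate */
    if (p->is_platform_binary || (p->codesigning_flags & CS_PLATFORM_BINARY))
        return SIGNING_PLATFORM;    /* Apple OS binary; team_id is empty */
    return SIGNING_DEVELOPER;       /* Developer ID / App Store; team_id names the vendor */
}

/* ES strings carry an explicit length and need not be NUL-terminated. */
size_t token_to_cstr(es_string_token_t tok, char *out, size_t cap) {
    if (cap == 0) return 0;
    size_t n = tok.length < cap - 1 ? tok.length : cap - 1;
    memcpy(out, tok.data, n);
    out[n] = '\0';
    return n;
}

/* ppid follows reparenting (to launchd when the parent exits); original_ppid does not. */
bool was_reparented(const es_process_t *p) { return p->ppid != p->original_ppid; }

/* Constructed sample processes, not captured data (token words as listed above). */
static const es_process_t samples[] = {
    { .audit_token = {{ 501, 501, 20, 501, 20, 4242, 100005, 7 }}, .ppid = 4100, .original_ppid = 4100,
      .codesigning_flags = CS_VALID | CS_PLATFORM_BINARY, .is_platform_binary = true,
      .signing_id = { 12, "com.apple.ls" }, .team_id = { 0, "" } },                 /* platform binary */
    { .audit_token = {{ 501, 501, 20, 501, 20, 4242, 100005, 8 }}, .ppid = 1, .original_ppid = 4100,
      .codesigning_flags = CS_VALID | CS_ADHOC,
      .signing_id = { 7, "payload" }, .team_id = { 0, "" } },                       /* PID 4242 reused, parent gone */
    { .audit_token = {{ 501, 0, 0, 0, 0, 4300, 100005, 3 }}, .ppid = 1, .original_ppid = 1,
      .codesigning_flags = CS_VALID,
      .signing_id = { 17, "com.example.Agent" }, .team_id = { 10, "ABCDE12345" } }, /* Developer ID, euid 0 */
    { .audit_token = {{ 501, 501, 20, 501, 20, 4301, 100005, 1 }}, .ppid = 4100, .original_ppid = 4100,
      .codesigning_flags = 0,
      .signing_id = { 17, "com.example.Agent" }, .team_id = { 10, "ABCDE12345" } }, /* CS_VALID cleared */
};
const es_process_t *sample_process(size_t i) {
    return i < sizeof samples / sizeof samples[0] ? &samples[i] : NULL;
}

int main(void) {
    static const char *cls[] = { "untrusted", "ad-hoc", "platform", "developer" };
    char sid[64], tid[64];
    for (size_t i = 0; sample_process(i); i++) {
        const es_process_t *p = sample_process(i);
        token_to_cstr(p->signing_id, sid, sizeof sid);
        token_to_cstr(p->team_id, tid, sizeof tid);
        printf("pid=%d v%d euid=%u egid=%u ppid=%d reparented=%d signing=%s id='%s' team='%s'\n",
               process_key(p).pid, process_key(p).pidversion, (unsigned)audit_token_to_euid(p->audit_token),
               (unsigned)audit_token_to_egid(p->audit_token), p->ppid, was_reparented(p),
               cls[classify_signing(p)], sid, tid);
    }
    return 0;
}
```

The second and first samples share PID 4242 but differ in pidversion, so same_process reports them as distinct; a detection keyed on PID alone would merge them. The fourth sample carries a plausible signing_id and team_id, yet classify_signing ignores both because CS_VALID is clear, which is the check the codesigning_flags entry above asks for.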

See Also

Identifying the Source Process

process

The process that performed the action defined in a message.