The Process Details window shows numerous details for a single process.
Basic Statistics displays a number of core activities and basic information about the process. These fields include:
Audit Explorer uses its own internal identifier for each process, called the session ID. A process's Process ID (PID) is unique only at a given moment: once the process exits, a later process may be assigned the same PID. Because each process must be identified uniquely across the whole audit trail, Audit Explorer assigns its own session ID rather than relying on the PID.
This field identifies the process's Process ID.
This field identifies the programs the process ran. Most processes run a single program, but in UNIX systems, sometimes a process runs one program for a while and then another. For example, in the figure above, the process first ran the sudo program and then the cp program.
This field identifies the arguments supplied to the programs that were executed. This information can tell you a great deal about what the program was requested to do.
This field identifies the User Identifiers that this process ran under. When possible, we also identify the user name associated with the User ID. Over time the process can change its User ID (e.g., when escalating privileges).
This field identifies the Effective User Identifiers that this process ran under. When possible, we also identify the user name associated with the ID. Over time the process can change its EUID.
If the process performed some action that requires the user to authenticate, this field identifies the user name that was tried and whether the authentication succeeded or failed (SUCC or FAIL).
This field identifies the timestamp of the first audit record associated with this process.
This field identifies the duration of the process in seconds. Many processes live less than a second, so it isn't uncommon to see a zero for this field.
This field identifies the number of records for this process.
In general, all processes except the first one are created by other processes. This field identifies the list of ancestor processes that eventually gave rise to this process. The earliest ancestor is at the top, and the most recent ancestor (the parent process) is at the bottom.
The earliest process will often be identified as "(unknown)" because it was already running before the auditing system started. Likewise, if an audit trail file is rotated while the system is up, each process that is running at that time will be listed as unknown, because the new audit trail does not contain the record of which program that process is running.
If a process creates child processes, these processes are listed here.
If a process opens a regular file for reading (R_), writing (_W), or both (RW), that file is shown here along with how it was accessed. Other operations include delete (which is technically an unlink) and rename. For a rename operation, two lines are shown: the original file name and the new file name.
Generally a program opens a large number of standard files, most of which are uninteresting and clutter the display. By default, most of these file opens are hidden, but you can go into the Preferences panel for the application to change the settings and reveal these other file accesses.
If a process initiates an outbound connection, the remote server's IP address and port are shown here. Each connection will be shown on a single line. By default, subsequent connections to the same address and port are not shown again, but this behavior can be changed through the Preferences window.
If a process accepts an inbound connection, the remote server's IP address and port are shown here.
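The bookkeeping behind several of these fields (session IDs that survive PID reuse, the program chain across successive execs, UID changes, ancestry, and the R_/_W/RW file-access summary) can be shown on a small constructed event stream. The following is an added example written for this page; it is not Audit Explorer's own code, and the event shape (`fork`, `exec`, `open`, `exit` dictionaries) is a simplified assumption rather than a real audit record format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed audit-like events (assumption: a real trail carries far more
# detail; these fields are enough to demonstrate the session bookkeeping).
# PID 500 runs sudo then cp, exits, and is later reused by a new process.
EVENTS = [
    {"ts": 100, "type": "fork", "pid": 1,   "child": 500},
    {"ts": 100, "type": "exec", "pid": 500, "path": "/usr/bin/sudo",  "uid": 501},
    {"ts": 101, "type": "exec", "pid": 500, "path": "/bin/cp",        "uid": 0},
    {"ts": 101, "type": "open", "pid": 500, "path": "/etc/hosts",     "mode": "R_"},
    {"ts": 101, "type": "open", "pid": 500, "path": "/tmp/hosts.bak", "mode": "_W"},
    {"ts": 102, "type": "open", "pid": 500, "path": "/etc/hosts",     "mode": "_W"},
    {"ts": 103, "type": "exit", "pid": 500},
    {"ts": 250, "type": "fork", "pid": 1,   "child": 500},   # PID 500 reused
    {"ts": 250, "type": "exec", "pid": 500, "path": "/bin/ls",        "uid": 501},
]


@dataclass
class Session:
    sid: int                          # internal, never reused
    pid: int                          # kernel PID, may be reused later
    parent_sid: Optional[int]         # session ID of the parent, None if unknown
    programs: List[str] = field(default_factory=list)
    uids: List[int] = field(default_factory=list)
    files: Dict[str, str] = field(default_factory=dict)   # path -> R_/_W/RW
    first_ts: Optional[int] = None
    last_ts: Optional[int] = None
    records: int = 0

    def duration(self) -> int:
        return self.last_ts - self.first_ts


def merge_mode(old: str, new: str) -> str:
    """Combine two access summaries: R_ + _W -> RW, etc."""
    r = "R" if "R" in (old[0], new[0]) else "_"
    w = "W" if "W" in (old[1], new[1]) else "_"
    return r + w


class SessionTable:
    def __init__(self):
        self.sessions: List[Session] = []
        self.live: Dict[int, Session] = {}   # PID -> currently running session

    def _start(self, pid: int, parent_sid: Optional[int], ts: int, known: bool = True) -> Session:
        s = Session(sid=len(self.sessions) + 1, pid=pid, parent_sid=parent_sid,
                    first_ts=ts, last_ts=ts)
        if not known:                 # seen before any fork/exec: program unknown
            s.programs.append("(unknown)")
        self.sessions.append(s)
        self.live[pid] = s
        return s

    def _session_for(self, pid: int, ts: int) -> Session:
        return self.live.get(pid) or self._start(pid, None, ts, known=False)

    def feed(self, ev: dict) -> None:
        s = self._session_for(ev["pid"], ev["ts"])
        s.records += 1
        s.last_ts = ev["ts"]
        t = ev["type"]
        if t == "fork":
            self._start(ev["child"], s.sid, ev["ts"])
        elif t == "exec":
            s.programs.append(ev["path"])
            if not s.uids or s.uids[-1] != ev["uid"]:   # record UID changes only
                s.uids.append(ev["uid"])
        elif t == "open":
            s.files[ev["path"]] = merge_mode(s.files.get(ev["path"], "__"), ev["mode"])
        elif t == "exit":
            self.live.pop(ev["pid"], None)    # a later PID reuse starts a new session

    def ancestors(self, sid: int) -> List[int]:
        """Session IDs from the earliest ancestor down to the direct parent."""
        chain, cur = [], self.sessions[sid - 1].parent_sid
        while cur is not None:
            chain.append(cur)
            cur = self.sessions[cur - 1].parent_sid
        return list(reversed(chain))


def build(events=EVENTS) -> SessionTable:
    table = SessionTable()
    for ev in events:
        table.feed(ev)
    return table


if __name__ == "__main__":
    table = build()
    for s in table.sessions:
        print(f"sid={s.sid} pid={s.pid} programs={s.programs} uids={s.uids} "
              f"files={s.files} duration={s.duration()}s records={s.records} "
              f"ancestors={table.ancestors(s.sid)}")
```

Two things the output makes visible: the second life of PID 500 gets its own session ID instead of being merged into the sudo/cp history, and the parent is reported as "(unknown)" because the constructed trail starts after that process was already running.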