General Information
Preference Documentation
Log Data Documentation
- Log Data Examples
- Interesting Types of Events
  - SSH Logins and Activity
Related Tech and Configurations
- macOS
Compliance
- cmdReporter and US Govt Standards Details
  - How cmdReporter Meets CMMC, DFARS, and NIST 800-171 Requirements
  - NIST 800-53r4 (high) controls met by using cmdReporter
- Security Baseline Reporting Preferences
  - Security Benchmark Reporting Logs

AUE_EXECVE

Eric Metzger

Modified on: Wed, 16 Oct, 2019 at 5:19 PM

{
  "_event_score": 10,
  "attributes": {
    "device": 0,
    "file_access_mode": 33261,
    "file_system_id": 16777220,
    "node_id": 4817,
    "owner_group_id": 0,
    "owner_group_name": "wheel",
    "owner_user_id": 0,
    "owner_user_name": "root"
  },
  "exec_args": {
    "args": {
      "1": "/usr/libexec/od_user_homes",
      "2": ".Trashes"
    },
    "args_compiled": "/usr/libexec/od_user_homes,.Trashes"
  },
  "exec_chain_child": {
    "parent_path": "/usr/libexec/automountd",
    "parent_pid": 25113,
    "parent_uuid": "2EA50C03-B7D8-42C8-B3E2-4C69A2B5D3EB"
  },
  "exec_env": {
    "env": {
      "ARCH": "macintosh",
      "CPU": "i386",
      "MALWAREBYTES_GROUP": "1ddbfe4b-cd4c-40fc-9c6e-2570cb96bc1d",
      "PATH": "/usr/bin:/bin:/usr/sbin:/sbin",
      "XPC_FLAGS": "0x0",
      "XPC_SERVICE_NAME": "0"
    },
    "env_compiled": "XPC_SERVICE_NAME=0,MALWAREBYTES_GROUP=1ddbfe4b-cd4c-40fc-9c6e-2570cb96bc1d,PATH=/usr/bin:/bin:/usr/sbin:/sbin,XPC_FLAGS=0x0,ARCH=macintosh,CPU=i386"
  },
  "header": {
    "event_id": 23,
    "event_modifier": 0,
    "event_name": "AUE_EXECVE",
    "time_milliseconds_offset": 223,
    "time_seconds_epoch": 1571164212,
    "version": 11
  },
  "host_info": {
    "host_name": "Dan_macbook_pro",
    "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF",
    "osversion": "Version 10.15 (Build 19A582a)",
    "primary_mac_address": "38:f9:e8:15:5a:82",
    "serial_number": "C03XY889JHG3"
  },
  "identity": {
    "cd_hash": "707d307023c55cc510e33fc000cd2b4e0ac3fa48",
    "signer_id": "com.apple.automountd",
    "signer_id_truncated": 0,
    "signer_type": 1,
    "team_id": "",
    "team_id_truncated": 0
  },
  "path": [
    "/usr/libexec/od_user_homes",
    "/usr/libexec/od_user_homes"
  ],
  "return": {
    "description": "success",
    "error": 0,
    "return_value": 0
  },
  "subject": {
    "audit_id": 4294967295,
    "audit_user_name": "-1",
    "effective_group_id": 0,
    "effective_group_name": "wheel",
    "effective_user_id": 0,
    "effective_user_name": "root",
    "group_id": 0,
    "group_name": "wheel",
    "process_hash": "4E6A40369544B0B87A7BF97AEF4DB7436092AC38",
    "process_id": 25601,
    "process_name": "/usr/libexec/od_user_homes",
    "session_id": 100000,
    "terminal_id": {
      "addr": [
        0
      ],
      "ip_address": "0.0.0.0",
      "port": 0,
      "type": 0
    },
    "user_id": 0,
    "user_name": "root"
  }
}