From 3a5037f798af73bbd43d581e6fa134c31c397b7f Mon Sep 17 00:00:00 2001
From: Zach Wasserman
Date: Sat, 11 Dec 2021 16:25:08 -0800
Subject: [PATCH] Update query for users listing (#3324)

- Filter undesired entries.
- LEFT JOIN to include users missing groups.
#2488
---
 changes/update-users | 1 +
 server/service/osquery_utils/queries.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changes/update-users

diff --git a/changes/update-users b/changes/update-users
new file mode 100644
index 0000000000..25ba108500
--- /dev/null
+++ b/changes/update-users
@@ -0,0 +1 @@
+* Remove host users without login shells, and include host users missing groups.
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index 5257df1def..b348efeb93 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@@ -517,7 +517,7 @@ FROM python_packages;
 }

 var usersQuery = DetailQuery{
- Query: `SELECT uid, username, type, groupname, shell FROM users u JOIN groups g ON g.gid=u.gid;`,
+ Query: `SELECT uid, username, type, groupname, shell FROM users u LEFT JOIN groups g ON g.gid=u.gid WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin' AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt' AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\' AND NOT (username = 'sync' AND shell ='/bin/sync')`,
 IngestFunc: func(logger log.Logger, host *fleet.Host, rows []map[string]string) error {
 var users []fleet.HostUser
 for _, row := range rows {
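Review bot: The two username filters in the new `Query` string (`username NOT LIKE '%$'` and `username NOT LIKE '\_%' ESCAPE '\'`) apply on every platform and regardless of shell, so an account whose name merely matches those patterns disappears from the host user inventory even if it has an interactive shell. If they are meant to target platform system accounts (presumably Windows machine accounts and macOS service accounts; please confirm), tie them to that condition, or at least add a comment above the field such as `// Name- and shell-based exclusions are noise-reduction heuristics, not a security boundary; matching accounts are not reported.` Separately, the `LEFT JOIN` can now yield rows with no `groupname`, and a NULL `type` or `shell` would make the `<>`/`NOT LIKE` predicates evaluate to NULL and drop the row. The `IngestFunc` body continues outside this hunk, so confirm it tolerates a missing group and that dropping such rows is intended.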