diff --git a/schema/tables/authdb.yml b/schema/tables/authdb.yml index 1785b333d3..59731deb0b 100644 --- a/schema/tables/authdb.yml +++ b/schema/tables/authdb.yml @@ -2,6 +2,7 @@ name: authdb platforms: - darwin description: Returns JSON output for the `authorizationdb read ` command. +evented: false columns: - name: right_name type: text 
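Review bot: the `description:` context line this hunk inserts `evented: false` after still reads "Returns JSON output for the `authorizationdb read ` command." with a stray space before the closing backtick and no `security` binary, while the notes added in the next hunk spell the invocation out as `security authorizationdb read system.login.console`; since this line is being touched anyway, suggest rewriting it to "Returns JSON output for the `security authorizationdb read <right_name>` command." so the description matches the documented command and names the argument the table keys on.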
@@ -13,5 +14,50 @@ columns: required: false description: >- The JSON output parsed from the plist output of the `authorizationdb read ` command. -notes: This table is not a core osquery table. It is included as part of Fleet's agent ([fleetd](https://fleetdm.com/docs/get-started/anatomy#fleetd)). -evented: false +example: >- + + ``` + SELECT * FROM authdb WHERE right_name='system.login.console'; + ``` + +notes: > + + This table is not a core osquery table. It is included as part of Fleet's agent ([fleetd](https://fleetdm.com/docs/get-started/anatomy#fleetd)). + + + The authorizationdb is a SQLite database that can be dumped out with the following Terminal command: + + + ``` + + sudo /usr/bin/sqlite3 /var/db/auth.db .dump + + ``` + + + The following command generates a .plist showing the attributes of the authorizationdb configuration: + + + ``` + + security authorizationdb read system.login.console + + ``` + + + The “right_name” string `system.login.console` is used in the mandatory WHERE clause for this table: + + + ``` + + SELECT * FROM authdb WHERE right_name='system.login.console'; + + ``` + + - [Apple documentation](https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/02authconcepts/authconcepts.html) + + - A [general purpose authorizationdb article](https://theevilbit.github.io/posts/macos_authorization/) + + - Armin Briegel (Scripting OS X) on the [macOS root user and the authorizationdb](https://scriptingosx.com/2018/05/demystifying-root-on-macos-part-4-the-authorization-database/) + + - Elliot Jordan on using the authorizationdb in his tool [Escrow Buddy](https://www.elliotjordan.com/posts/macos-authdb-mechs/)
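Review bot: in the new `example: >-` folded scalar the opening fence, the `SELECT * FROM authdb WHERE right_name='system.login.console';` line and the closing fence are three consecutive lines at the same indentation, so YAML folding joins them into a single line (``` SELECT ... ```) and the snippet will not render as a fenced block; the `notes: >` scalar in the same hunk avoids this by separating every line with a blank `+` line, so either add the same blank lines inside `example:` or use a literal block scalar (`|`) there. Two smaller points: the notes describe the `right_name` WHERE clause as mandatory, which is only enforced if the `right_name` column (not visible in this hunk; the `required: false` shown here belongs to the `parsed_json` column) carries `required: true`, so please confirm that or soften the wording; and `security authorizationdb read` prints the right's definition as an XML plist to stdout rather than "generating a .plist", so "prints the right's definition as a plist" would be more accurate. Also `notes: >` (clip) differs from the `>-` used for the other scalars in the file; pick one for consistency.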