Update schema overrides to clarify which tables require joining against users (#18045)

For #16784.

These tables require joining against `users`:
+ `chrome_extension_content_scripts`
+ `chrome_extensions`
+ `firefox_addons`
+ `vscode_extensions`
+ `browser_plugins`
+ `crashes`
+ `preferences`
+ `safari_extensions`
+ `ssh_configs`
+ `user_ssh_keys`
+ `authorized_keys`
+ `known_hosts`
+ `shell_history`

---------

Co-authored-by: Eric <eashaw@sailsjs.com>
Rachael Shaw 2024-04-05 11:11:18 -05:00 committed by GitHub
parent 51c59e59b8
commit 55df14a23e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 85 additions and 27 deletions

@ -1,15 +1,13 @@
name: authorized_keys
examples: >-
List the SSH keys allowed to connect to this host.
```
SELECT key FROM authorized_keys;
SELECT * FROM users CROSS JOIN authorized_keys USING (uid);
```
columns:
- name: pid_with_namespace
platforms:
- linux
- name: uid
requires_user_context: true
notes: Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
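Review bot: the first example, `SELECT key FROM authorized_keys;`, queries the table without joining `users`, which contradicts the `notes:` line in the same hunk; if it is kept, rewrite it as `SELECT u.username, a.key FROM users u CROSS JOIN authorized_keys a USING (uid);` so the examples and the note agree. Separately, `notes:` is a plain scalar here while `known_hosts`, `preferences`, `safari_extensions` and `shell_history` in this change use `notes: >-` with a `- ` bullet; pick one form so the rendered schema pages look the same across tables.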

@ -7,6 +7,8 @@ examples: >-
```
SELECT bp.name, bp.identifier, bp.version FROM browser_plugins bp JOIN users u on bp.uid = u.uid ;
SELECT * FROM users CROSS JOIN browser_plugins USING (uid);
```
notes: Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
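Review bot: the second example, `SELECT * FROM users CROSS JOIN browser_plugins USING (uid);`, demonstrates the same `users` join as the existing `... FROM browser_plugins bp JOIN users u on bp.uid = u.uid ;` directly above it, so the hunk now shows one thing twice; keep the explicit-column version (and tidy the stray space before its `;`) and let the `notes:` line carry the join requirement.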

@ -1,4 +1,10 @@
name: chrome_extension_content_scripts
columns:
- name: uid
requires_user_context: true
examples: >-
```
SELECT * FROM users CROSS JOIN chrome_extension_content_scripts USING (uid);
```
notes: Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
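Review bot: the added `examples:` block has no introductory sentence, unlike the examples elsewhere in this change (e.g. `List the SSH keys allowed to connect to this host.` in `authorized_keys`); add one line stating what the query returns, and prefer a few named columns over `SELECT *` so readers see which columns matter when the table is joined against `users`.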

@ -6,6 +6,12 @@ platforms:
- chrome
description: Installed extensions (plugins) for [Chromium-based](https://en.wikipedia.org/wiki/Chromium_(web_browser)) browsers, including [Google Chrome](https://en.wikipedia.org/wiki/Google_Chrome), [Edge](https://en.wikipedia.org/wiki/Microsoft_Edge), [Brave](https://en.wikipedia.org/wiki/Brave_(web_browser)), [Opera](https://en.wikipedia.org/wiki/Opera_(web_browser)), and [Yandex](https://en.wikipedia.org/wiki/Yandex_Browser).
examples: >-
```
SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
```
List Chrome extensions by user and profile which have full access to HTTPS
browsing.
@ -14,9 +20,12 @@ examples: >-
SELECT u.username, ce.name, ce.description, ce.version, ce.profile, ce.permissions FROM users u CROSS JOIN chrome_extensions ce USING (uid) WHERE ce.permissions LIKE '%%https://*/*%%';
```
notes: |
Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
On ChromeOS, this table requires the [fleetd Chrome extension](https://fleetdm.com/docs/using-fleet/chromeos).
columns:
- name: uid
requires_user_context: true
platforms:
- darwin
- windows
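Review bot: under `notes: |` the two sentences are separated by a single newline, which markdown renders as one run-on paragraph; format them as `- ` bullets (as `preferences` and `safari_extensions` do in this change) or put a blank line between them so the ChromeOS requirement stands on its own.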
@ -106,5 +115,3 @@ columns:
- darwin
- windows
- linux
notes: |
- On ChromeOS, this table requires the [fleetd Chrome extension](https://fleetdm.com/docs/using-fleet/chromeos).

@ -1,13 +1,10 @@
name: crashes
examples: >-
See software responsible for crashes. This can be useful to detect what the
most problematic software in your environment is.
```
SELECT crash_path, identifier, responsible, exception_type FROM crashes;
SELECT * FROM users CROSS JOIN crashes USING (uid);
```
notes: Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
columns:
- name: uid
requires_user_context: true
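Review bot: the first example, `SELECT crash_path, identifier, responsible, exception_type FROM crashes;`, does not join `users` even though the note added in this hunk says the join is required; if it stays, extend it to `SELECT u.username, c.crash_path, c.identifier, c.responsible, c.exception_type FROM users u CROSS JOIN crashes c USING (uid);` so the example does what the note asks.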

@ -1,6 +1,12 @@
name: firefox_addons
description: Firefox browser [add-ons](https://addons.mozilla.org/en-US/firefox/) (plugins).
examples: >-
```
SELECT * FROM users CROSS JOIN firefox_addons USING (uid);
```
See Firefox extensions by user as well as information about their creator and
automatic update status.
@ -9,6 +15,6 @@ examples: >-
SELECT u.username, f.identifier, f.creator, f.description, f.version, f.autoupdate FROM users u CROSS JOIN firefox_addons f USING (uid) WHERE f.active='1';
```
notes: Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
columns:
- name: uid
requires_user_context: true

@ -1,4 +1,12 @@
name: known_hosts
columns:
- name: uid
requires_user_context: true
examples: >-
```
SELECT * FROM users CROSS JOIN known_hosts USING (uid);
```
notes: >-
- Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)

@ -1,15 +1,15 @@
name: preferences
examples: >-
This table reads a huge amount of preferences, including on third-party apps.
This query will show how many users are enrolled to TouchID.
```
SELECT * FROM preferences WHERE subkey='dailyEvents/2/enrolledUserCount';
SELECT * FROM users CROSS JOIN preferences USING (username);
```
notes: >-
- Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
- The `value` column will be empty for keys that contain binary data.
columns:
- name: username
requires_user_context: true
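Review bot: the TouchID example, `SELECT * FROM preferences WHERE subkey='dailyEvents/2/enrolledUserCount';`, has no `users` join, yet the note in the same hunk says the join is required; rewrite it as `SELECT u.username, p.* FROM users u CROSS JOIN preferences p USING (username) WHERE p.subkey='dailyEvents/2/enrolledUserCount';`. This table also joins on `username` rather than `uid`, which deserves a word in the notes since every other table in this change joins on `uid`.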

@ -2,6 +2,12 @@ name: safari_extensions
description: Installed Safari browser extensions (plugins).
columns:
- name: uid
requires_user_context: true
examples: >-
```
SELECT * FROM users CROSS JOIN safari_extensions USING (uid);
```
notes: >-
- Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
- Includes installed extensions for all system users.
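Review bot: the two bullets under `notes:` read as contradictory: `Includes installed extensions for all system users.` suggests no join is needed, while the bullet above says one is required; reword the second bullet so it is clearly conditional on the join (e.g. `When joined against users, results include extensions for all system users.`), or drop it.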

@ -1,5 +1,11 @@
name: shell_history
examples: >-
```
SELECT * FROM users CROSS JOIN shell_history USING (uid);
```
See command line executions and related timestamps. Useful for threat hunting
when a device is suspected of being compromised.
@ -10,4 +16,7 @@ examples: >-
```
columns:
- name: uid
requires_user_context: true
notes: >-
- Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)

@ -1,5 +1,11 @@
name: ssh_configs
examples: >-
```
SELECT * FROM users CROSS JOIN ssh_configs USING (uid);
```
Identify SSH clients configured to send their locales to the server.
```
@ -9,4 +15,4 @@ examples: >-
```
columns:
- name: uid
requires_user_context: true
notes: Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)

@ -1,5 +1,11 @@
name: user_ssh_keys
examples: >-
```
SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);
```
Identify SSH keys stored in clear text in user directories
```
@ -12,4 +18,4 @@ columns:
platforms:
- linux
- name: uid
requires_user_context: true
notes: Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)

@ -1,6 +1,13 @@
name: vscode_extensions
description: Installed extensions for [Visual Studio (VS) Code](https://code.visualstudio.com/).
examples: >-
```
SELECT * FROM users CROSS JOIN vscode_extensions USING (uid);
```
List the name, publisher, and version of the Visual Studio (VS) Code extensions installed on hosts.
```
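Review bot: the added `SELECT * FROM users CROSS JOIN vscode_extensions USING (uid);` duplicates the file's existing example, `SELECT extension.name, extension.publisher, extension.version FROM users JOIN vscode_extensions extension USING (uid);`, which already joins `users`; drop the new block and rely on the `notes:` line, or fold the two into a single example with an introductory sentence.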
@ -8,7 +15,7 @@ examples: >-
SELECT extension.name, extension.publisher, extension.version FROM users JOIN vscode_extensions extension USING (uid);
```
notes: Querying this table requires joining against the `users` table.
notes: Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
columns:
- name: name
description: Extension Name