Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 08:58:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 114

Add MacAdmins extension tables to schema (#8377)

Browse source 
* Adding tables from the macadmins extension pack

Part 1!

* Adding the 2nd set of macadmins extension tables

Will review in another commit tomorrow before submitting PR

* Fixing typos and example queries
This commit is contained in:
Guillaume Ross 2022-10-21 09:49:11 -04:00 committed by GitHub
parent 5393d4ec96
commit d0cfa7bbb3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 542 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
schema/tables/file_lines.yml Normal file
View file

@ -0,0 +1,22 @@
name: file_lines
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Allows reading an arbitrary file.
platforms: darwin, windows, linux
evented: false
examples: >-
Output the content of `/etc/hosts` line by line.
```
SELECT * FROM file_lines WHERE path='/etc/hosts';
```
columns:
- name: path
description: Path of the file to read.
required: true
type: text
- name: line
description: Output of the file, line by line.
required: false
type: text

24
schema/tables/filevault_users.yml Normal file
View file

@ -0,0 +1,24 @@
name: filevault_users
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Information on the users able to unlock the current boot volume if protected with FileVault.
platforms: darwin
evented: false
examples: >-
List the usernames able to unlock and boot a computer protected by FileVault, joined to
[users.username](http://fleetdm.com/tables/users) to obtain the description of the operating
system account that owns it.
```
SELECT fu.username, u.description FROM filevault_users fu JOIN users u ON fu.uuid=u.uuid;
```
columns:
- name: username
description: Username of the FileVault user.
required: false
type: text
- name: uuid
description: UUID of the FileVault user, which can be joined to [users.uuid](http://fleetdm.com/tables/users).
required: false
type: text

32
schema/tables/google_chrome_profiles.yml Normal file
View file

@ -0,0 +1,32 @@
name: google_chrome_profiles
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Profiles configured in Google Chrome.
platforms: darwin, windows, linux
evented: false
examples: >-
List the Google Chrome accounts logged in to with `fleetdm.com` email addresses, joined to the
[users](https://fleetdm.com/tables/users) table, to see the description of the operating system
account that owns it.
```
SELECT gp.email, gp.username, u.description FROM google_chrome_profiles gp JOIN users u ON gp.username=u.username WHERE gp.email LIKE '%fleetdm.com';
```
columns:
- name: email
description: Email address linked to the Google account this profile uses, if any.
required: false
type: text
- name: ephemeral
description: Boolean indicating if the profile is ephemeral or not.
required: false
type: boolean
- name: name
description: Name of the Chrome profile.
required: false
type: text
- name: username
description: Operating system level username of the account where this profile is located.
required: false
type: text

46
schema/tables/macos_profiles.yml Normal file
View file

@ -0,0 +1,46 @@
name: macos_profiles
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: High level information on installed profiles enrollment.
platforms: darwin
evented: false
examples: >-
Identify all profiles that are not *verified*.
```
SELECT display_name, install_date FROM macos_profiles WHERE verification_state!='verified';
```
columns:
- name: description
description: The description of the profile.
required: false
type: text
- name: display_name
description: The display name of the profile.
required: false
type: text
- name: identifier
description: The identifier of the profile.
required: false
type: text
- name: install_date
description: Date and time at which the profile was installed.
required: false
type: text
- name: organization
description: The profile's organization value.
required: false
type: text
- name: type
description: The type of profile.
required: false
type: text
- name: uuid
description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the profile.
required: false
type: text
- name: verification_state
description: The verification state of the profile.
required: false
type: text

66
schema/tables/mdm.yml Normal file
View file

@ -0,0 +1,66 @@
name: mdm
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).<p> Code based on work by [Kolide](https://github.com/kolide/launcher). <p> Due to changes in macOS 12.3, the output of `profiles show -type enrollment` can only be generated once a day. If you are running this command with another tool, you should set the `PROFILES_SHOW_ENROLLMENT_CACHE_PATH` environment variable to the path you are caching this. The cache file should be `json` with the keys `dep_capable` and `rate_limited present`, both booleans representing whether the device is capable of DEP enrollment and whether the response from `profiles show -type enrollment` is being rate limited or not.
description: Information on the device's MDM enrollment.
platforms: darwin
evented: false
examples: >-
Identify Macs that are DEP capable but have not been enrolled to MDM.
```
SELECT * FROM mdm WHERE dep_capable='true' AND enrolled='false';
```
columns:
- name: access_rights
description: The access rights of the payload. The resulting number is the total of every [AccessRight](https://developer.apple.com/documentation/devicemanagement/mdm) added up.
required: false
type: integer
- name: checkin_url
description: The URL the Mac checks in with, which should point to your MDM server.
required: false
type: text
- name: dep_capable
description: Indicates if the computer is DEP capable or not, even if it is not currently enrolled into MDM.
required: false
type: text
- name: enrolled
description: Indicates if the computer is enrolled into MDM.
required: false
type: text
- name: has_scep_payload
description: Indicates if the computer has a certificate used by the MDM server to authenticate it.
required: false
type: text
- name: identity_certificate_uuid
description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the [SCEP](https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol) certificate.
required: false
type: text
- name: install_date
description: The date on which the MDM payload was installed on the Mac.
required: false
type: text
- name: installed_from_dep
description: Indicates if the MDM payload was installed via DEP or not.
required: false
type: text
- name: payload_identifier
description: The identifier of the MDM payload.
required: false
type: text
- name: server_url
description: The URL of the MDM server used by this computer.
required: false
type: text
- name: sign_message
description: Indicates if messages sent and received from the MDM server must be signed.
required: false
type: text
- name: topic
description: The topic MDM listens to for push notifications.
required: false
type: text
- name: user_approved
description: Indicates if this MDM payload was approved by the user.
required: false
type: text

50
schema/tables/munki_info.yml Normal file
View file

@ -0,0 +1,50 @@
name: munki_info
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).<p> Code based on work by [Kolide](https://github.com/kolide/launcher).
description: Information from the last [Munki](https://github.com/munki/munki) run.
platforms: darwin
evented: false
examples: >-
Output errors, warnings and problematic installations from Munki.
```
SELECT errors, warnings, problem_installs FROM munki_info ;
```
columns:
- name: console_user
description: The username of the user currently logged into the console of the Mac.
required: false
type: text
- name: end_time
description: The date and time at which the latest Munki run ended.
required: false
type: text
- name: errors
description: If Munki encountered any error during the last run, they will be returned in this column.
required: false
type: text
- name: manifest_name
description: The internal manifest name
required: false
type: text
- name: problem_installs
description: A list of installs that did not succeed, if any.
required: false
type: text
- name: start_time
description: The date and time at which the latest Munki run started.
required: false
type: text
- name: success
description: Shows if the Munki run was a success (true), or not (false).
required: false
type: text
- name: version
description: The version of Munki used during the last run.
required: false
type: text
- name: warnings
description: If Munki encountered any error during the last run, they will be returned in this column.
required: false
type: text

30
schema/tables/munki_installs.yml Normal file
View file

@ -0,0 +1,30 @@
name: munki_installs
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).<p> Code based on work by [Kolide](https://github.com/kolide/launcher).
description: Software packages and other items [Munki](https://github.com/munki/munki) is managing.
platforms: darwin
evented: false
examples: >-
See the version of software that has been deployed by Munki.
```
SELECT name, installed_version FROM munki_installs WHERE installed='true';
```
columns:
- name: end_time
description: The end time of the last Munki run.
required: false
type: text
- name: installed
description: Shows if Munki installed an item (true) or if it is simply available but not installed (false).
required: false
type: text
- name: installed_version
description: The version number of installed items.
required: false
type: text
- name: name
description: The name of items managed by Munki.
required: false
type: text

26
schema/tables/puppet_facts.yml Normal file
View file

@ -0,0 +1,26 @@
name: puppet_facts
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Facts about [Puppet](https://puppet.com/). Puppet facts are *key:value* pairs.
platforms: darwin, windows, linux
evented: false
examples: >-
List all Puppet facts.
```
SELECT * FROM puppet_facts;
```
columns:
- name: node
description: Node, or block of Puppet code.
required: false
type: text
- name: fact
description: Key.
required: false
type: text
- name: value
description: Value.
required: false
type: text

82
schema/tables/puppet_info.yml Normal file
View file

@ -0,0 +1,82 @@
name: puppet_info
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Information on the last [Puppet](https://puppet.com/) run. This table uses data from the `last_run_report` that Puppet creates.
platforms: darwin, windows, linux
evented: false
examples: >-
List all the information available about the last Puppet run.
```
SELECT * FROM puppet_info;
```
columns:
- name: cached_catalog_status
description: The status of Puppet catalogs cached on the system.
required: false
type: text
- name: catalog_uuid
description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the catalog downloaded by Puppet.
required: false
type: text
- name: code_id
description: The `code_id` links the catalog with the compile-time version of file resources using the `puppet:///` URI.
required: false
type: text
- name: configuration_version
description: The version of the Puppet configuration.
required: false
type: text
- name: corrective_change
description: A corrective change is triggered when Puppet detects a discrepency between the current state and the expected state of a value.
required: false
type: text
- name: environment
description: The environment name.
required: false
type: text
- name: host
description: The host on which Puppet is used.
required: false
type: text
- name: kind
description: Kind of Puppet run.
required: false
type: text
- name: master_used
description: The Puppet server used.
required: false
type: text
- name: noop
description: Indicates if Puppet was run in [noop](https://puppet.com/docs/puppet/latest/metaparameter.html#noop) mode.
required: false
type: text
- name: noop_prending
description: Items pending from a [noop](https://puppet.com/docs/puppet/latest/metaparameter.html#noop) run.
required: false
type: text
- name: puppet_version
description: The version of Puppet used during the last run.
required: false
type: text
- name: report_format
description: The format the Puppet report was exported as.
required: false
type: text
- name: status
description: The status of Puppet on this system.
required: false
type: text
- name: time
description: The time of the last Puppet run.
required: false
type: text
- name: transaction_completed
description: Indicates if the transaction completed or not.
required: false
type: text
- name: transaction_uuid
description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the transaction.
required: false
type: text

39
schema/tables/puppet_logs.yml Normal file
View file

@ -0,0 +1,39 @@
name: puppet_logs
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Outputs [Puppet](https://puppet.com/) logs from the last run.
platforms: darwin, windows, linux
evented: false
examples: >-
List Puppet logs that are of a level of anything but informational.
```
SELECT * FROM puppet_logs WHERE level!='info';
```
columns:
- name: level
description: The level of the log item (info, error, etc).
required: false
type: text
- name: message
description: The log message content.
required: false
type: text
- name: source
description: The source of the log item.
required: false
type: text
- name: time
description: The time at which this item was logged.
required: false
type: text
- name: file
description: The file from which osquery read this log.
required: false
type: text
- name: line
description: The line from which this log item was read.
required: false
type: text

66
schema/tables/puppet_state.yml Normal file
View file

@ -0,0 +1,66 @@
name: puppet_state
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: State of every resource [Puppet](https://puppet.com/) is managing. This table uses data from the `last_run_report` that Puppet creates.
platforms: darwin, windows, linux
evented: false
examples: >-
List resources that failed or took over a minute to evaluate.
```
SELECT * FROM puppet_state WHERE failed='true' OR evaluation_time>'60';
```
columns:
- name: title
description: The name of the resource.
required: false
type: text
- name: file
description: The file that contains the resource.
required: false
type: text
- name: line
description: The line on which the resource is specified.
required: false
type: text
- name: resource
description: The resource and its title as `Type[title]`.
required: false
type: text
- name: resource_type
description: The resource type.
required: false
type: text
- name: evaluation_time
description: The amount of seconds it took to evaluate the resource.
required: false
type: text
- name: failed
description: If Puppet failed to evaluate this resource, this column is `true`.
required: false
type: text
- name: changed
description: If `change_count` is above `0`, this is `true`.
required: false
type: text
- name: out_of_sync
description: If `out_of_sync_count` is above `0`, this is `true`.
required: false
type: text
- name: skipped
description: True if this resource was skipped.
required: false
type: text
- name: change_count
description: The count of changes to be performed.
required: false
type: text
- name: out_of_sync_count
description: The number of properties that are out of sync
required: false
type: text
- name: corrective_change
description: True if a change on the system caused unexpected changes between two Puppet runs.
required: false
type: text

59
schema/tables/unified_log.yml Normal file
View file

@ -0,0 +1,59 @@
name: unified_log
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Allows querying macOS [unified logs](https://developer.apple.com/documentation/os/logging).
platforms: darwin
evented: false
examples: >-
Select the latest 100 log items related to `LaunchServices` and convert the UNIX time to a human readable format, and the signature table to verify its cryptographic signature.
```
SELECT u.category, u.level, u.message, u.pid, datetime(u.timestamp, 'unixepoch') AS human_time, p.path, s.signed, s.identifier, s.authority FROM unified_log u JOIN processes p ON u.pid = p.pid JOIN signature s ON p.path=s.path WHERE sender='LaunchServices' LIMIT 100;
```
columns:
- name: activity
description: The identifier of the log activity.
required: false
type: text
- name: category
description: The category of the log activity.
required: false
type: text
- name: level
description: The log level of this item, such as `default`, `info`, `fault`, etc.
required: false
type: text
- name: message
description: The log message.
required: false
type: text
- name: pid
description: Process ID of the process that generated this log item, which can be joined to multiple other tables including a *PID*.
required: false
type: bigint
- name: process
description: Name of the process that generated this log activity.
required: false
type: text
- name: sender
description: System that sent this activity.
required: false
type: text
- name: storage
description: TBD.
required: false
type: text
- name: subsystem
description: The subsystem responsible for this activity.
required: false
type: text
- name: tid
description: TBD.
required: false
type: bigint
- name: timestamp
description: Timestamp in [UNIX time format](https://en.wikipedia.org/wiki/Unix_time).
required: false
type: bigint