From d0cfa7bbb362a620ec13e30b2d6803ae06c10059 Mon Sep 17 00:00:00 2001
From: Guillaume Ross <guillaume@fleetdm.com>
Date: Fri, 21 Oct 2022 09:49:11 -0400
Subject: [PATCH] Add MacAdmins extension tables to schema (#8377)

* Adding tables from the macadmins extension pack

Part 1!

* Adding the 2nd set of macadmins extension tables

Will review in another commit tomorrow before submitting PR

* Fixing typos and example queries
---
 schema/tables/file_lines.yml             | 22 +++++++
 schema/tables/filevault_users.yml        | 24 +++++++
 schema/tables/google_chrome_profiles.yml | 32 +++++++++
 schema/tables/macos_profiles.yml         | 46 +++++++++++++
 schema/tables/mdm.yml                    | 66 +++++++++++++++++++
 schema/tables/munki_info.yml             | 50 +++++++++++++++
 schema/tables/munki_installs.yml         | 30 +++++++++
 schema/tables/puppet_facts.yml           | 26 ++++++++
 schema/tables/puppet_info.yml            | 82 ++++++++++++++++++++++++
 schema/tables/puppet_logs.yml            | 39 +++++++++++
 schema/tables/puppet_state.yml           | 66 +++++++++++++++++++
 schema/tables/unified_log.yml            | 59 +++++++++++++++++
 12 files changed, 542 insertions(+)
 create mode 100644 schema/tables/file_lines.yml
 create mode 100644 schema/tables/filevault_users.yml
 create mode 100644 schema/tables/google_chrome_profiles.yml
 create mode 100644 schema/tables/macos_profiles.yml
 create mode 100644 schema/tables/mdm.yml
 create mode 100644 schema/tables/munki_info.yml
 create mode 100644 schema/tables/munki_installs.yml
 create mode 100644 schema/tables/puppet_facts.yml
 create mode 100644 schema/tables/puppet_info.yml
 create mode 100644 schema/tables/puppet_logs.yml
 create mode 100644 schema/tables/puppet_state.yml
 create mode 100644 schema/tables/unified_log.yml

diff --git a/schema/tables/file_lines.yml b/schema/tables/file_lines.yml
new file mode 100644
index 0000000000..e82a663d15
--- /dev/null
+++ b/schema/tables/file_lines.yml
@@ -0,0 +1,22 @@
+name: file_lines
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: Allows reading an arbitrary file.
+platforms: darwin, windows, linux
+evented: false
+examples: >-
+  Output the content of `/etc/hosts` line by line. 
+  
+  ```
+  
+  SELECT * FROM file_lines WHERE path='/etc/hosts';
+  
+  ```
+columns:
+  - name: path
+    description: Path of the file to read.
+    required: true
+    type: text
+  - name: line
+    description: Output of the file, line by line.
+    required: false
+    type: text
\ No newline at end of file
diff --git a/schema/tables/filevault_users.yml b/schema/tables/filevault_users.yml
new file mode 100644
index 0000000000..ab5ce44339
--- /dev/null
+++ b/schema/tables/filevault_users.yml
@@ -0,0 +1,24 @@
+name: filevault_users
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: Information on the users able to unlock the current boot volume if protected with FileVault.
+platforms: darwin
+evented: false
+examples: >-
+  List the usernames able to unlock and boot a computer protected by FileVault, joined to
+  [users.username](http://fleetdm.com/tables/users) to obtain the description of the operating
+  system account that owns it.
+
+  ```
+  
+  SELECT fu.username, u.description FROM filevault_users fu JOIN users u ON fu.uuid=u.uuid;
+  
+  ```
+columns:
+  - name: username
+    description: Username of the FileVault user.
+    required: false
+    type: text
+  - name: uuid
+    description: UUID of the FileVault user, which can be joined to [users.uuid](http://fleetdm.com/tables/users).
+    required: false
+    type: text
\ No newline at end of file
diff --git a/schema/tables/google_chrome_profiles.yml b/schema/tables/google_chrome_profiles.yml
new file mode 100644
index 0000000000..049bda759a
--- /dev/null
+++ b/schema/tables/google_chrome_profiles.yml
@@ -0,0 +1,32 @@
+name: google_chrome_profiles
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: Profiles configured in Google Chrome.
+platforms: darwin, windows, linux
+evented: false
+examples: >-
+  List the Google Chrome accounts logged in to with `fleetdm.com` email addresses, joined to the
+  [users](https://fleetdm.com/tables/users) table, to see the description of the operating system
+  account that owns it.
+
+  ```
+  
+  SELECT gp.email, gp.username, u.description FROM google_chrome_profiles gp JOIN users u ON gp.username=u.username WHERE gp.email LIKE '%fleetdm.com';
+  
+  ```
+columns:
+  - name: email
+    description: Email address linked to the Google account this profile uses, if any.
+    required: false
+    type: text
+  - name: ephemeral
+    description: Boolean indicating if the profile is ephemeral or not.
+    required: false
+    type: boolean
+  - name: name
+    description: Name of the Chrome profile.
+    required: false
+    type: text
+  - name: username
+    description: Operating system level username of the account where this profile is located.
+    required: false
+    type: text
\ No newline at end of file
diff --git a/schema/tables/macos_profiles.yml b/schema/tables/macos_profiles.yml
new file mode 100644
index 0000000000..2ad5c704f4
--- /dev/null
+++ b/schema/tables/macos_profiles.yml
@@ -0,0 +1,46 @@
+name: macos_profiles
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: High level information on installed profiles enrollment.
+platforms: darwin
+evented: false
+examples: >-
+  Identify all profiles that are not *verified*.
+  
+  ```
+  
+  SELECT display_name, install_date FROM macos_profiles WHERE verification_state!='verified';  
+  
+  ```
+columns:
+  - name: description
+    description: The description of the profile.
+    required: false
+    type: text
+  - name: display_name
+    description: The display name of the profile.
+    required: false
+    type: text
+  - name: identifier
+    description: The identifier of the profile. 
+    required: false
+    type: text
+  - name: install_date
+    description: Date and time at which the profile was installed.
+    required: false
+    type: text
+  - name: organization
+    description: The profile's organization value.
+    required: false
+    type: text
+  - name: type
+    description: The type of profile.
+    required: false
+    type: text
+  - name: uuid
+    description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the profile.
+    required: false
+    type: text
+  - name: verification_state
+    description: The verification state of the profile.
+    required: false
+    type: text
diff --git a/schema/tables/mdm.yml b/schema/tables/mdm.yml
new file mode 100644
index 0000000000..fe818d8648
--- /dev/null
+++ b/schema/tables/mdm.yml
@@ -0,0 +1,66 @@
+name: mdm
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).<p> Code based on work by [Kolide](https://github.com/kolide/launcher). <p> Due to changes in macOS 12.3, the output of `profiles show -type enrollment` can only be generated once a day. If you are running this command with another tool, you should set the `PROFILES_SHOW_ENROLLMENT_CACHE_PATH` environment variable to the path you are caching this. The cache file should be `json` with the keys `dep_capable` and `rate_limited present`, both booleans representing whether the device is capable of DEP enrollment and whether the response from `profiles show -type enrollment` is being rate limited or not.
+description: Information on the device's MDM enrollment.
+platforms: darwin
+evented: false
+examples: >-
+  Identify Macs that are DEP capable but have not been enrolled to MDM.
+
+  ```
+  
+  SELECT * FROM mdm WHERE dep_capable='true' AND enrolled='false';
+  
+  ```
+columns:
+  - name: access_rights
+    description: The access rights of the payload. The resulting number is the total of every [AccessRight](https://developer.apple.com/documentation/devicemanagement/mdm) added up.
+    required: false
+    type: integer
+  - name: checkin_url
+    description: The URL the Mac checks in with, which should point to your MDM server.
+    required: false
+    type: text
+  - name: dep_capable
+    description: Indicates if the computer is DEP capable or not, even if it is not currently enrolled into MDM.
+    required: false
+    type: text
+  - name: enrolled
+    description: Indicates if the computer is enrolled into MDM.
+    required: false
+    type: text
+  - name: has_scep_payload
+    description: Indicates if the computer has a certificate used by the MDM server to authenticate it.
+    required: false
+    type: text
+  - name: identity_certificate_uuid
+    description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the [SCEP](https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol) certificate.
+    required: false
+    type: text
+  - name: install_date
+    description: The date on which the MDM payload was installed on the Mac.
+    required: false
+    type: text
+  - name: installed_from_dep
+    description: Indicates if the MDM payload was installed via DEP or not.
+    required: false
+    type: text
+  - name: payload_identifier
+    description: The identifier of the MDM payload.
+    required: false
+    type: text
+  - name: server_url
+    description: The URL of the MDM server used by this computer. 
+    required: false
+    type: text
+  - name: sign_message
+    description: Indicates if messages sent and received from the MDM server must be signed.
+    required: false
+    type: text
+  - name: topic
+    description: The topic MDM listens to for push notifications. 
+    required: false
+    type: text
+  - name: user_approved
+    description: Indicates if this MDM payload was approved by the user.
+    required: false
+    type: text
\ No newline at end of file
diff --git a/schema/tables/munki_info.yml b/schema/tables/munki_info.yml
new file mode 100644
index 0000000000..722a1e9fac
--- /dev/null
+++ b/schema/tables/munki_info.yml
@@ -0,0 +1,50 @@
+name: munki_info
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).<p> Code based on work by [Kolide](https://github.com/kolide/launcher).
+description: Information from the last [Munki](https://github.com/munki/munki) run.
+platforms: darwin
+evented: false
+examples: >-
+  Output errors, warnings and problematic installations from Munki.
+
+  ```
+  
+  SELECT errors, warnings, problem_installs FROM munki_info ;
+  
+  ```
+columns:
+  - name: console_user
+    description: The username of the user currently logged into the console of the Mac.
+    required: false
+    type: text
+  - name: end_time
+    description: The date and time at which the latest Munki run ended.
+    required: false
+    type: text
+  - name: errors
+    description: If Munki encountered any error during the last run, they will be returned in this column.
+    required: false
+    type: text
+  - name: manifest_name
+    description: The internal manifest name
+    required: false
+    type: text
+  - name: problem_installs
+    description: A list of installs that did not succeed, if any.
+    required: false
+    type: text
+  - name: start_time
+    description: The date and time at which the latest Munki run started.
+    required: false
+    type: text
+  - name: success
+    description: Shows if the Munki run was a success (true), or not (false).
+    required: false
+    type: text
+  - name: version
+    description: The version of Munki used during the last run.
+    required: false
+    type: text
+  - name: warnings
+    description: If Munki encountered any error during the last run, they will be returned in this column.
+    required: false
+    type: text
\ No newline at end of file
diff --git a/schema/tables/munki_installs.yml b/schema/tables/munki_installs.yml
new file mode 100644
index 0000000000..d8b7020772
--- /dev/null
+++ b/schema/tables/munki_installs.yml
@@ -0,0 +1,30 @@
+name: munki_installs
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).<p> Code based on work by [Kolide](https://github.com/kolide/launcher).
+description: Software packages and other items [Munki](https://github.com/munki/munki) is managing.
+platforms: darwin
+evented: false
+examples: >-
+  See the version of software that has been deployed by Munki.
+
+  ```
+  
+  SELECT name, installed_version FROM munki_installs WHERE installed='true';
+  
+  ```
+columns:
+  - name: end_time
+    description: The end time of the last Munki run.
+    required: false
+    type: text
+  - name: installed
+    description: Shows if Munki installed an item (true) or if it is simply available but not installed (false).
+    required: false
+    type: text
+  - name: installed_version
+    description: The version number of installed items.
+    required: false
+    type: text
+  - name: name
+    description: The name of items managed by Munki.
+    required: false
+    type: text
diff --git a/schema/tables/puppet_facts.yml b/schema/tables/puppet_facts.yml
new file mode 100644
index 0000000000..684f578796
--- /dev/null
+++ b/schema/tables/puppet_facts.yml
@@ -0,0 +1,26 @@
+name: puppet_facts
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: Facts about [Puppet](https://puppet.com/). Puppet facts are *key:value* pairs.
+platforms: darwin, windows, linux
+evented: false
+examples: >-
+  List all Puppet facts.
+
+  ```
+  
+  SELECT * FROM puppet_facts;
+  
+  ```
+columns:
+  - name: node
+    description: Node, or block of Puppet code.
+    required: false
+    type: text
+  - name: fact
+    description: Key.
+    required: false
+    type: text
+  - name: value
+    description: Value.
+    required: false
+    type: text
diff --git a/schema/tables/puppet_info.yml b/schema/tables/puppet_info.yml
new file mode 100644
index 0000000000..1baa84d89a
--- /dev/null
+++ b/schema/tables/puppet_info.yml
@@ -0,0 +1,82 @@
+name: puppet_info
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: Information on the last [Puppet](https://puppet.com/) run. This table uses data from the `last_run_report` that Puppet creates.
+platforms: darwin, windows, linux
+evented: false
+examples: >-
+  List all the information available about the last Puppet run.
+
+  ```
+  
+  SELECT * FROM puppet_info;
+  
+  ```
+columns:
+  - name: cached_catalog_status
+    description: The status of Puppet catalogs cached on the system.
+    required: false
+    type: text
+  - name: catalog_uuid
+    description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the catalog downloaded by Puppet.
+    required: false
+    type: text
+  - name: code_id
+    description: The `code_id` links the catalog with the compile-time version of file resources using the `puppet:///` URI.
+    required: false
+    type: text
+  - name: configuration_version
+    description: The version of the Puppet configuration.
+    required: false
+    type: text
+  - name: corrective_change
+    description: A corrective change is triggered when Puppet detects a discrepency between the current state and the expected state of a value.
+    required: false
+    type: text
+  - name: environment
+    description: The environment name.
+    required: false
+    type: text
+  - name: host
+    description: The host on which Puppet is used.
+    required: false
+    type: text
+  - name: kind
+    description: Kind of Puppet run.
+    required: false
+    type: text
+  - name: master_used
+    description: The Puppet server used.
+    required: false
+    type: text
+  - name: noop
+    description: Indicates if Puppet was run in [noop](https://puppet.com/docs/puppet/latest/metaparameter.html#noop) mode.
+    required: false
+    type: text
+  - name: noop_prending
+    description: Items pending from a [noop](https://puppet.com/docs/puppet/latest/metaparameter.html#noop) run.
+    required: false
+    type: text
+  - name: puppet_version
+    description: The version of Puppet used during the last run.
+    required: false
+    type: text
+  - name: report_format
+    description: The format the Puppet report was exported as.
+    required: false
+    type: text
+  - name: status
+    description: The status of Puppet on this system.
+    required: false
+    type: text
+  - name: time
+    description: The time of the last Puppet run.
+    required: false
+    type: text
+  - name: transaction_completed
+    description: Indicates if the transaction completed or not.
+    required: false
+    type: text
+  - name: transaction_uuid
+    description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the transaction.
+    required: false
+    type: text
\ No newline at end of file
diff --git a/schema/tables/puppet_logs.yml b/schema/tables/puppet_logs.yml
new file mode 100644
index 0000000000..29e8305f25
--- /dev/null
+++ b/schema/tables/puppet_logs.yml
@@ -0,0 +1,39 @@
+name: puppet_logs
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: Outputs [Puppet](https://puppet.com/) logs from the last run. 
+platforms: darwin, windows, linux
+evented: false
+examples: >-
+  List Puppet logs that are of a level of anything but informational.
+
+  ```
+  
+  SELECT * FROM puppet_logs WHERE level!='info';
+  
+  ```
+columns:
+  - name: level
+    description: The level of the log item (info, error, etc).
+    required: false
+    type: text
+  - name: message
+    description: The log message content.
+    required: false
+    type: text
+  - name: source
+    description: The source of the log item.
+    required: false
+    type: text
+  - name: time
+    description: The time at which this item was logged.
+    required: false
+    type: text
+  - name: file
+    description: The file from which osquery read this log.
+    required: false
+    type: text
+  - name: line
+    description: The line from which this log item was read.
+    required: false
+    type: text
+  
\ No newline at end of file
diff --git a/schema/tables/puppet_state.yml b/schema/tables/puppet_state.yml
new file mode 100644
index 0000000000..147ca46793
--- /dev/null
+++ b/schema/tables/puppet_state.yml
@@ -0,0 +1,66 @@
+name: puppet_state
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: State of every resource [Puppet](https://puppet.com/) is managing. This table uses data from the `last_run_report` that Puppet creates.
+platforms: darwin, windows, linux
+evented: false
+examples: >-
+  List resources that failed or took over a minute to evaluate.
+
+  ```
+  
+  SELECT * FROM puppet_state WHERE failed='true' OR evaluation_time>'60';
+  
+  ```
+columns:
+  - name: title
+    description: The name of the resource.
+    required: false
+    type: text
+  - name: file
+    description: The file that contains the resource.
+    required: false
+    type: text
+  - name: line
+    description: The line on which the resource is specified.
+    required: false
+    type: text
+  - name: resource
+    description: The resource and its title as `Type[title]`.
+    required: false
+    type: text
+  - name: resource_type
+    description: The resource type.
+    required: false
+    type: text
+  - name: evaluation_time
+    description: The amount of seconds it took to evaluate the resource.
+    required: false
+    type: text
+  - name: failed
+    description: If Puppet failed to evaluate this resource, this column is `true`.
+    required: false
+    type: text
+  - name: changed
+    description: If `change_count` is above `0`, this is `true`.
+    required: false
+    type: text
+  - name: out_of_sync
+    description: If `out_of_sync_count` is above `0`, this is `true`.
+    required: false
+    type: text
+  - name: skipped
+    description: True if this resource was skipped.
+    required: false
+    type: text
+  - name: change_count
+    description: The count of changes to be performed.
+    required: false
+    type: text
+  - name: out_of_sync_count
+    description: The number of properties that are out of sync
+    required: false
+    type: text
+  - name: corrective_change
+    description: True if a change on the system caused unexpected changes between two Puppet runs.
+    required: false
+    type: text
\ No newline at end of file
diff --git a/schema/tables/unified_log.yml b/schema/tables/unified_log.yml
new file mode 100644
index 0000000000..f65144d4af
--- /dev/null
+++ b/schema/tables/unified_log.yml
@@ -0,0 +1,59 @@
+name: unified_log
+notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
+description: Allows querying macOS [unified logs](https://developer.apple.com/documentation/os/logging).
+platforms: darwin
+evented: false
+examples: >-
+  Select the latest 100 log items related to `LaunchServices` and convert the UNIX time to a human readable format,  and the signature table to verify its cryptographic signature.
+
+  ```
+  
+  SELECT u.category, u.level, u.message, u.pid, datetime(u.timestamp, 'unixepoch') AS human_time, p.path, s.signed, s.identifier, s.authority FROM unified_log u JOIN processes p ON u.pid = p.pid JOIN signature s ON p.path=s.path WHERE sender='LaunchServices' LIMIT 100;  
+  
+  ```
+columns:
+  - name: activity
+    description: The identifier of the log activity.
+    required: false
+    type: text
+  - name: category
+    description: The category of the log activity.
+    required: false
+    type: text
+  - name: level
+    description: The log level of this item, such as `default`, `info`, `fault`, etc.
+    required: false
+    type: text
+  - name: message
+    description: The log message.
+    required: false
+    type: text
+  - name: pid
+    description: Process ID of the process that generated this log item, which can be joined to multiple other tables including a *PID*.
+    required: false
+    type: bigint
+  - name: process
+    description: Name of the process that generated this log activity.
+    required: false
+    type: text
+  - name: sender
+    description: System that sent this activity.
+    required: false
+    type: text
+  - name: storage
+    description: TBD.
+    required: false
+    type: text
+  - name: subsystem
+    description: The subsystem responsible for this activity.
+    required: false
+    type: text
+  - name: tid
+    description: TBD.
+    required: false
+    type: bigint
+  - name: timestamp
+    description: Timestamp in [UNIX time format](https://en.wikipedia.org/wiki/Unix_time).
+    required: false
+    type: bigint
+  
\ No newline at end of file