fleet/schema/tables/authdb.yml

name: authdb
platforms:
  - darwin
description: The macOS authorizationdb is used by Mac admins to give their users or themselves granular permissions on the Macs they manage. The `authdb` osquery table returns JSON output for the `authorizationdb read <right_name>` command.
evented: false
columns:
  - name: right_name
    type: text
    required: true
    description: >-
      The right_name to query in the `authorizationdb read <right_name>` command.      
  - name: json_result
    type: text
    required: false
    description: >-
      The JSON output parsed from the plist output of the `authorizationdb read <right_name>` command.       
example: >-

  ```
  SELECT * FROM authdb WHERE right_name='system.login.console';
  ```

notes: >
  
  This table is not a core osquery table. It is included as part of Fleet's agent ([fleetd](https://fleetdm.com/docs/get-started/anatomy#fleetd)).
  

  The authorizationdb is a SQLite database that can be dumped out with the following Terminal command:


  ```

  sudo /usr/bin/sqlite3 /var/db/auth.db .dump

  ```


  The following command generates a .plist showing the attributes of the authorizationdb configuration:


  ```

  security authorizationdb read system.login.console

  ```


  The “right_name” string `system.login.console` is used in the mandatory WHERE clause for this table:


  ```

  SELECT * FROM authdb WHERE right_name='system.login.console';

  ```

  - [Apple documentation](https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/02authconcepts/authconcepts.html)

  - A [general purpose authorizationdb article](https://theevilbit.github.io/posts/macos_authorization/)

  - Armin Briegel (Scripting OS X) on the [macOS root user and the authorizationdb](https://scriptingosx.com/2018/05/demystifying-root-on-macos-part-4-the-authorization-database/)

  - Elliot Jordan on using the authorizationdb in his tool [Escrow Buddy](https://www.elliotjordan.com/posts/macos-authdb-mechs/)