fleet/schema/tables/account_policy_data.yml
Manoj Guglani f9c0b2444b
Update account_policy_data.yml (#22684)
Missing comma between `u.username` and `u.uid` causes the query to fail with
this error (note the query is only applicable to macOS):

```
osquery> SELECT u.username u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
Error: near ".": syntax error
```
Output after fixing the missing comma (part of the output removed):

```
osquery> SELECT u.username, u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
+--------------+------------+------------------------+--------------------+------------------------+
| username     | uid        | password_last_set_time | failed_login_count | failed_login_timestamp |
+--------------+------------+------------------------+--------------------+------------------------+
| nobody       | 4294967294 |                        |                    |                        |
| root         | 0          |                        |                    |                        |
```
# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

---------

Co-authored-by: Eric <eashaw@sailsjs.com>
2024-10-07 11:05:17 -05:00

name: account_policy_data
description: Additional macOS user account data from the AccountPolicy section of [OpenDirectory](https://en.wikipedia.org/wiki/Apple_Open_Directory), the identity provider used by Apple.
columns:
  - name: uid
    description: "[User ID](https://superuser.com/a/1108201)"
    type: BIGINT
    required: false
notes: |-
  - The values in this OpenDirectory table are related to account creation. In the past, it was fairly common to use OpenDirectory to keep a user's home folder (`~`) on a server, so that the user could log in from any Mac and get that folder. (These days, this use case is more uncommon.)
  - To determine who is logged in to the Mac, or for example, to check the record name versus the computer's "short name", consider using the data in [the DSCL table](https://fleetdm.com/tables/dscl).
  - Many installers incorporate scripts due to actions that are handled by pre- or post-scripts vs. installer package payloads. These script actions aren't tracked in the "bill of materials" (.bom) file. So, don't blindly trust the "bill of materials" (.bom) file as the source of truth on what has or hasn't been installed.
examples: |-
  Query the creation date of user accounts. You could also query the date of the last failed login attempt or password change.
  ```
  SELECT strftime('%Y-%m-%d %H:%M:%S',creation_time,'unixepoch') AS creationdate FROM account_policy_data;
  ```
  See each user's last password set date and number of failed logins since the last successful login to detect any intrusion attempts.
  ```
  SELECT u.username, u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
  ```
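The schema file's second example lists every account's password age and failed-login count; turning that into something you can schedule as a policy or alert means adding thresholds and a time window. The query below is an added example and is not part of the Fleet schema file or the Fleet project. It uses the same `account_policy_data`/`users` join, the same osquery (SQLite) `strftime` functions, and only the columns shown on this page (`failed_login_count`, `failed_login_timestamp`, `password_last_set_time`). The thresholds (5 failures within 24 hours, 90-day password age) and the `uid >= 500` cut-off for human accounts on macOS are assumptions for illustration, not Fleet defaults.

```sql
-- Added example (not from the Fleet schema file): flag macOS accounts with
-- repeated failed logins in the last 24 hours or a password older than 90 days.
-- Thresholds and the uid range are assumptions; tune them for your fleet.
WITH now_ts AS (
  -- osquery embeds SQLite, so the host clock is available via strftime.
  SELECT CAST(strftime('%s', 'now') AS INTEGER) AS ts
),
policy AS (
  SELECT
    u.username,
    u.uid,
    -- failed_login_count resets on a successful login (see the schema example
    -- above), so a high value means the failures are still "open".
    COALESCE(a.failed_login_count, 0) AS failed_login_count,
    strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp,
    strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time,
    CASE
      WHEN COALESCE(a.failed_login_count, 0) >= 5
       AND a.failed_login_timestamp >= now_ts.ts - 86400
        THEN 'repeated_failed_logins'
      WHEN a.password_last_set_time > 0
       AND a.password_last_set_time < now_ts.ts - 90 * 86400
        THEN 'stale_password'
    END AS finding
  FROM account_policy_data AS a
  JOIN users AS u USING (uid)
  CROSS JOIN now_ts
  -- Skip system/service accounts (uid < 500, assumption) and the 'nobody'
  -- pseudo-user (uid -2, stored as 4294967294); they carry no AccountPolicy
  -- data, which is why they show as empty rows in the commit message above.
  WHERE u.uid >= 500
    AND u.uid < 4294967294
)
-- Rows whose timestamps are NULL/empty never satisfy the CASE branches and are
-- dropped here, so a user who has never failed a login does not produce noise.
SELECT username, uid, finding, failed_login_count, failed_login_timestamp, password_last_set_time
FROM policy
WHERE finding IS NOT NULL
ORDER BY failed_login_count DESC, password_last_set_time ASC;
```

The `CASE` is ordered so that an account matching both conditions reports `repeated_failed_logins`, since that is the more urgent finding; if you need both signals, split the two branches into separate columns. When run as a Fleet policy rather than a query, wrap the final `SELECT` in `SELECT NOT EXISTS (...)`-style logic so that a host with no findings passes.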