# osquery table spec (Python DSL consumed by the table generator) for the
# `groups` virtual table: one row per local group on the host.
# The comments below are reviewer notes; the column description strings are
# runtime values that become the generated table's documentation and are
# left untouched.
table_name("groups")
description("Local system groups.")
# Columns present on every platform.
schema([
# index=True: looks like the DSL's hint that this column is a lookup key the
# planner may push constraints to — confirm against the generator.
Column("gid", BIGINT, "Unsigned int64 group ID", index=True),
# Per its description, the same value as gid reinterpreted as a signed int64.
Column("gid_signed", BIGINT, "A signed int64 version of gid"),
Column("groupname", TEXT, "Canonical local group name"),
])
# Platform-specific columns: Windows.
extended_schema(WINDOWS, [
# On Windows the gid column carries the RID (see the note in examples below),
# which is only relative to its issuing authority; group_sid is the stable,
# unique identifier, so correlate groups across hosts/domains on group_sid
# rather than on gid.
Column("group_sid", TEXT, "Unique group ID", index=True),
Column("comment", TEXT, "Remarks or comments associated with the group"),
])
# Platform-specific columns: macOS.
extended_schema(DARWIN, [
Column("is_hidden", INTEGER, "IsHidden attribute set in OpenDirectory"),
])
# Platform-specific columns: Linux.
extended_schema(LINUX, [
# additional=True / hidden=True: presumably a constraint-only input that is
# omitted from `select *` and lets the generator read group data from the
# namespace of the given pid (e.g. a container) — verify against genGroups.
Column("pid_with_namespace", INTEGER, "Pids that contain a namespace", additional=True, hidden=True),
])
# Native generator function that produces the rows for this table.
implementation("groups@genGroups")
examples([
"select * from groups where gid = 0",
# Joining groups with user_groups is not JOIN optimized; the join example
# below is left commented out, presumably for that reason.
#"select g.groupname, ug.uid from groups g, user_groups ug where g.gid = ug.gid",
# The relative group ID, or RID, is used by osquery as the "gid"
# For Windows, "gid" and "gid_signed" will always be the same.
])