macadmins-extension
Usage
For testing, you can load the extension with osqueryi.
By default, osquery does not want to load extensions not owned by root. You can either change the ownership of macadmins_extension.ext to root, or run osquery with the --allow_unsafe flag.
osqueryi --extension /path/to/macadmins_extension.extFor production deployment, you should refer to the osquery documentation.
Tables
| Table | Description | Platforms | Notes |
|---|---|---|---|
filevault_users |
Information on the users able to unlock the current boot volume when encrypted with Filevault | macOS | |
google_chrome_profiles |
Profiles configured in Goolge Chrome. | Linux / macOS / Windows | |
mdm |
Information on the device's MDM enrollment | macOS | Code based on work by Kolide |
munki_info |
Information from the last Munki run | macOS | Code based on work by Kolide |
munki_installs |
Items Munki is managing | macOS | Code based on work by Kolide |
puppet_info |
Information on the last Puppet run | Linux / macOS / Windows | |
puppet_logs |
Logs from the last Puppet run | Linux / macOS / Windows | |
puppet_state |
State of every resource Puppet is managing | Linux / macOS / Windows | |
unified_log |
Results from macOS' Unified Log | macOS | Use the constraints predicate and last to limit the number of results you pull, or this will not be very performant at all (select * from unified_log where last="1h" and predicate='processImagePath contains "mdmclient"';) |