[master task] SQL tables requests and roadmap

[theopolis]

This issue is tracking requested virtual tables. If you would like to suggest a new table or discuss the need for a new table please comment on this issue. If you would like to implement one of the tables or need a focused discussion please open a separate issue dedicated to that virtual table.

This issue tracks requested/planned additions to the available SQL tables in osquery. If you would like to suggest/discuss a new SQL table please comment on this issue. If you would like to implement one of the tables or need a focused discussion please open a separate issue dedicated to that table.

Shared (cross-platform) tables:

• Exported NFS shares (linux, OS X)
• Binary "strings" for a specific path
• MDNS settings/cache
• FDE status (fdesetup/Filevault on OS X) Issue: [#911] Implement FDE status #913, PR: [#911] Implement FDE status #913
• Network settings (forwarding/promisc/nameservers)
• Browser plugins/extensions
• Unpacked / developer-mode chrome extensions
• osquery-IO utilization
• sleuth kit timeline
• log files (apache logs, system logs, etc)
• shared memory (linux, OS X (zpages))
• process memory maps (linux, OS X)
• group membership
• general systems information (Collect hostname: system_info virtual table #1447)
• timezone in time table (NTP server/timezone not included in time table #1547)
• configured printers (Darwin - printers... #1566)
• static or DHCP indicator for interface_addresses (More interface details: static or DHCP #1575)
• file_regex table for applying greps across selected file targets (Simple regular expression-based greping via query predicate #1692)
• ssdeep support in hashing table (Add support for ssdeep column in the hash table #1775)
• User entries in the sudoers file (Table for sudo users #2024)

OS X Tables:

• Crashed process reports
• Package install history (/Library/Receipts/InstallHistory.plist) (Package install history #1922)
• Wifi saved info and details (/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist)
• xattr "wherefrom" for downloaded items in select directories OS X Where From #653
• EAPO Client module (/Library/Preferences/SystemConfiguration/com.apple.network.eapolclient.configuration.plist)
• Managed client information panes
• packet/pf/bp firewall (Add table for currently loaded pf firewall rules on Darwin #1521)
• defaults read table with path to plist trigger
• blessed boot directory/file using nvram settings (available as kernel_info)
• Block devices (parity with Linux)
• macho signature (joinable, like file/hash) add signing entity on kernel_extensions on OS X #800
• more signature (and signer) details for machos and related signed blobs #(Possibly include code sign information into the applications table for OS X #1770)
• authorization DB config
• macports packages
• kernel_extension_plugins and FileSystem-based extensions
• interface_details service order & primary interface indicator (Darwin(+ others?) - interface details doesn't include primary net interface #1568)
• Gatekeeper entitlements status (Darwin - Gatekeeper entitlements status #2042)

Linux Tables:

• iptables
• /boot directory/configuration
• TPM information
• bonds New table idea: bond configuration #1173
• Fedora's DNF (yum replacement) Add support for the DNF package manager #1515

Deep systems/esoteric tables:

• EFI platform metadata (OS X: OS X EFI ROM metadata table #1317)
• Bootloader metadata, GUID-PT/paths, etc.
• EFI/UEFI variables
• EDID information
• Supported/attached bus information
• DMI/SMBIOS data
• ACPI tables
• BIOS Extensions
• SMC information
• memory regions (linux, OS X)
• memory locking MSRs

Existing table additions:

Tables that exist, but need hi-priority columns.

• rpm_packages: add package signatures
• processes/file: on OS X display binary signature
• Add support for reading fish history in shell_history table (Add support for reading fish history in shell_history table #1417)
• add "focused" attribute to application_usage on OS X (Application_usage add 'focused' attribute #1315)
• add kext signature to kernel_extensions table on OS X (Kext table doesn't include if extension is actually loaded or signed(and by who) #1462)

Existing table modifications (column depredations/aliases)

• on_disk in the processes table should be path_exists or binary_exists (on_disk should probably get renamed to file_exists #1661)

Kernel-introspection-enabled tables:

Tables that use the OS X kernel extension or the not-yet-developed Linux kernel module. In some cases the BSD audit framework can suffice.

• Process start/stop
• Select system calls tables
• Socket opens

Low-priority recommendations:

• High-IO/performance processes/executables

Anti-pattern tables:

These are tables that are not appropriate for osquery as it exists today. This does not mean these tables are forever blacklisted, but they require considerable discussion or are more appropriate as modules or extensions and not as part of the core tables.

• Browser (chrome, firefox, safari) history (Browser History virtual table #22, Chrome Browser history #1691) this is very private information

[theopolis]

List of OS X configuration reporters (and their table mapping or priority):

Reporter	Exists/Priority	Methods/Issue
SPAirPort
SPApplications	apps
SPAudio
SPBluetooth
SPCamera	pci_devices	driver = "CMRA"
SPCardReader	usb_devices	Product decoding in usb_devices is wrong
SPComponent	low	lists media-decoders
SPConfigurationProfile	high
SPDeveloperTools	n/a
SPDiagnostics	???
SPDisabledApplications	???
SPDiscBurning	???
SPDisplays	low
SPEthernet	network_interfaces?
SPExtensions	kernel_extensions	includes more details
SPFibreChannel	???
SPFireWire	???
SPFirewall	alf
SPFont	n/a
SPFrameworks	n/a
SPHardwareRAID	n/a
SPInstallHistory	package_receipts
SPLogs	not sure
SPManagedClient	high
SPMemory	low
SPNetworkLocation	n/a
SPNetwork	network_interfaces
SPNetworkVolume	mounts
SPOS	???
SPPCI	pci_devices
SPParallelATA	block_devices
SPParallelSCSI	block_devices
SPPlatform	???
SPPower	low
SPPrefPane	med
SPPrinters	low
SPPrintersSoftware	med
SPSAS	???
SPI	???
SPSerialATA	block_devices*	"content" string missing, uses Vol UUID
SPStartupItem	startup_items
SPStorage	block_devices
SPSync	???
SPThunderbolt	pci_devices	not sure if TB devices are listed
SPUSB	usb_devices
SPUniversalAccess	med
SPWWAN	???

[ghost]

Thank you for reporting this issue and appreciate your patience. We've notified the core team for an update on this issue. We're looking for a response within the next 30 days or the issue may be closed.

[mike-myers-tob]

FYI, for #1521 in the above list (a pf table), we developed this functionality in an extension. But ours works for Linux and Windows too (referencing the corresponding native firewalls in each). https://github.com/trailofbits/osquery-extensions/tree/master/firewall

[fmanco]

This issue is old and doesn't look to be up-to-date so I'm going to close. If you care about a feature in here open a Feature Request. Those are going to be tagged with the wishlist label which makes them easier to find and track.