fleet/schema
Artemis Tosini af4c3f7061
Add macOS CIS 5.3.1 (#10397)
This adds a new check about whether all APFS volumes are encrypted. I
needed to add a new table, and I took that opportunity to add another so
that osquery has all information from `diskutil apfs list -plist`.

Note that it is somewhat unclear whether to use the `encryption` or
`filevault` field in the query. FileVault is about whether the volume is
encrypted with a password and Encryption is about whether it is
encrypted at all, since all modern Macs have hardware-backed disk
encryption.
2023-03-10 12:29:14 -05:00
tables Add macOS CIS 5.3.1 (#10397) 2023-03-10 12:29:14 -05:00
fleet_schema.json Add notes re: OUI and wireshark OUI lookup for arp_cache (#8272) 2022-10-18 18:28:49 +00:00
osquery_fleet_schema.json Add macOS CIS 5.3.1 (#10397) 2023-03-10 12:29:14 -05:00
README.md Update schema folder readme (#9502) 2023-01-25 14:29:03 -06:00

Hello! Welcome to Fleet's osquery tables documentation.

This folder contains additional documentation that we add on top of the existing documentation for osquery to make the documentation of each table more useful for Fleet users.

Fleet's schema tables live in the tables/ folder. Each osquery table with Fleet overrides has a corresponding YAML file that will override information in the osquery schema documentation.

The existing documentation data lives in the osquery repo at: https://github.com/osquery/osquery-site/tree/source/src/data/osquery_schema_versions.

You can open PRs against a table's YAML file in the tables/ folder or the osquery schema file. Just note that the data in a table's YAML file overwrites the osquery data whenever there is a conflict.

When adding a new YAML override to Fleet's osquery schema you can use this template:

```yaml
name: # (required) string - The name of the table.
description: >- # (required) string - The description for this table. Note: this field supports markdown
  # Add description here
examples: >- # (optional) string - An example query for this table. Note: This field supports markdown
  # Add examples here
notes: >- # (optional) string - Notes about this table. Note: This field supports markdown.
  # Add notes here
columns: # (required) array - An array of columns in this table
  - name: # (required) string - The name of the column
    description: # (required) string - The column's description
    type: # (required) string - the column's data type
    required: # (required) boolean - whether or not this column is required to query this table.
```

Alternatively, if you want to add documentation about an osquery table for which we don't have a YAML override, you can find the table's page on the Fleet website and click the "edit page" button. Clicking this button will take you to the GitHub web editor with the template pre-filled. After you add information about the table and its columns, you can open a new pull request to add the new YAML file to Fleet's overrides.
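
The commit message at the top of this page describes a check that every APFS volume is encrypted, based on `diskutil apfs list -plist`, and notes the choice between the `encryption` and `filevault` fields. The following is an added example, not code from the Fleet repository, that evaluates both fields over a constructed plist. The key names (`Containers`, `Volumes`, `ContainerReference`, `Name`, `Encryption`, `FileVault`) are assumptions about the diskutil output layout, and the function names are hypothetical.

```python
import plistlib

# Constructed sample, trimmed to the keys used below. The key names are an
# assumption about the layout of `diskutil apfs list -plist` output.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Containers</key><array><dict>
  <key>ContainerReference</key><string>disk1</string>
  <key>Volumes</key><array>
    <dict><key>Name</key><string>Macintosh HD</string>
      <key>Encryption</key><true/><key>FileVault</key><true/></dict>
    <dict><key>Name</key><string>Data</string>
      <key>Encryption</key><true/><key>FileVault</key><false/></dict>
    <dict><key>Name</key><string>Scratch</string>
      <key>Encryption</key><false/><key>FileVault</key><false/></dict>
    <dict><key>Name</key><string>Legacy</string></dict>
  </array>
</dict></array></dict></plist>"""


def failing_volumes(plist_bytes, field="Encryption"):
    """Return (container, volume) pairs whose `field` is not true.

    A volume that lacks the key is reported as failing, so a parsing gap
    can never turn into a silent pass.
    """
    doc = plistlib.loads(plist_bytes)
    failing = []
    for container in doc.get("Containers", []):
        ref = container.get("ContainerReference", "?")
        for volume in container.get("Volumes", []):
            if volume.get(field) is not True:
                failing.append((ref, volume.get("Name", "?")))
    return failing


def all_volumes_pass(plist_bytes, field="Encryption"):
    """True only if at least one volume exists and none fails the check."""
    doc = plistlib.loads(plist_bytes)
    total = sum(len(c.get("Volumes", [])) for c in doc.get("Containers", []))
    return total > 0 and not failing_volumes(plist_bytes, field)


if __name__ == "__main__":
    for field in ("Encryption", "FileVault"):
        print(field, "failing:", failing_volumes(SAMPLE_PLIST, field))
```

On the sample, the constructed `Data` volume passes on `Encryption` but fails on `FileVault`, which is the difference between the two fields that the commit message points out.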