Adding table spec documentation

osquery/tables/specs/centos/rpm_packages.table

@@ -1,11 +1,12 @@
 table_name("rpm_packages")
+description("The installed RPM package database.")
 schema([
-    Column("name", TEXT),
-    Column("version", TEXT),
-    Column("release", TEXT),
-    Column("source", TEXT),
-    Column("size", BIGINT),
-    Column("sha1", TEXT),
-    Column("arch", TEXT),
+    Column("name", TEXT, "RPM package name"),
+    Column("version", TEXT, "Package version"),
+    Column("release", TEXT, "Package release"),
+    Column("source", TEXT, "Source RPM package name (optional)"),
+    Column("size", BIGINT, "Package size in bytes"),
+    Column("sha1", TEXT, "SHA1 hash of the package contents"),
+    Column("arch", TEXT, "Architecture(s) supported"),
 ])
 implementation("system/rpm_packages@genRpms")

osquery/tables/specs/darwin/alf.table

@@ -1,4 +1,5 @@
 table_name("alf")
+description("OS X application layer firewall (Firewall) service details.")
 schema([
     Column("allow_signed_enabled", INTEGER),
     Column("firewall_unload", INTEGER),

osquery/tables/specs/darwin/alf_exceptions.table

@@ -1,6 +1,7 @@
 table_name("alf_exceptions")
+description("OS X application layer firewall (Firewall) service exceptions.")
 schema([
-    Column("path", TEXT),
+    Column("path", TEXT, "Path to the executable that is excepted"),
     Column("state", INTEGER),
 ])
 implementation("firewall@genALFExceptions")

osquery/tables/specs/darwin/alf_services.table

@@ -1,7 +1,8 @@
 table_name("alf_services")
+description("OS X application layer firewall (Firewall) services.")
 schema([
-    Column("service", TEXT),
-    Column("process", TEXT),
+    Column("service", TEXT, "Firewalled service name"),
+    Column("process", TEXT, "Process name"),
     Column("state", INTEGER),
 ])
 implementation("firewall@genALFServices")

osquery/tables/specs/darwin/apps.table

@@ -1,20 +1,21 @@
 table_name("apps")
+description("OS X applications installed in known search paths (e.g., /Applications)")
 schema([
-    Column("name", TEXT),
-    Column("path", TEXT),
-    Column("bundle_executable", TEXT),
-    Column("bundle_identifier", TEXT),
-    Column("bundle_name", TEXT),
-    Column("bundle_short_version", TEXT),
-    Column("bundle_version", TEXT),
-    Column("bundle_package_type", TEXT),
-    Column("compiler", TEXT),
-    Column("development_region", TEXT),
-    Column("display_name", TEXT),
-    Column("info_string", TEXT),
-    Column("minimum_system_version", TEXT),
-    Column("category", TEXT),
-    Column("applescript_enabled", TEXT),
-    Column("copyright", TEXT),
+    Column("name", TEXT, "Name of the Name.app folder"),
+    Column("path", TEXT, "Absolute and full Name.app path"),
+    Column("bundle_executable", TEXT, "Info properties CFBundleExecutable label"),
+    Column("bundle_identifier", TEXT, "Info properties CFBundleIdentifier label"),
+    Column("bundle_name", TEXT, "Info properties CFBundleName label"),
+    Column("bundle_short_version", TEXT, "Info properties CFBundleShortVersionString label"),
+    Column("bundle_version", TEXT, "Info properties CFBundleVersion label"),
+    Column("bundle_package_type", TEXT, "Info properties CFBundlePackageType label"),
+    Column("compiler", TEXT, "Info properties DTCompiler label"),
+    Column("development_region", TEXT, "Info properties CFBundleDevelopmentRegion label"),
+    Column("display_name", TEXT, "Info properties CFBundleDisplayName label"),
+    Column("info_string", TEXT, "Info properties CFBundleGetInfoString label"),
+    Column("minimum_system_version", TEXT, "Info properties LSMinimumSystemVersion label"),
+    Column("category", TEXT, "Info properties LSApplicationCategoryType label"),
+    Column("applescript_enabled", TEXT, "Info properties NSAppleScriptEnabled label"),
+    Column("copyright", TEXT, "Info properties NSHumanReadableCopyright label"),
 ])
 implementation("apps@genApps")

osquery/tables/specs/darwin/ca_certs.table

@@ -1,13 +1,14 @@
 table_name("ca_certs")
+description("Certificate Authorities installed in Keychains/ca-bundles.")
 schema([
-    Column("common_name", TEXT),
-    Column("not_valid_before", DATETIME),
-    Column("not_valid_after", DATETIME),
-    Column("key_algorithm", TEXT),
-    Column("key_usage", TEXT),
-    Column("subject_key_id", TEXT),
-    Column("authority_key_id", TEXT),
-    Column("sha1", TEXT),
+    Column("common_name", TEXT, "CommonName of the CA"),
+    Column("not_valid_before", DATETIME, "Lower bound of valid date"),
+    Column("not_valid_after", DATETIME, "Certificate expiration data"),
+    Column("key_algorithm", TEXT, "Key algorithm used"),
+    Column("key_usage", TEXT, "Certificate key usage and extended key usage"),
+    Column("subject_key_id", TEXT, "SKID an optionally included SHA1"),
+    Column("authority_key_id", TEXT, "AKID an optionally included SHA1"),
+    Column("sha1", TEXT, "SHA1 hash of the raw certificate contents"),
 
 ])
 implementation("ca_certs@genCerts")

osquery/tables/specs/darwin/homebrew_packages.table

@@ -1,7 +1,8 @@
 table_name("homebrew_packages")
+description("The installed homebrew package database.")
 schema([
-    Column("name", TEXT),
-    Column("path", TEXT),
-    Column("version", TEXT),
+    Column("name", TEXT, "Package name"),
+    Column("path", TEXT, "Package install path"),
+    Column("version", TEXT, "Current 'linked' version"),
 ])
 implementation("system/homebrew_packages@genHomebrewPackages")

osquery/tables/specs/darwin/iokit_devicetree.table

@@ -1,13 +1,14 @@
 table_name("iokit_devicetree")
+description("The IOKit DeviceTree registry")
 schema([
-    Column("name", TEXT),
-    Column("class", TEXT),
-    Column("id", BIGINT),
-    Column("parent", BIGINT),
-    Column("device_path", TEXT),
-    Column("service", INTEGER),
-    Column("busy_state", INTEGER),
-    Column("retain_count", INTEGER),
-    Column("depth", INTEGER),
+    Column("name", TEXT, "Device node name"),
+    Column("class", TEXT, "Best matching device class (most-specific category)"),
+    Column("id", BIGINT, "IOKit internal registry ID"),
+    Column("parent", BIGINT, "Parent device registry ID"),
+    Column("device_path", TEXT, "Device tree path"),
+    Column("service", INTEGER, "1 if the device conforms to IOService else 0"),
+    Column("busy_state", INTEGER, "1 if the device is in a busy state else 0"),
+    Column("retain_count", INTEGER, "The device reference count"),
+    Column("depth", INTEGER, "Device nested depth"),
 ])
 implementation("system/iokit_registry@genIOKitDeviceTree")

osquery/tables/specs/darwin/iokit_registry.table

@@ -1,11 +1,12 @@
 table_name("iokit_registry")
+description("The full IOKit registry without selecting a plane.")
 schema([
-    Column("name", TEXT),
-    Column("class", TEXT),
-    Column("id", BIGINT),
-    Column("parent", BIGINT),
-    Column("busy_state", INTEGER),
-    Column("retain_count", INTEGER),
-    Column("depth", INTEGER),
+    Column("name", TEXT, "Default name of the node"),
+    Column("class", TEXT, "Best matching device class (most-specific category)"),
+    Column("id", BIGINT, "IOKit internal registry ID"),
+    Column("parent", BIGINT, "Parent registry ID"),
+    Column("busy_state", INTEGER, "1 if the node is in a busy state else 0"),
+    Column("retain_count", INTEGER, "The node reference count"),
+    Column("depth", INTEGER, "Node nested depth"),
 ])
 implementation("system/iokit_registry@genIOKitRegistry")

osquery/tables/specs/darwin/kernel_extensions.table

@@ -1,11 +1,12 @@
 table_name("kernel_extensions")
+description("OS X's kernel extensions, both loaded and within the load search path.")
 schema([
     Column("idx", INTEGER),
     Column("refs", INTEGER),
     Column("size", BIGINT),
     Column("wired", BIGINT),
-    Column("name", TEXT),
-    Column("version", TEXT),
+    Column("name", TEXT, "Extension label"),
+    Column("version", TEXT, "Extension version"),
     Column("linked_against", TEXT),
 ])
 implementation("kextstat@genKernelExtensions")

osquery/tables/specs/darwin/nvram.table

@@ -1,7 +1,8 @@
 table_name("nvram")
+description("Apple NVRAM variable listing")
 schema([
-    Column("name", TEXT),
-    Column("type", TEXT),
-    Column("value", TEXT),
+    Column("name", TEXT, "Variable name"),
+    Column("type", TEXT, "Data type (CFData, CFString, etc)"),
+    Column("value", TEXT, "Raw variable data"),
 ])
 implementation("nvram@genNVRAM")

osquery/tables/specs/darwin/xprotect_entries.table

@@ -1,11 +1,12 @@
 table_name("xprotect_entries")
+description("Database of the machine's XProtect signatures.")
 schema([
-    Column("name", TEXT, "Description of XProtect'ed malware"),
+    Column("name", TEXT, "Description of XProtected malware"),
     Column("launch_type", TEXT, "Launch services content type"),
-    Column("identity", TEXT, "XProtect identity"),
-    Column("filename", TEXT),
-    Column("filetype", TEXT),
-    Column("optional", INTEGER, "Match any of the identities/patterns."),
+    Column("identity", TEXT, "XProtect identity (SHA1) of content"),
+    Column("filename", TEXT, "Use this file name to match"),
+    Column("filetype", TEXT, "Use this file type to match"),
+    Column("optional", INTEGER, "Match any of the identities/patterns for this XProtect name"),
     Column("uses_pattern", INTEGER, "Uses a match pattern instead of identity"),
 ])
 implementation("xprotect@genXProtectEntries")

osquery/tables/specs/darwin/xprotect_reports.table

@@ -1,7 +1,8 @@
 table_name("xprotect_reports")
+description("Database of XProtect matches (if user generated/sent an XProtect report)")
 schema([
-    Column("name", TEXT, "Description of XProtect'ed malware"),
+    Column("name", TEXT, "Description of XProtected malware"),
     Column("user_action", TEXT, "Action taken by user after prompted"),
-    Column("time", TEXT, "Quarantine alert time."),
+    Column("time", TEXT, "Quarantine alert time"),
 ])
 implementation("xprotect@genXProtectReports")

osquery/tables/specs/linux/kernel_modules.table

@@ -1,8 +1,9 @@
 table_name("kernel_modules")
+description("Linux kernel modules both loaded and within the load search path")
 schema([
-    Column("name", TEXT),
-    Column("size", TEXT),
-    Column("used_by", TEXT),
+    Column("name", TEXT, "Module name"),
+    Column("size", TEXT, "Size of module content"),
+    Column("used_by", TEXT, "Module reverse dependencies"),
     Column("status", TEXT),
     Column("address", TEXT),
 ])

osquery/tables/specs/x/acpi_tables.table

@@ -1,7 +1,8 @@
 table_name("acpi_tables")
+description("Current ACPI tables")
 schema([
-    Column("name", TEXT),
-    Column("size", INTEGER),
-    Column("md5", TEXT),
+    Column("name", TEXT, "ACPI table name"),
+    Column("size", INTEGER, "Size of compiled table data"),
+    Column("md5", TEXT, "MD5 hash of table content"),
 ])
 implementation("system/acpi_tables@genACPITables")

osquery/tables/specs/x/arp_cache.table

@@ -1,8 +1,9 @@
 table_name("arp_cache")
+description("The ARP (IPv4) address cache")
 schema([
-    Column("address", TEXT),
-    Column("mac", TEXT),
-    Column("interface", TEXT),
+    Column("address", TEXT, "IPv4 address target"),
+    Column("mac", TEXT, "MAC address of broadcasted address"),
+    Column("interface", TEXT, "Interface of the network for the MAC"),
     Column("permanent", TEXT, "1 for true, 0 for false"),
 ])
 implementation("linux/arp_cache,darwin/routes@genArpCache")