diff --git a/osquery/tables/specs/centos/rpm_packages.table b/osquery/tables/specs/centos/rpm_packages.table
index ebd00343..01f07cb2 100644
--- a/osquery/tables/specs/centos/rpm_packages.table
+++ b/osquery/tables/specs/centos/rpm_packages.table
@@ -1,11 +1,12 @@
 table_name("rpm_packages")
+description("The installed RPM package database.")
 schema([
- Column("name", TEXT),
- Column("version", TEXT),
- Column("release", TEXT),
- Column("source", TEXT),
- Column("size", BIGINT),
- Column("sha1", TEXT),
- Column("arch", TEXT),
+ Column("name", TEXT, "RPM package name"),
+ Column("version", TEXT, "Package version"),
+ Column("release", TEXT, "Package release"),
+ Column("source", TEXT, "Source RPM package name (optional)"),
+ Column("size", BIGINT, "Package size in bytes"),
+ Column("sha1", TEXT, "SHA1 hash of the package contents"),
+ Column("arch", TEXT, "Architecture(s) supported"),
 ])
 implementation("system/rpm_packages@genRpms")
diff --git a/osquery/tables/specs/darwin/alf.table b/osquery/tables/specs/darwin/alf.table
index 7178ab70..30fc5a41 100644
--- a/osquery/tables/specs/darwin/alf.table
+++ b/osquery/tables/specs/darwin/alf.table
@@ -1,4 +1,5 @@
 table_name("alf")
+description("OS X application layer firewall (Firewall) service details.")
 schema([
 Column("allow_signed_enabled", INTEGER),
 Column("firewall_unload", INTEGER),
diff --git a/osquery/tables/specs/darwin/alf_exceptions.table b/osquery/tables/specs/darwin/alf_exceptions.table
index 4ae13ef3..4a07eb1b 100644
--- a/osquery/tables/specs/darwin/alf_exceptions.table
+++ b/osquery/tables/specs/darwin/alf_exceptions.table
@@ -1,6 +1,7 @@
 table_name("alf_exceptions")
+description("OS X application layer firewall (Firewall) service exceptions.")
 schema([
- Column("path", TEXT),
+ Column("path", TEXT, "Path to the executable that is excepted"),
 Column("state", INTEGER),
 ])
 implementation("firewall@genALFExceptions")
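Review bot: The new description on the sha1 line, `SHA1 hash of the package contents`, may promise more than the column delivers: if genRpms populates it from the RPM SHA1HEADER tag (not visible in this hunk, so this is an inference to confirm), the value is the SHA-1 of the package header region, not of the installed payload, and an analyst who compares it against a hash of the .rpm file or of the files on disk will get a mismatch and may dismiss a real finding. If that is the source, `Column("sha1", TEXT, "SHA1 hash of the package header (RPM SHA1HEADER tag)"),` states what the value can actually be checked against; otherwise say which bytes are hashed.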
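Review bot: The alf hunk adds a table description but leaves allow_signed_enabled and firewall_unload (and whatever columns follow; the schema block continues past the hunk) without column descriptions, while every other table in this commit documents its columns. The same gap remains for `state` in alf_exceptions and alf_services, for idx, refs, size, wired and linked_against in kernel_extensions, and for status and address in kernel_modules. The INTEGER state/enable columns are the ones detection queries filter on, so their value encoding is the most useful thing to spell out, e.g. `Column("state", INTEGER, "<describe the integer states the firewall reports>"),` with the real meanings filled in from the implementation.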
diff --git a/osquery/tables/specs/darwin/alf_services.table b/osquery/tables/specs/darwin/alf_services.table
index 0cbbc371..50c76c2f 100644
--- a/osquery/tables/specs/darwin/alf_services.table
+++ b/osquery/tables/specs/darwin/alf_services.table
@@ -1,7 +1,8 @@
 table_name("alf_services")
+description("OS X application layer firewall (Firewall) services.")
 schema([
- Column("service", TEXT),
- Column("process", TEXT),
+ Column("service", TEXT, "Firewalled service name"),
+ Column("process", TEXT, "Process name"),
 Column("state", INTEGER),
 ])
 implementation("firewall@genALFServices")
diff --git a/osquery/tables/specs/darwin/apps.table b/osquery/tables/specs/darwin/apps.table
index 57344c6d..009ada70 100644
--- a/osquery/tables/specs/darwin/apps.table
+++ b/osquery/tables/specs/darwin/apps.table
@@ -1,20 +1,21 @@
 table_name("apps")
+description("OS X applications installed in known search paths (e.g., /Applications)")
 schema([
- Column("name", TEXT),
- Column("path", TEXT),
- Column("bundle_executable", TEXT),
- Column("bundle_identifier", TEXT),
- Column("bundle_name", TEXT),
- Column("bundle_short_version", TEXT),
- Column("bundle_version", TEXT),
- Column("bundle_package_type", TEXT),
- Column("compiler", TEXT),
- Column("development_region", TEXT),
- Column("display_name", TEXT),
- Column("info_string", TEXT),
- Column("minimum_system_version", TEXT),
- Column("category", TEXT),
- Column("applescript_enabled", TEXT),
- Column("copyright", TEXT),
+ Column("name", TEXT, "Name of the Name.app folder"),
+ Column("path", TEXT, "Absolute and full Name.app path"),
+ Column("bundle_executable", TEXT, "Info properties CFBundleExecutable label"),
+ Column("bundle_identifier", TEXT, "Info properties CFBundleIdentifier label"),
+ Column("bundle_name", TEXT, "Info properties CFBundleName label"),
+ Column("bundle_short_version", TEXT, "Info properties CFBundleShortVersionString label"),
+ Column("bundle_version", TEXT, "Info properties CFBundleVersion label"),
+ Column("bundle_package_type", TEXT, "Info properties CFBundlePackageType label"),
+ Column("compiler", TEXT, "Info properties DTCompiler label"),
+ Column("development_region", TEXT, "Info properties CFBundleDevelopmentRegion label"),
+ Column("display_name", TEXT, "Info properties CFBundleDisplayName label"),
+ Column("info_string", TEXT, "Info properties CFBundleGetInfoString label"),
+ Column("minimum_system_version", TEXT, "Info properties LSMinimumSystemVersion label"),
+ Column("category", TEXT, "Info properties LSApplicationCategoryType label"),
+ Column("applescript_enabled", TEXT, "Info properties NSAppleScriptEnabled label"),
+ Column("copyright", TEXT, "Info properties NSHumanReadableCopyright label"),
 ])
 implementation("apps@genApps")
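Review bot: The new description() strings are inconsistent about terminal punctuation: this hunk's `description("OS X applications installed in known search paths (e.g., /Applications)")` has no period while rpm_packages, alf, ca_certs and others end with one, and the same unterminated form appears in iokit_devicetree, nvram, xprotect_reports, kernel_modules, acpi_tables and arp_cache. Since these strings are rendered verbatim into generated schema documentation, pick one convention for the whole commit; if the period is kept, this line becomes `description("OS X applications installed in known search paths (e.g., /Applications).")`. Also note that the column descriptions name the Info.plist key each value comes from but not that the value is read from the bundle as found on disk, which is worth one clause since unsigned or tampered bundles can carry any label they like.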
diff --git a/osquery/tables/specs/darwin/ca_certs.table b/osquery/tables/specs/darwin/ca_certs.table
index abaa556f..5034d41e 100644
--- a/osquery/tables/specs/darwin/ca_certs.table
+++ b/osquery/tables/specs/darwin/ca_certs.table
@@ -1,13 +1,14 @@
 table_name("ca_certs")
+description("Certificate Authorities installed in Keychains/ca-bundles.")
 schema([
- Column("common_name", TEXT),
- Column("not_valid_before", DATETIME),
- Column("not_valid_after", DATETIME),
- Column("key_algorithm", TEXT),
- Column("key_usage", TEXT),
- Column("subject_key_id", TEXT),
- Column("authority_key_id", TEXT),
- Column("sha1", TEXT),
+ Column("common_name", TEXT, "CommonName of the CA"),
+ Column("not_valid_before", DATETIME, "Lower bound of valid date"),
+ Column("not_valid_after", DATETIME, "Certificate expiration data"),
+ Column("key_algorithm", TEXT, "Key algorithm used"),
+ Column("key_usage", TEXT, "Certificate key usage and extended key usage"),
+ Column("subject_key_id", TEXT, "SKID an optionally included SHA1"),
+ Column("authority_key_id", TEXT, "AKID an optionally included SHA1"),
+ Column("sha1", TEXT, "SHA1 hash of the raw certificate contents"),
 ])
 implementation("ca_certs@genCerts")
diff --git a/osquery/tables/specs/darwin/homebrew_packages.table b/osquery/tables/specs/darwin/homebrew_packages.table
index 73af6ac0..ce56c5c8 100644
--- a/osquery/tables/specs/darwin/homebrew_packages.table
+++ b/osquery/tables/specs/darwin/homebrew_packages.table
@@ -1,7 +1,8 @@
 table_name("homebrew_packages")
+description("The installed homebrew package database.")
 schema([
- Column("name", TEXT),
- Column("path", TEXT),
- Column("version", TEXT),
+ Column("name", TEXT, "Package name"),
+ Column("path", TEXT, "Package install path"),
+ Column("version", TEXT, "Current 'linked' version"),
 ])
 implementation("system/homebrew_packages@genHomebrewPackages")
\ No newline at end of file
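Review bot: `Certificate expiration data` on the not_valid_after line reads as a typo for "date", and as written it does not pair with the not_valid_before description; `Column("not_valid_after", DATETIME, "Certificate expiration date"),` fixes it. The SKID/AKID descriptions `SKID an optionally included SHA1` are missing punctuation and overstate the format: the key identifier extension is optional and is commonly, but not necessarily, a SHA-1 of the public key, so `Column("subject_key_id", TEXT, "Subject Key Identifier extension, if present"),` and the matching Authority Key Identifier wording for authority_key_id describe it without committing to a hash. Since this table is the natural source for rogue-CA and expiry audits, it would also help to say whether the DATETIME columns are UTC; the hunk does not show that, so confirm against genCerts before documenting it.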
diff --git a/osquery/tables/specs/darwin/iokit_devicetree.table b/osquery/tables/specs/darwin/iokit_devicetree.table
index a0fe5150..46c73920 100644
--- a/osquery/tables/specs/darwin/iokit_devicetree.table
+++ b/osquery/tables/specs/darwin/iokit_devicetree.table
@@ -1,13 +1,14 @@
 table_name("iokit_devicetree")
+description("The IOKit DeviceTree registry")
 schema([
- Column("name", TEXT),
- Column("class", TEXT),
- Column("id", BIGINT),
- Column("parent", BIGINT),
- Column("device_path", TEXT),
- Column("service", INTEGER),
- Column("busy_state", INTEGER),
- Column("retain_count", INTEGER),
- Column("depth", INTEGER),
+ Column("name", TEXT, "Device node name"),
+ Column("class", TEXT, "Best matching device class (most-specific category)"),
+ Column("id", BIGINT, "IOKit internal registry ID"),
+ Column("parent", BIGINT, "Parent device registry ID"),
+ Column("device_path", TEXT, "Device tree path"),
+ Column("service", INTEGER, "1 if the device conforms to IOService else 0"),
+ Column("busy_state", INTEGER, "1 if the device is in a busy state else 0"),
+ Column("retain_count", INTEGER, "The device reference count"),
+ Column("depth", INTEGER, "Device nested depth"),
 ])
 implementation("system/iokit_registry@genIOKitDeviceTree")
diff --git a/osquery/tables/specs/darwin/iokit_registry.table b/osquery/tables/specs/darwin/iokit_registry.table
index d1e23632..106df65a 100644
--- a/osquery/tables/specs/darwin/iokit_registry.table
+++ b/osquery/tables/specs/darwin/iokit_registry.table
@@ -1,11 +1,12 @@
 table_name("iokit_registry")
+description("The full IOKit registry without selecting a plane.")
 schema([
- Column("name", TEXT),
- Column("class", TEXT),
- Column("id", BIGINT),
- Column("parent", BIGINT),
- Column("busy_state", INTEGER),
- Column("retain_count", INTEGER),
- Column("depth", INTEGER),
+ Column("name", TEXT, "Default name of the node"),
+ Column("class", TEXT, "Best matching device class (most-specific category)"),
+ Column("id", BIGINT, "IOKit internal registry ID"),
+ Column("parent", BIGINT, "Parent registry ID"),
+ Column("busy_state", INTEGER, "1 if the node is in a busy state else 0"),
+ Column("retain_count", INTEGER, "The node reference count"),
+ Column("depth", INTEGER, "Node nested depth"),
 ])
 implementation("system/iokit_registry@genIOKitRegistry")
diff --git a/osquery/tables/specs/darwin/kernel_extensions.table b/osquery/tables/specs/darwin/kernel_extensions.table
index 06c40c78..fdc9a248 100644
--- a/osquery/tables/specs/darwin/kernel_extensions.table
+++ b/osquery/tables/specs/darwin/kernel_extensions.table
@@ -1,11 +1,12 @@
 table_name("kernel_extensions")
+description("OS X's kernel extensions, both loaded and within the load search path.")
 schema([
 Column("idx", INTEGER),
 Column("refs", INTEGER),
 Column("size", BIGINT),
 Column("wired", BIGINT),
- Column("name", TEXT),
- Column("version", TEXT),
+ Column("name", TEXT, "Extension label"),
+ Column("version", TEXT, "Extension version"),
 Column("linked_against", TEXT),
 ])
 implementation("kextstat@genKernelExtensions")
diff --git a/osquery/tables/specs/darwin/nvram.table b/osquery/tables/specs/darwin/nvram.table
index 6f4ad0a0..f61dc2dd 100644
--- a/osquery/tables/specs/darwin/nvram.table
+++ b/osquery/tables/specs/darwin/nvram.table
@@ -1,7 +1,8 @@
 table_name("nvram")
+description("Apple NVRAM variable listing")
 schema([
- Column("name", TEXT),
- Column("type", TEXT),
- Column("value", TEXT),
+ Column("name", TEXT, "Variable name"),
+ Column("type", TEXT, "Data type (CFData, CFString, etc)"),
+ Column("value", TEXT, "Raw variable data"),
 ])
 implementation("nvram@genNVRAM")
diff --git a/osquery/tables/specs/darwin/xprotect_entries.table b/osquery/tables/specs/darwin/xprotect_entries.table
index b8856655..b99aa1c7 100644
--- a/osquery/tables/specs/darwin/xprotect_entries.table
+++ b/osquery/tables/specs/darwin/xprotect_entries.table
@@ -1,11 +1,12 @@
 table_name("xprotect_entries")
+description("Database of the machine's XProtect signatures.")
 schema([
- Column("name", TEXT, "Description of XProtect'ed malware"),
+ Column("name", TEXT, "Description of XProtected malware"),
 Column("launch_type", TEXT, "Launch services content type"),
- Column("identity", TEXT, "XProtect identity"),
- Column("filename", TEXT),
- Column("filetype", TEXT),
- Column("optional", INTEGER, "Match any of the identities/patterns."),
+ Column("identity", TEXT, "XProtect identity (SHA1) of content"),
+ Column("filename", TEXT, "Use this file name to match"),
+ Column("filetype", TEXT, "Use this file type to match"),
+ Column("optional", INTEGER, "Match any of the identities/patterns for this XProtect name"),
 Column("uses_pattern", INTEGER, "Uses a match pattern instead of identity"),
 ])
 implementation("xprotect@genXProtectEntries")
diff --git a/osquery/tables/specs/darwin/xprotect_reports.table b/osquery/tables/specs/darwin/xprotect_reports.table
index 40a06f38..2f450141 100644
--- a/osquery/tables/specs/darwin/xprotect_reports.table
+++ b/osquery/tables/specs/darwin/xprotect_reports.table
@@ -1,7 +1,8 @@
 table_name("xprotect_reports")
+description("Database of XProtect matches (if user generated/sent an XProtect report)")
 schema([
- Column("name", TEXT, "Description of XProtect'ed malware"),
+ Column("name", TEXT, "Description of XProtected malware"),
 Column("user_action", TEXT, "Action taken by user after prompted"),
- Column("time", TEXT, "Quarantine alert time."),
+ Column("time", TEXT, "Quarantine alert time"),
 ])
 implementation("xprotect@genXProtectReports")
\ No newline at end of file
diff --git a/osquery/tables/specs/linux/kernel_modules.table b/osquery/tables/specs/linux/kernel_modules.table
index 9ce31df9..1618a602 100644
--- a/osquery/tables/specs/linux/kernel_modules.table
+++ b/osquery/tables/specs/linux/kernel_modules.table
@@ -1,8 +1,9 @@
 table_name("kernel_modules")
+description("Linux kernel modules both loaded and within the load search path")
 schema([
- Column("name", TEXT),
- Column("size", TEXT),
- Column("used_by", TEXT),
+ Column("name", TEXT, "Module name"),
+ Column("size", TEXT, "Size of module content"),
+ Column("used_by", TEXT, "Module reverse dependencies"),
 Column("status", TEXT),
 Column("address", TEXT),
 ])
diff --git a/osquery/tables/specs/x/acpi_tables.table b/osquery/tables/specs/x/acpi_tables.table
index 1ed82902..0623d4d7 100644
--- a/osquery/tables/specs/x/acpi_tables.table
+++ b/osquery/tables/specs/x/acpi_tables.table
@@ -1,7 +1,8 @@
 table_name("acpi_tables")
+description("Current ACPI tables")
 schema([
- Column("name", TEXT),
- Column("size", INTEGER),
- Column("md5", TEXT),
+ Column("name", TEXT, "ACPI table name"),
+ Column("size", INTEGER, "Size of compiled table data"),
+ Column("md5", TEXT, "MD5 hash of table content"),
 ])
 implementation("system/acpi_tables@genACPITables")
diff --git a/osquery/tables/specs/x/arp_cache.table b/osquery/tables/specs/x/arp_cache.table
index ebe57b86..8f4180e4 100644
--- a/osquery/tables/specs/x/arp_cache.table
+++ b/osquery/tables/specs/x/arp_cache.table
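Review bot: In the xprotect_reports hunk the time column keeps type TEXT and its new description `Quarantine alert time` says nothing about the format, while the ca_certs hunk in the same commit uses DATETIME for its timestamps; anyone correlating XProtect matches with other event sources needs to know whether this is an epoch, an ISO string, or local time. Either state the format in the description, e.g. `Column("time", TEXT, "Quarantine alert time (<format as produced by genXProtectReports>)"),` with the real format filled in, or consider the DATETIME type used elsewhere. The kernel_modules hunk has the same ambiguity in reverse: `Size of module content` on a TEXT column gives no unit, and `Column("size", TEXT, "Size of module content in bytes"),` would be the obvious fix if that is what the implementation reports (it is outside the hunk, so confirm).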
@@ -1,8 +1,9 @@
 table_name("arp_cache")
+description("The ARP (IPv4) address cache")
 schema([
- Column("address", TEXT),
- Column("mac", TEXT),
- Column("interface", TEXT),
+ Column("address", TEXT, "IPv4 address target"),
+ Column("mac", TEXT, "MAC address of broadcasted address"),
+ Column("interface", TEXT, "Interface of the network for the MAC"),
 Column("permanent", TEXT, "1 for true, 0 for false"),
 ])
 implementation("linux/arp_cache,darwin/routes@genArpCache")
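Review bot: `MAC address of broadcasted address` on the mac line is hard to parse and does not say what the row actually pairs; the cache maps a resolved IPv4 address to the hardware address the kernel currently holds for it, so `Column("mac", TEXT, "MAC address currently cached for the IPv4 address"),` and `Column("interface", TEXT, "Interface on which the cache entry is held"),` read more naturally. Because this table is a common input for ARP-spoofing and rogue-host detection, it is worth a clause in the table description that the entries are whatever the kernel cache reports, unauthenticated by the protocol, so that consumers treat a changed mac as a signal to investigate rather than as ground truth. The `permanent` column is pre-existing, but the new description of the table could also mention it, since static entries are exactly what an administrator pins to defend against poisoning.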