osquery-1/specs/users.table

table_name("users")
description("Local user accounts (including domain accounts that have logged on locally (Windows)).")
schema([
    Column("uid", BIGINT, "User ID", index=True),
    Column("gid", BIGINT, "Group ID (unsigned)"),
    Column("uid_signed", BIGINT, "User ID as int64 signed (Apple)"),
    Column("gid_signed", BIGINT, "Default group ID as int64 signed (Apple)"),
    Column("username", TEXT, "Username", additional=True),
    Column("description", TEXT, "Optional user description"),
    Column("directory", TEXT, "User's home directory"),
    Column("shell", TEXT, "User's configured default shell"),
    Column("uuid", TEXT, "User's UUID (Apple) or SID (Windows)"),
])
extended_schema(WINDOWS, [
    Column("type", TEXT, "Whether the account is roaming (domain), local, or a system profile"),
])

extended_schema(DARWIN, [
    Column("is_hidden", INTEGER, "IsHidden attribute set in OpenDirectory")
])
implementation("users@genUsers")
examples([
  "select * from users where uid = 1000",
  "select * from users where username = 'root'",
  "select count(*) from users u, user_groups ug where u.uid = ug.uid",
])