osquery-1/specs/user_ssh_keys.table

19 lines
638 B
Plaintext

table_name("user_ssh_keys")
description("Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.")
schema([
Column("uid", BIGINT, "The local user that owns the key file",
additional=True),
Column("path", TEXT, "Path to key file", index=True),
Column("encrypted", INTEGER, "1 if key is encrypted, 0 otherwise"),
ForeignKey(column="uid", table="users"),
])
attributes(user_data=True, no_pkey=True)
implementation("user_ssh_keys@getUserSshKeys")
examples([
"select * from users join user_ssh_keys using (uid) where encrypted = 0",
])
fuzz_paths([
"/home",
"/Users",
])