Meta pixel
Fleet logo
Osquery management Security compliance Vulnerability management
SUCCESS STORIES
Wayfair Schrödinger F100 security & networking co.
Docs Releases Health checks & queries Explore data
GUIDES Deployment guides How-to guides
Community
Announcements Security Engineering Podcasts Reports
CONTRIBUTE Join the conversation Contribute to Fleet
RESOURCES Handbook Logos & artwork
Pricing Try it out
All platforms
Windows
Linux
macOS
ChromeOS
search

A menu icon Tables {{numberOfTablesDisplayed}}

right chevron down chevron

Tables{{numberOfTablesDisplayed}}

macOS logo Windows logo Linux logo macOS logo

account_policy_data

Additional macOS user account data from the AccountPolicy section of OpenDirectory.

Column Type Description
uid bigint User ID
creation_time double When the account was first created
failed_login_count bigint The number of failed login attempts using an incorrect password. Count resets after a correct password is entered.
failed_login_timestamp double The time of the last failed login attempt. Resets after a correct password is entered
password_last_set_time double The time the password was last changed

Example

Query the creation date of user accounts. You could also query the date of the last failed login attempt or password change.

SELECT strftime('%Y-%m-%d %H:%M:%S',creation_time,'unixepoch') AS creationdate FROM account_policy_data;

See each user's last password set date and number of failed logins since last successful login to detect any intrusion attempts.

SELECT u.username u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
Edit page

Need more help?

Slack logo Ask the community on Slack