👋We’re launching free support for BYOD Android devices and looking for early feedback. Interested?

Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Get started Guides Vitals Queries Policies Software OS settings Data tables API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

account_policy_data

click to open the table of contents

account​_policy​_data

Additional macOS user account data from the AccountPolicy section of OpenDirectory, the identity provider used by Apple.

Column Type Description
creation_time double When the account was first created
failed_login_count bigint The number of failed login attempts using an incorrect password. Count resets after a correct password is entered.
failed_login_timestamp double The time of the last failed login attempt. Resets after a correct password is entered
password_last_set_time double The time the password was last changed
uid bigint User ID

Example

Query the creation date of user accounts. You could also query the date of the last failed login attempt or password change.

SELECT strftime('%Y-%m-%d %H:%M:%S',creation_time,'unixepoch') AS creationdate FROM account_policy_data;

See each user's last password set date and number of failed logins since last successful login to detect any intrusion attempts.

SELECT u.username, u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;

Notes

  • The values in this OpenDirectory table are related to account creation. In the past, it was fairly common to use OpenDirectory to have a home folder (~) on a server, and then log in and get that folder wherever they are. (These days, this use case is more uncommon.)
  • To determine who is logged in to the Mac, or for example, to check the record name versus the computer's "short name", consider using the data in the DSCL table.
  • Many installers incorporate scripts due to actions that are handled by pre or post-scripts vs installer package payloads. These script actions aren't tracked in the "bill of materials" (.bom) file. So, don't blindly trust the "bill of materials" (.bom) file as the source of truth on what has or hasn't been installed.
Edit page

Questions?

Ask us anything
{{table.title}} evented table