Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

Apple

Linux

Windows

ChromeOS

security_profile_info

Information on the security profile of a given system by listing the system Account and Audit Policies. This table mimics the exported securitypolicy output from the secedit tool.

Column	Type	Description
audit_account_logon	integer	Determines whether the operating system MUST audit each time this computer validates the credentials of an account
audit_account_manage	integer	Determines whether the operating system MUST audit each event of account management on a computer
audit_ds_access	integer	Determines whether the operating system MUST audit each instance of user attempts to access an Active Directory object that has its own system access control list (SACL) specified
audit_logon_events	integer	Determines whether the operating system MUST audit each instance of a user attempt to log on or log off this computer
audit_object_access	integer	Determines whether the operating system MUST audit each instance of user attempts to access a non-Active Directory object that has its own SACL specified
audit_policy_change	integer	Determines whether the operating system MUST audit each instance of user attempts to change user rights assignment policy, audit policy, account policy, or trust policy
audit_privilege_use	integer	Determines whether the operating system MUST audit each instance of user attempts to exercise a user right
audit_process_tracking	integer	Determines whether the operating system MUST audit process-related events
audit_system_events	integer	Determines whether the operating system MUST audit System Change, System Startup, System Shutdown, Authentication Component Load, and Loss or Excess of Security events
clear_text_password	integer	Determines whether passwords MUST be stored by using reversible encryption
enable_admin_account	integer	Determines whether the Administrator account on the local computer is enabled
enable_guest_account	integer	Determines whether the Guest account on the local computer is enabled
force_logoff_when_expire	integer	Determines whether SMB client sessions with the SMB server will be forcibly disconnected when the client's logon hours expire
lockout_bad_count	integer	Number of failed logon attempts after which a user account MUST be locked out
logon_to_change_password	integer	Determines if logon session is required to change the password
lsa_anonymous_name_lookup	integer	Determines if an anonymous user is allowed to query the local LSA policy
maximum_password_age	integer	Determines the maximum number of days that a password can be used before the client requires the user to change it
minimum_password_age	integer	Determines the minimum number of days that a password must be used before the user can change it
minimum_password_length	integer	Determines the least number of characters that can make up a password for a user account
new_administrator_name	text	Determines the name of the Administrator account on the local computer
new_guest_name	text	Determines the name of the Guest account on the local computer
password_complexity	integer	Determines whether passwords must meet a series of strong-password guidelines
password_history_size	integer	Number of unique new passwords that must be associated with a user account before an old password can be reused