Tables
Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
Apple
Linux
Windows
ChromeOS
system_controls
system_controls
The sysctl binary found in many UNIX-like operating systems reads and modifies system kernel attributes. The system_controls osquery table expresses the data made available by the sysctl binary on Linux and macOS.
| Column | Type | Description |
|---|---|---|
| config_value | text | The MIB value set in /etc/sysctl.conf |
| current_value | text | Value of setting |
| field_name | text | Specific attribute of opaque type Only available on macOS and Linux |
| name | text | Full sysctl MIB name |
| oid | text | Control MIB |
| subsystem | text | Subsystem ID, control type |
| type | text | Data type |
Example
Collect the hardware model and the number of CPU cores from a Mac:
SELECT current_value,name FROM system_controls WHERE name='hw.model' OR name='hw.ncpu';Collect the reason for the last shutdown event, the duration since and timestamp of the most recent boot, and, the duration since and timestamp of the most recent wake from sleep:
SELECT current_value,name FROM system_controls WHERE name='kern.shutdownreason' OR name='kern.boottime' OR name='kern.waketime';Discover if IP Forwarding is enabled:
SELECT name,current_value FROM system_controls WHERE name='net.inet.ip.forwarding' AND current_value='1';Notes
Because the system_control table provides access to a large quantity of low-level, unique settings available via sysctl it is ideal for use in Fleet policies.
E.g., the number of CPU cores can be obtained with the following sysctl command:
% sysctl hw.ncpu
hw.ncpu: 12Questions?
SOC2 Type 2
