Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

Apple

Linux

Windows

ChromeOS

system_controls

The sysctl binary found in many UNIX-like operating systems reads and modifies system kernel attributes. The system_controls osquery table expresses the data made available by the sysctl binary on Linux and macOS.

Column	Type	Description
config_value	text	The MIB value set in /etc/sysctl.conf
current_value	text	Value of setting
field_name	text	Specific attribute of opaque type Only available on macOS and Linux
name	text	Full sysctl MIB name
oid	text	Control MIB
subsystem	text	Subsystem ID, control type
type	text	Data type

Example

Collect the hardware model and the number of CPU cores from a Mac:

SELECT current_value,name FROM system_controls WHERE name='hw.model' OR name='hw.ncpu';

Collect the reason for the last shutdown event, the duration since and timestamp of the most recent boot, and, the duration since and timestamp of the most recent wake from sleep:

SELECT current_value,name FROM system_controls WHERE name='kern.shutdownreason' OR name='kern.boottime' OR name='kern.waketime';

Discover if IP Forwarding is enabled:

SELECT name,current_value FROM system_controls WHERE name='net.inet.ip.forwarding' AND current_value='1';

Notes

Because the system_control table provides access to a large quantity of low-level, unique settings available via sysctl it is ideal for use in Fleet policies.

E.g., the number of CPU cores can be obtained with the following sysctl command: