Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

users

click to open the table of contents
macOS logo Windows logo Linux logo ChromeOS logo

users

Local user accounts (including domain accounts that have logged on locally (Windows)).

Column Type Description
description text Optional user description
Only available on macOS, Windows, and Linux
directory text User's home directory
Only available on macOS, Windows, and Linux
email text Email
Only available on chrome
gid bigint Group ID (unsigned)
Only available on macOS, Windows, and Linux
gid_signed bigint Default group ID as int64 signed (Apple)
Only available on macOS, Windows, and Linux
is_hidden integer IsHidden attribute set in OpenDirectory
Only available on macOS
pid_with_namespace integer Pids that contain a namespace
Only available on Linux
shell text User's configured default shell
Only available on macOS, Windows, and Linux
type text Whether the account is roaming (domain), local, or a system profile
Only available on Windows
uid bigint User ID
uid_signed bigint User ID as int64 signed (Apple)
Only available on macOS, Windows, and Linux
username text Username
uuid text User's UUID (Apple) or SID (Windows)

Example

List users that have interactive access via a shell that isn't false.

SELECT * FROM users WHERE shell!='/usr/bin/false';

Notes

Edit page

Questions?

Ask us anything
{{table.title}} evented table