
Make Group ID columns consistent across Windows tables by mike-myers-tob · Pull...

 2 years ago
source link: https://github.com/osquery/osquery/pull/6987

Closes #4264 by changing the behavior of users and processes to retrieve Group IDs the same way that groups does. See the issue for a longer explanation.

With the corrected behavior, observe that the gid values are of Local Groups and are consistent across tables, making it possible to JOIN on this column:

osquery> select * from users;
+------+-----+------------+------------+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+-----------------------------+-----------------------------------------------+---------+
| uid  | gid | uid_signed | gid_signed | username           | description                                                                                     | directory                                   | shell                       | uuid                                          | type    |
+------+-----+------------+------------+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+-----------------------------+-----------------------------------------------+---------+
| 500  | 544 | 500        | 544        | Administrator      | Built-in account for administering the computer/domain                                          |                                             | C:\Windows\system32\cmd.exe | S-1-5-21-1834681238-529199191-1868829719-500  | local   |
| 503  | 581 | 503        | 581        | DefaultAccount     | A user account managed by the system.                                                           |                                             | C:\Windows\system32\cmd.exe | S-1-5-21-1834681238-529199191-1868829719-503  | local   |
| 501  | 546 | 501        | 546        | Guest              | Built-in account for guest access to the computer/domain                                        |                                             | C:\Windows\system32\cmd.exe | S-1-5-21-1834681238-529199191-1868829719-501  | local   |
| 1002 | 544 | 1002       | 544        | mmyers             |                                                                                                 | C:\Users\mmyers                             | C:\Windows\system32\cmd.exe | S-1-5-21-1834681238-529199191-1868829719-1002 | local   |
| 504  | 513 | 504        | 513        | WDAGUtilityAccount | A user account managed and used by the system for Windows Defender Application Guard scenarios. |                                             | C:\Windows\system32\cmd.exe | S-1-5-21-1834681238-529199191-1868829719-504  | local   |
| 18   | 18  | 18         | 18         | SYSTEM             |                                                                                                 | %systemroot%\system32\config\systemprofile  | C:\Windows\system32\cmd.exe | S-1-5-18                                      | special |
| 19   | 19  | 19         | 19         | LOCAL SERVICE      |                                                                                                 | %systemroot%\ServiceProfiles\LocalService   | C:\Windows\system32\cmd.exe | S-1-5-19                                      | special |
| 20   | 20  | 20         | 20         | NETWORK SERVICE    |                                                                                                 | %systemroot%\ServiceProfiles\NetworkService | C:\Windows\system32\cmd.exe | S-1-5-20                                      | special |
+------+-----+------------+------------+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+-----------------------------+-----------------------------------------------+---------+
osquery> SELECT uid, gid from processes where path like "%osquery%";
+------+-----+
| uid  | gid |
+------+-----+
| 1002 | 544 |
+------+-----+
osquery> select * from groups;
+-----+------------+-------------------------------------+--------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| gid | gid_signed | groupname                           | group_sid    | comment                                                                                                                                                                                                        |
+-----+------------+-------------------------------------+--------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 579 | 579        | Access Control Assistance Operators | S-1-5-32-579 | Members of this group can remotely query authorization attributes and permissions for resources on this computer.                                                                                              |
| 544 | 544        | Administrators                      | S-1-5-32-544 | Administrators have complete and unrestricted access to the computer/domain                                                                                                                                    |
| 551 | 551        | Backup Operators                    | S-1-5-32-551 | Backup Operators can override security restrictions for the sole purpose of backing up or restoring files                                                                                                      |
| 569 | 569        | Cryptographic Operators             | S-1-5-32-569 | Members are authorized to perform cryptographic operations.                                                                                                                                                    |
| 562 | 562        | Distributed COM Users               | S-1-5-32-562 | Members are allowed to launch, activate and use Distributed COM objects on this machine.                                                                                                                       |
| 573 | 573        | Event Log Readers                   | S-1-5-32-573 | Members of this group can read event logs from local machine                                                                                                                                                   |
| 546 | 546        | Guests                              | S-1-5-32-546 | Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted                                                                                 |
| 578 | 578        | Hyper-V Administrators              | S-1-5-32-578 | Members of this group have complete and unrestricted access to all features of Hyper-V.                                                                                                                        |
| 568 | 568        | IIS_IUSRS                           | S-1-5-32-568 | Built-in group used by Internet Information Services.                                                                                                                                                          |
| 556 | 556        | Network Configuration Operators     | S-1-5-32-556 | Members in this group can have some administrative privileges to manage configuration of networking features                                                                                                   |
| 559 | 559        | Performance Log Users               | S-1-5-32-559 | Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer                                       |
| 558 | 558        | Performance Monitor Users           | S-1-5-32-558 | Members of this group can access performance counter data locally and remotely                                                                                                                                 |
| 547 | 547        | Power Users                         | S-1-5-32-547 | Power Users are included for backwards compatibility and possess limited administrative powers                                                                                                                 |
| 555 | 555        | Remote Desktop Users                | S-1-5-32-555 | Members in this group are granted the right to logon remotely                                                                                                                                                  |
| 580 | 580        | Remote Management Users             | S-1-5-32-580 | Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. |
| 552 | 552        | Replicator                          | S-1-5-32-552 | Supports file replication in a domain                                                                                                                                                                          |
| 581 | 581        | System Managed Accounts Group       | S-1-5-32-581 | Members of this group are managed by the system.                                                                                                                                                               |
| 545 | 545        | Users                               | S-1-5-32-545 | Users are prevented from making accidental or intentional system-wide changes and can run most applications                                                                                                    |
+-----+------------+-------------------------------------+--------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
osquery> select users.uid, users.username, groups.gid, groups.groupname from users join groups join user_groups on users.uid=user_groups.uid and groups.gid=user_groups.gid;
+------+----------------+-----+-------------------------------+
| uid  | username       | gid | groupname                     |
+------+----------------+-----+-------------------------------+
| 500  | Administrator  | 544 | Administrators                |
| 503  | DefaultAccount | 581 | System Managed Accounts Group |
| 501  | Guest          | 546 | Guests                        |
| 1002 | mmyers         | 544 | Administrators                |
| 1002 | mmyers         | 545 | Users                         |
+------+----------------+-----+-------------------------------+
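As an added example (not part of the pull request), two queries that depend on the consistent gid semantics described above: the first joins processes to groups by gid to show which running processes carry the built-in Administrators group (S-1-5-32-544) as their primary group, and the second is a sanity check that would flag any users row whose gid no longer resolves to a local group, which is what a regression of this change would look like. The table and column names are the osquery ones shown in the output above; the aliases are the example's own.

```sql
-- Processes whose primary group is the local Administrators group.
-- Relies on processes.gid and groups.gid referring to the same
-- Local Group IDs, which is what this change makes true on Windows.
SELECT p.pid,
       p.name,
       p.path,
       u.username,
       p.gid,
       g.groupname,
       g.group_sid
FROM processes AS p
JOIN users  AS u ON u.uid = p.uid
JOIN groups AS g ON g.gid = p.gid
WHERE g.group_sid = 'S-1-5-32-544';

-- Consistency check: every local user's gid should match a groups row.
-- Any row returned here means the gid column has drifted back to a
-- value that cannot be joined against groups (the pre-fix behaviour).
SELECT u.uid,
       u.username,
       u.gid
FROM users AS u
LEFT JOIN groups AS g ON g.gid = u.gid
WHERE u.type = 'local'
  AND g.gid IS NULL;
```

Run against the sample data above, the first query returns the osquery process as uid 1002 / mmyers / gid 544 / Administrators, and the second returns no rows.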
