For testing, you can load the extension with `osqueryi`.

By default, osquery will not load extensions that are not owned by root. You can either change the ownership of `macadmins_extension.ext` to root, or run osquery with the `--allow_unsafe` flag.

```bash
osqueryi --extension /path/to/macadmins_extension.ext
```
For production deployment, you should refer to the osquery documentation.
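
A deployment script can check the ownership requirement described above before starting osquery, instead of falling back to `--allow_unsafe`. This is an added example, not code from the extension or from osquery; the function name `ext_owner_ok`, and the extra checks on write bits and on the containing directory, are assumptions about sensible hygiene rather than a reproduction of osquery's own check.

```shell
# Added example (not part of the macadmins extension or osquery).
# ext_owner_ok PATH [UID]
# Succeeds only if PATH is a regular, non-symlink file owned by UID
# (default 0 = root) and neither the file nor its directory is
# group- or world-writable.
ext_owner_ok() {
    ext_path=$1
    want_uid=${2:-0}

    if [ -L "$ext_path" ] || [ ! -f "$ext_path" ]; then
        echo "refusing: $ext_path is not a regular file" >&2
        return 1
    fi

    for target in "$ext_path" "$(dirname "$ext_path")"; do
        # ls -ldn prints the mode string and numeric owner on macOS and Linux
        listing=$(ls -ldn "$target") || return 1
        mode=$(printf '%s\n' "$listing" | awk '{print $1}')
        uid=$(printf '%s\n' "$listing" | awk '{print $3}')

        if [ "$uid" != "$want_uid" ]; then
            echo "refusing: $target owned by uid $uid, want $want_uid" >&2
            return 1
        fi
        # Character 6 of the mode string is group-write, character 9 is other-write
        case $mode in
            ?????w*|????????w*)
                echo "refusing: $target is group/world-writable ($mode)" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Usage (path is the placeholder used on this page):
#   ext_owner_ok /path/to/macadmins_extension.ext &&
#       osqueryi --extension /path/to/macadmins_extension.ext
```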

Table | Description | Platforms | Notes |
---|---|---|---|
filevault_users | Information on the users able to unlock the current boot volume when encrypted with FileVault | macOS | |
google_chrome_profiles | Profiles configured in Google Chrome. | Linux / macOS / Windows | |
mdm | Information on the device's MDM enrollment | macOS | Code based on work by Kolide |
munki_info | Information from the last Munki run | macOS | Code based on work by Kolide |
munki_installs | Items Munki is managing | macOS | Code based on work by Kolide |
puppet_info | Information on the last Puppet run | Linux / macOS / Windows | |
puppet_logs | Logs from the last Puppet run | Linux / macOS / Windows | |
puppet_state | State of every resource Puppet is managing | Linux / macOS / Windows | |
unified_log | Results from macOS' Unified Log | macOS | Use the constraints `predicate` and `last` to limit the number of results you pull, or this will not be very performant at all (`select * from unified_log where last="1h" and predicate='processImagePath contains "mdmclient"';`) |