How to List Users Across All Mac, Windows, and Linux Devices
Using Kolide, you can easily view and query Users across your fleet.
Introduction
Most modern operating systems (including macOS, Windows, and common Linux distributions) include the concept of users. A user account allows an end user to authenticate to a system (typically by logging in with a password) and access the resources they have permission to view or modify.
Each user on a device is represented by a unique identifier (typically a UID), which allows the operating system to correlate that user with the various resources and their individual access permissions.
Each user account typically has a home directory where they can store data, which is inaccessible to other users on the device (without authentication).
Users can belong to one or more user groups, which grant them additional privileges or permissions. For example, on a macOS device a user may be part of the 'admin' group, which allows them to perform certain actions (such as creating or deleting other user accounts and changing system-wide settings).
What User Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Users from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Users Schema
Column | Type | Description |
---|---|---|
id | Primary Key | Unique identifier for the object |
device_id | Foreign Key | Device associated with the entry |
device_name | Text | Display name of the device associated with the entry |
description | Text | Optional user description |
directory | Text | User's home directory |
failed_logins_count | Bigint | The number of failed login attempts using an incorrect password. Count resets after a correct password is entered. Data only available for: Note on data collection: On macOS this data is collected only for user accounts that are listed in the Users & Groups preference pane in the System Preferences app. On Windows this information is obtained from WMI. |
gid | Text | Group ID |
gid_signed | Bigint | User ID as int64 signed. Data only available for: |
last_logged_in_at | Timestamp | The time the user last logged on to the system. Data only available for: |
logins_count | Bigint | The number of times the account was logged in. Note on data collection: On macOS and Linux, this information is obtained via the |
password_expires_at | Timestamp | The time the password is scheduled to expire. Data only available for: |
password_last_set_at | Timestamp | The time the password was last changed. Data only available for: |
shell | Text | User's configured default shell |
type | Text | Whether the account is roaming (domain), local, or a system profile. Data only available for: |
uid | Text | User ID |
uid_signed | Bigint | User ID as int64 signed. Data only available for: |
user_created_at | Timestamp | When the account was first created. Data only available for: Note on data collection: On macOS this data is collected only for user accounts that are listed in the Users & Groups preference pane in the System Preferences app. |
username | Text | The unique username used to log in |
uuid | Text | User's UUID (macOS) or SID (Windows). Data only available for: |
windows_user_type | Enum::Text | Type of account to which the user has privileges. Data only available for: Can be one of the following: |
collected_at | Timestamp | Time the row of data was first collected in the database |
updated_at | Timestamp | Time the row of data was last changed in the database |
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
```sql
SELECT
  device_name,
  username,
  password_last_set_at,
  ROUND(EXTRACT(epoch FROM CURRENT_TIMESTAMP(0)::TIMESTAMP WITHOUT TIME ZONE - password_last_set_at)/86400) AS password_age_days
FROM device_users
WHERE password_last_set_at IS NOT NULL
  -- Specify threshold for password age
  AND password_last_set_at < (NOW() - interval '90 days')
  -- Omit system accounts on macOS
  AND uuid NOT LIKE 'FFFFEEEE%';
```
username | device_name | password_age_days | password_last_set_at |
---|---|---|---|
jenkins | Jenkins-MacBook-Pro | 131 | 2022-01-15T22:11:28.000Z |
corbin | corbin-mbp-2 | 873 | 2020-01-04T20:21:26.000Z |
ashley | Ashleys-MacBook-Pro-3 | 160 | 2021-12-17T19:41:55.000Z |
max-headroom | Maxs-MacBook-Air | 481 | 2021-01-30T16:56:22.000Z |
enoch | enoch-imac | 623 | 2020-09-10T20:00:15.000Z |
```sql
WITH
_human_users AS (
  SELECT
    device_name, uid, username, directory, shell, uuid, d.type AS device_type
  FROM device_users du
  JOIN devices d ON du.device_id = d.id
  -- Omit system accounts on macOS
  WHERE SUBSTR(uuid,1,7) != 'FFFFEEE'
    -- Omit accounts whose shell is /usr/bin/false
    AND shell != '/usr/bin/false'
    -- Keep only accounts with a home directory under /Users
    AND directory LIKE '/Users/%'
    AND d.type = 'Mac'
  GROUP BY device_name, username, uid, directory, shell, uuid, d.type
),
merge_user_data AS (
  SELECT
    device_name, uid, username, shell
  FROM _human_users
)
SELECT * FROM merge_user_data;
```
uid | shell | username | device_name |
---|---|---|---|
501 | /bin/zsh | jarvis | Tonys-MacBook-Pro |
501 | /bin/zsh | dave | daves-imac |
501 | /bin/bash | alicia | Alicias-MacBook-Air |
501 | /bin/zsh | fyne | balthazar |
501 | /bin/zsh | caitlin | Caitlins-MacBook-Pro |
501 | /bin/zsh | zoomroom | Conference-Room-Zoom |
501 | /bin/zsh | chris | Chris-M1 |
Why Should I Collect Users?
Understanding the user accounts on a device, and the level of permission each one has, is a common device compliance requirement for Security and IT teams. It is generally recommended that you have no more accounts with admin-level privileges than absolutely necessary.
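As an added example (not a Kolide-provided query), the following rolls the per-account rows up to one row per Mac so that devices with several human accounts or repeated failed logins stand out for review. It reuses the `device_users` and `devices` tables and the human-account filters from the queries above; the thresholds (more than one account, five failed logins) are assumptions to tune for your fleet.

```sql
-- Added example: per-device account review list for Macs.
-- Thresholds below are illustrative assumptions, not Kolide defaults.
WITH human_users AS (
  SELECT
    du.device_id,
    du.device_name,
    du.username,
    du.failed_logins_count,
    du.password_last_set_at
  FROM device_users du
  JOIN devices d ON du.device_id = d.id
  WHERE d.type = 'Mac'
    -- Same human-account filters as the queries above
    AND du.uuid NOT LIKE 'FFFFEEEE%'
    AND du.shell != '/usr/bin/false'
    AND du.directory LIKE '/Users/%'
)
SELECT
  device_name,
  COUNT(*) AS human_account_count,
  -- All human usernames on the device, for quick triage
  STRING_AGG(username, ', ' ORDER BY username) AS usernames,
  -- Treat "no data collected" as zero failed logins
  MAX(COALESCE(failed_logins_count, 0)) AS max_failed_logins,
  -- Oldest password on the device (NULLs are ignored by MIN)
  MIN(password_last_set_at) AS oldest_password_set_at
FROM human_users
GROUP BY device_id, device_name
HAVING COUNT(*) > 1                                   -- more than one human account
    OR MAX(COALESCE(failed_logins_count, 0)) >= 5     -- repeated failed logins
ORDER BY human_account_count DESC, device_name;
```

Grouping on `device_id` as well as `device_name` keeps two devices that share a display name from being merged into one row.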
Many applications are installed on a per-user basis and it can be important to collect user information in order to correlate specific software or preferences with an individual user account.
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
User information may contain usernames or full names of private (non-work) accounts which are not intended to be shared with an employer. For example, if you are using a BYOD device and you keep a separate user account for contracting work for another company, you may wish not to share this information with your organization.
When you use Kolide to list User data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which employees can access directly.