rssd-init.understand service schema (Generative AI Large Language Model Prompt)
Understand the following structure of an SQLite database designed to store cybersecurity and compliance data for files in a file system.
The database is designed to store devices in the 'device' table and entities called 'resources' stored in the immutable append-only
'uniform_resource' table. Each time files are "walked" they are stored in ingestion session and link back to 'uniform_resource'. Because all
tables are generally append only and immutable it means that the ingest_session_fs_path_entry table can be used for revision control
and historical tracking of file changes.
Use the following SQLite Schema to generate SQL queries that interact with these tables and once you understand them let me know so I can ask you for help:
-- code provenance: `RssdInitSqlNotebook.v001_once_initialDDL` (file:///home/baasit/www.surveilr.com/lib/std/lifecycle.sql.ts)
CREATE TABLE IF NOT EXISTS "party_type" (
"party_type_id" ULID PRIMARY KEY NOT NULL,
"code" TEXT /* UNIQUE COLUMN */ NOT NULL,
"value" TEXT NOT NULL,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("code")
);
CREATE TABLE IF NOT EXISTS "party" (
"party_id" VARCHAR PRIMARY KEY NOT NULL,
"party_type_id" ULID NOT NULL,
"party_name" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("party_type_id") REFERENCES "party_type"("party_type_id")
);
CREATE TABLE IF NOT EXISTS "party_relation_type" (
"party_relation_type_id" ULID PRIMARY KEY NOT NULL,
"code" TEXT /* UNIQUE COLUMN */ NOT NULL,
"value" TEXT NOT NULL,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("code")
);
CREATE TABLE IF NOT EXISTS "party_relation" (
"party_relation_id" VARCHAR PRIMARY KEY NOT NULL,
"party_id" VARCHAR NOT NULL,
"related_party_id" VARCHAR NOT NULL,
"relation_type_id" ULID NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("party_id") REFERENCES "party"("party_id"),
FOREIGN KEY("related_party_id") REFERENCES "party"("party_id"),
FOREIGN KEY("relation_type_id") REFERENCES "party_relation_type"("party_relation_type_id"),
UNIQUE("party_id", "related_party_id", "relation_type_id")
);
CREATE TABLE IF NOT EXISTS "gender_type" (
"gender_type_id" ULID PRIMARY KEY NOT NULL,
"code" TEXT /* UNIQUE COLUMN */ NOT NULL,
"value" TEXT NOT NULL,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("code")
);
CREATE TABLE IF NOT EXISTS "sex_type" (
"sex_type_id" ULID PRIMARY KEY NOT NULL,
"code" TEXT /* UNIQUE COLUMN */ NOT NULL,
"value" TEXT NOT NULL,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("code")
);
CREATE TABLE IF NOT EXISTS "person_type" (
"person_type_id" ULID PRIMARY KEY NOT NULL,
"code" TEXT /* UNIQUE COLUMN */ NOT NULL,
"value" TEXT NOT NULL,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("code")
);
CREATE TABLE IF NOT EXISTS "person" (
"person_id" ULID PRIMARY KEY NOT NULL,
"party_id" VARCHAR NOT NULL,
"person_type_id" ULID NOT NULL,
"person_first_name" TEXT NOT NULL,
"person_middle_name" TEXT,
"person_last_name" TEXT NOT NULL,
"previous_name" TEXT,
"honorific_prefix" TEXT,
"honorific_suffix" TEXT,
"gender_id" ULID NOT NULL,
"sex_id" ULID NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("party_id") REFERENCES "party"("party_id"),
FOREIGN KEY("person_type_id") REFERENCES "person_type"("person_type_id"),
FOREIGN KEY("gender_id") REFERENCES "gender_type"("gender_type_id"),
FOREIGN KEY("sex_id") REFERENCES "sex_type"("sex_type_id")
);
CREATE TABLE IF NOT EXISTS "organization" (
"organization_id" ULID PRIMARY KEY NOT NULL,
"party_id" VARCHAR NOT NULL,
"name" TEXT NOT NULL,
"alias" TEXT,
"description" TEXT,
"license" TEXT NOT NULL,
"federal_tax_id_num" TEXT,
"registration_date" DATE NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("party_id") REFERENCES "party"("party_id")
);
CREATE TABLE IF NOT EXISTS "organization_role_type" (
"organization_role_type_id" ULID PRIMARY KEY NOT NULL,
"code" TEXT /* UNIQUE COLUMN */ NOT NULL,
"value" TEXT NOT NULL,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("code")
);
CREATE TABLE IF NOT EXISTS "organization_role" (
"organization_role_id" VARCHAR PRIMARY KEY NOT NULL,
"person_id" VARCHAR NOT NULL,
"organization_id" VARCHAR NOT NULL,
"organization_role_type_id" ULID NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("person_id") REFERENCES "party"("party_id"),
FOREIGN KEY("organization_id") REFERENCES "party"("party_id"),
FOREIGN KEY("organization_role_type_id") REFERENCES "organization_role_type"("organization_role_type_id"),
UNIQUE("person_id", "organization_id", "organization_role_type_id")
);
CREATE TABLE IF NOT EXISTS "device" (
"device_id" VARCHAR PRIMARY KEY NOT NULL,
"name" TEXT NOT NULL,
"state" TEXT CHECK(json_valid(state)) NOT NULL,
"boundary" TEXT NOT NULL,
"segmentation" TEXT CHECK(json_valid(segmentation) OR segmentation IS NULL),
"state_sysinfo" TEXT CHECK(json_valid(state_sysinfo) OR state_sysinfo IS NULL),
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("name", "state", "boundary")
);
CREATE TABLE IF NOT EXISTS "device_party_relationship" (
"device_party_relationship_id" VARCHAR PRIMARY KEY NOT NULL,
"device_id" VARCHAR NOT NULL,
"party_id" VARCHAR NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("device_id") REFERENCES "device"("device_id"),
FOREIGN KEY("party_id") REFERENCES "party"("party_id"),
UNIQUE("device_id", "party_id")
);
CREATE TABLE IF NOT EXISTS "behavior" (
"behavior_id" VARCHAR PRIMARY KEY NOT NULL,
"device_id" VARCHAR NOT NULL,
"behavior_name" TEXT NOT NULL,
"behavior_conf_json" TEXT CHECK(json_valid(behavior_conf_json)) NOT NULL,
"assurance_schema_id" VARCHAR,
"governance" TEXT CHECK(json_valid(governance) OR governance IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("device_id") REFERENCES "device"("device_id"),
FOREIGN KEY("assurance_schema_id") REFERENCES "assurance_schema"("assurance_schema_id"),
UNIQUE("device_id", "behavior_name")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_resource_path_match_rule" (
"ur_ingest_resource_path_match_rule_id" VARCHAR PRIMARY KEY NOT NULL,
"namespace" TEXT NOT NULL,
"regex" TEXT NOT NULL,
"flags" TEXT NOT NULL,
"nature" TEXT,
"priority" TEXT,
"description" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("namespace", "regex")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_resource_path_rewrite_rule" (
"ur_ingest_resource_path_rewrite_rule_id" VARCHAR PRIMARY KEY NOT NULL,
"namespace" TEXT NOT NULL,
"regex" TEXT NOT NULL,
"replace" TEXT NOT NULL,
"priority" TEXT,
"description" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("namespace", "regex", "replace")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session" (
"ur_ingest_session_id" VARCHAR PRIMARY KEY NOT NULL,
"device_id" VARCHAR NOT NULL,
"behavior_id" VARCHAR,
"behavior_json" TEXT CHECK(json_valid(behavior_json) OR behavior_json IS NULL),
"ingest_started_at" TIMESTAMPTZ NOT NULL,
"ingest_finished_at" TIMESTAMPTZ,
"session_agent" TEXT CHECK(json_valid(session_agent)) NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("device_id") REFERENCES "device"("device_id"),
FOREIGN KEY("behavior_id") REFERENCES "behavior"("behavior_id"),
UNIQUE("device_id", "created_at")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_fs_path" (
"ur_ingest_session_fs_path_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"root_path" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
UNIQUE("ingest_session_id", "root_path", "created_at")
);
CREATE TABLE IF NOT EXISTS "uniform_resource" (
"uniform_resource_id" VARCHAR PRIMARY KEY NOT NULL,
"device_id" VARCHAR NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"ingest_fs_path_id" VARCHAR,
"ingest_session_imap_acct_folder_message" VARCHAR,
"ingest_issue_acct_project_id" VARCHAR,
"uri" TEXT NOT NULL,
"content_digest" TEXT NOT NULL,
"content" BLOB,
"nature" TEXT,
"size_bytes" INTEGER,
"last_modified_at" TIMESTAMPTZ,
"content_fm_body_attrs" TEXT CHECK(json_valid(content_fm_body_attrs) OR content_fm_body_attrs IS NULL),
"frontmatter" TEXT CHECK(json_valid(frontmatter) OR frontmatter IS NULL),
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("device_id") REFERENCES "device"("device_id"),
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
FOREIGN KEY("ingest_fs_path_id") REFERENCES "ur_ingest_session_fs_path"("ur_ingest_session_fs_path_id"),
FOREIGN KEY("ingest_session_imap_acct_folder_message") REFERENCES "ur_ingest_session_imap_acct_folder_message"("ur_ingest_session_imap_acct_folder_message_id"),
FOREIGN KEY("ingest_issue_acct_project_id") REFERENCES "ur_ingest_session_plm_acct_project"("ur_ingest_session_plm_acct_project_id"),
UNIQUE("device_id", "content_digest", "uri", "size_bytes")
);
CREATE TABLE IF NOT EXISTS "uniform_resource_transform" (
"uniform_resource_transform_id" VARCHAR PRIMARY KEY NOT NULL,
"uniform_resource_id" VARCHAR NOT NULL,
"uri" TEXT NOT NULL,
"content_digest" TEXT NOT NULL,
"content" BLOB,
"nature" TEXT,
"size_bytes" INTEGER,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("uniform_resource_id") REFERENCES "uniform_resource"("uniform_resource_id"),
UNIQUE("uniform_resource_id", "content_digest", "nature", "size_bytes")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_fs_path_entry" (
"ur_ingest_session_fs_path_entry_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"ingest_fs_path_id" VARCHAR NOT NULL,
"uniform_resource_id" VARCHAR,
"file_path_abs" TEXT NOT NULL,
"file_path_rel_parent" TEXT NOT NULL,
"file_path_rel" TEXT NOT NULL,
"file_basename" TEXT NOT NULL,
"file_extn" TEXT,
"captured_executable" TEXT CHECK(json_valid(captured_executable) OR captured_executable IS NULL),
"ur_status" TEXT,
"ur_diagnostics" TEXT CHECK(json_valid(ur_diagnostics) OR ur_diagnostics IS NULL),
"ur_transformations" TEXT CHECK(json_valid(ur_transformations) OR ur_transformations IS NULL),
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
FOREIGN KEY("ingest_fs_path_id") REFERENCES "ur_ingest_session_fs_path"("ur_ingest_session_fs_path_id"),
FOREIGN KEY("uniform_resource_id") REFERENCES "uniform_resource"("uniform_resource_id")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_task" (
"ur_ingest_session_task_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"uniform_resource_id" VARCHAR,
"captured_executable" TEXT CHECK(json_valid(captured_executable)) NOT NULL,
"ur_status" TEXT,
"ur_diagnostics" TEXT CHECK(json_valid(ur_diagnostics) OR ur_diagnostics IS NULL),
"ur_transformations" TEXT CHECK(json_valid(ur_transformations) OR ur_transformations IS NULL),
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
FOREIGN KEY("uniform_resource_id") REFERENCES "uniform_resource"("uniform_resource_id")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_imap_account" (
"ur_ingest_session_imap_account_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"email" TEXT,
"password" TEXT,
"host" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
UNIQUE("ingest_session_id", "email")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_imap_acct_folder" (
"ur_ingest_session_imap_acct_folder_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"ingest_account_id" VARCHAR NOT NULL,
"folder_name" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
FOREIGN KEY("ingest_account_id") REFERENCES "ur_ingest_session_imap_account"("ur_ingest_session_imap_account_id"),
UNIQUE("ingest_account_id", "folder_name")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_imap_acct_folder_message" (
"ur_ingest_session_imap_acct_folder_message_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"ingest_imap_acct_folder_id" VARCHAR NOT NULL,
"message" TEXT NOT NULL,
"message_id" TEXT NOT NULL,
"subject" TEXT NOT NULL,
"from" TEXT NOT NULL,
"cc" TEXT CHECK(json_valid(cc)) NOT NULL,
"bcc" TEXT CHECK(json_valid(bcc)) NOT NULL,
"status" TEXT[] NOT NULL,
"date" DATE,
"email_references" TEXT CHECK(json_valid(email_references)) NOT NULL,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
FOREIGN KEY("ingest_imap_acct_folder_id") REFERENCES "ur_ingest_session_imap_acct_folder"("ur_ingest_session_imap_acct_folder_id"),
UNIQUE("message", "message_id")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_account" (
"ur_ingest_session_plm_account_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"provider" TEXT NOT NULL,
"org_name" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
UNIQUE("provider", "org_name")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_acct_project" (
"ur_ingest_session_plm_acct_project_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"ingest_account_id" VARCHAR NOT NULL,
"parent_project_id" TEXT,
"name" TEXT NOT NULL,
"description" TEXT,
"id" TEXT,
"key" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
FOREIGN KEY("ingest_account_id") REFERENCES "ur_ingest_session_plm_account"("ur_ingest_session_plm_account_id"),
UNIQUE("name", "description")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_acct_project_issue" (
"ur_ingest_session_plm_acct_project_issue_id" VARCHAR PRIMARY KEY NOT NULL,
"ingest_session_id" VARCHAR NOT NULL,
"ur_ingest_session_plm_acct_project_id" VARCHAR NOT NULL,
"uniform_resource_id" VARCHAR,
"issue_id" TEXT NOT NULL,
"issue_number" INTEGER,
"parent_issue_id" TEXT,
"title" TEXT NOT NULL,
"body" TEXT,
"body_text" TEXT,
"body_html" TEXT,
"state" TEXT NOT NULL,
"assigned_to" TEXT,
"user" VARCHAR NOT NULL,
"url" TEXT NOT NULL,
"closed_at" TEXT,
"issue_type_id" VARCHAR,
"time_estimate" INTEGER,
"aggregate_time_estimate" INTEGER,
"time_original_estimate" INTEGER,
"time_spent" INTEGER,
"aggregate_time_spent" INTEGER,
"aggregate_time_original_estimate" INTEGER,
"workratio" INTEGER,
"current_progress" INTEGER,
"total_progress" INTEGER,
"resolution_name" TEXT,
"resolution_date" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
FOREIGN KEY("ur_ingest_session_plm_acct_project_id") REFERENCES "ur_ingest_session_plm_acct_project"("ur_ingest_session_plm_acct_project_id"),
FOREIGN KEY("uniform_resource_id") REFERENCES "uniform_resource"("uniform_resource_id"),
FOREIGN KEY("user") REFERENCES "ur_ingest_session_plm_user"("ur_ingest_session_plm_user_id"),
FOREIGN KEY("issue_type_id") REFERENCES "ur_ingest_session_plm_issue_type"("ur_ingest_session_plm_issue_type_id"),
UNIQUE("title", "issue_id", "state", "assigned_to")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_acct_label" (
"ur_ingest_session_plm_acct_label_id" VARCHAR PRIMARY KEY NOT NULL,
"ur_ingest_session_plm_acct_project_id" VARCHAR NOT NULL,
"ur_ingest_session_plm_acct_project_issue_id" VARCHAR NOT NULL,
"label" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ur_ingest_session_plm_acct_project_id") REFERENCES "ur_ingest_session_plm_acct_project"("ur_ingest_session_plm_acct_project_id"),
FOREIGN KEY("ur_ingest_session_plm_acct_project_issue_id") REFERENCES "ur_ingest_session_plm_acct_project_issue"("ur_ingest_session_plm_acct_project_issue_id")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_milestone" (
"ur_ingest_session_plm_milestone_id" VARCHAR PRIMARY KEY NOT NULL,
"ur_ingest_session_plm_acct_project_id" VARCHAR NOT NULL,
"title" TEXT NOT NULL,
"milestone_id" TEXT NOT NULL,
"url" TEXT NOT NULL,
"html_url" TEXT NOT NULL,
"open_issues" INTEGER,
"closed_issues" INTEGER,
"due_on" TIMESTAMPTZ,
"closed_at" TIMESTAMPTZ,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ur_ingest_session_plm_acct_project_id") REFERENCES "ur_ingest_session_plm_acct_project"("ur_ingest_session_plm_acct_project_id")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_acct_relationship" (
"ur_ingest_session_plm_acct_relationship_id" VARCHAR PRIMARY KEY NOT NULL,
"ur_ingest_session_plm_acct_project_id_prime" VARCHAR NOT NULL,
"ur_ingest_session_plm_acct_project_id_related" TEXT NOT NULL,
"ur_ingest_session_plm_acct_project_issue_id_prime" VARCHAR NOT NULL,
"ur_ingest_session_plm_acct_project_issue_id_related" TEXT NOT NULL,
"relationship" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ur_ingest_session_plm_acct_project_id_prime") REFERENCES "ur_ingest_session_plm_acct_project"("ur_ingest_session_plm_acct_project_id"),
FOREIGN KEY("ur_ingest_session_plm_acct_project_issue_id_prime") REFERENCES "ur_ingest_session_plm_acct_project_issue"("ur_ingest_session_plm_acct_project_issue_id")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_user" (
"ur_ingest_session_plm_user_id" VARCHAR PRIMARY KEY NOT NULL,
"user_id" TEXT NOT NULL,
"login" TEXT NOT NULL,
"email" TEXT,
"name" TEXT,
"url" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("user_id", "login")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_comment" (
"ur_ingest_session_plm_comment_id" VARCHAR PRIMARY KEY NOT NULL,
"ur_ingest_session_plm_acct_project_issue_id" VARCHAR NOT NULL,
"comment_id" TEXT NOT NULL,
"node_id" TEXT NOT NULL,
"url" TEXT NOT NULL,
"body" TEXT,
"body_text" TEXT,
"body_html" TEXT,
"user" VARCHAR NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ur_ingest_session_plm_acct_project_issue_id") REFERENCES "ur_ingest_session_plm_acct_project_issue"("ur_ingest_session_plm_acct_project_issue_id"),
FOREIGN KEY("user") REFERENCES "ur_ingest_session_plm_user"("ur_ingest_session_plm_user_id"),
UNIQUE("comment_id", "url", "body")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_reaction" (
"ur_ingest_session_plm_reaction_id" VARCHAR PRIMARY KEY NOT NULL,
"reaction_id" TEXT NOT NULL,
"reaction_type" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("reaction_type")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_issue_reaction" (
"ur_ingest_session_plm_issue_reaction_id" VARCHAR PRIMARY KEY NOT NULL,
"ur_ingest_plm_reaction_id" VARCHAR NOT NULL,
"ur_ingest_plm_issue_id" VARCHAR NOT NULL,
"count" INTEGER NOT NULL DEFAULT 1,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("ur_ingest_plm_reaction_id") REFERENCES "ur_ingest_session_plm_reaction"("ur_ingest_session_plm_reaction_id"),
FOREIGN KEY("ur_ingest_plm_issue_id") REFERENCES "ur_ingest_session_plm_acct_project_issue"("ur_ingest_session_plm_acct_project_issue_id"),
UNIQUE("ur_ingest_plm_issue_id", "ur_ingest_plm_reaction_id")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_plm_issue_type" (
"ur_ingest_session_plm_issue_type_id" VARCHAR PRIMARY KEY NOT NULL,
"avatar_id" TEXT,
"description" TEXT NOT NULL,
"icon_url" TEXT NOT NULL,
"id" TEXT NOT NULL,
"name" TEXT NOT NULL,
"subtask" BOOLEAN NOT NULL,
"url" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("id", "name")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_attachment" (
"ur_ingest_session_attachment_id" VARCHAR PRIMARY KEY NOT NULL,
"uniform_resource_id" VARCHAR,
"name" TEXT,
"uri" TEXT NOT NULL,
"content" BLOB,
"nature" TEXT,
"size" INTEGER,
"checksum" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("uniform_resource_id") REFERENCES "uniform_resource"("uniform_resource_id"),
UNIQUE("uniform_resource_id", "checksum", "nature", "size")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_udi_pgp_sql" (
"ur_ingest_session_udi_pgp_sql_id" VARCHAR PRIMARY KEY NOT NULL,
"sql" TEXT NOT NULL,
"nature" TEXT NOT NULL,
"content" BLOB,
"behaviour" TEXT CHECK(json_valid(behaviour) OR behaviour IS NULL),
"query_error" TEXT,
"uniform_resource_id" VARCHAR,
"ingest_session_id" VARCHAR,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("uniform_resource_id") REFERENCES "uniform_resource"("uniform_resource_id"),
FOREIGN KEY("ingest_session_id") REFERENCES "ur_ingest_session"("ur_ingest_session_id"),
UNIQUE("sql", "ingest_session_id")
);
CREATE TABLE IF NOT EXISTS "orchestration_nature" (
"orchestration_nature_id" TEXT PRIMARY KEY NOT NULL,
"nature" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("orchestration_nature_id", "nature")
);
CREATE TABLE IF NOT EXISTS "orchestration_session" (
"orchestration_session_id" VARCHAR PRIMARY KEY NOT NULL,
"device_id" VARCHAR NOT NULL,
"orchestration_nature_id" TEXT NOT NULL,
"version" TEXT NOT NULL,
"orch_started_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"orch_finished_at" TIMESTAMPTZ,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
"args_json" TEXT CHECK(json_valid(args_json) OR args_json IS NULL),
"diagnostics_json" TEXT CHECK(json_valid(diagnostics_json) OR diagnostics_json IS NULL),
"diagnostics_md" TEXT,
FOREIGN KEY("device_id") REFERENCES "device"("device_id"),
FOREIGN KEY("orchestration_nature_id") REFERENCES "orchestration_nature"("orchestration_nature_id")
);
CREATE TABLE IF NOT EXISTS "orchestration_session_entry" (
"orchestration_session_entry_id" VARCHAR PRIMARY KEY NOT NULL,
"session_id" VARCHAR NOT NULL,
"ingest_src" TEXT NOT NULL,
"ingest_table_name" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
FOREIGN KEY("session_id") REFERENCES "orchestration_session"("orchestration_session_id")
);
CREATE TABLE IF NOT EXISTS "orchestration_session_state" (
"orchestration_session_state_id" VARCHAR PRIMARY KEY NOT NULL,
"session_id" VARCHAR NOT NULL,
"session_entry_id" VARCHAR,
"from_state" TEXT NOT NULL,
"to_state" TEXT NOT NULL,
"transition_result" TEXT CHECK(json_valid(transition_result) OR transition_result IS NULL),
"transition_reason" TEXT,
"transitioned_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
FOREIGN KEY("session_id") REFERENCES "orchestration_session"("orchestration_session_id"),
FOREIGN KEY("session_entry_id") REFERENCES "orchestration_session_entry"("orchestration_session_entry_id"),
UNIQUE("orchestration_session_state_id", "from_state", "to_state")
);
CREATE TABLE IF NOT EXISTS "orchestration_session_exec" (
"orchestration_session_exec_id" VARCHAR PRIMARY KEY NOT NULL,
"exec_nature" TEXT NOT NULL,
"session_id" VARCHAR NOT NULL,
"session_entry_id" VARCHAR,
"parent_exec_id" VARCHAR,
"namespace" TEXT,
"exec_identity" TEXT,
"exec_code" TEXT NOT NULL,
"exec_status" INTEGER NOT NULL,
"input_text" TEXT,
"exec_error_text" TEXT,
"output_text" TEXT,
"output_nature" TEXT CHECK(json_valid(output_nature) OR output_nature IS NULL),
"narrative_md" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
FOREIGN KEY("session_id") REFERENCES "orchestration_session"("orchestration_session_id"),
FOREIGN KEY("session_entry_id") REFERENCES "orchestration_session_entry"("orchestration_session_entry_id"),
FOREIGN KEY("parent_exec_id") REFERENCES "orchestration_session_exec"("orchestration_session_exec_id")
);
CREATE TABLE IF NOT EXISTS "orchestration_session_issue" (
"orchestration_session_issue_id" UUID PRIMARY KEY NOT NULL,
"session_id" VARCHAR NOT NULL,
"session_entry_id" VARCHAR,
"issue_type" TEXT NOT NULL,
"issue_message" TEXT NOT NULL,
"issue_row" INTEGER,
"issue_column" TEXT,
"invalid_value" TEXT,
"remediation" TEXT,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
FOREIGN KEY("session_id") REFERENCES "orchestration_session"("orchestration_session_id"),
FOREIGN KEY("session_entry_id") REFERENCES "orchestration_session_entry"("orchestration_session_entry_id")
);
CREATE TABLE IF NOT EXISTS "orchestration_session_issue_relation" (
"orchestration_session_issue_relation_id" UUID PRIMARY KEY NOT NULL,
"issue_id_prime" UUID NOT NULL,
"issue_id_rel" TEXT NOT NULL,
"relationship_nature" TEXT NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
FOREIGN KEY("issue_id_prime") REFERENCES "orchestration_session_issue"("orchestration_session_issue_id")
);
CREATE TABLE IF NOT EXISTS "orchestration_session_log" (
"orchestration_session_log_id" UUID PRIMARY KEY NOT NULL,
"category" TEXT,
"parent_exec_id" UUID,
"content" TEXT NOT NULL,
"sibling_order" INTEGER,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
FOREIGN KEY("parent_exec_id") REFERENCES "orchestration_session_log"("orchestration_session_log_id")
);
CREATE TABLE IF NOT EXISTS "uniform_resource_graph" (
"name" VARCHAR PRIMARY KEY NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL)
);
CREATE TABLE IF NOT EXISTS "uniform_resource_edge" (
"graph_name" VARCHAR NOT NULL,
"nature" TEXT NOT NULL,
"node_id" TEXT NOT NULL,
"uniform_resource_id" VARCHAR NOT NULL,
"elaboration" TEXT CHECK(json_valid(elaboration) OR elaboration IS NULL),
FOREIGN KEY("graph_name") REFERENCES "uniform_resource_graph"("name"),
FOREIGN KEY("uniform_resource_id") REFERENCES "uniform_resource"("uniform_resource_id"),
UNIQUE("graph_name", "nature", "node_id", "uniform_resource_id")
);
CREATE TABLE IF NOT EXISTS "surveilr_osquery_ms_node" (
"surveilr_osquery_ms_node_id" VARCHAR PRIMARY KEY NOT NULL,
"node_key" TEXT NOT NULL,
"host_identifier" TEXT NOT NULL,
"tls_cert_subject" TEXT,
"os_version" TEXT NOT NULL,
"platform" TEXT NOT NULL,
"last_seen" TIMESTAMP NOT NULL,
"status" TEXT NOT NULL DEFAULT 'active',
"osquery_version" TEXT,
"osquery_build_platform" TEXT NOT NULL,
"device_id" VARCHAR NOT NULL,
"behavior_id" VARCHAR,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("device_id") REFERENCES "device"("device_id"),
FOREIGN KEY("behavior_id") REFERENCES "behavior"("behavior_id"),
UNIQUE("host_identifier", "os_version"),
UNIQUE("node_key")
);
CREATE TABLE IF NOT EXISTS "ur_ingest_session_osquery_ms_log" (
"ur_ingest_session_osquery_ms_log_id" VARCHAR PRIMARY KEY NOT NULL,
"node_key" TEXT NOT NULL,
"log_type" TEXT NOT NULL,
"log_data" TEXT CHECK(json_valid(log_data)) NOT NULL,
"applied_jq_filters" TEXT CHECK(json_valid(applied_jq_filters) OR applied_jq_filters IS NULL),
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
FOREIGN KEY("node_key") REFERENCES "surveilr_osquery_ms_node"("node_key"),
UNIQUE("node_key", "log_type", "log_data")
);
CREATE TABLE IF NOT EXISTS "osquery_policy" (
"osquery_policy_id" VARCHAR PRIMARY KEY NOT NULL,
"policy_group" TEXT,
"policy_name" TEXT NOT NULL,
"osquery_code" TEXT NOT NULL,
"policy_description" TEXT NOT NULL,
"policy_pass_label" TEXT NOT NULL DEFAULT 'Pass',
"policy_fail_label" TEXT NOT NULL DEFAULT 'Fail',
"policy_pass_remarks" TEXT,
"policy_fail_remarks" TEXT,
"osquery_platforms" TEXT,
"created_at" TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
"created_by" TEXT DEFAULT 'UNKNOWN',
"updated_at" TIMESTAMPTZ,
"updated_by" TEXT,
"deleted_at" TIMESTAMPTZ,
"deleted_by" TEXT,
"activity_log" TEXT,
UNIQUE("policy_name", "osquery_code")
);
CREATE TABLE IF NOT EXISTS "surveilr_table_size" (
"table_name" VARCHAR PRIMARY KEY NOT NULL,
"table_size_mb" INTEGER NOT NULL
);
CREATE INDEX IF NOT EXISTS "idx_party__party_type_id__party_name" ON "party"("party_type_id", "party_name");
CREATE INDEX IF NOT EXISTS "idx_party_relation__party_id__related_party_id__relation_type_id" ON "party_relation"("party_id", "related_party_id", "relation_type_id");
CREATE INDEX IF NOT EXISTS "idx_organization_role__person_id__organization_id__organization_role_type_id" ON "organization_role"("person_id", "organization_id", "organization_role_type_id");
CREATE INDEX IF NOT EXISTS "idx_device__name__state" ON "device"("name", "state");
CREATE INDEX IF NOT EXISTS "idx_device_party_relationship__device_id__party_id" ON "device_party_relationship"("device_id", "party_id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_fs_path__ingest_session_id__root_path" ON "ur_ingest_session_fs_path"("ingest_session_id", "root_path");
CREATE INDEX IF NOT EXISTS "idx_uniform_resource__device_id__uri" ON "uniform_resource"("device_id", "uri");
CREATE INDEX IF NOT EXISTS "idx_uniform_resource_transform__uniform_resource_id__content_digest" ON "uniform_resource_transform"("uniform_resource_id", "content_digest");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_fs_path_entry__ingest_session_id__file_path_abs" ON "ur_ingest_session_fs_path_entry"("ingest_session_id", "file_path_abs");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_task__ingest_session_id" ON "ur_ingest_session_task"("ingest_session_id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_imap_acct_folder__ingest_session_id__folder_name" ON "ur_ingest_session_imap_acct_folder"("ingest_session_id", "folder_name");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_imap_acct_folder_message__ingest_session_id" ON "ur_ingest_session_imap_acct_folder_message"("ingest_session_id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_imap_account__ingest_session_id__email" ON "ur_ingest_session_imap_account"("ingest_session_id", "email");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_account__provider__org_name" ON "ur_ingest_session_plm_account"("provider", "org_name");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_acct_project__name__description" ON "ur_ingest_session_plm_acct_project"("name", "description");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_acct_project_issue__title__issue_id__state__assigned_to" ON "ur_ingest_session_plm_acct_project_issue"("title", "issue_id", "state", "assigned_to");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_acct_label__ur_ingest_session_plm_acct_project_issue_id" ON "ur_ingest_session_plm_acct_label"("ur_ingest_session_plm_acct_project_issue_id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_milestone__ur_ingest_session_plm_acct_project_id" ON "ur_ingest_session_plm_milestone"("ur_ingest_session_plm_acct_project_id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_acct_relationship__ur_ingest_session_plm_acct_project_id_prime" ON "ur_ingest_session_plm_acct_relationship"("ur_ingest_session_plm_acct_project_id_prime");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_user__user_id__login" ON "ur_ingest_session_plm_user"("user_id", "login");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_comment__ur_ingest_session_plm_acct_project_issue_id" ON "ur_ingest_session_plm_comment"("ur_ingest_session_plm_acct_project_issue_id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_reaction__ur_ingest_session_plm_reaction_id" ON "ur_ingest_session_plm_reaction"("ur_ingest_session_plm_reaction_id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_issue_reaction__ur_ingest_session_plm_issue_reaction_id" ON "ur_ingest_session_plm_issue_reaction"("ur_ingest_session_plm_issue_reaction_id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_plm_issue_type__id" ON "ur_ingest_session_plm_issue_type"("id");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_attachment__uniform_resource_id__content" ON "ur_ingest_session_attachment"("uniform_resource_id", "content");
CREATE INDEX IF NOT EXISTS "idx_ur_ingest_session_udi_pgp_sql__ingest_session_id" ON "ur_ingest_session_udi_pgp_sql"("ingest_session_id");
CREATE INDEX IF NOT EXISTS "idx_orchestration_nature__orchestration_nature_id__nature" ON "orchestration_nature"("orchestration_nature_id", "nature");
CREATE INDEX IF NOT EXISTS "idx_uniform_resource_edge__uniform_resource_id" ON "uniform_resource_edge"("uniform_resource_id");
CREATE INDEX IF NOT EXISTS "idx_surveilr_osquery_ms_node__node_key" ON "surveilr_osquery_ms_node"("node_key");,CREATE TEMP TABLE IF NOT EXISTS "session_state_ephemeral" (
"key" TEXT PRIMARY KEY NOT NULL,
"value" TEXT NOT NULL
);,CREATE TABLE IF NOT EXISTS surveilr_table_size (
table_name TEXT PRIMARY KEY,
table_size_mb REAL
);
DELETE FROM surveilr_table_size;
INSERT INTO surveilr_table_size (table_name, table_size_mb)
SELECT name,
ROUND(SUM(pgsize) / (1024.0 * 1024), 2)
FROM dbstat
GROUP BY name;,INSERT INTO "ur_ingest_resource_path_match_rule" ("ur_ingest_resource_path_match_rule_id", "namespace", "regex", "flags", "nature", "priority", "description", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('ignore .git and node_modules paths', 'default', '/(\.git|node_modules)/', 'IGNORE_RESOURCE', NULL, NULL, 'Ignore any entry with `/.git/` or `/node_modules/` in the path.', NULL, (CURRENT_TIMESTAMP), NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO UPDATE SET ur_ingest_resource_path_match_rule_id = COALESCE(EXCLUDED.ur_ingest_resource_path_match_rule_id, ur_ingest_resource_path_match_rule_id), namespace = COALESCE(EXCLUDED.namespace, namespace), regex = COALESCE(EXCLUDED.regex, regex), flags = COALESCE(EXCLUDED.flags, flags), description = COALESCE(EXCLUDED.description, description), "updated_at" = CURRENT_TIMESTAMP, "updated_by" = (SELECT "value" FROM "session_state_ephemeral" WHERE "key" = 'current_user');
INSERT INTO "ur_ingest_resource_path_match_rule" ("ur_ingest_resource_path_match_rule_id", "namespace", "regex", "flags", "nature", "priority", "description", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('typical ingestion extensions', 'default', '\.(?P<nature>md|mdx|html|json|jsonc|puml|txt|toml|yml|xml|tap|csv|tsv|ssv|psv|tm7|pdf|docx|doc|pptx|ppt|xlsx|xls)$', 'CONTENT_ACQUIRABLE', '?P<nature>', NULL, 'Ingest the content for md, mdx, html, json, jsonc, puml, txt, toml, and yml extensions. Assume the nature is the same as the extension.', NULL, (CURRENT_TIMESTAMP), NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO UPDATE SET ur_ingest_resource_path_match_rule_id = COALESCE(EXCLUDED.ur_ingest_resource_path_match_rule_id, ur_ingest_resource_path_match_rule_id), namespace = COALESCE(EXCLUDED.namespace, namespace), regex = COALESCE(EXCLUDED.regex, regex), flags = COALESCE(EXCLUDED.flags, flags), description = COALESCE(EXCLUDED.description, description), "updated_at" = CURRENT_TIMESTAMP, "updated_by" = (SELECT "value" FROM "session_state_ephemeral" WHERE "key" = 'current_user');
INSERT INTO "ur_ingest_resource_path_match_rule" ("ur_ingest_resource_path_match_rule_id", "namespace", "regex", "flags", "nature", "priority", "description", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('surveilr-[NATURE] style capturable executable', 'default', 'surveilr\[(?P<nature>[^\]]*)\]', 'CAPTURABLE_EXECUTABLE', '?P<nature>', NULL, 'Any entry with `surveilr-[XYZ]` in the path will be treated as a capturable executable extracting `XYZ` as the nature', NULL, (CURRENT_TIMESTAMP), NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO UPDATE SET ur_ingest_resource_path_match_rule_id = COALESCE(EXCLUDED.ur_ingest_resource_path_match_rule_id, ur_ingest_resource_path_match_rule_id), namespace = COALESCE(EXCLUDED.namespace, namespace), regex = COALESCE(EXCLUDED.regex, regex), flags = COALESCE(EXCLUDED.flags, flags), description = COALESCE(EXCLUDED.description, description), "updated_at" = CURRENT_TIMESTAMP, "updated_by" = (SELECT "value" FROM "session_state_ephemeral" WHERE "key" = 'current_user');
INSERT INTO "ur_ingest_resource_path_match_rule" ("ur_ingest_resource_path_match_rule_id", "namespace", "regex", "flags", "nature", "priority", "description", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('surveilr-SQL capturable executable', 'default', 'surveilr-SQL', 'CAPTURABLE_EXECUTABLE | CAPTURABLE_SQL', NULL, NULL, 'Any entry with surveilr-SQL in the path will be treated as a capturable SQL executable and allow execution of the SQL', NULL, (CURRENT_TIMESTAMP), NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO UPDATE SET ur_ingest_resource_path_match_rule_id = COALESCE(EXCLUDED.ur_ingest_resource_path_match_rule_id, ur_ingest_resource_path_match_rule_id), namespace = COALESCE(EXCLUDED.namespace, namespace), regex = COALESCE(EXCLUDED.regex, regex), flags = COALESCE(EXCLUDED.flags, flags), description = COALESCE(EXCLUDED.description, description), "updated_at" = CURRENT_TIMESTAMP, "updated_by" = (SELECT "value" FROM "session_state_ephemeral" WHERE "key" = 'current_user');
INSERT INTO "ur_ingest_resource_path_rewrite_rule" ("ur_ingest_resource_path_rewrite_rule_id", "namespace", "regex", "replace", "priority", "description", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('.plantuml -> .puml', 'default', '(\.plantuml)$', '.puml', NULL, 'Treat .plantuml as .puml files', NULL, (CURRENT_TIMESTAMP), NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "ur_ingest_resource_path_rewrite_rule" ("ur_ingest_resource_path_rewrite_rule_id", "namespace", "regex", "replace", "priority", "description", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('.text -> .txt', 'default', '(\.text)$', '.txt', NULL, 'Treat .text as .txt files', NULL, (CURRENT_TIMESTAMP), NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "ur_ingest_resource_path_rewrite_rule" ("ur_ingest_resource_path_rewrite_rule_id", "namespace", "regex", "replace", "priority", "description", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('.yaml -> .yml', 'default', '(\.yaml)$', '.yml', NULL, 'Treat .yaml as .yml files', NULL, (CURRENT_TIMESTAMP), NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "party_type" ("party_type_id", "code", "value", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), 'ORGANIZATION', 'Organization', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "party_type" ("party_type_id", "code", "value", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), 'PERSON', 'Person', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "orchestration_nature" ("orchestration_nature_id", "nature", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('surveilr-transform-csv', 'Transform CSV', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "orchestration_nature" ("orchestration_nature_id", "nature", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('surveilr-transform-xml', 'Transform XML', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "orchestration_nature" ("orchestration_nature_id", "nature", "elaboration", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ('surveilr-transform-html', 'Transform HTML', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "uniform_resource_graph" ("name", "elaboration") VALUES ('filesystem', '{}') ON CONFLICT DO NOTHING;
INSERT INTO "uniform_resource_graph" ("name", "elaboration") VALUES ('imap', '{}') ON CONFLICT DO NOTHING;
INSERT INTO "uniform_resource_graph" ("name", "elaboration") VALUES ('plm', '{}') ON CONFLICT DO NOTHING;
INSERT INTO "uniform_resource_graph" ("name", "elaboration") VALUES ('osquery-ms', '{}') ON CONFLICT DO NOTHING;
DROP VIEW IF EXISTS "plm_graph";
CREATE VIEW IF NOT EXISTS "plm_graph" AS
SELECT
ure.graph_name,
ure.nature,
ur.uniform_resource_id,
ur.uri,
ur_ingest_plm.ur_ingest_session_plm_acct_project_issue_id,
ur_ingest_plm.issue_id,
ur_ingest_plm.ur_ingest_session_plm_acct_project_id as project_id,
ur_ingest_plm.title,
ur_ingest_plm.body
FROM
uniform_resource_edge ure
JOIN
uniform_resource ur ON ure.uniform_resource_id = ur.uniform_resource_id
JOIN
ur_ingest_session_plm_acct_project_issue ur_ingest_plm ON ure.node_id = ur_ingest_plm.ur_ingest_session_plm_acct_project_issue_id
WHERE
ure.graph_name = 'plm';
;
DROP VIEW IF EXISTS "imap_graph";
CREATE VIEW IF NOT EXISTS "imap_graph" AS
SELECT
ure.graph_name,
ur.uniform_resource_id,
ur.nature,
ur.uri,
ur.content,
ur_ingest_imap.ur_ingest_session_imap_acct_folder_message_id,
ur_ingest_imap.ingest_imap_acct_folder_id,
ur_ingest_imap.message_id
FROM
uniform_resource_edge ure
JOIN
uniform_resource ur ON ure.uniform_resource_id = ur.uniform_resource_id
JOIN
ur_ingest_session_imap_acct_folder_message ur_ingest_imap ON ure.node_id = ur_ingest_imap.ur_ingest_session_imap_acct_folder_message_id
WHERE
ure.graph_name = 'imap';
;
DROP VIEW IF EXISTS "filesystem_graph";
CREATE VIEW IF NOT EXISTS "filesystem_graph" AS
SELECT
ure.graph_name,
ur.uniform_resource_id,
ur.nature,
ur.uri,
ur_ingest_fs_path.ur_ingest_session_fs_path_id,
ur_ingest_fs_path.root_path
FROM
uniform_resource_edge ure
JOIN
uniform_resource ur ON ure.uniform_resource_id = ur.uniform_resource_id
JOIN
ur_ingest_session_fs_path ur_ingest_fs_path ON ure.node_id = ur_ingest_fs_path.ur_ingest_session_fs_path_id
WHERE
ure.graph_name = 'filesystem';
;
INSERT INTO "osquery_policy" ("osquery_policy_id", "policy_group", "policy_name", "osquery_code", "policy_description", "policy_pass_label", "policy_fail_label", "policy_pass_remarks", "policy_fail_remarks", "osquery_platforms", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), NULL, 'Ad tracking is limited (macOS)', 'SELECT CASE WHEN EXISTS (SELECT 1 FROM managed_policies WHERE domain=''com.apple.AdLib'' AND name=''forceLimitAdTracking'' AND value=''1'' LIMIT 1) THEN ''true'' ELSE ''false'' END AS policy_result;', 'Checks that a mobile device management (MDM) solution configures the Mac to limit advertisement tracking.', 'Pass', 'Fail', NULL, 'Contact your IT administrator to ensure your Mac is receiving a profile that disables advertisement tracking.', '["macos"]', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "osquery_policy" ("osquery_policy_id", "policy_group", "policy_name", "osquery_code", "policy_description", "policy_pass_label", "policy_fail_label", "policy_pass_remarks", "policy_fail_remarks", "osquery_platforms", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), NULL, 'Antivirus healthy (Linux)', 'SELECT score FROM (SELECT CASE WHEN COUNT(*) = 2 THEN ''true'' ELSE ''false'' END AS score FROM processes WHERE (name = ''clamd'') OR (name = ''freshclam'')) WHERE score = ''true'';', 'Checks that both ClamAV''s daemon and its updater service (freshclam) are running.', 'Pass', 'Fail', NULL, 'Ensure ClamAV and Freshclam are installed and running.', '["linux","windows","macos"]', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "osquery_policy" ("osquery_policy_id", "policy_group", "policy_name", "osquery_code", "policy_description", "policy_pass_label", "policy_fail_label", "policy_pass_remarks", "policy_fail_remarks", "osquery_platforms", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), NULL, 'Antivirus healthy (macOS)', 'SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM plist WHERE (key = ''CFBundleShortVersionString'' AND path = ''/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist'' AND value>=2162) OR (key = ''CFBundleShortVersionString'' AND path = ''/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist'' and value>=1.93)) WHERE score == 1;', 'Checks the version of Malware Removal Tool (MRT) and the built-in macOS AV (Xprotect). Replace version numbers with the latest version regularly.', 'Pass', 'Fail', NULL, 'To enable automatic security definition updates, on the failing device, select System Preferences > Software Update > Advanced > Turn on Install system data files and security updates.', '["macos"]', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "osquery_policy" ("osquery_policy_id", "policy_group", "policy_name", "osquery_code", "policy_description", "policy_pass_label", "policy_fail_label", "policy_pass_remarks", "policy_fail_remarks", "osquery_platforms", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), NULL, 'Antivirus healthy (Windows)', 'SELECT 1 from windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = ''Good'' AND type = ''Antivirus'' AND signatures_up_to_date=1;', 'Checks the status of antivirus and signature updates from the Windows Security Center.', 'Pass', 'Fail', NULL, 'Ensure Windows Defender or your third-party antivirus is running, up to date, and visible in the Windows Security Center.', '["windows"]', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "osquery_policy" ("osquery_policy_id", "policy_group", "policy_name", "osquery_code", "policy_description", "policy_pass_label", "policy_fail_label", "policy_pass_remarks", "policy_fail_remarks", "osquery_platforms", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), NULL, 'Automatic installation of application updates is enabled (macOS)', 'SELECT 1 FROM managed_policies WHERE domain=''com.apple.SoftwareUpdate'' AND name=''AutomaticallyInstallAppUpdates'' AND value=1 LIMIT 1;', 'Checks that a mobile device management (MDM) solution configures the Mac to automatically install updates to App Store applications.', 'Pass', 'Fail', NULL, 'Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of application updates.', '["macos"]', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "osquery_policy" ("osquery_policy_id", "policy_group", "policy_name", "osquery_code", "policy_description", "policy_pass_label", "policy_fail_label", "policy_pass_remarks", "policy_fail_remarks", "osquery_platforms", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), NULL, 'Automatic installation of operating system updates is enabled (macOS)', 'SELECT 1 FROM managed_policies WHERE domain=''com.apple.SoftwareUpdate'' AND name=''AutomaticallyInstallMacOSUpdates'' AND value=1 LIMIT 1;', 'Checks that a mobile device management (MDM) solution configures the Mac to automatically install operating system updates.', 'Pass', 'Fail', NULL, 'Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of operating system updates.', '["macos"]', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;
INSERT INTO "osquery_policy" ("osquery_policy_id", "policy_group", "policy_name", "osquery_code", "policy_description", "policy_pass_label", "policy_fail_label", "policy_pass_remarks", "policy_fail_remarks", "osquery_platforms", "created_at", "created_by", "updated_at", "updated_by", "deleted_at", "deleted_by", "activity_log") VALUES ((ulid()), NULL, 'Ensure ''Minimum password length'' is set to ''14 or more characters''', 'SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;', 'This policy setting determines the least number of characters that make up a password for a user account.', 'Pass', 'Fail', NULL, 'Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 14 or more characters
''Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAccount PoliciesPassword PolicyMinimum password length''', '["windows"]', NULL, NULL, NULL, NULL, NULL, NULL, NULL) ON CONFLICT DO NOTHING;,SELECT * FROM system_info,SELECT DISTINCT value, key FROM process_envs WHERE key='SURVEILR_OSQUERY_BOUNDARY';,SELECT DISTINCT value, variable FROM default_environment WHERE variable='SURVEILR_OSQUERY_BOUNDARY';,SELECT
os.name,
os.major,
os.minor,
os.patch,
os.extra,
os.build,
os.arch,
os.platform,
os.version AS version,
k.version AS kernel_version
FROM
os_version os,
kernel_info k;
,
WITH display_version_table AS (
SELECT data as display_version
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion'
),
ubr_table AS (
SELECT data AS ubr
FROM registry
WHERE path ='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UBR'
)
SELECT
os.name,
COALESCE(d.display_version, '') AS display_version,
COALESCE(CONCAT((SELECT version FROM os_version), '.', u.ubr), k.version) AS version
FROM
os_version os,
kernel_info k
LEFT JOIN
display_version_table d
LEFT JOIN
ubr_table u;
,SELECT * FROM users,
SELECT
ia.address,
id.mac
FROM
interface_addresses ia
JOIN interface_details id ON id.interface = ia.interface
JOIN routes r ON r.interface = ia.address
WHERE
(r.destination = '0.0.0.0' OR r.destination = '::') AND r.netmask = 0
AND r.type = 'remote'
AND (
inet_aton(ia.address) IS NOT NULL AND (
split(ia.address, '.', 0) = '10'
OR (split(ia.address, '.', 0) = '172' AND (CAST(split(ia.address, '.', 1) AS INTEGER) & 0xf0) = 16)
OR (split(ia.address, '.', 0) = '192' AND split(ia.address, '.', 1) = '168')
)
OR (inet_aton(ia.address) IS NULL AND regex_match(lower(ia.address), '^f[cd][0-9a-f][0-9a-f]:[0-9a-f:]+', 0) IS NOT NULL)
)
ORDER BY
r.metric ASC,
inet_aton(ia.address) IS NOT NULL DESC
LIMIT 1;
,
SELECT
ia.address,
id.mac
FROM
interface_addresses ia
JOIN interface_details id ON id.interface = ia.interface
JOIN routes r ON r.interface = ia.interface
WHERE
(r.destination = '0.0.0.0' OR r.destination = '::') AND r.netmask = 0
AND r.type = 'gateway'
AND (
inet_aton(ia.address) IS NOT NULL AND (
split(ia.address, '.', 0) = '10'
OR (split(ia.address, '.', 0) = '172' AND (CAST(split(ia.address, '.', 1) AS INTEGER) & 0xf0) = 16)
OR (split(ia.address, '.', 0) = '192' AND split(ia.address, '.', 1) = '168')
)
OR (inet_aton(ia.address) IS NULL AND regex_match(lower(ia.address), '^f[cd][0-9a-f][0-9a-f]:[0-9a-f:]+', 0) IS NOT NULL)
)
ORDER BY
r.metric ASC,
inet_aton(ia.address) IS NOT NULL DESC
LIMIT 1;
,SELECT p.name, p.path FROM listening_ports l JOIN processes p USING (pid);,SELECT * FROM uptime LIMIT 1;,
SELECT
ROUND((sum(free_space) * 100 * 10e-10) / (sum(size) * 10e-10)) AS percent_disk_space_available,
ROUND(sum(free_space) * 10e-10) AS gigs_disk_space_available,
ROUND(sum(size) * 10e-10) AS gigs_total_disk_space
FROM logical_drives
WHERE file_system = 'NTFS' LIMIT 1;
,
SELECT
(blocks_available * 100 / blocks) AS percent_disk_space_available,
round((blocks_available * blocks_size * 10e-10),2) AS gigs_disk_space_available,
round((blocks * blocks_size * 10e-10),2) AS gigs_total_disk_space
FROM mounts
WHERE path = '/' LIMIT 1;
,SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;,SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages;,SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;,SELECT
CASE
WHEN NOT EXISTS (
SELECT 1
FROM users
CROSS JOIN user_ssh_keys USING (uid)
WHERE encrypted = '0'
) THEN 'true'
ELSE 'false'
END AS policy_result;
,SELECT
CASE
WHEN EXISTS (
SELECT 1
FROM mounts m
JOIN disk_encryption d ON m.device_alias = d.name
WHERE d.encrypted = 1 AND m.path = '/'
) THEN 'true'
ELSE 'false'
END AS policy_result;
,SELECT
CASE
WHEN EXISTS (
SELECT 1
FROM bitlocker_info
WHERE drive_letter = 'C:' AND protection_status = 1
) THEN 'true'
ELSE 'false'
END AS policy_result;
,SELECT
CASE
WHEN EXISTS (
SELECT 1
FROM disk_encryption
WHERE user_uuid IS NOT '' AND filevault_status = 'on'
LIMIT 1
) THEN 'true'
ELSE 'false'
END AS policy_result;
,
/* 'osQuery Result Filters' in 'RssdInitSqlNotebook' returned type object instead of string | string[] | SQLa.SqlTextSupplier */