Table `users` on linux by default to return only users in `/etc/passwd` by lucasmrod · Pull Request #8342 · osquery/osquery
For manual testing I used this guide to set up a local OpenLDAP directory server and an Ubuntu VM that uses that server for authentication.
The Ubuntu VM has 51 local users and 2 "remote" users (joe, uid: 1005 and julie, uid: 1006) that exist only in the LDAP directory.
SELECT uid,username FROM users; // returns 51 local users as expected
+-------+---------------------+
| uid | username |
+-------+---------------------+
| 0 | root |
| 1 | daemon |
| 2 | bin |
| 3 | sys |
| 4 | sync |
| 5 | games |
| 6 | man |
| 7 | lp |
| 8 | mail |
| 9 | news |
| 10 | uucp |
| 13 | proxy |
| 33 | www-data |
| 34 | backup |
| 38 | list |
| 39 | irc |
| 41 | gnats |
| 65534 | nobody |
| 100 | systemd-network |
| 101 | systemd-resolve |
| 102 | messagebus |
| 103 | systemd-timesync |
| 104 | syslog |
| 105 | _apt |
| 106 | tss |
| 107 | uuidd |
| 108 | systemd-oom |
| 109 | tcpdump |
| 110 | avahi-autoipd |
| 111 | usbmux |
| 112 | dnsmasq |
| 113 | kernoops |
| 114 | avahi |
| 115 | cups-pk-helper |
| 116 | rtkit |
| 117 | whoopsie |
| 118 | sssd |
| 119 | speech-dispatcher |
| 120 | fwupd-refresh |
| 121 | nm-openvpn |
| 122 | saned |
| 123 | colord |
| 124 | geoclue |
| 125 | pulse |
| 126 | gnome-initial-setup |
| 127 | hplip |
| 128 | gdm |
| 1000 | luk |
| 1002 | citrixlog |
| 129 | openldap |
| 1003 | zoo |
+-------+---------------------+
SELECT uid,username FROM users WHERE include_remote=1; // returns 53 users as expected
+-------+---------------------+
| uid | username |
+-------+---------------------+
| 0 | root |
| 1 | daemon |
| 2 | bin |
| 3 | sys |
| 4 | sync |
| 5 | games |
| 6 | man |
| 7 | lp |
| 8 | mail |
| 9 | news |
| 10 | uucp |
| 13 | proxy |
| 33 | www-data |
| 34 | backup |
| 38 | list |
| 39 | irc |
| 41 | gnats |
| 65534 | nobody |
| 100 | systemd-network |
| 101 | systemd-resolve |
| 102 | messagebus |
| 103 | systemd-timesync |
| 104 | syslog |
| 105 | _apt |
| 106 | tss |
| 107 | uuidd |
| 108 | systemd-oom |
| 109 | tcpdump |
| 110 | avahi-autoipd |
| 111 | usbmux |
| 112 | dnsmasq |
| 113 | kernoops |
| 114 | avahi |
| 115 | cups-pk-helper |
| 116 | rtkit |
| 117 | whoopsie |
| 118 | sssd |
| 119 | speech-dispatcher |
| 120 | fwupd-refresh |
| 121 | nm-openvpn |
| 122 | saned |
| 123 | colord |
| 124 | geoclue |
| 125 | pulse |
| 126 | gnome-initial-setup |
| 127 | hplip |
| 128 | gdm |
| 1000 | luk |
| 1002 | citrixlog |
| 129 | openldap |
| 1003 | zoo |
| 1005 | joe |
| 1006 | julie |
+-------+---------------------+
SELECT * FROM users where uid = 1000; // returns a local user luk as expected
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
| 1000 | 1000 | 1000 | 1000 | luk | Lucas,,, | /home/luk | /bin/bash | |
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
SELECT * FROM users where username = 'luk'; // returns a local user luk as expected
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
| 1000 | 1000 | 1000 | 1000 | luk | Lucas,,, | /home/luk | /bin/bash | |
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
SELECT * FROM users where username = 'luk' OR uid < 10; // returns a local user luk + other local users as expected
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
| 1000 | 1000 | 1000 | 1000 | luk | Lucas,,, | /home/luk | /bin/bash | |
| 0 | 0 | 0 | 0 | root | root | /root | /bin/bash | |
| 1 | 1 | 1 | 1 | daemon | daemon | /usr/sbin | /usr/sbin/nologin | |
| 2 | 2 | 2 | 2 | bin | bin | /bin | /usr/sbin/nologin | |
| 3 | 3 | 3 | 3 | sys | sys | /dev | /usr/sbin/nologin | |
| 4 | 65534 | 4 | 65534 | sync | sync | /bin | /bin/sync | |
| 5 | 60 | 5 | 60 | games | games | /usr/games | /usr/sbin/nologin | |
| 6 | 12 | 6 | 12 | man | man | /var/cache/man | /usr/sbin/nologin | |
| 7 | 7 | 7 | 7 | lp | lp | /var/spool/lpd | /usr/sbin/nologin | |
| 8 | 8 | 8 | 8 | mail | mail | /var/mail | /usr/sbin/nologin | |
| 9 | 9 | 9 | 9 | news | news | /var/spool/news | /usr/sbin/nologin | |
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
SELECT * FROM users where (username = 'luk' OR uid < 10) AND include_remote=1; // returns a local user luk + other local users as expected
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
| 0 | 0 | 0 | 0 | root | root | /root | /bin/bash | |
| 1 | 1 | 1 | 1 | daemon | daemon | /usr/sbin | /usr/sbin/nologin | |
| 2 | 2 | 2 | 2 | bin | bin | /bin | /usr/sbin/nologin | |
| 3 | 3 | 3 | 3 | sys | sys | /dev | /usr/sbin/nologin | |
| 4 | 65534 | 4 | 65534 | sync | sync | /bin | /bin/sync | |
| 5 | 60 | 5 | 60 | games | games | /usr/games | /usr/sbin/nologin | |
| 6 | 12 | 6 | 12 | man | man | /var/cache/man | /usr/sbin/nologin | |
| 7 | 7 | 7 | 7 | lp | lp | /var/spool/lpd | /usr/sbin/nologin | |
| 8 | 8 | 8 | 8 | mail | mail | /var/mail | /usr/sbin/nologin | |
| 9 | 9 | 9 | 9 | news | news | /var/spool/news | /usr/sbin/nologin | |
| 1000 | 1000 | 1000 | 1000 | luk | Lucas,,, | /home/luk | /bin/bash | |
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
SELECT * FROM users where (username = 'julie' OR uid = 1005) AND include_remote=1; // returns the two remote users as expected
+------+-----+------------+------------+----------+-------------+-------------+---------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+------+-----+------------+------------+----------+-------------+-------------+---------+------+
| 1005 | 600 | 1005 | 600 | joe | joe | /home/joe | /bin/sh | |
| 1006 | 600 | 1006 | 600 | julie | julie | /home/julie | /bin/sh | |
+------+-----+------------+------------+----------+-------------+-------------+---------+------+
SELECT * FROM users where (username = 'julie' OR uid = 1005); // returns empty as expected