Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi everyone. I'm completely new to OSQuery. Can anyone explain what it means by `attributes(user_data=True)` in the table schema? (<https://github.com/osquery/osquery/blob/master/specs/user_ssh_keys.table#L14> for example)

From the <https://osquery.readthedocs.io/en/stable/development/creating-tables/|docs> on creating tables:

&gt;&gt; user_data=True: This tells the caller that they should provide a uid in the query predicate. By default the table will inspect the current user's content, but may be asked to include results from others.

To put that in plain terms, unless you provide a uid (usually done by joining with the `users` table), this query only returns results for the current user. 

Typically that means that without specifying a user, you’ll see results for your user with `osqueryi` and no results with `osqueryd`. 