add audit queries

some-natalie · some-natalie · commit 271a72ad4043 · 2021-09-20T10:19:44.000-06:00
diff --git a/sql/README.md b/sql/README.md
@@ -0,0 +1,25 @@
+# SQL Queries for GitHub Enterprise Server
+
+:warning: Run these directly against your GitHub Enterprise Server database at your own risk.  A safer method to run these is outlined [here](USAGE.md).
+
+## Audit queries
+
+The `audit` folder has queries that are all around auditing credentials, webhooks, apps, etc.
+
+- `admin-tokens.sql` - A report of all tokens with the `site_admin` scope and when they were last used.
+- `authorizations.sql` - A report of all personal access tokens and when they were last used.  Same as above, but without the `site_admin` scope limitation.  This is a big report.
+- `deploy-keys.sql` - A report of all deploy keys, when it was last used, who set it up and when, how long the key is, and what repository it's tied to.
+- `github-apps.sql` - A report of all GitHub apps, who owns them, the scope it's installed at, if it's public or not, and the URL it's sending data to.
+- `hooks-repos.sql` - A report of all repository webhooks used in the past week, who owns it, and where the webhook goes.  This is limited to a week based on the length of time these are kept in the `hookshot_delivery_logs` table.
+- `hooks-users.sql` - Same report as above, but for user-owned webhooks.
+- `oauth-apps.sql` - A report of all OAuth apps, who owns it, where it goes, and when it was last used.
+- `user-emails.sql` - A report of all emails that don't match a list of approved domains you define in the `WHERE` clause.  This query should be deprecated by [this issue](https://github.com/github/roadmap/issues/204).
+- `user-ssh-keys.sql` - A report of all user SSH keys, when it was last used, when it was set up, and how long the key is.
+
+## Security queries
+
+The `security` folder has queries that are all around dependency alerts and any other security features.
+
+## Usage queries
+
+The `usage` folder has queries that are all around usage of various features in GitHub Enterprise Server.
diff --git a/sql/USAGE.md b/sql/USAGE.md
@@ -0,0 +1 @@
+# Using the SQL queries
diff --git a/sql/audit/admin-tokens.sql b/sql/audit/admin-tokens.sql
@@ -0,0 +1,23 @@
+/*
+ * This pulls a list of all apps, tokens, and scopes associated with that token
+ * as well as when it was last used, created, and updated for anything with 
+ * the `site_admin` scope.
+ */
+SELECT
+	z.id,
+	u.login as owner_name,
+	u.type as owner_type,
+	a.name as app_name,
+	z.accessed_at,
+	z.created_at,
+	z.updated_at,
+	z.description,
+	z.scopes
+FROM
+	github_enterprise.oauth_authorizations z
+JOIN github_enterprise.users u ON
+	z.user_id = u.id
+LEFT JOIN github_enterprise.oauth_applications a ON
+	z.application_id = a.id
+WHERE
+	z.scopes LIKE "%site_admin%"
diff --git a/sql/audit/authorizations.sql b/sql/audit/authorizations.sql
@@ -0,0 +1,20 @@
+/* 
+ * This pulls a list of all apps, tokens, and scopes associated with that token
+ * as well as when it was last used, created, and updated.
+ */
+SELECT
+	z.id,
+	u.login as owner_name,
+	u.type as owner_type,
+	a.name as app_name,
+	z.accessed_at,
+	z.created_at,
+	z.updated_at,
+	z.description,
+	z.scopes
+FROM
+	github_enterprise.oauth_authorizations z
+JOIN github_enterprise.users u ON
+	z.user_id = u.id
+LEFT JOIN github_enterprise.oauth_applications a ON
+	z.application_id = a.id;
diff --git a/sql/audit/deploy-keys.sql b/sql/audit/deploy-keys.sql
@@ -0,0 +1,32 @@
+/* 
+ * This query returns SSH deploy keys and what repo they're tied to, when last
+ * used, etc.
+ */
+SELECT
+	d.title as key_name,
+	d.created_at,
+	d.updated_at,
+	d.verified_at,
+	d.accessed_at as last_used,
+	length(d.key) as key_length,
+	u.login as created_by_name,
+	d.created_by as created_by_type,
+	r.name as repo_name,
+	x.login as repo_owner_name
+FROM
+	github_enterprise.public_keys d
+LEFT JOIN github_enterprise.users u ON
+	d.creator_id = u.id
+LEFT JOIN github_enterprise.repositories r ON
+	d.repository_id = r.id
+LEFT JOIN (
+	SELECT
+		id,
+		login,
+		type
+	FROM
+		github_enterprise.users u2
+    ) x ON
+	x.id = r.owner_id
+WHERE
+	d.repository_id IS NOT NULL;
diff --git a/sql/audit/github-apps.sql b/sql/audit/github-apps.sql
@@ -0,0 +1,20 @@
+/* 
+ * This pulls a list of all github apps, who owns them, and when they were 
+ * created or updated.
+ */
+SELECT
+	i.id,
+	i.bot_id,
+	i.name as integration_name,
+	u.login as owner,
+	u.type,
+	i.url,
+	i.created_at,
+	i.updated_at,
+	i.public,
+	i.slug as friendly_name,
+	i.public
+FROM
+	github_enterprise.integrations i
+JOIN github_enterprise.users u ON
+	i.owner_id = u.id;
diff --git a/sql/audit/hooks-repos.sql b/sql/audit/hooks-repos.sql
@@ -0,0 +1,30 @@
+/* 
+ * This brings up the list of REPOSITORY webhooks that have been active in the
+ * past week, who owns them, and where the webhook goes.
+ */
+SELECT
+	DISTINCT h.id,
+	u.login as creator,
+	h.updated_at,
+	r.name as repo_name,
+	u.login as repo_owner,
+	u.type as owner_type,
+	c.value as url,
+	MAX(l.delivered_at) as latest_delivery
+FROM
+	github_enterprise.hooks h
+JOIN github_enterprise.hook_config_attributes c ON
+	h.id = c.hook_id
+JOIN github_enterprise.users u ON
+	h.creator_id = u.id
+JOIN github_enterprise.hookshot_delivery_logs l ON
+	h.id = l.hook_id
+JOIN github_enterprise.repositories r ON
+	h.installation_target_id = r.id
+WHERE
+	c.key = 'url'
+	AND h.installation_target_type = 'Repository'
+GROUP BY
+	h.id
+ORDER BY
+	MAX(l.delivered_at) DESC;
diff --git a/sql/audit/hooks-users.sql b/sql/audit/hooks-users.sql
@@ -0,0 +1,27 @@
+/*
+ * This brings up the list of USER webhooks that have been active in the past
+ * week, who owns them, and where the webhook goes.
+ */
+SELECT
+	DISTINCT h.id,
+	u.login as creator,
+	h.updated_at,
+	u.login as repo_owner,
+	u.type as owner_type,
+	c.value as url,
+	MAX(l.delivered_at) as latest_delivery
+FROM
+	github_enterprise.hooks h
+JOIN github_enterprise.hook_config_attributes c ON
+	h.id = c.hook_id
+JOIN github_enterprise.users u ON
+	h.creator_id = u.id
+JOIN github_enterprise.hookshot_delivery_logs l ON
+	h.id = l.hook_id
+WHERE
+	c.key = 'url'
+	AND h.installation_target_type = 'User'
+GROUP BY
+	h.id
+ORDER BY
+	MAX(l.delivered_at) DESC;
diff --git a/sql/audit/oauth-apps.sql b/sql/audit/oauth-apps.sql
@@ -0,0 +1,16 @@
+/*
+ * This pulls up a list of all OAuth apps and where they go, as well as when
+ * they were last updated and what login they are associated with.
+ */
+SELECT
+	o.name,
+	o.url,
+	o.callback_url,
+	o.created_at,
+	o.updated_at,
+	u.login,
+	u.type
+FROM
+	github_enterprise.oauth_applications o
+JOIN github_enterprise.users u ON
+	o.user_id = u.id;
diff --git a/sql/audit/user-emails.sql b/sql/audit/user-emails.sql
@@ -0,0 +1,22 @@
+/* 
+ * This pulls a list of all email addresses and the user account it is tied to
+ * that don't match the list of domains in the WHERE clause.  Add however many
+ * "%domain.com" needed to cover your company's approved domains.
+ *
+ * This query should be deprecated by this issue:
+ * https://github.com/github/roadmap/issues/204
+ *
+ * If you want a list of all emails, remove the WHERE clause.
+ */
+SELECT
+	u.login,
+	e.email,
+	u.suspended_at
+FROM
+	github_enterprise.users u
+JOIN github_enterprise.user_emails e ON
+	e.user_id = u.id
+WHERE
+	u.gravatar_email != e.email
+	AND e.email not like "%company.com"
+	AND e.email not like "%.tld";
diff --git a/sql/audit/user-ssh-keys.sql b/sql/audit/user-ssh-keys.sql
@@ -0,0 +1,18 @@
+/*
+ * This query returns user SSH keys and when they were last used.
+ */
+SELECT
+	d.title as key_name,
+	d.created_at,
+	d.updated_at,
+	d.verified_at,
+	d.accessed_at as last_used,
+	length(d.key) as key_length,
+	u.login as created_by_name,
+	d.created_by as created_by_type
+FROM
+	github_enterprise.public_keys d
+LEFT JOIN github_enterprise.users u ON
+	d.creator_id = u.id
+WHERE
+	d.user_id IS NOT NULL;
