SQL Views

June 27, 2026 · View on GitHub

Reusable SQL views that are automatically loaded by mquire on startup. Install them with just install-views.

Directory structure

Views are organized by operating system and architecture:

sql/views/
  common/
    common/       # Views for all platforms and architectures
  linux/
    common/       # Linux views for all architectures
    intel/        # Linux views specific to Intel/x86_64

The common directory acts as a wildcard: views placed there apply to all platforms or architectures.

Load order

When mquire starts, it loads SQL files from the autostart directory ($HOME/.config/trailofbits/mquire/autostart/) in the following order:

  1. common/common/: platform and architecture independent
  2. common/{arch}/: architecture-specific, all platforms
  3. {os}/common/: platform-specific, all architectures
  4. {os}/{arch}/: platform and architecture specific

Files within each directory are sorted alphabetically by filename.

Numbering convention

View filenames are prefixed with a number to control execution order. Ranges are allocated by category:

RangeCategoryDescription
000–099FoundationDeduplicated base tables (e.g., processes)
100–199Per-process analysisViews joining process data with files, network, memory
200–299Security / detectionRootkit detection, anomaly comparison
300+ReservedFuture categories

Leave gaps between your custom views (increments of 10) so new shipped views can be inserted without renumbering.

Shipped views

Linux

FileView nameDescription
000_processes.sqlprocessesDeduplicated process list across all discovery sources, filtered to user-space process leaders
100_process_network_connections.sqlprocess_network_connectionsMaps network connections to owning processes by joining through file descriptors
110_process_libraries.sqlprocess_librariesLists shared libraries mapped into each process, for spotting unexpected loaded objects
120_process_capabilities.sqlprocess_capabilitiesQuick-peek capability overview: one row per process, each set (effective/permitted/inheritable/ambient/bounding) rendered as a compact value (ALL, '' for empty, or the space-separated cap names); NULL means the set was unreadable
130_process_ptrace_flags.sqlprocess_ptrace_flagsQuick-peek ptrace overview: one row per process, the set PT_* flags rendered as a compact space-separated list ('' when the task is not being traced) plus the raw task_struct::ptrace value
200_tasklist_pidns_differences.sqltasklist_pidns_differencesDetects processes present in the task_list discovery source but missing from pid_ns (or vice versa), a rootkit-hiding indicator
210_process_anon_wx_regions.sqlprocess_anon_wx_regionsList per-process anonymous W+X memory regions, as an indicator for code injection
220_ld_env_override_processes.sqlld_env_override_processesLists processes that override the dynamic linker via LD_PRELOAD / LD_AUDIT / LD_LIBRARY_PATH