incident_response: bugfixes across queries

incident_response/disk_events_macos.sql

@@ -5,4 +5,4 @@
 SELECT
   *
 FROM
-  authorizations;
+  disk_events;

incident_response/files-dev.sql

@@ -2,7 +2,11 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT *
-FROM file
-    JOIN hash ON file.path = hash.path
-WHERE file.path LIKE "/dev/%%";
+SELECT
+  file.*,
+  magic.data
+FROM
+  file
+  JOIN magic ON file.path = magic.path
+WHERE
+  file.path LIKE "/dev/%%";

incident_response/process_open_pipes.sql

@@ -1,8 +1,11 @@
--- Return the list of interface addresses
+-- Return the list of open pipes per process
 --
 -- tags: postmortem
 -- platform: posix
-SELECT p.path AS p_path, p.name AS p_name,
-    pop.*
-FROM process_open_pipes AS pop
-    LEFT JOIN processes p ON pop.pid = p.pid;
+SELECT
+  p.path AS p_path,
+  p.name AS p_name,
+  pop.*
+FROM
+  process_open_pipes AS pop
+  LEFT JOIN processes p ON pop.pid = p.pid;

incident_response/processes.sql

@@ -2,7 +2,8 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT pid,
+SELECT
+  pid,
   name,
   path,
   cmdline,
@@ -13,7 +14,7 @@ SELECT pid,
   gid,
   euid,
   egid,
-  seuid,
+  suid,
   sgid,
   on_disk,
   start_time,
@@ -22,4 +23,5 @@ SELECT pid,
   threads,
   nice,
   cgroup_path
-FROM processes
+FROM
+  processes

incident_response/seccomp_events.sql

@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT * FROM seccomp_events;
+SELECT
+  *
+FROM
+  seccomp_events;