osquery #macos

Grigory Emelianov

06/23/2023, 1:48 PM

Hi there, I ran into an issue when getting data from two MacBooks. Both devices have different hardware UUID if I look at the system info on the devices but the query returns an identical hardware UUID for both. • Both devices are not VMs • There were no changes in hardware e.g. original motherboards • Both devices are in use I saw a discussion before but it was not happening to many. Can anyone point me to any idea on what's wrong? Did it happen to anyone? Thanks!

allister

06/23/2023, 2:14 PM

wat

allister

06/23/2023, 2:17 PM

(I know that’s not helpful, but) What does system information (formerly known as system profiler) say for that value? How about

ioreg

(which is where I’m assuming the value is being pulled from by the table)?

oneiroi

07/11/2023, 12:05 PM

Also asking here about this thread incase anyone has encountered similar issues with the versions being returned from the

apps

table (macOS) && is handling the version comparison differently thanks !

Anuj Kharbanda

07/28/2023, 11:53 AM

Hi there, I have a very simple use case: I need to fetch latest 100 log entries from

unified_log

table. However, the problem is that this table returns data from earliest to latest and in patches of 100, so using "ORDER BY" does not work as expected for the entire data. Even if I try to use a normal query or paginate the response, it still fetches older data first. Is there a way I can achieve this? (Fetch latest 100 logs from Unified logs) Thanks !!

np5

08/02/2023, 10:03 AM

Hi! Looking at the managed_policies, it seems that when the values are not integers, strings or booleans, they are reported as empty strings, probably because of this. It would be interesting to report all the values, but I understand it is important to maintain backward compatibilities. What about introducing a “key” column that is a flattened path to the value (dot separated key or array index) ? Has something similar already been discussed ?

np5

08/02/2023, 10:03 AM

For example:

np5

08/02/2023, 10:03 AM

Copy code

<dict>
  […]
  <key>PayloadType</key>
  <string>com.apple.system-extension-policy</string>
  <key>AllowUserOverrides</key>
  <true/>
  <key>AllowedSystemExtensions</key>
  <dict>
    <key>EQHXZ8M8AV</key>
    <array>
      <string>com.google.santa.daemon</string>
    </array>
  </dict>
  <key>AllowedSystemExtensionTypes</key>
  <dict>
    <key>EQHXZ8M8AV</key>
    <array>
      <string>EndpointSecurityExtension</string>
    </array>
  </dict>
</dict>

+-----------------------------------+--------------------------------------+-----------------------------+--------------+---------------------------+----------+--------+
| domain                            | uuid                                 | name                        | key          | value                     | username | manual |
+-----------------------------------+--------------------------------------+-----------------------------+--------------+---------------------------+----------+--------+
| com.apple.system-extension-policy | 00000000-0000-0000-0000-000000000000 | AllowUserOverrides          |              | 1                         |          | 0      |
| com.apple.system-extension-policy | 00000000-0000-0000-0000-000000000000 | AllowedSystemExtensions     | EQHXZ8M8AV.0 | com.google.santa.daemon   |          | 0      |
| com.apple.system-extension-policy | 00000000-0000-0000-0000-000000000000 | AllowedSystemExtensionTypes | EQHXZ8M8AV.0 | EndpointSecurityExtension |          | 0      |
+-----------------------------------+--------------------------------------+-----------------------------+--------------+---------------------------+----------+--------+

np5

08/02/2023, 10:17 AM

or like the plist table, subkey and a ‘/’ separator

Kathy Satterlee

08/09/2023, 11:09 PM

Has anyone managed to pull data from the

config.pvs

for a Parallels VM with osquery? Working on grabbing performance data for VMs and would like to grab CPU, RAM and disk allocation settings along with the other data I'm grabbing about the running process.

Steve Poe

09/02/2023, 3:12 AM

Has anyone used osquery to report on external displays/monitors attached on MacBookPros?

Mike Krygier

09/23/2023, 1:03 AM

Has anyone used osquery to monitor file_events on MacOS when it is deployed through Elastic Agents / Osquery Manager?

allister

09/23/2023, 2:07 PM

I don’t know why ‘Elastic’ would have much to do with the ability for tables to populate, as long as the daemon sees a scheduled query and has full disk access there shouldn’t be too much that can go wrong (unless there’s a bug or misconfig in the query)

Mehmet

09/27/2023, 10:51 AM

Hi, I'm trying to understand how the

signature

table works on macOS in terms of the validation of a signature. I have a binary which has a valid ad-hoc signature(no team identifier and authority is available). I would expect the

is_signed

value to be

, but I'm getting

. Is it an expected behavior for being signed when there is a valid signature without team identifier and authority?

Jakob Magun

10/03/2023, 10:56 AM

defender

Gary

10/03/2023, 7:15 PM

I just built osquery from source on my mac, and ran osqueryi. When running the

select * from disk_encryption;

query, it doesn't seem to give me the correct result for

encryption_status

and

filevault_status

. How can I fix this issue? Thanks.

Guilherme Monteiro

10/05/2023, 11:51 AM

Hi All, Does anyone know if I can use the Host column as part of a query? Ex: when I run a query like select * from wifi_status I can see the Host column, but if I try to use it in a query I receive an error that Host is not a valid column

Akash Patel

10/06/2023, 4:31 PM

Hi All, is anyone having any issues with using osquery 5.4 with macOS Sonoma? Or know if there will be any compatibility issues?

Priya Jagyasi

10/09/2023, 10:15 AM

Hi All, I want to know what does the table power_sensors give information about? I ran it on my Mac Ventura 13.5.2 and it only gives -1 as values, please see below..what does -1 mean here?

allister

10/09/2023, 11:17 AM

It’s supposed to be Mac-compliant, and it’s obviously showing names, I’d next be looking at the schema for hints

Mehmet

10/11/2023, 8:13 AM

Is there any plan to parse the new login items? https://github.com/osquery/osquery/issues/5564

allister

10/11/2023, 9:01 AM

that issue seems to capture the fact a 'modern' table is not present, so until a btm-specific table gets contributed I'd say the plan is to… wait?

Jakob Magun

10/15/2023, 10:53 AM

I would like to habe osquery report on the status of Microsoft Defender of Endpoint AntiVirus solution. I can check if the

wdavdaemon

process is running but this will not assure that realtime protection is actually enabled. The command

mdatp health

provides status information. Any ideas for a solution?

Glen

10/25/2023, 2:47 PM

I’m trying to figure out how to detect touchid changes on osx? One of the branches of the threat model I’d like to prune is changes to touchid. The thought is to send a user through a different flow that requires a secondary step if there is a change to touchid on a user’s mac. Does anyone know how to check this using osquery? We are managing it using fleet. I see the

bioutil

command, but that isn’t great for change detection. Maybe there’s a way to query changes via

asl

logging? Asking here because possibly someone has already figured this out?

Kiwito

11/01/2023, 5:35 PM

Getting error on magic using on Sonoma with osquery 5.10.2 it looks like the same old error which was fixed on 5.2.1 I guess. Unable to load magic list of database. Can anyone else check magic Table ?

tlark

11/09/2023, 4:34 PM

cross posting here - we have FleetDM setup and I have data pipelines going and that is all great! What I am looking to do next is to track a computer's compute usage, like CPU + RAM + Disk I/O and I have process events enabled. This has gotten me pretty far, but what I am looking for advice on, is anyone using the process events to track what processes are running and then joining that to other tables to build some sort of basic compute algorithm to track how much compute each endpoint is using and if we need to upgrade or we can potentially look at right sizing the hardware for cost savings

macOS antivirus query

Scott Bonar

11/20/2023, 6:38 PM

What's the best way to query a macOS system to determine if it has antivirus running?

Rafa Bono

11/30/2023, 9:43 AM

Hi! I created a crontab for my user (macOS 14.1.1) and saw the

crontab

table is returning nothing. But having results by running

crontab -l

. Am I missing anything?

lvferdi

12/06/2023, 3:22 PM

I did an admittedly quick search through the history for this and didn’t find an answer. With the depreciation of OpenBSM, is there a new prescribed way to collect network socket event data on Mac. According to the docs it appears that socket_events are collected by OpenBSM with no callout to a secondary table to pull these events from after depreciation

allister

12/06/2023, 3:27 PM

within osquery I believe the answer is not at this time, but openbsm never was? network filters via system extensions are I think maybe under the same umbrella as the endpoint security framework and the apple-recommended way to monitor/grab that I'd think