macos
  • Praveen Kumar
    09/06/2022, 6:57 PM
    Please find the screenshot from Xcode for the above related issue.
  • Mystery Incorporated
    09/17/2022, 9:40 AM
    Hello, in the GitHub releases there is osquery-macos-x86-64 and there is osqueryd-macos-bare. What is the difference?
  • allister
    10/03/2022, 6:00 AM
    ok how do I make the magical mdfind table do my bidding, this is the complement from the CLI that works:
    mdfind -name pip- info
    but no matter what iteration I try (kMDItemFSName, kMDItemDisplayName, glob's, spaces) I can't seem to get any results from mdfind.query, using @fritz's file table join syntax, e.g.:
    > SELECT f.path FROM file AS f JOIN mdfind ON mdfind.path = f.path AND mdfind.query = "kMDItemFSName == 'pip-*info'";
    > SELECT f.path FROM file AS f JOIN mdfind ON mdfind.path = f.path AND mdfind.query = "kMDItemDisplayName == 'pip- info'";
  • fritz
    10/03/2022, 1:01 PM
    @allister it appears the infix * is contributing to the problem, you could maybe overcome this with an &&'ed argument:
    SELECT * FROM mdfind WHERE query = "kMDItemFSName == '*pip*'c && kMDItemFSName == '*info'c";
  • fritz
    10/03/2022, 1:12 PM
    The "simple syntax" no longer appears to be supported by the osquery mdfind table but works still in victor's earlier launcher implementation kolide_spotlight:
    osquery> SELECT COUNT(*) FROM kolide_spotlight WHERE query = "-name pip- info";
    +----------+
    | COUNT(*) |
    +----------+
    | 10       |
    +----------+
  • allister
    10/03/2022, 1:13 PM
    Ah, it was right under my nose! Thanks as always 🙇
  • fritz
    10/03/2022, 1:15 PM
    Maybe I am misremembering, it is possible the simple syntax was never supported by mdfind and it was only in @groob's kolide_spotlight table..., I can't find any changes since the initial introduction of mdfind that would have impacted it
  • fritz
    10/03/2022, 1:16 PM
    perhaps it is something worth filing an issue to add support for
  • fritz
    10/03/2022, 1:16 PM
    though I never wind up using the simple syntax because it is just a bit too magical for my tastes, I never really know how it will behave
  • allister
    10/03/2022, 1:50 PM
    what does the 'c kind-of suffix represent?
  • Brandon Kurtz
    10/03/2022, 9:48 PM
    👋 Anyone have experience with the new unified-log table? https://osquery.slack.com/archives/C08V7KTJB/p1664587105586999
  • fritz
    10/05/2022, 1:11 PM
    @Brandon Kurtz what kind of experience are you looking for? What are you looking to accomplish?
  • lvferdi
    10/17/2022, 6:26 PM
    I have been looking at the unified_log table and capabilities in version 5.5.1 and I have seen all queries get denylisted pretty quickly. I have the following query looking for xprotect actions in unified_logs:
    select timestamp as time, datetime(timestamp, 'unixepoch') AS utc_time, storage, message, activity, process, pid, sender, tid, category, subsystem FROM unified_log WHERE (sender = 'AppleSystemPolicy' AND message like '%ASP: Security policy%') and timestamp > -1;
    This tends to either get denylisted on first run or on the second. Any thoughts on how to collect this and other data from unified_log without being denylisted would be appreciated.
  • Stefano Bonicatti
    10/18/2022, 11:29 AM
    Also, I’ve noticed that the cursor in the logs doesn’t seem to move forward, it always returns the first 100 rows (be it via shell or daemon)
  • defensivedepth
    11/08/2022, 12:55 PM
    @Guillaume Tagging you since you originally wrote this query 🙂 https://fleetdm.com/queries/antivirus-healthy-mac-os Do you know of an easy way to find out what the latest versions are?
  • allister
    11/08/2022, 1:07 PM
    wasn't there a feed at one point? I'm assuming you've seen the Howard Oakley/EclecticLight blog posts on the topic?
  • defensivedepth
    11/08/2022, 1:12 PM
    Nope 🙂
  • defensivedepth
    11/08/2022, 1:12 PM
    Will go find them
  • defensivedepth
    11/08/2022, 1:13 PM
    I know Win much better than macOS
  • allister
    11/08/2022, 1:13 PM
    well I mean it's a stretch to call xprotect "AV"
  • allister
    11/08/2022, 1:14 PM
    the resolution is also not directly related to what that query is looking at
  • defensivedepth
    11/08/2022, 1:15 PM
    How so?
  • allister
    11/08/2022, 1:16 PM
    you could query the state of the checkbox the resolution is pointing at, since you're hoping a disconnected action will result in a 'healthy AV' state
  • defensivedepth
    11/08/2022, 1:21 PM
    I think there are probably a couple pieces here. 1. Is the system configured to automatically pull the definition updates? 2. Is the actual state of the system what you would expect it to be (i.e. those updates have been installed)? Same issue with Windows monthly Patch Tuesday: I want to check that a system is set to automatically download & install updates, but I also want to check that updates have successfully been installed recently (i.e. monthly).
  • Guillaume
    11/08/2022, 1:51 PM
    Nudge has the same issue. I think we have it on the backlog to find a way to add variables to policies and then find a way to provide this info but it hasn’t been prioritized so far
  • allister
    11/08/2022, 1:57 PM
    I could very easily be mistaken that the checkbox in (now as of Ventura) System Settings isn't actually directly readable via defaults (or otherwise)
  • allister
    11/14/2022, 3:31 AM
    I'm not sure why I conflated kernel panics and crashes back then, but I've since chimed in on #6776 since it's unresolved I'd REALLY VERY MUCH like to be able to confirm stability with the output of this table 😅
  • Terje Kvernes
    11/14/2022, 3:06 PM
    Hm, in the fleetdm UI there is a field for Macs, "Used by", which shows an email address that was probably used for iCloud at some point on the host. Does anyone know where this data is gathered from?
  • Jshi
    11/25/2022, 6:37 AM
    I get an error when building on Intel macOS, does anybody know how to fix this?
    [ 52%] Building CXX object plugins/config/parsers/CMakeFiles/plugins_config_parsers.dir/feature_vectors.cpp.o
    /Users/shijunyan/Documents/code/osquery/osquery/events/darwin/endpointsecurity.cpp:102:35: error: no member named 'global_seq_num' in 'es_message_t'
    ec->global_seq_num = message->global_seq_num;
    ~~~~~~~ ^
    1 error generated.
    make[2]: * [osquery/events/CMakeFiles/osquery_events.dir/darwin/endpointsecurity.cpp.o] Error 1
    make[2]: * Waiting for unfinished jobs....
    [ 52%] Building CXX object osquery/tables/utility/CMakeFiles/osquery_tables_utility_utilitytable.dir/file.cpp.o
    [ 52%] Building CXX object libs/src/aws-sdk-cpp/CMakeFiles/thirdparty_aws-cpp-sdk-ec2.dir/src/aws-sdk-cpp/aws-cpp-sdk-ec2/source/model/CreateInstanceExportTaskResponse.cpp.o
    [ 52%] Building CXX object plugins/config/parsers/CMakeFiles/plugins_config_parsers.dir/file_paths.cpp.o
    [ 52%] Building CXX object osquery/carver/CMakeFiles/osquery_carver.dir/carver.cpp.o
    [ 52%] Building CXX object libs/src/aws-sdk-cpp/CMakeFiles/thirdparty_aws-cpp-sdk-ec2.dir/src/aws-sdk-cpp/aws-cpp-sdk-ec2/source/model/CreateInternetGatewayRequest.cpp.o
    /Users/shijunyan/Documents/code/osquery/osquery/events/darwin/endpointsecurity_fim.cpp:160:35: error: no member named 'global_seq_num' in 'es_message_t'
    ec->global_seq_num = message->global_seq_num;
    ~~~~~~~ ^
    1 error generated.
    make[2]: * [osquery/events/CMakeFiles/osquery_events.dir/darwin/endpointsecurity_fim.cpp.o] Error 1
    make[1]: * [osquery/events/CMakeFiles/osquery_events.dir/all] Error 2
    make[1]: * Waiting for unfinished jobs....