yup, signature can see two arch's for universal binaries and one for intel-only's

I'm attempting to use the

user_interaction_events

table, however it requires that a user as authorized osqueryd in the "Input Monitoring" privacy settings. Unfortunately, MDM can only be used to add the osqueryd entry to the input monitoring setting, but not actually enable it. The enable part has to be done by the end user themselves (AFAICT). Is there a way to have osqueryd prompt for the user to enable that permission when it runs with the

enable_keyboard/mouse_events

flags set?

I admittedly don't understand how low-level the packetfilter/pf firewall is on macOS and need to audit if it's enabled. AFAIK there's no table for that, nor is it something I can see a running process for, so I most likely have to shell out to pfctl, yes?

sudo pfctl -s info 2&>/dev/null | awk '/Status/{print $2}'

the nicety/side effect of me just running code that wraps pfctl is I can also make sure what rules are in place and what order they're in, since I'm allowing end users to open additional ports at this point. I may want to parse ranges and audit those additional rules so it's not the worst thing in the world it isn't already built-in to osquery

I'm just more interested for curiosities sake, like there probably is some other attribute/artifact/way I can detect it's enabled/inspecting packets besides did my launchd job keep it alive

I would not expect a running process, no. I don’t think there’s a table, I don’t know if there are frameworks for that data. Maybe you could write a table. :) Otherwise, shelling seems like what you get.

This is why I need to learn c, yknow? So I can throw these things in hopper and see how it’s determining that inspection is active

pf

is a bsd package filter. Reading a bit about it, the api is

/dev/pf

. It’s obviously possible to write something 🙂

I'm coming back to the conversation here https://osquery.slack.com/archives/C08VA8R6F/p1584106015024600?thread_ts=1584103388.017700&cid=C08VA8R6F and not quite getting why the `iokit_registry`table can't get this data.

select count(*) from iokit_registry;
count(*) = 2048

that is at least similar to the count from raw ioreg

% ioreg | wc -l                                                                                          
    2049

I think it’s the same difference between

ioreg

and

ioreg -l

. One is only listing the devices, the other is also expanding and showing the properties of each device

I have checked all messages about

last_opened_time from apps

but I couldn't find the answer. Some apps results as

-1

even though they are open. Is this a known issue? I also checked gitlab issues but I couldn't see anything.

Hi Team, is there any relation between Apps and Processes table (for Mac)? We have a use-case, to determine the list of processes for a given application.

an 'app' is just a bundle of stuff, right? You may not be able to be comprehensive to determine what launched from all the possible associated code inside an app, but there's a long-standing example query about finding processes and JOINing on the path from the app table

A bit of a followup on my question in #general, for Mac, I don’t quite understand where this call to

gethostuuid()

. Is it a MacOS api or something that returns a uuid that the device already generated at some point?

Hello everyone, when we update the pack, we need to restart osquerd deamon, right? So the question is, what would be the best way to do that? I mean, how can I understand on endpoint that pack is updated? And when deamon restart, I wonder if counters restarts, too or not? I don't want to mess with interval. Due to some restriction, I have quite low frequency.

1. I’d think you only should need to reload the daemon of you’re not using a sync server where the client polls for a configuration-related update 2. The interval is a pretty simple counter that I believe starts with the daemon, so I would expect it to restart in that case

XPOST: https://osquery.slack.com/archives/CBMR0L7SM/p1680465522850509 In case someone has run into this issue before.

Hi Team, I want to understand the significance of the column

last_opened_time

in the

apps

table. What does the word "opened" signifies here, like the time app was launched or the time it was last used ? The results signifies the former (time when app was launched) for most cases, but it seems to be inconsistent sometimes. For some apps running for a longer duration of time, the last_opened_time seems to be changing even though the app was running for the whole time before that. And this value is not equivalent to the last accessed/used time either.

The significance is the same output you’d get from mdfind about an app: Apple has associated that metadata with it, and it is as accurate as Apple makes it. I mentioned this previously: https://osquery.slack.com/archives/C08VA8R6F/p1677645044940249?thread_ts=1677490157.818159&channel=C08VA8R6F&message_ts=1677645044.940249

Hey everyone, I have question not directly about osquery. I try to find origin of some suspicious traffic. In osquery, I see they are coming from

com.apple.WebKit.Networking.xpc

and parent process is

launchd

. So whatever making that request is using

webkit

Actually I am quite sure it is safari but are they anyway find out this kind situation's origin? In my opinion I need something like auditd but maybe I am missing something.

I'm assuming to uninstall osquery this is the 'generic' way on a Mac, yes? Anyone aware of uninstallers/scripts?

# default, shouldn't be present with most sync server configs
/bin/launchctl bootout system/io.osquery.agent
# purge the app bundle, symlinks
/bin/rm -rf /opt/osquery
/bin/rm -f /usr/local/bin/osqueryi
/bin/rm -f /usr/local/bin/osqueryctl
# drop the default config/certs, logs, and local db
/bin/rm -rf /private/var/osquery
/bin/rm -rf /private/var/log/osquery
/bin/rm -rf /var/osquery/osquery.db
# forget newer-style pkgid from receipts db
/usr/bin/pkgutil --forget io.osquery.agent

should probably get that added to osqueryctl, at present there's just

clean

which dumps the db

Hello all, Apple have released a Rapid Security update this applies the fixes but does not bump the

os_version.version

in the application of the RSR, my query is, where might this be tracked ? I'll be looking at the

os_version.build

though I am not certain this will change either, has anyone had the opportunity to review the RSR's introduced in macOS > 13.x (Ventura) as yet ? Many thanks!

Hi All, I'm trying to build osquery from source on MacOS, but I can't find how to make one package for both architectures (arm, x86). I would be grateful for any hints.

Something that tripped me up with the

unified_log

table is that pagination is global even within a single query. For example, this gives incomplete results:

select subsystem, count(*) from unified_log where 
  timestamp > -1 and max_rows = 10000 and 
  (subsystem = 'com.apple.securityd' and category = 'kcacl') or
  (subsystem = 'com.apple.Authorization' and category = 'authd')
  group by subsystem;

Internally sqlite splits it into two subqueries for each OR clause, where the first moves pagination ahead before the second runs. I didn't see an easy way to change how the pagination works, so I made a PR adding a predicate column to be able to pass in complex conditions with one SQL constraint

hi, is there any known issues related with osquery agent in MacOS that could lead into false positivies from osx-attacks.conf library enabled? since randomly alerts have been generated during the latest security updates from Apple during the last 45 days? anyone had similar issues?

unsure if this is the right channel, but here goes: the macos packages on github, will that install an arm64 version of osquery, or an amd64 version that has to run through rosetta? (if the latter, is there a plan to release an arm64/aarch64 package for macos?)

has any of you seen usage of

endpoint security framework

or

eslogger

via osquery other than

file_events

?

Via osquery is a work in progress (@sharvil has given talks about this) but the full capabilities are listed here https://developer.apple.com/documentation/endpointsecurity/event_types

I believe a boundary of capability is the app entitlement where osquery is continuing to be read-only ’in spirit’ whereas tools like Santa can set policies and use a full system extension and also look at file paths and volume mounts and such, in additional contrast to other tools that need entitlements to look at network traffic which are similarly extension-only