allister
12/07/2022, 2:52 PM
clong
01/17/2023, 7:42 PM
user_interaction_events table, however it requires that a user has authorized osqueryd in the "Input Monitoring" privacy settings. Unfortunately, MDM can only be used to add the osqueryd entry to the input monitoring setting, but not actually enable it. The enable part has to be done by the end user themselves (AFAICT). Is there a way to have osqueryd prompt the user to enable that permission when it runs with the enable_keyboard/mouse_events flags set?
allister
01/25/2023, 9:35 AM
allister
01/25/2023, 9:38 AM
sudo pfctl -s info 2>/dev/null | awk '/Status/{print $2}'
the nicety/side effect of me just running code that wraps pfctl is I can also make sure what rules are in place and what order they're in, since I'm allowing end users to open additional ports at this point. I may want to parse ranges and audit those additional rules, so it's not the worst thing in the world that it isn't already built into osquery
allister
01/25/2023, 9:40 AM
seph
01/25/2023, 3:53 PM
allister
01/25/2023, 4:51 PM
seph
01/27/2023, 3:14 AM
pf is a BSD packet filter. Reading a bit about it, the API is /dev/pf. It's obviously possible to write something 🙂
allister
02/14/2023, 1:38 PM
allister
02/14/2023, 1:39 PM
select count(*) from iokit_registry;
count(*) = 2048
that is at least similar to the count from raw ioreg
% ioreg | wc -l
2049
Stefano Bonicatti
02/14/2023, 3:02 PM
ioreg and ioreg -l. One is only listing the devices, the other is also expanding and showing the properties of each device
Kiwito
02/27/2023, 9:29 AM
last_opened_time from apps, but I couldn't find the answer. Some apps result as -1 even though they are open. Is this a known issue? I also checked gitlab issues but I couldn't see anything.
Kiran Nunna
03/03/2023, 4:36 AM
allister
03/03/2023, 2:51 PM
Andrew Zick
03/20/2023, 10:26 PM
gethostuuid(). Is it a macOS API or something that returns a UUID that the device already generated at some point?
Kiwito
03/25/2023, 10:32 PM
allister
03/26/2023, 10:23 AM
Stryker0x
04/02/2023, 8:02 PM
Anuj Kharbanda
04/03/2023, 9:32 AM
last_opened_time in the apps table.
What does the word "opened" signify here, the time the app was launched or the time it was last used?
The results signify the former (time when the app was launched) in most cases, but it seems to be inconsistent sometimes.
For some apps running for a longer duration of time, the last_opened_time seems to change even though the app was running for the whole time before that. And this value is not equivalent to the last accessed/used time either.
allister
04/03/2023, 10:04 AM
Kiwito
04/03/2023, 8:26 PM
com.apple.WebKit.Networking.xpc and the parent process is launchd. So whatever is making that request is using WebKit.
Actually I am quite sure it is Safari, but is there any way to find out this kind of situation's origin? In my opinion I need something like auditd, but maybe I am missing something.
allister
04/07/2023, 6:29 AM# default, shouldn't be present with most sync server configs
/bin/launchctl bootout system/io.osquery.agent
# purge the app bundle, symlinks
/bin/rm -rf /opt/osquery
/bin/rm -f /usr/local/bin/osqueryi
/bin/rm -f /usr/local/bin/osqueryctl
# drop the default config/certs, logs, and local db
/bin/rm -rf /private/var/osquery
/bin/rm -rf /private/var/log/osquery
/bin/rm -rf /var/osquery/osquery.db
# forget newer-style pkgid from receipts db
/usr/bin/pkgutil --forget io.osquery.agent
should probably get that added to osqueryctl, at present there's just clean which dumps the db
oneiroi
05/02/2023, 9:50 AM
os_version.version in the application of the RSR, my query is, where might this be tracked? I'll be looking at the os_version.build though I am not certain this will change either, has anyone had the opportunity to review the RSRs introduced in macOS > 13.x (Ventura) as yet? Many thanks!
ihor
05/03/2023, 7:40 AM
Brad Girardeau
05/11/2023, 5:45 AM
unified_log table is that pagination is global even within a single query. For example, this gives incomplete results:
select subsystem, count(*) from unified_log where
timestamp > -1 and max_rows = 10000 and
(subsystem = 'com.apple.securityd' and category = 'kcacl') or
(subsystem = 'com.apple.Authorization' and category = 'authd')
group by subsystem;
Internally SQLite splits it into two subqueries, one for each OR clause, where the first moves pagination ahead before the second runs. I didn't see an easy way to change how the pagination works, so I made a PR adding a predicate column to be able to pass in complex conditions with one SQL constraint.
Cassio
05/24/2023, 6:43 PM
Tor Houghton
05/26/2023, 4:22 PM
Kiwito
05/29/2023, 9:43 PM
endpoint security framework or eslogger via osquery other than file_events?
allister
05/30/2023, 1:22 AM
allister
05/30/2023, 1:26 AM