osquery #macos

Andrew Zick

03/20/2023, 10:26 PM

A bit of a followup on my question in #general, for Mac, I don’t quite understand where this call to

gethostuuid()

. Is it a MacOS api or something that returns a uuid that the device already generated at some point?

Kiwito

03/25/2023, 10:32 PM

Hello everyone, when we update the pack, we need to restart osquerd deamon, right? So the question is, what would be the best way to do that? I mean, how can I understand on endpoint that pack is updated? And when deamon restart, I wonder if counters restarts, too or not? I don't want to mess with interval. Due to some restriction, I have quite low frequency.

allister

03/26/2023, 10:23 AM

1. I’d think you only should need to reload the daemon of you’re not using a sync server where the client polls for a configuration-related update 2. The interval is a pretty simple counter that I believe starts with the daemon, so I would expect it to restart in that case

Stryker0x

04/02/2023, 8:02 PM

XPOST: https://osquery.slack.com/archives/CBMR0L7SM/p1680465522850509 In case someone has run into this issue before.

Anuj Kharbanda

04/03/2023, 9:32 AM

Hi Team, I want to understand the significance of the column

last_opened_time

in the

apps

table. What does the word "opened" signifies here, like the time app was launched or the time it was last used ? The results signifies the former (time when app was launched) for most cases, but it seems to be inconsistent sometimes. For some apps running for a longer duration of time, the last_opened_time seems to be changing even though the app was running for the whole time before that. And this value is not equivalent to the last accessed/used time either.

allister

04/03/2023, 10:04 AM

The significance is the same output you’d get from mdfind about an app: Apple has associated that metadata with it, and it is as accurate as Apple makes it. I mentioned this previously: https://osquery.slack.com/archives/C08VA8R6F/p1677645044940249?thread_ts=1677490157.818159&channel=C08VA8R6F&message_ts=1677645044.940249

Kiwito

04/03/2023, 8:26 PM

Hey everyone, I have question not directly about osquery. I try to find origin of some suspicious traffic. In osquery, I see they are coming from

com.apple.WebKit.Networking.xpc

and parent process is

launchd

. So whatever making that request is using

webkit

Actually I am quite sure it is safari but are they anyway find out this kind situation's origin? In my opinion I need something like auditd but maybe I am missing something.

allister

04/07/2023, 6:29 AM

I'm assuming to uninstall osquery this is the 'generic' way on a Mac, yes? Anyone aware of uninstallers/scripts?

Copy code

# default, shouldn't be present with most sync server configs
/bin/launchctl bootout system/io.osquery.agent
# purge the app bundle, symlinks
/bin/rm -rf /opt/osquery
/bin/rm -f /usr/local/bin/osqueryi
/bin/rm -f /usr/local/bin/osqueryctl
# drop the default config/certs, logs, and local db
/bin/rm -rf /private/var/osquery
/bin/rm -rf /private/var/log/osquery
/bin/rm -rf /var/osquery/osquery.db
# forget newer-style pkgid from receipts db
/usr/bin/pkgutil --forget io.osquery.agent

should probably get that added to osqueryctl, at present there's just

clean

which dumps the db

oneiroi

05/02/2023, 9:50 AM

Hello all, Apple have released a Rapid Security update this applies the fixes but does not bump the

os_version.version

in the application of the RSR, my query is, where might this be tracked ? I'll be looking at the

os_version.build

though I am not certain this will change either, has anyone had the opportunity to review the RSR's introduced in macOS > 13.x (Ventura) as yet ? Many thanks!

ihor

05/03/2023, 7:40 AM

Hi All, I'm trying to build osquery from source on MacOS, but I can't find how to make one package for both architectures (arm, x86). I would be grateful for any hints.

Brad Girardeau

05/11/2023, 5:45 AM

Something that tripped me up with the

unified_log

table is that pagination is global even within a single query. For example, this gives incomplete results:

Copy code

select subsystem, count(*) from unified_log where 
  timestamp > -1 and max_rows = 10000 and 
  (subsystem = 'com.apple.securityd' and category = 'kcacl') or
  (subsystem = 'com.apple.Authorization' and category = 'authd')
  group by subsystem;

Internally sqlite splits it into two subqueries for each OR clause, where the first moves pagination ahead before the second runs. I didn't see an easy way to change how the pagination works, so I made a PR adding a predicate column to be able to pass in complex conditions with one SQL constraint

Cassio

05/24/2023, 6:43 PM

hi, is there any known issues related with osquery agent in MacOS that could lead into false positivies from osx-attacks.conf library enabled? since randomly alerts have been generated during the latest security updates from Apple during the last 45 days? anyone had similar issues?

Tor Houghton

05/26/2023, 4:22 PM

unsure if this is the right channel, but here goes: the macos packages on github, will that install an arm64 version of osquery, or an amd64 version that has to run through rosetta? (if the latter, is there a plan to release an arm64/aarch64 package for macos?)

Kiwito

05/29/2023, 9:43 PM

has any of you seen usage of

endpoint security framework

eslogger

via osquery other than

file_events

allister

05/30/2023, 1:22 AM

Via osquery is a work in progress (@sharvil has given talks about this) but the full capabilities are listed here https://developer.apple.com/documentation/endpointsecurity/event_types

allister

05/30/2023, 1:26 AM

I believe a boundary of capability is the app entitlement where osquery is continuing to be read-only ’in spirit’ whereas tools like Santa can set policies and use a full system extension and also look at file paths and volume mounts and such, in additional contrast to other tools that need entitlements to look at network traffic which are similarly extension-only

Rod Christiansen

06/13/2023, 11:38 PM

Does Fleet escrow FileVault PRKs (personal recovery keys) under its MDM?

Rod Christiansen

06/13/2023, 11:41 PM

Looks like yes: https://github.com/fleetdm/fleet/blob/561348f9515ecefc4f911d93a7b66542168b404f/server/service/osquery_utils/queries.go#L578 ?

Rod Christiansen

06/13/2023, 11:42 PM

Or is this for a query not device mgmt?

Grigory Emelianov

06/23/2023, 1:48 PM

Hi there, I ran into an issue when getting data from two MacBooks. Both devices have different hardware UUID if I look at the system info on the devices but the query returns an identical hardware UUID for both. • Both devices are not VMs • There were no changes in hardware e.g. original motherboards • Both devices are in use I saw a discussion before but it was not happening to many. Can anyone point me to any idea on what's wrong? Did it happen to anyone? Thanks!

allister

06/23/2023, 2:14 PM

wat

allister

06/23/2023, 2:17 PM

(I know that’s not helpful, but) What does system information (formerly known as system profiler) say for that value? How about

ioreg

(which is where I’m assuming the value is being pulled from by the table)?

oneiroi

07/11/2023, 12:05 PM

Also asking here about this thread incase anyone has encountered similar issues with the versions being returned from the

apps

table (macOS) && is handling the version comparison differently thanks !

Anuj Kharbanda

07/28/2023, 11:53 AM

Hi there, I have a very simple use case: I need to fetch latest 100 log entries from

unified_log

table. However, the problem is that this table returns data from earliest to latest and in patches of 100, so using "ORDER BY" does not work as expected for the entire data. Even if I try to use a normal query or paginate the response, it still fetches older data first. Is there a way I can achieve this? (Fetch latest 100 logs from Unified logs) Thanks !!

np5

08/02/2023, 10:03 AM

Hi! Looking at the managed_policies, it seems that when the values are not integers, strings or booleans, they are reported as empty strings, probably because of this. It would be interesting to report all the values, but I understand it is important to maintain backward compatibilities. What about introducing a “key” column that is a flattened path to the value (dot separated key or array index) ? Has something similar already been discussed ?

np5

08/02/2023, 10:03 AM

For example:

np5

08/02/2023, 10:03 AM

Copy code

<dict>
  […]
  <key>PayloadType</key>
  <string>com.apple.system-extension-policy</string>
  <key>AllowUserOverrides</key>
  <true/>
  <key>AllowedSystemExtensions</key>
  <dict>
    <key>EQHXZ8M8AV</key>
    <array>
      <string>com.google.santa.daemon</string>
    </array>
  </dict>
  <key>AllowedSystemExtensionTypes</key>
  <dict>
    <key>EQHXZ8M8AV</key>
    <array>
      <string>EndpointSecurityExtension</string>
    </array>
  </dict>
</dict>

+-----------------------------------+--------------------------------------+-----------------------------+--------------+---------------------------+----------+--------+
| domain                            | uuid                                 | name                        | key          | value                     | username | manual |
+-----------------------------------+--------------------------------------+-----------------------------+--------------+---------------------------+----------+--------+
| com.apple.system-extension-policy | 00000000-0000-0000-0000-000000000000 | AllowUserOverrides          |              | 1                         |          | 0      |
| com.apple.system-extension-policy | 00000000-0000-0000-0000-000000000000 | AllowedSystemExtensions     | EQHXZ8M8AV.0 | com.google.santa.daemon   |          | 0      |
| com.apple.system-extension-policy | 00000000-0000-0000-0000-000000000000 | AllowedSystemExtensionTypes | EQHXZ8M8AV.0 | EndpointSecurityExtension |          | 0      |
+-----------------------------------+--------------------------------------+-----------------------------+--------------+---------------------------+----------+--------+

np5

08/02/2023, 10:17 AM

or like the plist table, subkey and a ‘/’ separator

Kathy Satterlee

08/09/2023, 11:09 PM

Has anyone managed to pull data from the

config.pvs

for a Parallels VM with osquery? Working on grabbing performance data for VMs and would like to grab CPU, RAM and disk allocation settings along with the other data I'm grabbing about the running process.

Steve Poe

09/02/2023, 3:12 AM

Has anyone used osquery to report on external displays/monitors attached on MacBookPros?