trying to limit returned users from the users table in macos, getting unexpected results -

SELECT * from users WHERE username NOT LIKE '_%';

returns nothing, but

SELECT * FROM users WHERE username NOT LIKE '_a%';

returns expected results (I get _d and _k and _n usernames, but no _a results). v4.2.0 am I crazy?

I saw this tweet which is related to MacOs ransomware https://twitter.com/lordx64/status/1314614366361264130 ..

doesn't that look like a proof of concept?

Can you run the following on the device in question and paste the output?

Of note, and this should be considered by others using the

disk_encryption

table (perhaps @zwass knows the reason since he helped write it), you should always use a

CROSS JOIN

to call

disk_encryption

first in the

FROM

clause otherwise the query runtime will be excessively slow, eg.

osquery> select m.path,
    ...> case when de.encrypted = 1 then "true" else "false" end as filevault
    ...> from disk_encryption de
    ...> CROSS join mounts m on m.device_alias = de.name;
+--------------------------+-----------+
| path                     | filevault |
+--------------------------+-----------+
| /Volumes/Jeyi            | false     |
| /System/Volumes/Data     | true      |
| /private/var/vm          | true      |
| /                        | true      |
| /Volumes/Untitled        | false     |
+--------------------------+-----------+
Run Time: real 0.723 user 0.189720 sys 0.154101

osquery> select m.path,
    ...> case when de.encrypted = 1 then "true" else "false" end as filevault
    ...> from mounts m
    ...> CROSS join disk_encryption de on m.device_alias = de.name;
+--------------------------+-----------+
| path                     | filevault |
+--------------------------+-----------+
| /                        | true      |
| /System/Volumes/Data     | true      |
| /private/var/vm          | true      |
| /Volumes/Jeyi            | false     |
| /Volumes/Untitled        | false     |
+--------------------------+-----------+
Run Time: real 5.845 user 1.532276 sys 1.258735

Wanted to utilize osquery on all devices and send over all logs to cloud solutions such as AWS as part of aggregation and querying?what is the best/quickest and repeatable way to do this?

Oh yes,my apology,what about downloading files can we do it utilizing OSQuery?

are there any mechanisms for querying the new system extensions in Catalina+ in oquery? is this being worked on at all?

Hi #general I am trying to build a query to evaluate if the CrowdStrike agent process is running for both Big Sur and previous OS, but I am not being very successful. Here is the query I've built:

SELECT * FROM processes WHERE name='com.crowdstrike.falcon.Agent' OR 'falcond' AND (state='R' OR '82');

The process name com.crowdstrike.falcon.Agent is only present in BigSur but not in previous OS versions. Previous OSs, the process is called falcond. In other words, I need to be able to evaluate which one is true, but the above query is only working in BigSur. Any ideas on how to improve this query? Thank you

just sanity check to ensure that we have a decent collection for our osquery deployments over macos. I would love to get the process auditing working

--force=true
--host_identifier=hostname
--verbose=true
--tls_dump=true
--tls_hostname=___SITE____
--tls_server_certs=__PATH_TO_CERTS__
--enroll_secret_path=__PATH_TO_SECRET___
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--disable_events=false
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_process_events=true
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10

should osquery be sending results from different queries in one request to the /logger endpoint on TLS? If so, is there a flag to stop this behaviour?

Hi guys, i was trying to understand what is the status of the

asl

table. I understand it is deprecated since 10.12 but i still can query it and get data when i try in a 10.14 endpoint. But, is that data reliable? or will I be missing events? Should i be looking at using the trail of bits extension for the time being?

Hi everyone some important information about FileVault and Osquery in this blog post we put together. https://blog.kolide.com/modern-macs-still-need-filevault-d5e2f55c083b

I noticed M1's are shipping without osquery able to make proper detection, so I bumped @seph's issue with some background/random observations

Can I use osquery (v4.6.0) to determine the keyboard type installed? If so, what would that query look like?

👋 I’m struggling to get FIM file access working on MacOS… FIM is working and I have

file_accesses

in my config. What else could I be forgetting?

Also, as I understand it, standard FIM file access distinct from enabling process_file_events. Is this correct?

does anyone know the bundle identifier for the osqueryd binary on macOS? (trying to write a Full Disk Access MDM policy for it). It looks like it's just "osqueryd"; can anyone confirm?:

~ ❯ sudo /usr/bin/codesign -vvvv --display --entitlements - ~/Downloads/osqueryd                                                                                                                                                                                                   
Executable=/Users/user/Downloads/osqueryd
Identifier=osqueryd
Format=Mach-O thin (x86_64)
<snip>
Signature size=9077
Authority=Developer ID Application: Theodore Reed (B89LNTUADM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 16, 2020 at 10:34:40 PM
Info.plist=not bound
TeamIdentifier=B89LNTUADM
Runtime Version=10.14.0
Sealed Resources=none
Internal requirements count=1 size=168

#linux is it possible to read the content of the file using osquery in linux ?

I wonder if it’s wrong to have osquery create that directory. I can argue either way

If osquery tried to create it on startup. it might make some things simple for end users. But, it would mean that an error in the config would results in a bunch of logs somewhere perhaps unexpected. It might also have some bootstrapping weirdness. If you’re testing osquery, and you invoke it with a log path from the command line, you might get directories created instead of an error. Not really sure what people would find least confusing. ¯\_(ツ)_/¯

Is there a way to query a list of system extensions?

@Mike Myers curious about your thoughts pertaining to a comment i posted on the Safari Extensions issue: https://github.com/osquery/osquery/issues/6498 I found what I believe to be a better datasource.

In the Thrift extensions API this is exposed as

getQueryColumns

As ways to get tables maintained, golang is just way more approachable than (objective)c++, y'know? I'd be much more comfortable yolo 'ing stuff to be git blame'd for later since I can have way more friendlies check my stuff before sending a PR

is the macOS pkg installing lenses to a subdirectory of lenses which is a subdirectory of lenses… unintentionally? The docs say the pkg makes this as one of the entires in the created directory structure:

/private/var/osquery/lenses/{*}.aug

but it's one 'extra' level down… packs are at the expected level one below /p/v/osq…

The text inside it I mean. Is it a structured type (eg. xml, ini, plist, json, etc?)

Are you using vanilla osquery or Kolide's launcher extension?

Is there documentation anywhere on how to uninstall an orbit package?

Regarding the

system_extensions

table and the new mdm_managed column implementation… it doesn't rely on the presence of the sysext before returning its bool-as-int, 1 if "pre-allowed", 0 if not, correct?