hey channel. It's been a while. just downloaded 4.3.0 for MacOS, but seeing this weird error:

~  sudo /usr/local/bin/osqueryctl start                                                                                                       14:33:35 
/Library/LaunchDaemons/com.facebook.osqueryd.plist: service already loaded
Load failed: 37: Operation already in progress
 ~  sudo /usr/local/bin/osqueryctl stop
 ~  sudo /usr/local/bin/osqueryctl start                                                                                                      14:33:45 
 ~  sudo /usr/local/bin/osqueryctl status                                                                                                      14:33:49 
com.facebook.osqueryd is not running

4…….3?

Does anybody know why I could be having an issue where all entries in

osquery_schedule

have a

last_executed = 0

? I have enabled the osx-attack pack but no queries seem to be running, I left the default Intervals and I'm using filesystem logging. If this is not the right place to ask this let me know where thanks! :)

Hi all, i would like to check the status on the work being done in https://github.com/osquery/osquery/pull/6904 , is there any chance to see this happening in the short term? or is it just looking for somebody with time to do the final changes?

Sort of new to messing around with osquery configurations... I noticed my agent doesn't survive reboots. I have to

/usr/local/bin/osqueryctl restart

when I start the machine. I am running Big Sur. Aside from croning this, is there already a way to start the osquery agents on boot?

👋 The macos pkg doesn’t have the same hash on github and on the osquery website, is it expected

what am I missing here…

{
  "auto_table_construction": {
    "munki_app_usage_local": {
      "query": "select event, bundle_id, app_version, app_path, last_time, number_times from munki_app_usage_local;",
      "path": "/Library/Managed Installs/application_usage.sqlite",
      "columns": [
        "event",
        "bundle_id",
        "app_version",
        "app_path",
        "last_time",
        "number_times"
      ]
    }
  }
}

and it's got stuff in it

sqlite> select count(*) from application_usage;
290

but osqueryi isn't seeing it

osquery> SELECT count(*) FROM munki_app_usage_local;
I0709 18:58:29.412958 86793728 virtual_sqlite_table.cpp:111] ATC table: Could not prepare database at path: "/Library/Managed Installs/application_usage.sqlite"
W0709 18:58:29.413038 86793728 auto_constructed_tables.cpp:47] ATC Table: Error Code: 1 Could not generate data: Could not prepare database for path /Library/Managed Installs/application_usage.sqlite
count(*) = 0

Has anyone been successful getting an endpoint security entitlement from apple? I’d love to implement the new tables without disabling SIP but reached out to someone there and got the usual “sorry, no idea how long this will take” response. Really happy to have paid my $99 to have no SLA on getting an entitlement

@Utsav Shah, I am not sure what documentation might exist, the general principle was that

uuid

's generated by the system will start with a known set of characters, eg.

FFFFEEE

For example on my test device:

osquery> SELECT SUBSTR(uuid,1,16), COUNT(SUBSTR(uuid,1,16)) FROM users GROUP BY SUBSTR(uuid,1,16);
+-------------------+--------------------------+
| SUBSTR(uuid,1,16) | COUNT(SUBSTR(uuid,1,16)) |
+-------------------+--------------------------+
| 425D5A4B-8EF2-4E  | 1                        |
| 595A9274-B7F3-43  | 1                        |
| 76057753-404D-41  | 1                        |
| E96D1341-6627-4E  | 1                        |
| FFFFEEEE-DDDD-CC  | 112                      |
+-------------------+--------------------------+

I’m in the process of upgrading osquery from 3.3.0 to 4.9.0. I have the 4.9.0 code building fine and packaging for 

MacOS

 creating a pkg fine also.  I notice the packaging mechanism has changed since 3.3.0. One thing that I can’t find how to do with 4.9.0 packaging on 

MacOS

 is to ensure a restart of 

osqueryd

 at the end of the install.  With the 3.3.0 code base, there was a flag passed to the now-superseded packaging script. Any tips on how the same type of postinstall unload/load of the daemon can be achieved?

Hi all, I am seeing some instances of

Failed to read the following manifest.json file

for files that do not exist. Is this a known issue or something easily resolved?

With osquery on macOS, it is possible to show browser history? I am looking at the schema info (https://osquery.io/schema/4.9.0/) but I don't think so or don't know what I should be looking for.

hi all, https://blog.kolide.com/checking-macos-screenlock-remotely-62ab056274f0 is an excellent blog post on retrieving whether screenlock is enabled and the grace period, but is there a way to actually retrieve the screen saver timeout? AFAICT, the screenlock is only enabled if either the display turns off (timeout is easy to find from plist tables) or if the screensaver turns on, and we want the (screensaver time + grace period) to see the total time for when a password is required after a workstation goes idle.

Under what conditions is the osquery table

package_install_history

updated? I installed two apps yesterday (Evernote and Spotify via brew) and I'd expect them to show up in the package history? I am using osquery 4.9 on macOS 10.15.7. Current uptime: 3 days.

For osquery 5, does it / will it require a System Extension to interface with the Endpoint Security API ?

As in, will one need to push an MDM profile to allow said extension 🙂

I can spin up a github issue but wanted to bring it up here. Would it make sense to put the actual osquery version in the Info.plist of the app bundle? Currently there isn’t one. This would make it very easy for tools to make sure the correct osquery version is installed without jumping through extra hoops or shelling out to osquery itself.

Hi, is it somehow possible to query the /var/log/system.log and search for a specific term in it? I cannot find a corresponding table to do so :(

hey channel. Can I provide a suggestion? In the release note or osquery.io/downloads, can you please list the compatible/tested Macos Versions? It's a little hidden in here https://osquery.readthedocs.io/en/[version_number]/installation/install-macos/ . And it took me some time to dig it out. Thank you

Should this havce full disk access or just osqueryd?

I’m testing a deployment of Osquery 5.0.1 on Mac OS 10.15. Under osquery 4.9 I was able to attach an ATC to the /Users/%/Library/Safari/History.db via Full Disk Access. Under the new scheme (https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#automatically-granting-permissions-silent-installs) my safari_browser_history ATC fails to return any results. ATC config hasn’t changed, and my other ATCs for Chrome, Firefox, etc. continue to work, though of course those History DBs are in another path. Is there something more that needs to be configured to re-establish this access?

hi folks - long time no see. is file integrity monitoring in osquery 5 using the endpoint security framework or is it still using FSEvents?

Hi. Apologies if this has been asked before, I've searched and haven't found much information so please point me towards previous posts if I've missed it. Are there any plans on compiling osquery natively as an arm64 or universal 2 binary?

those are likely system-wide policies instead of per-user policies

has anyone spelunked into how to perhaps mash up mdls for kMDItemExecutableArchitectures to add a "kind" column to the apps table on Darwin?

I had a distinct memory that

wifi_survey

had stopped working on macos (due to Apple changing the permissions around this?). Trying it just now I found that it works and

wifi_networks

does not. Is that expected? And is there some entitlement or profile that can allow

wifi_networks

to work?

Anyone else receiving the following error with macos osquery

magic

table:

osquery> select * from magic WHERE path like '/usr/local/bin/%';
W0124 14:19:17.487205 337212928 magic.cpp:53] Unable to load magic list of database: /usr/share/file/magic.mgc:/usr/share/misc/magic.mgc because: File 5.32 supports only version 14 magic files. `/usr/share/file/magic.mgc' is version 16
osquery>

osquery> .version
osquery 5.0.1
using SQLite 3.35.5
osquery>

osquery> select * from os_version;
         name = macOS
      version = 12.1
     platform = darwin
         arch = x86_64
osquery>

how do we run osqueryd on mac to run with a flagfile to fleet config?

/Library/SystemExtensions/db.plist

has all the relevant bits. I'm thinking i can turn that into a table on macadmins/osquery-extensions

since osquery is also an endpointsecurity sysext now this would affect osquery should a user re-enroll in mdm or if the sysext profile is ever replaced