allister
05/12/2022, 2:03 AM
Mystery Incorporated
05/17/2022, 9:08 AM
seph
allister
05/25/2022, 9:28 AM
allister
05/25/2022, 9:31 AM
allister
05/25/2022, 9:32 AM
allister
05/25/2022, 9:33 AM
allister
05/25/2022, 9:48 AM
/Library/Application\ Support/com.apple.TCC/MDMOverrides.plist
allister
05/25/2022, 9:54 AM
seph
seph
allister
05/25/2022, 11:13 AM
allister
05/25/2022, 11:15 AM
osquery> .mode line
osquery> SELECT CASE
...> WHEN
...> (select value from plist
...> where path = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
...> and key = "io.osquery.agent"
...> and subkey = "kTCCServiceSystemPolicyAllFiles/Allowed") = 1 THEN 'enabled'
...> ELSE 'disabled'
...> END AS falconFDAAllowed;
falconFDAAllowed = enabled
allister
05/25/2022, 11:17 AM
% ls -lO /Library/Application\ Support/com.apple.TCC/MDMOverrides.plist
-rw-r--r-- 1 root wheel restricted 5795 May 23 18:59 /Library/Application Support/com.apple.TCC/MDMOverrides.plist
allister
05/25/2022, 11:24 AM
disabled
• if the perms/file/key/value are ALL present, I'd get enabled
allister
05/25/2022, 11:25 AM
Mike Myers
05/25/2022, 3:38 PM
allister
05/25/2022, 4:08 PM
seph
so how can I validate it really has it, as set by MDM, when it's known the GUI wouldn't reflect that state - how do I exercise it accurately
There are way too many "it" in that for me to know what you're asking. How can you validate what has what?
seph
allister
05/26/2022, 10:44 AM
allister
05/27/2022, 4:46 PM
SELECT CASE
WHEN
(SELECT count(*)
FROM plist
WHERE path = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist") > 0 THEN
(SELECT value
FROM plist
WHERE path = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
AND KEY = "com.crowdstrike.falcon.Agent"
AND subkey = "kTCCServiceSystemPolicyAllFiles/Allowed")
ELSE "couldn't read"
END cs_fda_status;
1 means enabled, 0 disabled, NO RESULT means profile/matching key not present, "couldn't read" means no FDA for osqueryd itself
allister
05/27/2022, 4:48 PM
allister
05/27/2022, 4:50 PM
Mystery Incorporated
06/05/2022, 11:32 AM
Mystery Incorporated
06/06/2022, 8:05 AM
Adam Connor
06/08/2022, 12:04 PM
Steve Poe
06/10/2022, 12:46 AM
temperature_sensor
for info and it doesn't seem correct:
/usr/local/bin/osqueryi --line "select * from temperature_sensors order by fahrenheit desc;"
key = TB0T
name = Battery TS_MAX
celsius = -1.0
fahrenheit = 30.2
key = TB1T
name = Battery 1
celsius = -1.0
fahrenheit = 30.2
key = TB2T
name = Battery 2
celsius = -1.0
fahrenheit = 30.2
key = TG0H
name = GPU Heatsink
celsius = -1.0
fahrenheit = 30.2
key = TW0P
name = Airport Proximity
celsius = -1.0
fahrenheit = 30.2
key = Tp0C
name = Power Supply 1 Alt.
celsius = -1.0
fahrenheit = 30.2
key = Ts0P
name = Palm Rest
celsius = -1.0
fahrenheit = 30.2
Steve Poe
06/10/2022, 12:48 AM
KM
06/22/2022, 12:33 AM