https://github.com/osquery/osquery logo
Powered by
#macos
Title
# macos
o

oneiroi

05/02/2023, 9:50 AM
Hello all, Apple have released a Rapid Security update this applies the fixes but does not bump the 
os_version.version
in the application of the RSR, my query is, where might this be tracked ? I'll be looking at the 
os_version.build
though I am not certain this will change either, has anyone had the opportunity to review the RSR's introduced in macOS > 13.x (Ventura) as yet ? Many thanks!
Copy code
sudo softwareupdate -ai
Downloading macOS Security Response 13.3.1 (a)
Will be re-checking the 
os_version
table after application to see what (if anything) changes
Copy code
➜  ~ ~/osqueryi --line
Using a virtual database. Need help, type '.help'
osquery> select * from os_version;
         name = macOS
      version = 13.3.1
        major = 13
        minor = 3
        patch = 1
        build = 22E261
     platform = darwin
platform_like = darwin
     codename = 
         arch = arm64
Copy code
Downloading: 100.00%
Downloaded: macOS Security Response 13.3.1 (a)
a

allister

05/02/2023, 11:23 AM
It won’t see it, it’s checking the SystemVersion plist. MDM could inventory it
I’d be surprised if there wasn’t already a feature request in to find a way to grab it without shelling out… or use an extension to shell out, it’s pretty easy to get at from e.g. sw_vers
s

seph

05/02/2023, 1:15 PM
Hrm. One of my coworkers observes this is not in the 
os_version
table. I wonder if we can expose that
Copy code
osquery> SELECT * FROM os_version;
+-------+---------+-------+-------+-------+--------+----------+---------------+----------+-------+
| name  | version | major | minor | patch | build  | platform | platform_like | codename | arch  |
+-------+---------+-------+-------+-------+--------+----------+---------------+----------+-------+
| macOS | 13.3.1  | 13    | 3     | 1     | 22E261 | darwin   | darwin        |          | arm64 |
+-------+---------+-------+-------+-------+--------+----------+---------------+----------+-------+
Oh. Because, as allister said, osquery is reading this from 
/System/Library/CoreServices/SystemVersion.plist
I can’t break out the debugger this morning, but I wonder where 
sw_vers
is pulling from
g

grahamgilbert

05/04/2023, 7:36 PM
Threw this up quick in case anyone needs it prior to it being added to osquery proper https://github.com/macadmins/osquery-extension/pull/31
s

seph

05/04/2023, 8:15 PM
One quick hack is to use pure sql using the plist table.
o

oneiroi

07/12/2023, 1:57 PM
@seph I've been hunting for the plist file to query, would this be 
/System/Library/CoreServices/SystemVersion.plist
or some other path ? Additional to update this thread; please be aware that Apple have recalled the 13.4.1a update with 13.4.1b noted to be available "soon"
s

seph

07/12/2023, 2:00 PM
Are you looking for 
/System/Cryptexes/OS/System/Library/CoreServices/SystemVersion.plist
?
o

oneiroi

07/12/2023, 2:01 PM
If that's what contains the RSR revisions, then, yes; though looks like my 13.4.1a got pulled if that is the correct path
thanks, I'll use that path for the time being.
s

seph

07/12/2023, 2:03 PM
That’s what’s running on the machine. I think, I don’t totally understand all the details
You could also try the 5.9.1 betas
o

oneiroi

07/12/2023, 2:07 PM
I see this GH PR Thread where this is also discussed back in may, a mute point right now as the RSR has been recalled, until such time we need to track the (b) (or whatever naming convention Apple finally settle on) 😓
s

seph

07/12/2023, 2:07 PM
Isn’t there a new RSR now?
But we merged a thing for this.
o

oneiroi

07/12/2023, 2:08 PM
Indeed, apple noted they are recalling the RSR in this and looking at my system right now, /System/Cryptexes/OS/System/Library/CoreServices/SystemVersion.plist is showing
Copy code
<string>macOS</string>
        <key>ProductUserVisibleVersion</key>
        <string>13.4.1</string>
        <key>ProductVersion</key>
        <string>13.4.1</string>
poor practise on Apples part IMHO; given the RSR was released originally to patch against exploit taking place in the wild, now until 
(b)
is released for reasons Apple have opted to remove the patch that was implemented; it's insane
s

seph

07/12/2023, 2:12 PM
I don’t understand what apple’s rollback has to do with how osquery reports what the machine is running
o

oneiroi

07/12/2023, 2:14 PM
Not sure anything in oquery would be affected, only any checks / queries anyone has implemented looking for 13.4.1a vs 13.4.1 of course; so if a query / pack is in place that checks for the "latest" 13.4.1a version that would start to fail.
s

seph

07/12/2023, 2:15 PM
Oh. Yes. I had “fun” with that yesturday
o

oneiroi

07/17/2023, 12:04 PM
13.4.1(c) is now out; I've been working on a query against the 
plist
table that uses `/System/Cryptexes/OS/System/Library/CoreServices/SystemVersion.plist`; though looks like this does not exist on macOS version 12.6.7 there is this plist file 
/System/Library/CoreServices/SystemVersion.plist
though sadly does not carry the 
ProductVersionExtra
was hoping to not need to introduce an 
IF
however seems that I may need to do so, as RSR's were introduced after 13.4.1 iirc thus to support both 12.6.x and 13.4.x versions in the query I don't see another approach, any thoughts on this ?
s

seph

07/17/2023, 12:06 PM
As I understand it 
/System/Library/CoreServices/SystemVersion.plist
will never have the RSR. If the RSR is installed, 
/System/Cryptexes/OS/System/Library/CoreServices/SystemVersion.plist
will be correct. Or you could just use osquery 5.9.1, we declared it stable last night, but haven’t updated the web site.
o

oneiroi

07/17/2023, 12:07 PM
awesome, I'll t.a.l at the updated osquery. Thanks!
g

grahamgilbert

07/17/2023, 3:11 PM
🦜 looking forward to ripping the table out of the macadmins extension
4 Views
Powered by