Brandon Mesa
07/27/2022, 8:44 PM
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>io.osquery.agent</string>
<key>ProgramArguments</key>
<array>
<string>/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd</string>
<string>--config_path=/private/var/osquery/osquery.conf</string>
<string>--disable_events=false</string>
<string>--disable_endpointsecurity=false</string>
<string>--enable_file_events=true</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>ThrottleInterval</key>
<integer>60</integer>
</dict>
</plist>
I run sudo launchctl load /var/osquery/io.osquery.agent.plist followed by sudo launchctl start io.osquery.agent.plist. The process starts & I get other results from FIM & snapshot queries, however the EndpointSecurity events do not get generated.
Additionally, if I run the daemon directly with the following, the EndpointSecurity events get logged: sudo /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd --config_path=/private/var/osquery/osquery.conf --disable_events=false --disable_endpointsecurity=false --enable_file_events=true
Anyone seen this before or see any red flags with my launchd approach?
sharvil
07/28/2022, 4:45 AM