Brandon Mesa

07/27/2022, 8:44 PM
Hey all, I'm having some issues with getting EndpointSecurity to work with launchd/plist. this is my plist file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<http://www.apple.com/DTDs/PropertyList-1.0.dtd>">
<plist version="1.0">
I run
sudo launchctl load /var/osquery/io.osquery.agent.plist
followed by
sudo launchctl start io.osquery.agent.plist
. The process starts & i get other results from fim & snapshot queries, however the EndpointSecurity events do not get generated. Additionally, If I run the daemon directly with the following, the endpointsecurity events get logged
sudo /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd --config_path=/private/var/osquery/osquery.conf --disable_events=false --disable_endpointsecurity=false --enable_file_events=true
Anyone seen this before or see any red flags with my launchd approach?
8:54 PM
Resolved: osqueryd needed full disk access. previously, only the terminal application had full disk access.


07/28/2022, 4:45 AM
Yep! We have tried to document this here: https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#full-disk-access Please let us know if those can be improved!