# macos
o
I'm trying to read `/Library/Application Support/com.apple.TCC/TCC.db` via osquery; is anyone still doing this, and if so, how are you approaching it? My reason for the query: I'm trying to enumerate whether an application has a given permission on the target endpoint. This should be possible through inspection of this file; however, my test system is throwing `Operation not permitted`. Any help appreciated, thanks.
May just be broken since Catalina 😞 (REF: https://osquery.slack.com/archives/C08VA3XQU/p1612388283040600)
โ˜๏ธ 1
f
This was my private method years ago, but it was broken when ATTACH was blocked in the code.
o
Indeed, see this, which changed the behaviour in > 4.6.0 🤔
f
I was bummed
o
Ok, so I kept pulling at this 🧵, refusing to accept that this was "just broken". While sure the `ATTACH` syntax has been patched out in > 4.6.0, continuing in my refusal to accept this as the new norm led me to this blog post from @fritz (thank you!), which in turn links to how to build custom osquery tables using ATC. I'm not 100% on this, but it may allow access to the TCC.db (I'm going to keep pulling at the 🧵 and see); I'll also be using this to perform the experiment.
Bah, closer I feel, but still seeing errors:
W1022 11:15:11.491048 -379981248 auto_constructed_tables.cpp:57] ATC Table: Error Code: 1 Could not generate data: Could not prepare database for path /Library/Application Support/com.apple.TCC/TCC.db
Still have a gut feeling this is the right direction to be heading in, just missing perhaps the final piece.
🤔 looks like fleet has a table
Indeed, GH PR for related work is here. Uses `fleetd` instead.
Oh, yeah, it's me again ... Soooooo, looks like I've found a way through ATC to read TCC.db. There's still work to be done as some of the columns have changed; this, however, is working "ish". Section from my ATC.json file:
```json
...
{
  "auto_table_construction": {
    "tcc_system_entries": {
      "query": "SELECT service, client, auth_value, last_modified FROM access;",
      "path": "/Library/Application Support/com.apple.TCC/TCC.db",
      "columns": [
        "service",
        "client",
        "auth_value",
        "last_modified"
      ],
      "platform": "darwin"
    },
...
```
Results in:
```text
~/osqueryi --config_path /tmp/atc/tcc.json --json
Using a virtual database. Need help, type '.help'
osquery> select * from tcc_system_entries limit 1;
[
  {"auth_value":"2","client":"com.objective-see.blockblock","last_modified":"1686399016","path":"/Library/Application Support/com.apple.TCC/TCC.db","service":"kTCCServiceEndpointSecurityClient"}
]
osquery> ^C
```
Converting the `last_modified` Unix timestamp to something readable and denoting what `auth_value` means are going to be my next steps on this. UPDATE: because I forgot about the `--json` flag:
```text
~/osqueryi --config_path /tmp/atc/tcc.json
Using a virtual database. Need help, type '.help'
osquery> select * from tcc_system_entries limit 1;
+-----------------------------------+------------------------------+------------+---------------+---------------------------------------------------+
| service                           | client                       | auth_value | last_modified | path                                              |
+-----------------------------------+------------------------------+------------+---------------+---------------------------------------------------+
| kTCCServiceEndpointSecurityClient | com.objective-see.blockblock | 2          | 1686399016    | /Library/Application Support/com.apple.TCC/TCC.db |
+-----------------------------------+------------------------------+------------+---------------+---------------------------------------------------+
```
So getting closer finally. `auth_value` can be one of denied (0), unknown (1), allowed (2), or limited (3), so by using `CASE` SQL syntax we can map this to something useful:

```sql
SELECT service, client, auth_value, last_modified, CASE auth_value WHEN 0 THEN 'denied' WHEN 1 THEN 'unknown' WHEN 2 THEN 'allowed' WHEN 3 THEN 'limited' ELSE 'undefined' END AS auth_status FROM your_table_name;
```
🆗 🤞 let's see if this gets us anywhere ...
Closer still, but the `CASE` syntax isn't behaving as expected, it seems:
```text
osquery> select * from tcc_system_entries limit 1;
+-----------------------------------+------------------------------+------------+---------------------+---------------------------------------------------+
| service                           | client                       | auth_value | last_modified_date  | path                                              |
+-----------------------------------+------------------------------+------------+---------------------+---------------------------------------------------+
| kTCCServiceEndpointSecurityClient | com.objective-see.blockblock | 2          | 2023-06-10 12:10:16 | /Library/Application Support/com.apple.TCC/TCC.db |
+-----------------------------------+------------------------------+------------+---------------------+---------------------------------------------------+
```
Looks like I need to dust off some SQLfu to get this to where it's needed 🤔
🤦‍♂️ or I should just ensure the ATC configuration actually maps to the columns being stated in the `CASE` statement:
```json
{
  "auto_table_construction": {
    "tcc_system_entries": {
      "query": "SELECT service, client, auth_value, datetime(last_modified, 'unixepoch') AS last_modified_date, CASE auth_value WHEN 0 THEN 'denied' WHEN 1 THEN 'unknown' WHEN 2 THEN 'allowed' WHEN 3 THEN 'limited' ELSE 'undefined' END AS auth_status FROM access;",
      "path": "/Library/Application Support/com.apple.TCC/TCC.db",
      "columns": [
        "service",
        "client",
        "auth_status",
        "last_modified_date"
      ],
      "platform": "darwin"
    },
...
```
Results in:
```text
osquery> select * from tcc_system_entries limit 1;
+-----------------------------------+------------------------------+-------------+---------------------+---------------------------------------------------+
| service                           | client                       | auth_status | last_modified_date  | path                                              |
+-----------------------------------+------------------------------+-------------+---------------------+---------------------------------------------------+
| kTCCServiceEndpointSecurityClient | com.objective-see.blockblock | allowed     | 2023-06-10 12:10:16 | /Library/Application Support/com.apple.TCC/TCC.db |
+-----------------------------------+------------------------------+-------------+---------------------+---------------------------------------------------+
```
Knew ATC was the path to getting to read TCC.db once again.
f
Very cool