https://github.com/osquery/osquery logo
Join Slack
Powered by
<@U09M563C7> do you have much insight or recollect...
# macos
f
@theopolis do you have much insight or recollection on the 
app_schemes
table (https://github.com/osquery/osquery/commit/55f270ff978ace1ae06f3b5171aa5758d2c528cb)? To the best of my ability it appears the data is not in line with the lshandlers info: My LSHandler Output: ('/Users/%/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist')
Copy code
+-------------------+-----------------+-------------------+--------------+--------------------------+-----------------+--------------------+
| installed_app     | handler_content | handler           | handler_role | handler_content_category | username        | description        |
+-------------------+-----------------+-------------------+--------------+--------------------------+-----------------+--------------------+
| Google <http://Chrome.app|Chrome.app> | public.html     | com.google.chrome | All          | content type             | fritz-imac      | Fritz Ifert-Miller |
| Google <http://Chrome.app|Chrome.app> | http            | com.google.chrome | All          | url scheme               | fritz-imac      | Fritz Ifert-Miller |
| Google <http://Chrome.app|Chrome.app> | https           | com.google.chrome | All          | url scheme               | fritz-imac      | Fritz Ifert-Miller |
| Google <http://Chrome.app|Chrome.app> | http            | com.google.chrome | All          | url scheme               | kolide-imac-pro | Kolide-iMac-Pro    |
| Google <http://Chrome.app|Chrome.app> | https           | com.google.chrome | All          | url scheme               | kolide-imac-pro | Kolide-iMac-Pro    |
| Google <http://Chrome.app|Chrome.app> | public.html     | com.google.chrome | All          | content type             | kolide-imac-pro | Kolide-iMac-Pro    |
+-------------------+-----------------+-------------------+--------------+--------------------------+-----------------+--------------------+
My 
app_schemes
output:
Copy code
osquery> SELECT * FROM app_schemes WHERE scheme IN ('https','http');
+--------+-----------------------------------------------+---------+----------+-----------+
| scheme | handler                                       | enabled | external | protected |
+--------+-----------------------------------------------+---------+----------+-----------+
| http   | /Applications/Safari.app                      | 1       | 0        | 1         |
| http   | /Applications/Google <http://Chrome.app|Chrome.app>               | 0       | 0        | 1         |
| http   | /Applications/Firefox.app                     | 0       | 0        | 1         |
| http   | /Applications/iTerm.app                       | 0       | 0        | 1         |
| http   | /Users/kolide-imac-pro/Applications/iTerm.app | 0       | 0        | 1         |
| https  | /Applications/Safari.app                      | 1       | 0        | 1         |
| https  | /Applications/Google <http://Chrome.app|Chrome.app>               | 0       | 0        | 1         |
| https  | /Applications/Firefox.app                     | 0       | 0        | 1         |
| https  | /Applications/iTerm.app                       | 0       | 0        | 1         |
| https  | /Users/kolide-imac-pro/Applications/iTerm.app | 0       | 0        | 1         |
+--------+-----------------------------------------------+---------+----------+-----------+
app_schemes
seems to indicate Safari is 
enabled
which I presume means it is the preferred handler for that type. However, Safari is not my default browser (screenshot below)
Open in Slack
PreviousNext
Powered by