#macos
Seth Hanford
10/04/2021, 6:10 PM
I’m testing a deployment of Osquery 5.0.1 on Mac OS 10.15. Under osquery 4.9 I was able to attach an ATC to the /Users/%/Library/Safari/History.db via Full Disk Access. Under the new scheme (https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#automatically-granting-permissions-silent-installs) my safari_browser_history ATC fails to return any results. ATC config hasn’t changed, and my other ATCs for Chrome, Firefox, etc. continue to work, though of course those History DBs are in another path. Is there something more that needs to be configured to re-establish this access?
sharvil
10/04/2021, 6:13 PM
Can you add the --verbose flag to your query and paste the logs?
6:13 PM
And it seems that you are using a PPPC profile? Mind sharing that?
Seth Hanford
10/04/2021, 6:16 PM
Sure; I’m deploying through Fleet, so I’ll have to take a minute to get the ATC locally to feed into osqueryi and make it verbose.
6:25 PM
PPPC:
<key>SystemPolicyAllFiles</key>
<array>
    <dict>
        <key>Allowed</key>
        <integer>1</integer>
        <key>CodeRequirement</key>
        <string>identifier "io.osquery.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3522FA9PXF"</string>
        <key>Identifier</key>
        <string>io.osquery.agent</string>
        <key>IdentifierType</key>
        <string>bundleID</string>
        <key>StaticCode</key>
        <integer>0</integer>
    </dict>
</array>
6:28 PM
And when running osqueryi, I connect to the osqueryd socket that holds the ATCs; the safari one doesn’t throw any errors:
osquery_enterprise shanford$ sudo osqueryi --verbose
Password:
I1004 11:26:59.352649 96513472 init.cpp:357] osquery initialized [version=5.0.1]
I1004 11:26:59.353475 96513472 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /var/osquery/extensions.load
I1004 11:26:59.353616 96513472 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x7f86497044b8) to thread: 0x70000bb0a000 (0x7f86497043c0) in process 23375
I1004 11:26:59.353642 96513472 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x7f86497045c8) to thread: 0x70000bb8d000 (0x7f86497048b0) in process 23375
I1004 11:26:59.353660 96513472 auto_constructed_tables.cpp:97] Removing stale ATC entries
I1004 11:26:59.353729 196661248 interface.cpp:299] Extension manager service starting: /Users/shanford/.osquery/shell.em
I1004 11:26:59.353819 96513472 init.cpp:618] Error reading config: config file does not exist: /var/osquery/osquery.conf
Using a virtual database. Need help, type '.help'
osquery> .mode line
osquery> .connect /var/osquery/osquery.em
Connected to extension socket /var/osquery/osquery.em for debugging
[*]osquery> select * from safari_browser_history;
[*]osquery> select * from chrome_browser_history limit 1;
           path = /Users/shanford/Library/Application Support/Google/Chrome/Default/History
6:47 PM
I’ve reverted to Osquery 4.9.0 and the ATC no longer works there either. It seems that this could be related to the recent Safari 15 update.
sharvil
10/04/2021, 6:50 PM
Yeah, I don't see any obvious errors in the logs or the PPPC profile
seph
10/04/2021, 7:20 PM
How did you grant FDE access? Did the codesigning and/or path change impact this?
Seth Hanford
10/04/2021, 7:35 PM
FDE access was granted through the above PPPC via JAMF per the online docs
puffycid
10/05/2021, 3:26 AM
Just to confirm, you're not able to attach the ATC table to the Safari History.db file? Is the config file correct? I just updated Safari to version 15 and it seems to work fine?
osquery> select * from safari_history;
                                 path = /Users/puffycid/Library/Safari/History.db
                                   id = 94
                                  url = https://www.google.com/search?client=safari&rls=en&q=safari+15+history&ie=UTF-8&oe=UTF-8
                     domain_expansion = google
                          visit_count = 2
                   daily_visit_counts = d
                  weekly_visit_counts =
                autocomplete_triggers =
should_recompute_derived_visit_counts = 0
                    visit_count_score = 100
                          status_code = 0
osquery> select * from safari_history;
                                 path = /Users/puffycid/Library/Safari/History.db
                                   id = 94
                                  url = https://www.google.com/search?client=safari&rls=en&q=safari+15+history&ie=UTF-8&oe=UTF-8
                     domain_expansion = google
                          visit_count = 2
                   daily_visit_counts = d
                  weekly_visit_counts =
                autocomplete_triggers =
should_recompute_derived_visit_counts = 0
                    visit_count_score = 100
                          status_code = 0

                                 path = /Users/puffycid/Library/Safari/History.db
                                   id = 95
                                  url = https://www.google.com/search?q=safari+15+forensics&client=safari&rls=en&ei=y8NbYfP7DZGu5NoP2N6aiAc&ved=0ahUKEwizjc_Cp7LzAhURF1kFHVivBnEQ4dUDCA0&uact=5&oq=safari+15+forensics&gs_lcp=Cgdnd3Mtd2l6EAMyBQghEKABOgcIABBHELADOgUIABCABDoJCAAQyQMQFhAeOgcIIRAKEKABSgQIQRgAUKtZWJZhYKRiaARwAngAgAFpiAHEBZIBAzguMZgBAKABAcgBCMABAQ&sclient=gws-wiz
                     domain_expansion = google
                          visit_count = 2
                   daily_visit_counts = d
                  weekly_visit_counts =
                autocomplete_triggers =
should_recompute_derived_visit_counts = 0
                    visit_count_score = 100
                          status_code = 0

                                 path = /Users/puffycid/Library/Safari/History.db
                                   id = 96
                                  url = https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
                     domain_expansion =
                          visit_count = 1
                   daily_visit_counts = d
                  weekly_visit_counts =
                autocomplete_triggers =
should_recompute_derived_visit_counts = 0
                    visit_count_score = 100
                          status_code = 0
I haven't done a deep dive into the db, but from a quick glance at Twitter/forensic/DFIR chats I don't see anything about db changes for version 15 (doesn't mean there aren't any changes). My device is not under MDM, so I'm not 100% sure if it's related to that or something else?
Seth Hanford
10/05/2021, 10:55 AM
No, this is on me. I had a trailing comma in my SELECT from a recent change to the ATC. It broke the table quietly, so I wasn’t correctly remembering when my last successful query was vs. when I had changed the file.