Channels
#macos
Title
# macos
s
Seth Hanford
10/04/2021, 6:10 PMI’m testing a deployment of Osquery 5.0.1 on Mac OS 10.15. Under osquery 4.9 I was able to attach an ATC to the /Users/%/Library/Safari/History.db via Full Disk Access. Under the new scheme (https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#automatically-granting-permissions-silent-installs) my safari_browser_history ATC fails to return any results. ATC config hasn’t changed, and my other ATCs for Chrome, Firefox, etc. continue to work, though of course those History DBs are in another path. Is there something more that needs to be configured to re-establish this access?
s
sharvil
10/04/2021, 6:13 PMCan you add
--verboseAnd it seems that you are using a PPPC profile? Mind sharing that?
s
Seth Hanford
10/04/2021, 6:16 PMsure; i’m deploying through Fleet, so I’ll have to take a minute to get the ATC locally to feed into osqueryi and make it verbose
PPPC:
Copy code
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>identifier "io.osquery.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3522FA9PXF"</string>
<key>Identifier</key>
<string>io.osquery.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>And when running osqueryi, I connect to the osqueryd socket that holds the ATCs; the safari one doesn’t throw any errors:
Copy code
osquery_enterprise shanford$ sudo osqueryi --verbose
Password:
I1004 11:26:59.352649 96513472 init.cpp:357] osquery initialized [version=5.0.1]
I1004 11:26:59.353475 96513472 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /var/osquery/extensions.load
I1004 11:26:59.353616 96513472 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x7f86497044b8) to thread: 0x70000bb0a000 (0x7f86497043c0) in process 23375
I1004 11:26:59.353642 96513472 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x7f86497045c8) to thread: 0x70000bb8d000 (0x7f86497048b0) in process 23375
I1004 11:26:59.353660 96513472 auto_constructed_tables.cpp:97] Removing stale ATC entries
I1004 11:26:59.353729 196661248 interface.cpp:299] Extension manager service starting: /Users/shanford/.osquery/shell.em
I1004 11:26:59.353819 96513472 init.cpp:618] Error reading config: config file does not exist: /var/osquery/osquery.conf
Using a virtual database. Need help, type '.help'
osquery> .mode line
osquery> .connect /var/osquery/osquery.em
Connected to extension socket /var/osquery/osquery.em for debugging
[*]osquery> select * from safari_browser_history;
[*]osquery> select * from chrome_browser_history limit 1;
path = /Users/shanford/Library/Application Support/Google/Chrome/Default/HistoryI’ve reverted to Osquery 4.9.0 and the ATC no longer works there either. It seems that this could be related to the recent Safari 15 update
👍 2
s
sharvil
10/04/2021, 6:50 PMYeah, I don't see any obvious errors in the logs or the PPPC profile
s
seph
10/04/2021, 7:20 PM
How did you grant FDE access? Did the codesigning and/or path change impact this?
s
Seth Hanford
10/04/2021, 7:35 PMFDE access was granted through the above PPPC via JAMF per the online docs
p
puffycid
10/05/2021, 3:26 AMjust to confirm u not able to attach the ATC table to the safari history.db file?
is config file correct?
i just updated safari to version 15 and it seems to work fine?
Copy code
osquery> select * from safari_history;
path = /Users/puffycid/Library/Safari/History.db
id = 94
url = <https://www.google.com/search?client=safari&rls=en&q=safari+15+history&ie=UTF-8&oe=UTF-8>
domain_expansion = google
visit_count = 2
daily_visit_counts = d
weekly_visit_counts =
autocomplete_triggers =
should_recompute_derived_visit_counts = 0
visit_count_score = 100
status_code = 0
osquery> select * from safari_history;
path = /Users/puffycid/Library/Safari/History.db
id = 94
url = <https://www.google.com/search?client=safari&rls=en&q=safari+15+history&ie=UTF-8&oe=UTF-8>
domain_expansion = google
visit_count = 2
daily_visit_counts = d
weekly_visit_counts =
autocomplete_triggers =
should_recompute_derived_visit_counts = 0
visit_count_score = 100
status_code = 0
path = /Users/puffycid/Library/Safari/History.db
id = 95
url = <https://www.google.com/search?q=safari+15+forensics&client=safari&rls=en&ei=y8NbYfP7DZGu5NoP2N6aiAc&ved=0ahUKEwizjc_Cp7LzAhURF1kFHVivBnEQ4dUDCA0&uact=5&oq=safari+15+forensics&gs_lcp=Cgdnd3Mtd2l6EAMyBQghEKABOgcIABBHELADOgUIABCABDoJCAAQyQMQFhAeOgcIIRAKEKABSgQIQRgAUKtZWJZhYKRiaARwAngAgAFpiAHEBZIBAzguMZgBAKABAcgBCMABAQ&sclient=gws-wiz>
domain_expansion = google
visit_count = 2
daily_visit_counts = d
weekly_visit_counts =
autocomplete_triggers =
should_recompute_derived_visit_counts = 0
visit_count_score = 100
status_code = 0
path = /Users/puffycid/Library/Safari/History.db
id = 96
url = <https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/>
domain_expansion =
visit_count = 1
daily_visit_counts = d
weekly_visit_counts =
autocomplete_triggers =
should_recompute_derived_visit_counts = 0
visit_count_score = 100
status_code = 0s
Seth Hanford
10/05/2021, 10:55 AMNo, this is on me. I had a trailing comma in my SELECT from a recent change to the ATC. It broke the table quietly. So I wasn’t correctly remembering when my last successful query was vs. when I had changed the file
🍻 1
2 Views