For osquery 5, does it / will it require a System Extension to interface with the Endpoint Security API?
09/15/2021, 6:56 PM
There's no system extension. The osquery binary is now packaged inside a .app bundle that has the appropriate entitlement to interface with the ES API. You shouldn't need to push a profile to allow that, though do note that you may need to update your Full Disk Access profile given the change in osquery install path.
09/15/2021, 7:03 PM
Cool. It was a little jarring to see the .app and no system extension 🙂
CrowdStrike, Santa, et al. use the System Extension since they need to take action, I guess, vs. read-only on osquery