ehrhardt
06/23/2021, 7:04 AM
seph
zwass
select * from hash where path = '/Users/zwass/Downloads/foo.txt'
and it seems like it may be a Fleet issue.
ehrhardt
06/23/2021, 6:41 PM
seph
ehrhardt
06/23/2021, 6:54 PM
select * from hash where path = '/Users/ehrhardt/Downloads/test.txt'
from fleet and got no hash results
seph
ehrhardt
06/23/2021, 6:58 PM
seph
ehrhardt
06/23/2021, 7:03 PM
seph
ehrhardt
06/23/2021, 7:07 PM
seph
ehrhardt
06/23/2021, 7:35 PM
HurricaneHrndz
06/23/2021, 10:55 PM
2021-06-23 15:48:27.928967-0600 0xb194 Default 0x8a3b 152 0 tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.21
2021-06-23 15:48:27.929056-0600 0x8395 Info 0x8a3b 141 0 sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8903907250> { count = 4, transaction: 0, voucher = 0x0, contents =
"auth_value" => <uint64: 0xf25afd6076682bd3>: 0
"result" => <bool: 0x7fff870f80c0>: false
"auth_version" => <uint64: 0xf25afd6076683bd3>: 1
"auth_reason" => <uint64: 0xf25afd6076682bd3>: 0
}
2021-06-23 15:48:27.929201-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] auid = -1; routing based on euid (0) instead
2021-06-23 15:48:27.929351-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] SEND: 0/7 synchronous to com.apple.tccd: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929484-0600 0x8395 Default 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] send_message_with_reply_sync(): user tccd unavailable, sending 0x7f89039052e0 to system tccd
2021-06-23 15:48:27.929649-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] SEND: 1/7 synchronous to com.apple.tccd.system: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929849-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] REQUEST: tccd_uid=0, sender_pid=141, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.929944-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] REQUEST_MSG: msgID=141.22, msg={
service="kTCCServiceSystemPolicyDownloadsFolder"
TCCD_MSG_SPI_VERSION=2 (0x2)
user_tccd_unavailable=true
function="TCCAccessRequest"
TCCD_MSG_MESSAGE_OPTION_REQUEST_RECORD_UPGRADE_POLICY_POLICY_KEY=1 (0x1)
TCCD_MSG_REQUEST_TYPE_KEY=0 (0x0)
TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_RIGHTS_MASK_KEY=5 (0x5)
TCC_MSG_REQUEST_AUTHORIZATION_SUBJECT_CREDENTIAL_DICTIONARY_KEY={
TCCD_MSG_CREDENTIAL_AUTHENTICATOR_TYPE_KEY=1 (0x1)
TCCD_MSG_CREDENTIAL_AUTHENTICATOR_AUDIT_TOKEN_KEY={pid:743, auid:-1, euid:0}
}
TCCD_MSG_MESSAGE_OPTION_REQUEST_USAGE_STRING_POLICY_KEY=2 (0x2)
TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_POLICY_KEY=2 (0x2)
TCCD_MSG_ID="141.22"
}
2021-06-23 15:48:27.930298-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd
2021-06-23 15:48:27.930586-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.930638-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] per-user tccd is unavailable; handling in system tccd; service: kTCCServiceSystemPolicyDownloadsFolder
2021-06-23 15:48:27.930673-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] handle_TCCAccessRequest: incoming client: 141, for: <private>
2021-06-23 15:48:27.931127-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd
2021-06-23 15:48:27.931421-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.931462-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder, preflight=yes, query=1,
2021-06-23 15:48:27.931492-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=141.22, attribution={responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd}, },
2021-06-23 15:48:27.932859-0600 0xb9e4 Debug 0x8a3c 152 0 tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: starting for: /bin/sh
2021-06-23 15:48:27.933073-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: /bin/sh[141]: from cache: = /bin/sh, type 1 (198/304)
2021-06-23 15:48:27.933166-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_SUBJECT: msgID=141.22, subject=/bin/sh,
2021-06-23 15:48:27.933249-0600 0xb9e4 Error 0x8a3c 152 0 tccd: [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client Sub:{/bin/sh}Resp:{identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd} in background session
2021-06-23 15:48:27.933361-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=141.22, authValue=0, authReason=5, authVersion=1, error=(null),
2021-06-23 15:48:27.933471-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] REPLY_MSG: msg={
auth_value=0 (0x0)
result=false
auth_version=1 (0x1)
auth_reason=5 (0x5)
}
2021-06-23 15:48:27.933504-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.933606-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8902408e90> { count = 4, transaction: 0, voucher = 0x0, contents =
"auth_value" => <uint64: 0xf25afd6076682bd3>: 0
"result" => <bool: 0x7fff870f80c0>: false
"auth_version" => <uint64: 0xf25afd6076683bd3>: 1
"auth_reason" => <uint64: 0xf25afd6076687bd3>: 5
}
2021-06-23 15:48:27.933719-0600 0xb194 Debug 0x8a3c 152 0 tccd: [com.apple.TCC:access] register with resolver: binary:file:///usr/local/bin/osqueryd, bundle file:///usr/local/bin/ -- failed: isApp:0
seph
SystemPolicyAllFiles
for those. I think it’s a super set
/usr/sbin/spctl -a -vvv -t install --ignore-cache /usr/local/bin/osqueryd
show?
HurricaneHrndz
06/24/2021, 2:07 AM
/usr/local/bin/osqueryd: accepted
source=Notarized Developer ID
origin=Developer ID Application: Theodore Reed (B89LNTUADM)
"/usr/local/bin/osqueryd" => {
"kTCCServiceSystemPolicyAllFiles" => {
"Allowed" => 1
"CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
"CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
"Identifier" => "/usr/local/bin/osqueryd"
"IdentifierType" => "path"
"StaticCode" => 1
}
"kTCCServiceSystemPolicyDownloadsFolder" => {
"Allowed" => 1
"CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
"CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
"Identifier" => "/usr/local/bin/osqueryd"
"IdentifierType" => "path"
"StaticCode" => 1
}
}
seph
MDMoverride
is. But, so far, this looks fine? /usr/local/bin/osqueryd
is signed by B89LNTUADM
which looks like what you’ve got in your policy
HurricaneHrndz
06/24/2021, 1:48 PM
seph
HurricaneHrndz
06/29/2021, 9:48 PM
seph