Hey all I am having issues using fleet to carve a ...
# generale
ehrhardt
06/23/2021, 7:04 AMHey all I am having issues using fleet to carve a file from a user's Downloads directory on OSX 10.15.7. I have tested both osquery 4.4.0 and 4.8.0. I have configured the PPPC profile per https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#automatically-granting-permissions-silent-installs. Is there something special required for fleet carving from Downloads?
s
seph
06/23/2021, 11:37 AM
I think programs need Full Disk Access to be able to read most user files, I think Downlods is part of that. But that should be the profile you installed
seph
06/23/2021, 11:38 AM
The policy quoted there looks like an example and probably work work for you
seph
06/23/2021, 11:39 AM
You might also want to isolate if this is a fleet or a permissions problem. If it's a permissions issue, it will also manifest if you to do other things with those files. (Like calculate a hash)
z
zwass
06/23/2021, 3:24 PM
Agreed with everything Seph said above. Feel free to join us over in #C01DXJL16D8 if you find you are able to access downloads via something like
select * from hash where path = '/Users/zwass/Downloads/foo.txt'e
ehrhardt
06/23/2021, 6:41 PMthe issue is fleet access vs osquery access. scheduled queries on the Downloads directory return hashes where fleet queries do not. Is there a PPPC I need for fleet that is different from osqueryd?
s
seph
06/23/2021, 6:51 PM
What is a fleet query? If that's a distributed query, that's part of core osquery and it should behave identically.
e
ehrhardt
06/23/2021, 6:54 PMI ran the equivalent of
select * from hash where path = '/Users/ehrhardt/Downloads/test.txtehrhardt
06/23/2021, 6:54 PMI have a scheduled query running that can see the file
s
seph
06/23/2021, 6:55 PM
That doesn't make much sense to me. Those should both be running inside osquery, which has whatever permissions it has.
e
ehrhardt
06/23/2021, 6:58 PMI understand but this is what I am seeing
s
seph
06/23/2021, 7:02 PM
It looks like you're starting to debug it over on #fleet, that seems like a fine place too
seph
06/23/2021, 7:02 PM
Is it the same osquery process for both? Any launcher or orbit here?
e
ehrhardt
06/23/2021, 7:03 PMit is the same process
s
seph
06/23/2021, 7:05 PM
Hrm. The same profile and permissions should apply to both. It’s all the same osquery running
e
ehrhardt
06/23/2021, 7:07 PMok so it looks like there is a /bin/sh bundle that needs permission
s
seph
06/23/2021, 7:12 PM
That seems weird.
seph
06/23/2021, 7:12 PM
I would be leery of granting /bin/sh permissions
seph
06/23/2021, 7:13 PM
I wonfer if you can drop osquery into verbose mode, and compare things
e
ehrhardt
06/23/2021, 7:35 PMif I run osqueryd as root or a local user that wouldn't use the desired PPPC
ehrhardt
06/23/2021, 9:43 PMso it looks like it is a permissions with the Downloads folder issue but not getting my PPPC to work properly
h
HurricaneHrndz
06/23/2021, 10:55 PMYes so to add this is the log we are getting from TCC
HurricaneHrndz
06/23/2021, 10:55 PM Copy code
2021-06-23 15:48:27.928967-0600 0xb194 Default 0x8a3b 152 0 tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.21
2021-06-23 15:48:27.929056-0600 0x8395 Info 0x8a3b 141 0 sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8903907250> { count = 4, transaction: 0, voucher = 0x0, contents =
"auth_value" => <uint64: 0xf25afd6076682bd3>: 0
"result" => <bool: 0x7fff870f80c0>: false
"auth_version" => <uint64: 0xf25afd6076683bd3>: 1
"auth_reason" => <uint64: 0xf25afd6076682bd3>: 0
}
2021-06-23 15:48:27.929201-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] auid = -1; routing based on euid (0) instead
2021-06-23 15:48:27.929351-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] SEND: 0/7 synchronous to com.apple.tccd: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929484-0600 0x8395 Default 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] send_message_with_reply_sync(): user tccd unavailable, sending 0x7f89039052e0 to system tccd
2021-06-23 15:48:27.929649-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] SEND: 1/7 synchronous to com.apple.tccd.system: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929849-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] REQUEST: tccd_uid=0, sender_pid=141, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.929944-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] REQUEST_MSG: msgID=141.22, msg={
service="kTCCServiceSystemPolicyDownloadsFolder"
TCCD_MSG_SPI_VERSION=2 (0x2)
user_tccd_unavailable=true
function="TCCAccessRequest"
TCCD_MSG_MESSAGE_OPTION_REQUEST_RECORD_UPGRADE_POLICY_POLICY_KEY=1 (0x1)
TCCD_MSG_REQUEST_TYPE_KEY=0 (0x0)
TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_RIGHTS_MASK_KEY=5 (0x5)
TCC_MSG_REQUEST_AUTHORIZATION_SUBJECT_CREDENTIAL_DICTIONARY_KEY={
TCCD_MSG_CREDENTIAL_AUTHENTICATOR_TYPE_KEY=1 (0x1)
TCCD_MSG_CREDENTIAL_AUTHENTICATOR_AUDIT_TOKEN_KEY={pid:743, auid:-1, euid:0}
}
TCCD_MSG_MESSAGE_OPTION_REQUEST_USAGE_STRING_POLICY_KEY=2 (0x2)
TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_POLICY_KEY=2 (0x2)
TCCD_MSG_ID="141.22"
}
2021-06-23 15:48:27.930298-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sa
ndboxd
2021-06-23 15:48:27.930586-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={ident
ifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.930638-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] per-user tccd is unavailable; handling in system tccd; service: kTCCServiceSystemPolicyDownloadsFolder
2021-06-23 15:48:27.930673-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] handle_TCCAccessRequest: incoming client: 141, for: <private>
2021-06-23 15:48:27.931127-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sa
ndboxd
2021-06-23 15:48:27.931421-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={ident
ifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.931462-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder, preflight=yes, query=1,
2021-06-23 15:48:27.931492-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=141.22, attribution={responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/b
in/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd}, },
2021-06-23 15:48:27.932859-0600 0xb9e4 Debug 0x8a3c 152 0 tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: starting for: /bin/sh
2021-06-23 15:48:27.933073-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: /bin/sh[141]: from cache: = /bin/sh, type 1 (198/304)
2021-06-23 15:48:27.933166-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_SUBJECT: msgID=141.22, subject=/bin/sh,
2021-06-23 15:48:27.933249-0600 0xb9e4 Error 0x8a3c 152 0 tccd: [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client Sub:{/bin/sh}Resp:{identifier=osqueryd, pid=134, auid=0, euid=0, res
ponsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd} in background session
2021-06-23 15:48:27.933361-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=141.22, authValue=0, authReason=5, authVersion=1, error=(null),
2021-06-23 15:48:27.933471-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] REPLY_MSG: msg={
auth_value=0 (0x0)
result=false
auth_version=1 (0x1)
auth_reason=5 (0x5)
}
2021-06-23 15:48:27.933504-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.933606-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8902408e90> { count = 4, transaction: 0, voucher = 0x0, contents =
"auth_value" => <uint64: 0xf25afd6076682bd3>: 0
"result" => <bool: 0x7fff870f80c0>: false
"auth_version" => <uint64: 0xf25afd6076683bd3>: 1
"auth_reason" => <uint64: 0xf25afd6076687bd3>: 5
}
2021-06-23 15:48:27.933719-0600 0xb194 Debug 0x8a3c 152 0 tccd: [com.apple.TCC:access] register with resolver: binary:file:///usr/local/bin/osqueryd, bundle file:///usr/local/bin/ -- failed: isApp:0HurricaneHrndz
06/23/2021, 10:56 PMHere is the mobile config that was uploaded to Jamf
s
seph
06/24/2021, 12:44 AM
FWIW I don’t think you should need anything other than the
SystemPolicyAllFiles👍 1
seph
06/24/2021, 12:45 AM
What does
/usr/sbin/spctl -a -vvv -t install --ignore-cache /usr/local/bin/osquerydh
HurricaneHrndz
06/24/2021, 2:07 AM Copy code
/usr/local/bin/osqueryd: accepted
source=Notarized Developer ID
origin=Developer ID Application: Theodore Reed (B89LNTUADM)HurricaneHrndz
06/24/2021, 2:08 AMAnd thank you for the assist
HurricaneHrndz
06/24/2021, 2:11 AMThis is what got placed in the MDMoverride
Copy code
"/usr/local/bin/osqueryd" => {
"kTCCServiceSystemPolicyAllFiles" => {
"Allowed" => 1
"CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
"CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
"Identifier" => "/usr/local/bin/osqueryd"
"IdentifierType" => "path"
"StaticCode" => 1
}
"kTCCServiceSystemPolicyDownloadsFolder" => {
"Allowed" => 1
"CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
"CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
"Identifier" => "/usr/local/bin/osqueryd"
"IdentifierType" => "path"
"StaticCode" => 1
}
}s
seph
06/24/2021, 2:54 AM
I don’t know what
MDMoverride/usr/local/bin/osquerydB89LNTUADMseph
06/24/2021, 2:55 AM
I’m definitely at a loss to tell why. I haven’t seen anything like this before
h
HurricaneHrndz
06/24/2021, 1:48 PMHmmm, if there is anymore information I can provide please let me know. Thanks once again
s
seph
06/26/2021, 11:52 AM
I saw some more about this over on MacAdmins. As commented there…
Maybe a couple more things to try:
1. Manually grant osquery full disk permission through the Privacy control panel
2. How sure are you that the profile is installed? Try doing it manually outside the MDM?
h
HurricaneHrndz
06/29/2021, 9:48 PM@seph Thanks for looking into it … I made some headway and discovered someone had a wrapper script fo launchdaemon
s
seph
06/29/2021, 11:09 PM
That's probably why /bin/sh showed up. But it's all a bit 🤷 to me. I think you have some oddities in the local setup
29 Views