https://github.com/osquery/osquery logo
#general
Title
# general
e

ehrhardt

06/23/2021, 7:04 AM
Hey all I am having issues using fleet to carve a file from a user's Downloads directory on OSX 10.15.7. I have tested both osquery 4.4.0 and 4.8.0. I have configured the PPPC profile per https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#automatically-granting-permissions-silent-installs. Is there something special required for fleet carving from Downloads?
s

seph

06/23/2021, 11:37 AM
I think programs need Full Disk Access to be able to read most user files, I think Downlods is part of that. But that should be the profile you installed
The policy quoted there looks like an example and probably work work for you
You might also want to isolate if this is a fleet or a permissions problem. If it's a permissions issue, it will also manifest if you to do other things with those files. (Like calculate a hash)
z

zwass

06/23/2021, 3:24 PM
Agreed with everything Seph said above. Feel free to join us over in #fleet if you find you are able to access downloads via something like
select * from hash where path = '/Users/zwass/Downloads/foo.txt'
and it seems like it may be a Fleet issue.
e

ehrhardt

06/23/2021, 6:41 PM
the issue is fleet access vs osquery access. scheduled queries on the Downloads directory return hashes where fleet queries do not. Is there a PPPC I need for fleet that is different from osqueryd?
s

seph

06/23/2021, 6:51 PM
What is a fleet query? If that's a distributed query, that's part of core osquery and it should behave identically.
e

ehrhardt

06/23/2021, 6:54 PM
I ran the equivalent of
select * from hash where path = '/Users/ehrhardt/Downloads/test.txt
from fleet and got no hash results
I have a scheduled query running that can see the file
s

seph

06/23/2021, 6:55 PM
That doesn't make much sense to me. Those should both be running inside osquery, which has whatever permissions it has.
e

ehrhardt

06/23/2021, 6:58 PM
I understand but this is what I am seeing
s

seph

06/23/2021, 7:02 PM
It looks like you're starting to debug it over on #fleet, that seems like a fine place too
Is it the same osquery process for both? Any launcher or orbit here?
e

ehrhardt

06/23/2021, 7:03 PM
it is the same process
s

seph

06/23/2021, 7:05 PM
Hrm. The same profile and permissions should apply to both. It’s all the same osquery running
e

ehrhardt

06/23/2021, 7:07 PM
ok so it looks like there is a /bin/sh bundle that needs permission
s

seph

06/23/2021, 7:12 PM
That seems weird.
I would be leery of granting /bin/sh permissions
I wonfer if you can drop osquery into verbose mode, and compare things
e

ehrhardt

06/23/2021, 7:35 PM
if I run osqueryd as root or a local user that wouldn't use the desired PPPC
so it looks like it is a permissions with the Downloads folder issue but not getting my PPPC to work properly
h

HurricaneHrndz

06/23/2021, 10:55 PM
Copy code
2021-06-23 15:48:27.928967-0600 0xb194     Default     0x8a3b               152    0    tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.21
2021-06-23 15:48:27.929056-0600 0x8395     Info        0x8a3b               141    0    sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8903907250> { count = 4, transaction: 0, voucher = 0x0, contents =
        "auth_value" => <uint64: 0xf25afd6076682bd3>: 0
        "result" => <bool: 0x7fff870f80c0>: false
        "auth_version" => <uint64: 0xf25afd6076683bd3>: 1
        "auth_reason" => <uint64: 0xf25afd6076682bd3>: 0
}
2021-06-23 15:48:27.929201-0600 0x8395     Info        0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] auid = -1; routing based on euid (0) instead
2021-06-23 15:48:27.929351-0600 0x8395     Info        0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] SEND: 0/7 synchronous to com.apple.tccd: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929484-0600 0x8395     Default     0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] send_message_with_reply_sync(): user tccd unavailable, sending 0x7f89039052e0 to system tccd
2021-06-23 15:48:27.929649-0600 0x8395     Info        0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] SEND: 1/7 synchronous to com.apple.tccd.system: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929849-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] REQUEST: tccd_uid=0, sender_pid=141, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.929944-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] REQUEST_MSG: msgID=141.22, msg={
        service="kTCCServiceSystemPolicyDownloadsFolder"
        TCCD_MSG_SPI_VERSION=2 (0x2)
        user_tccd_unavailable=true
        function="TCCAccessRequest"
        TCCD_MSG_MESSAGE_OPTION_REQUEST_RECORD_UPGRADE_POLICY_POLICY_KEY=1 (0x1)
        TCCD_MSG_REQUEST_TYPE_KEY=0 (0x0)
        TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_RIGHTS_MASK_KEY=5 (0x5)
        TCC_MSG_REQUEST_AUTHORIZATION_SUBJECT_CREDENTIAL_DICTIONARY_KEY={
                TCCD_MSG_CREDENTIAL_AUTHENTICATOR_TYPE_KEY=1 (0x1)
                TCCD_MSG_CREDENTIAL_AUTHENTICATOR_AUDIT_TOKEN_KEY={pid:743, auid:-1, euid:0}
        }
        TCCD_MSG_MESSAGE_OPTION_REQUEST_USAGE_STRING_POLICY_KEY=2 (0x2)
        TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_POLICY_KEY=2 (0x2)
        TCCD_MSG_ID="141.22"
}
2021-06-23 15:48:27.930298-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sa
ndboxd
2021-06-23 15:48:27.930586-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={ident
ifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.930638-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] per-user tccd is unavailable; handling in system tccd; service: kTCCServiceSystemPolicyDownloadsFolder
2021-06-23 15:48:27.930673-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] handle_TCCAccessRequest: incoming client: 141, for: <private>
2021-06-23 15:48:27.931127-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sa
ndboxd
2021-06-23 15:48:27.931421-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={ident
ifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.931462-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder, preflight=yes, query=1,
2021-06-23 15:48:27.931492-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=141.22, attribution={responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/b
in/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd}, },
2021-06-23 15:48:27.932859-0600 0xb9e4     Debug       0x8a3c               152    0    tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: starting for: /bin/sh
2021-06-23 15:48:27.933073-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: /bin/sh[141]: from cache: = /bin/sh, type 1 (198/304)
2021-06-23 15:48:27.933166-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] AUTHREQ_SUBJECT: msgID=141.22, subject=/bin/sh,
2021-06-23 15:48:27.933249-0600 0xb9e4     Error       0x8a3c               152    0    tccd: [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client Sub:{/bin/sh}Resp:{identifier=osqueryd, pid=134, auid=0, euid=0, res
ponsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd} in background session
2021-06-23 15:48:27.933361-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=141.22, authValue=0, authReason=5, authVersion=1, error=(null),
2021-06-23 15:48:27.933471-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] REPLY_MSG: msg={
        auth_value=0 (0x0)
        result=false
        auth_version=1 (0x1)
        auth_reason=5 (0x5)
}
2021-06-23 15:48:27.933504-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.933606-0600 0x8395     Info        0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8902408e90> { count = 4, transaction: 0, voucher = 0x0, contents =
        "auth_value" => <uint64: 0xf25afd6076682bd3>: 0
        "result" => <bool: 0x7fff870f80c0>: false
        "auth_version" => <uint64: 0xf25afd6076683bd3>: 1
        "auth_reason" => <uint64: 0xf25afd6076687bd3>: 5
}
2021-06-23 15:48:27.933719-0600 0xb194     Debug       0x8a3c               152    0    tccd: [com.apple.TCC:access] register with resolver: binary:file:///usr/local/bin/osqueryd, bundle file:///usr/local/bin/ -- failed: isApp:0
Yes so to add this is the log we are getting from TCC
Here is the mobile config that was uploaded to Jamf
s

seph

06/24/2021, 12:44 AM
FWIW I don’t think you should need anything other than the
SystemPolicyAllFiles
for those. I think it’s a super set
👍 1
What does
/usr/sbin/spctl -a -vvv -t install --ignore-cache /usr/local/bin/osqueryd
show?
h

HurricaneHrndz

06/24/2021, 2:07 AM
Copy code
/usr/local/bin/osqueryd: accepted
source=Notarized Developer ID
origin=Developer ID Application: Theodore Reed (B89LNTUADM)
And thank you for the assist
This is what got placed in the MDMoverride
Copy code
"/usr/local/bin/osqueryd" => {
    "kTCCServiceSystemPolicyAllFiles" => {
      "Allowed" => 1
      "CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
      "CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
      "Identifier" => "/usr/local/bin/osqueryd"
      "IdentifierType" => "path"
      "StaticCode" => 1
    }
    "kTCCServiceSystemPolicyDownloadsFolder" => {
      "Allowed" => 1
      "CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
      "CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
      "Identifier" => "/usr/local/bin/osqueryd"
      "IdentifierType" => "path"
      "StaticCode" => 1
    }
  }
s

seph

06/24/2021, 2:54 AM
I don’t know what
MDMoverride
is. But, so far, this looks fine?
/usr/local/bin/osqueryd
is signed by
B89LNTUADM
which looks like what you’ve got in your policy
I’m definitely at a loss to tell why. I haven’t seen anything like this before
h

HurricaneHrndz

06/24/2021, 1:48 PM
Hmmm, if there is anymore information I can provide please let me know. Thanks once again
s

seph

06/26/2021, 11:52 AM
I saw some more about this over on MacAdmins. As commented there… Maybe a couple more things to try: 1. Manually grant osquery full disk permission through the Privacy control panel 2. How sure are you that the profile is installed? Try doing it manually outside the MDM?
h

HurricaneHrndz

06/29/2021, 9:48 PM
@seph Thanks for looking into it … I made some headway and discovered someone had a wrapper script fo launchdaemon
s

seph

06/29/2021, 11:09 PM
That's probably why /bin/sh showed up. But it's all a bit 🤷 to me. I think you have some oddities in the local setup
28 Views