#general
ehrhardt

06/23/2021, 7:04 AM
Hey all I am having issues using fleet to carve a file from a user's Downloads directory on OSX 10.15.7. I have tested both osquery 4.4.0 and 4.8.0. I have configured the PPPC profile per https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#automatically-granting-permissions-silent-installs. Is there something special required for fleet carving from Downloads?
seph

06/23/2021, 11:37 AM
I think programs need Full Disk Access to be able to read most user files, I think Downloads is part of that. But that should be the profile you installed
11:38 AM
The policy quoted there looks like an example and probably will work for you
11:39 AM
You might also want to isolate if this is a fleet or a permissions problem. If it's a permissions issue, it will also manifest if you try to do other things with those files. (Like calculate a hash)
zwass

06/23/2021, 3:24 PM
Agreed with everything Seph said above. Feel free to join us over in #fleet if you find you are able to access downloads via something like
select * from hash where path = '/Users/zwass/Downloads/foo.txt'
and it seems like it may be a Fleet issue.
ehrhardt

06/23/2021, 6:41 PM
the issue is fleet access vs osquery access. scheduled queries on the Downloads directory return hashes where fleet queries do not. Is there a PPPC I need for fleet that is different from osqueryd?
seph

06/23/2021, 6:51 PM
What is a fleet query? If that's a distributed query, that's part of core osquery and it should behave identically.
ehrhardt

06/23/2021, 6:54 PM
I ran the equivalent of
select * from hash where path = '/Users/ehrhardt/Downloads/test.txt'
from fleet and got no hash results
6:54 PM
I have a scheduled query running that can see the file
seph

06/23/2021, 6:55 PM
That doesn't make much sense to me. Those should both be running inside osquery, which has whatever permissions it has.
ehrhardt

06/23/2021, 6:58 PM
I understand, but this is what I am seeing
seph

06/23/2021, 7:02 PM
It looks like you're starting to debug it over on #fleet, that seems like a fine place too
7:02 PM
Is it the same osquery process for both? Any launcher or orbit here?
ehrhardt

06/23/2021, 7:03 PM
it is the same process
seph

06/23/2021, 7:05 PM
Hrm. The same profile and permissions should apply to both. It’s all the same osquery running
ehrhardt

06/23/2021, 7:07 PM
ok, so it looks like there is a /bin/sh bundle that needs permission
seph

06/23/2021, 7:12 PM
That seems weird.
7:12 PM
I would be leery of granting /bin/sh permissions
7:13 PM
I wonder if you can drop osquery into verbose mode, and compare things
ehrhardt

06/23/2021, 7:35 PM
if I run osqueryd as root or a local user, that wouldn't use the desired PPPC
9:43 PM
so it looks like it is a permissions issue with the Downloads folder, but I'm not getting my PPPC to work properly
HurricaneHrndz

06/23/2021, 10:55 PM
2021-06-23 15:48:27.928967-0600 0xb194     Default     0x8a3b               152    0    tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.21
2021-06-23 15:48:27.929056-0600 0x8395     Info        0x8a3b               141    0    sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8903907250> { count = 4, transaction: 0, voucher = 0x0, contents =
        "auth_value" => <uint64: 0xf25afd6076682bd3>: 0
        "result" => <bool: 0x7fff870f80c0>: false
        "auth_version" => <uint64: 0xf25afd6076683bd3>: 1
        "auth_reason" => <uint64: 0xf25afd6076682bd3>: 0
}
2021-06-23 15:48:27.929201-0600 0x8395     Info        0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] auid = -1; routing based on euid (0) instead
2021-06-23 15:48:27.929351-0600 0x8395     Info        0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] SEND: 0/7 synchronous to com.apple.tccd: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929484-0600 0x8395     Default     0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] send_message_with_reply_sync(): user tccd unavailable, sending 0x7f89039052e0 to system tccd
2021-06-23 15:48:27.929649-0600 0x8395     Info        0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] SEND: 1/7 synchronous to com.apple.tccd.system: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929849-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] REQUEST: tccd_uid=0, sender_pid=141, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.929944-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] REQUEST_MSG: msgID=141.22, msg={
        service="kTCCServiceSystemPolicyDownloadsFolder"
        TCCD_MSG_SPI_VERSION=2 (0x2)
        user_tccd_unavailable=true
        function="TCCAccessRequest"
        TCCD_MSG_MESSAGE_OPTION_REQUEST_RECORD_UPGRADE_POLICY_POLICY_KEY=1 (0x1)
        TCCD_MSG_REQUEST_TYPE_KEY=0 (0x0)
        TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_RIGHTS_MASK_KEY=5 (0x5)
        TCC_MSG_REQUEST_AUTHORIZATION_SUBJECT_CREDENTIAL_DICTIONARY_KEY={
                TCCD_MSG_CREDENTIAL_AUTHENTICATOR_TYPE_KEY=1 (0x1)
                TCCD_MSG_CREDENTIAL_AUTHENTICATOR_AUDIT_TOKEN_KEY={pid:743, auid:-1, euid:0}
        }
        TCCD_MSG_MESSAGE_OPTION_REQUEST_USAGE_STRING_POLICY_KEY=2 (0x2)
        TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_POLICY_KEY=2 (0x2)
        TCCD_MSG_ID="141.22"
}
2021-06-23 15:48:27.930298-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd
2021-06-23 15:48:27.930586-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.930638-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] per-user tccd is unavailable; handling in system tccd; service: kTCCServiceSystemPolicyDownloadsFolder
2021-06-23 15:48:27.930673-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] handle_TCCAccessRequest: incoming client: 141, for: <private>
2021-06-23 15:48:27.931127-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd
2021-06-23 15:48:27.931421-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.931462-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder, preflight=yes, query=1,
2021-06-23 15:48:27.931492-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=141.22, attribution={responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd}, },
2021-06-23 15:48:27.932859-0600 0xb9e4     Debug       0x8a3c               152    0    tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: starting for: /bin/sh
2021-06-23 15:48:27.933073-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: /bin/sh[141]: from cache: = /bin/sh, type 1 (198/304)
2021-06-23 15:48:27.933166-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] AUTHREQ_SUBJECT: msgID=141.22, subject=/bin/sh,
2021-06-23 15:48:27.933249-0600 0xb9e4     Error       0x8a3c               152    0    tccd: [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client Sub:{/bin/sh}Resp:{identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd} in background session
2021-06-23 15:48:27.933361-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=141.22, authValue=0, authReason=5, authVersion=1, error=(null),
2021-06-23 15:48:27.933471-0600 0xb9e4     Info        0x8a3c               152    0    tccd: [com.apple.TCC:access] REPLY_MSG: msg={
        auth_value=0 (0x0)
        result=false
        auth_version=1 (0x1)
        auth_reason=5 (0x5)
}
2021-06-23 15:48:27.933504-0600 0xb9e4     Default     0x8a3c               152    0    tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.933606-0600 0x8395     Info        0x8a3c               141    0    sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8902408e90> { count = 4, transaction: 0, voucher = 0x0, contents =
        "auth_value" => <uint64: 0xf25afd6076682bd3>: 0
        "result" => <bool: 0x7fff870f80c0>: false
        "auth_version" => <uint64: 0xf25afd6076683bd3>: 1
        "auth_reason" => <uint64: 0xf25afd6076687bd3>: 5
}
2021-06-23 15:48:27.933719-0600 0xb194     Debug       0x8a3c               152    0    tccd: [com.apple.TCC:access] register with resolver: binary:file:///usr/local/bin/osqueryd, bundle file:///usr/local/bin/ -- failed: isApp:0
10:55 PM
Yes, so to add to this, this is the log we are getting from TCC
10:56 PM
Here is the mobile config that was uploaded to Jamf
seph

06/24/2021, 12:44 AM
FWIW I don't think you should need anything other than the SystemPolicyAllFiles for those. I think it's a super set
12:45 AM
What does /usr/sbin/spctl -a -vvv -t install --ignore-cache /usr/local/bin/osqueryd show?
HurricaneHrndz

06/24/2021, 2:07 AM
/usr/local/bin/osqueryd: accepted
source=Notarized Developer ID
origin=Developer ID Application: Theodore Reed (B89LNTUADM)
2:08 AM
And thank you for the assist
2:11 AM
This is what got placed in the MDMoverride
"/usr/local/bin/osqueryd" => {
    "kTCCServiceSystemPolicyAllFiles" => {
      "Allowed" => 1
      "CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
      "CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
      "Identifier" => "/usr/local/bin/osqueryd"
      "IdentifierType" => "path"
      "StaticCode" => 1
    }
    "kTCCServiceSystemPolicyDownloadsFolder" => {
      "Allowed" => 1
      "CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
      "CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
      "Identifier" => "/usr/local/bin/osqueryd"
      "IdentifierType" => "path"
      "StaticCode" => 1
    }
  }
seph

06/24/2021, 2:54 AM
I don't know what MDMoverride is. But, so far, this looks fine? /usr/local/bin/osqueryd is signed by B89LNTUADM which looks like what you've got in your policy
2:55 AM
I'm definitely at a loss to tell why. I haven't seen anything like this before
HurricaneHrndz

06/24/2021, 1:48 PM
Hmmm, if there is any more information I can provide, please let me know. Thanks once again
seph

06/26/2021, 11:52 AM
I saw some more about this over on MacAdmins. As commented there… Maybe a couple more things to try:
1. Manually grant osquery full disk permission through the Privacy control panel
2. How sure are you that the profile is installed? Try doing it manually outside the MDM?
HurricaneHrndz

06/29/2021, 9:48 PM
@seph Thanks for looking into it … I made some headway and discovered someone had a wrapper script for the launchdaemon
seph

06/29/2021, 11:09 PM
That's probably why /bin/sh showed up. But it's all a bit 🤷 to me. I think you have some oddities in the local setup