Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
e
ehrhardt
06/23/2021, 7:04 AMHey all I am having issues using fleet to carve a file from a user's Downloads directory on OSX 10.15.7. I have tested both osquery 4.4.0 and 4.8.0. I have configured the PPPC profile per https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#automatically-granting-permissions-silent-installs. Is there something special required for fleet carving from Downloads?
s
seph
06/23/2021, 11:37 AMI think programs need Full Disk Access to be able to read most user files, I think Downlods is part of that. But that should be the profile you installed
The policy quoted there looks like an example and probably work work for you
You might also want to isolate if this is a fleet or a permissions problem. If it's a permissions issue, it will also manifest if you to do other things with those files. (Like calculate a hash)
z
zwass
06/23/2021, 3:24 PMAgreed with everything Seph said above. Feel free to join us over in #fleet if you find you are able to access downloads via something like
select * from hash where path = '/Users/zwass/Downloads/foo.txt'e
ehrhardt
06/23/2021, 6:41 PMthe issue is fleet access vs osquery access. scheduled queries on the Downloads directory return hashes where fleet queries do not. Is there a PPPC I need for fleet that is different from osqueryd?
s
seph
06/23/2021, 6:51 PMWhat is a fleet query? If that's a distributed query, that's part of core osquery and it should behave identically.
e
ehrhardt
06/23/2021, 6:54 PMI ran the equivalent of
select * from hash where path = '/Users/ehrhardt/Downloads/test.txtI have a scheduled query running that can see the file
s
seph
06/23/2021, 6:55 PMThat doesn't make much sense to me. Those should both be running inside osquery, which has whatever permissions it has.
e
ehrhardt
06/23/2021, 6:58 PMI understand but this is what I am seeing
s
seph
06/23/2021, 7:02 PMIt looks like you're starting to debug it over on #fleet, that seems like a fine place too
Is it the same osquery process for both? Any launcher or orbit here?
e
ehrhardt
06/23/2021, 7:03 PMit is the same process
s
seph
06/23/2021, 7:05 PMHrm. The same profile and permissions should apply to both. It’s all the same osquery running
e
ehrhardt
06/23/2021, 7:07 PMok so it looks like there is a /bin/sh bundle that needs permission
s
seph
06/23/2021, 7:12 PMThat seems weird.
I would be leery of granting /bin/sh permissions
I wonfer if you can drop osquery into verbose mode, and compare things
e
ehrhardt
06/23/2021, 7:35 PMif I run osqueryd as root or a local user that wouldn't use the desired PPPC
so it looks like it is a permissions with the Downloads folder issue but not getting my PPPC to work properly
h
HurricaneHrndz
06/23/2021, 10:55 PM2021-06-23 15:48:27.928967-0600 0xb194 Default 0x8a3b 152 0 tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.21
2021-06-23 15:48:27.929056-0600 0x8395 Info 0x8a3b 141 0 sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8903907250> { count = 4, transaction: 0, voucher = 0x0, contents =
"auth_value" => <uint64: 0xf25afd6076682bd3>: 0
"result" => <bool: 0x7fff870f80c0>: false
"auth_version" => <uint64: 0xf25afd6076683bd3>: 1
"auth_reason" => <uint64: 0xf25afd6076682bd3>: 0
}
2021-06-23 15:48:27.929201-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] auid = -1; routing based on euid (0) instead
2021-06-23 15:48:27.929351-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] SEND: 0/7 synchronous to com.apple.tccd: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929484-0600 0x8395 Default 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] send_message_with_reply_sync(): user tccd unavailable, sending 0x7f89039052e0 to system tccd
2021-06-23 15:48:27.929649-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] SEND: 1/7 synchronous to com.apple.tccd.system: request: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder,
2021-06-23 15:48:27.929849-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] REQUEST: tccd_uid=0, sender_pid=141, sender_uid=0, sender_auid=-1, function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.929944-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] REQUEST_MSG: msgID=141.22, msg={
service="kTCCServiceSystemPolicyDownloadsFolder"
TCCD_MSG_SPI_VERSION=2 (0x2)
user_tccd_unavailable=true
function="TCCAccessRequest"
TCCD_MSG_MESSAGE_OPTION_REQUEST_RECORD_UPGRADE_POLICY_POLICY_KEY=1 (0x1)
TCCD_MSG_REQUEST_TYPE_KEY=0 (0x0)
TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_RIGHTS_MASK_KEY=5 (0x5)
TCC_MSG_REQUEST_AUTHORIZATION_SUBJECT_CREDENTIAL_DICTIONARY_KEY={
TCCD_MSG_CREDENTIAL_AUTHENTICATOR_TYPE_KEY=1 (0x1)
TCCD_MSG_CREDENTIAL_AUTHENTICATOR_AUDIT_TOKEN_KEY={pid:743, auid:-1, euid:0}
}
TCCD_MSG_MESSAGE_OPTION_REQUEST_USAGE_STRING_POLICY_KEY=2 (0x2)
TCCD_MSG_MESSAGE_OPTION_REQUEST_PROMPT_POLICY_KEY=2 (0x2)
TCCD_MSG_ID="141.22"
}
2021-06-23 15:48:27.930298-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sa
ndboxd
2021-06-23 15:48:27.930586-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={ident
ifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.930638-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] per-user tccd is unavailable; handling in system tccd; service: kTCCServiceSystemPolicyDownloadsFolder
2021-06-23 15:48:27.930673-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] handle_TCCAccessRequest: incoming client: 141, for: <private>
2021-06-23 15:48:27.931127-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sa
ndboxd
2021-06-23 15:48:27.931421-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] AttributionChain: responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd}, accessing={ident
ifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd},
2021-06-23 15:48:27.931462-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=141.22, function=TCCAccessRequest, service=kTCCServiceSystemPolicyDownloadsFolder, preflight=yes, query=1,
2021-06-23 15:48:27.931492-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=141.22, attribution={responsible={identifier=osqueryd, pid=134, auid=0, euid=0, responsible_path=/bin/sh, binary_path=/usr/local/b
in/osqueryd}, accessing={identifier=osqueryd, pid=743, auid=0, euid=0, binary_path=/usr/local/bin/osqueryd}, requesting={identifier=com.apple.sandboxd, pid=141, auid=0, euid=0, binary_path=/usr/libexec/sandboxd}, },
2021-06-23 15:48:27.932859-0600 0xb9e4 Debug 0x8a3c 152 0 tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: starting for: /bin/sh
2021-06-23 15:48:27.933073-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: /bin/sh[141]: from cache: = /bin/sh, type 1 (198/304)
2021-06-23 15:48:27.933166-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_SUBJECT: msgID=141.22, subject=/bin/sh,
2021-06-23 15:48:27.933249-0600 0xb9e4 Error 0x8a3c 152 0 tccd: [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client Sub:{/bin/sh}Resp:{identifier=osqueryd, pid=134, auid=0, euid=0, res
ponsible_path=/bin/sh, binary_path=/usr/local/bin/osqueryd} in background session
2021-06-23 15:48:27.933361-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=141.22, authValue=0, authReason=5, authVersion=1, error=(null),
2021-06-23 15:48:27.933471-0600 0xb9e4 Info 0x8a3c 152 0 tccd: [com.apple.TCC:access] REPLY_MSG: msg={
auth_value=0 (0x0)
result=false
auth_version=1 (0x1)
auth_reason=5 (0x5)
}
2021-06-23 15:48:27.933504-0600 0xb9e4 Default 0x8a3c 152 0 tccd: [com.apple.TCC:access] REPLY: (0) function=TCCAccessRequest, msgID=141.22
2021-06-23 15:48:27.933606-0600 0x8395 Info 0x8a3c 141 0 sandboxd: (TCC) [com.apple.TCC:access] RECV: synchronous reply <dictionary: 0x7f8902408e90> { count = 4, transaction: 0, voucher = 0x0, contents =
"auth_value" => <uint64: 0xf25afd6076682bd3>: 0
"result" => <bool: 0x7fff870f80c0>: false
"auth_version" => <uint64: 0xf25afd6076683bd3>: 1
"auth_reason" => <uint64: 0xf25afd6076687bd3>: 5
}
2021-06-23 15:48:27.933719-0600 0xb194 Debug 0x8a3c 152 0 tccd: [com.apple.TCC:access] register with resolver: binary:file:///usr/local/bin/osqueryd, bundle file:///usr/local/bin/ -- failed: isApp:0Yes so to add this is the log we are getting from TCC
Here is the mobile config that was uploaded to Jamf
s
seph
06/24/2021, 12:44 AMFWIW I don’t think you should need anything other than the
SystemPolicyAllFiles👍 1
What does
/usr/sbin/spctl -a -vvv -t install --ignore-cache /usr/local/bin/osquerydh
HurricaneHrndz
06/24/2021, 2:07 AM/usr/local/bin/osqueryd: accepted
source=Notarized Developer ID
origin=Developer ID Application: Theodore Reed (B89LNTUADM)And thank you for the assist
This is what got placed in the MDMoverride
"/usr/local/bin/osqueryd" => {
"kTCCServiceSystemPolicyAllFiles" => {
"Allowed" => 1
"CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
"CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
"Identifier" => "/usr/local/bin/osqueryd"
"IdentifierType" => "path"
"StaticCode" => 1
}
"kTCCServiceSystemPolicyDownloadsFolder" => {
"Allowed" => 1
"CodeRequirement" => "identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM"
"CodeRequirementData" => {length = 148, bytes = 0xfade0c00 00000094 00000001 00000006 ... 4e545541 444d0000 }
"Identifier" => "/usr/local/bin/osqueryd"
"IdentifierType" => "path"
"StaticCode" => 1
}
}s
seph
06/24/2021, 2:54 AMI don’t know what
MDMoverride/usr/local/bin/osquerydB89LNTUADMI’m definitely at a loss to tell why. I haven’t seen anything like this before
h
HurricaneHrndz
06/24/2021, 1:48 PMHmmm, if there is anymore information I can provide please let me know. Thanks once again
s
seph
06/26/2021, 11:52 AMI saw some more about this over on MacAdmins. As commented there…
Maybe a couple more things to try:
1. Manually grant osquery full disk permission through the Privacy control panel
2. How sure are you that the profile is installed? Try doing it manually outside the MDM?
h
HurricaneHrndz
06/29/2021, 9:48 PM@seph Thanks for looking into it … I made some headway and discovered someone had a wrapper script fo launchdaemon
s
seph
06/29/2021, 11:09 PMThat's probably why /bin/sh showed up. But it's all a bit 🤷 to me. I think you have some oddities in the local setup