https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi team! We are trying to use osquery with the `pw...
# fleet
b
Hi team! We are trying to use osquery with the 
pwd_policy
table and whenever we call the 
days_to_expiration
value, it always comes back empty, regardless of the host we query. Any ideas why?
👀 1
m
Hello @Billy H thanks for reaching out, sorry to hear your having trouble with that table. We should be able to take a look. Would you mind letting me know which version of Fleet your currently running?
b
Thanks @Matt Rebelo we are on fleet v4.70.1!
m
Excellent! Thanks for confirming. Are you expecting a password expiration, as in is one set for that host? Which may seem like an odd question, but macOS for example doesn't have password expiry on by default and would likely return an empty table.
b
Yes we have the password maximum age to 365 days via MDM config
m
Excellent! I know that seemed silly to ask, but I appreciate you checking! If possible could you double check the logs for this host? Feel free to DM them to me if you didn't want them visible publicly in this channel. Ultimately in the error logs we should be looking for something like the following 
get policyAttributeDaysUntilExpiration failed
That's the error that's supposed to be output when there's no value 
policyAttributeDaysUntilExpiration
and could indicate there is something wrong with the password expiration config.
b
hey matt, I can't find the string 
policyAttributeDaysUntilExpiration
any where in the logs, tried rerunning the query and researching for it but no luck
for context, all our accounts are local accounts and the password policy is set with a mdm config, with the following code:
Copy code
<key>maxPINAgeInDays</key>
<integer>365</integer>
I can confirm that the password policy is working, because the users are forced to change their passwords at that time, when running 
SELECT * FROM pwd_policy
in osquery the 
expires_every_n_days
field returns 365, and we can also see a countdown for the password rotation in our configuration of SupportApp that Root3 makes
m
Thanks for the update and additional info, I'm going to loop in our engineering team and double check if there is anything else we need to check here, or if we need to open up a potential bug report.
👍🏻 1
@Billy H thanks for your patience while we firgure this out. I've created a bug report so you can track, I'm still tidying it up so once its ready I'll send over a link so you can track its progress. The only other question I have, could you send the OS version for any host having this issue? I wanted to include it in the bug report. Thanks!
b
Sure thing! This is happening to the entire fleet of our hosts running macos 15.5
ty 1
m
https://github.com/fleetdm/fleet/issues/31346 Here's the link for the bug, let me know if there's anything else that needs to be added, you may see some updates in there, and I will do my best to keep an eye out if there's anything that might need your attention. Thanks again!
b
thank you! looks good to me
Hi @Matt Rebelo! So it looks like the team closed that bug request out as a documentation change instead of a code change. I understand why, but now I'm wondering, is there any way to retreive 
secondsUntilPasswordExpires
for each UID on the system with Osquery? https://developer.apple.com/documentation/opendirectory/odrecord/secondsuntilpasswordexpires I was able to find this because it looks like that is what the SupportApp by Root3 references to get the password expiration time: https://github.com/root3nl/SupportApp/blob/f596fa90a762990e035d00a06b1977e5897709b2/src/Support/UserInfo.swift#L160C58-L160C85
m
Hi @Billy H That is a great question, I'll have to do a little research and see what I can come up with regarding if its possible to retrieve the password expiration time with osquery. I'm not super familiar with the Support App but I will take a look. It's possible we may need to explore this as a feature request if its not currently possible. I'll keep you updated if I find anything.
b
Sounds good, thanks @Matt Rebelo!!
3 Views
Open in Slack
PreviousNext
Powered by