# general

Liam

08/07/2020, 9:06 AM
Does anyone have any examples of finding versions of command line tools and binaries such as git? We’re using `homebrew_packages` at the moment, but that misses out on things such as the AppleGit versions included in the Xcode CLI tools. I’m thinking the extension route might be the way to go, but just checking if anyone has solved this in an easier way?

seph

08/07/2020, 1:01 PM
Are they in the apps table?
Ultimately this will depend on how these command line tools are installed.

theopolis

08/07/2020, 1:13 PM
How would you find the version without using osquery?

Liam

08/07/2020, 1:38 PM
> Are they in the apps table?

Nope - for example, when installing the Xcode command line tools. Looking around, that isn’t exposed anywhere in osquery - we’d get it from the CLI by running `git --version` - but there doesn’t seem to be a footprint anywhere on the system that I can see.

seph

08/07/2020, 2:01 PM
osquery generally talks to APIs. Homebrew, apps, etc. I don't think I've seen anything that does quite what you're asking. Each tool would need its own logic.
For things that come via Xcode you might be able to check Xcode's version. But it's a bit indirect.

Liam

08/07/2020, 2:35 PM
That’s what I was expecting - essentially trying to get the data we’d need to do vulnerability detection and this was on the list of edge cases - thanks for the confirmation!

seph

08/07/2020, 3:46 PM
I think there’s a really deep rathole.
It’s “easy” to gather apps version. And homebrew ones. But it seems impossible to try to get all the possible binaries an end user installed.

Guillaume

08/10/2020, 2:26 AM
Yeah in that case it might make more sense to gather what can be gathered as installed, and then monitor processes. Won’t help you detect a vuln on an executable that is present but never executed, but maybe that’s not the worst thing ever (I don’t really know your use case)