Does anyone have any examples of finding versions ...
# general
l
Does anyone have any examples of finding versions of command line tools and binaries such as git? We’re using homebrew_packages at the moment, but that misses out on things such as the AppleGit versions included in the Xcode CLI tools. I’m thinking the extension route might be the way to go, but just checking if anyone has solved this in an easier way?
s
Are they in the apps table?
Ultimately this will depend on how these command line tools are installed.
t
How would you find the version without using osquery?
l
Are they in the apps table?
Nope - for example, when installing the Xcode command line tools. Looking around, that isn’t exposed anywhere in osquery - we’d get it from the CLI by running git --version - but there doesn’t seem to be a footprint anywhere on the system that I can see.
s
Osquery generally talks to APIs. Homebrew, apps, etc. I don't think I've seen anything that does quite what you're asking. Each tool would need its own logic.
For things that come via Xcode you might be able to check Xcode's version. But it's a bit indirect.
l
That’s what I was expecting - essentially trying to get the data we’d need to do vulnerability detection and this was on the list of edge cases - thanks for the confirmation!
s
I think there’s a really deep rathole.
It’s “easy” to gather app versions. And homebrew ones. But it seems impossible to try to get all the possible binaries an end user installed.
g
Yeah in that case it might make more sense to gather what can be gathered as installed, and then monitor processes. Won’t help you detect a vuln on an executable that is present but never executed, but maybe that’s not the worst thing ever (I don’t really know your use case)