Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
l
Lawrence D'Anna
04/29/2020, 9:43 PMdoes osquery have a table for Mac OS
os_log()m
Mike Myers
05/04/2020, 9:15 PMI think that goes to the Unified Log System, so, no. Because reading from that would require an API (Apple provides none) or forking execution to call the Apple CLI utility (osquery design philosophy is to not fork or spawn other processes)
But we did create an osquery extension to read it https://github.com/trailofbits/osquery-extensions/tree/master/darwin_unified_log
l
Lawrence D'Anna
05/04/2020, 9:18 PMthanks 🙂
OSLog.framework doesn’t have whats needed?
https://developer.apple.com/documentation/oslog
:awesome: 1
m
Mike Myers
05/04/2020, 9:44 PMoh what's this, is this new? I see
macOS 10.15+l
Lawrence D'Anna
05/04/2020, 9:45 PMyea, first appeared in 10.15 i think
m
Mike Myers
05/04/2020, 9:48 PMI see the earliest examples I can find from around November 2019, that's cool, I will go update our issue on this. An osquery table is now possible in core. Although it looks like there might be an entitlement required, which means code-signing etc