https://github.com/osquery/osquery logo
Powered by
Title
a

allister

05/27/2022, 4:46 PM
strike that, it's osquery that's not healthy. But I finally devised the right way to test it 
SELECT CASE
           WHEN
                  (SELECT count(*)
                   FROM plist
                   WHERE path = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist") > 0 THEN
                  (SELECT value
                   FROM plist
                   WHERE path = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
                   AND KEY = "com.crowdstrike.falcon.Agent"
                   AND subkey = "kTCCServiceSystemPolicyAllFiles/Allowed")
            ELSE "couldn't read"
       END cs_fda_status;
1 means enabled, 0 disabled, NO RESULT means profile/matching key not present, "couldn't read" means no FDA for osqueryd itself
s

seph

05/27/2022, 8:13 PM
There are several ways to achieve this. Eyeballing it, this seems reasonable enough, though you can do it without subselects
4 Views
#macosJoin Slack
Powered by