Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
b
Brandon Mesa
10/27/2022, 7:40 PMSeeing this event now:
-> % tail -f /var/log/osquery/osqueryd.INFO
Log file created at: 2022/10/27 15:14:11
Running on machine: Brandons-MacBook-Pro-2.local
Running duration (h:mm:ss): 0:00:00
Log line format: [IWEF]yyyymmdd hh:mm:ss.uuuuuu threadid file:line] msg
I1027 15:14:11.117659 -267033344 eventfactory.cpp:156] Event publisher not enabled: endpointsecurity: EndpointSecurity client lacks user TCC permissionss
sharvil
10/27/2022, 7:42 PMSadly ventura changed this.. 😕 It doesn't inherit the permission on Monterey to Ventura upgrade
you will have to go to system prefs and give FDA permissions again and reboot 😞
Apple is aware of this too I am told -- @Brandon Mesa https://twitter.com/thomasareed/status/1585665754770604033?s=46&t=gWvT1Nf8OLhIHP5pL8l2sg (for a bit more context)
b
Brandon Mesa
10/27/2022, 7:51 PMThanks @sharvil !
s
sharvil
10/27/2022, 8:09 PMAnd even more context: https://www.wired.com/story/apple-macos-ventura-bug-security-tools/
hey @Brandon Mesa, just a further update, Apple has updated their release notes for macOS 13.1 beta acknowledging this issue (https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes), but Apple hasn't provided any more info on fixing it at their end sadly..
Endpoint Security
Known Issues
• Applications using Endpoint Security extensions might lose Full Disk Access authorization, impacting their ability to function. This issue doesn’t affect MDM-enabled extensions. (100857507)
• Workaround: Removing and re-adding Full Disk Access in Settings for these extensions might resolve the issue.
b
Brandon Mesa
11/02/2022, 2:50 PMuh oh, thanks @sharvil!