Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
f
fritz
03/01/2021, 10:00 PM@Mike Myers curious about your thoughts pertaining to a comment i posted on the Safari Extensions issue: https://github.com/osquery/osquery/issues/6498
I found what I believe to be a better datasource.
m
Mike Myers
03/01/2021, 10:08 PMhmm on my system it seems like my current user can't read it?
mmyers@MMyers-MBP13 ~/P/E/o/o/build> cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
cat: /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist: Operation not permitted
mmyers@MMyers-MBP13 ~/P/E/o/o/build [1]> ls -la ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
-rw-r--r--@ 1 mmyers staff 463 Nov 18 08:39 /Users/mmyers/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plistI'll test your query in a VM
f
fritz
03/01/2021, 10:10 PMInteresting, are you running as root or regular user?
m
Mike Myers
03/01/2021, 10:11 PMon my host macOS I run as a standard user
f
fritz
03/01/2021, 10:11 PMwhoops just reread your pasted block of text, what happens when you try to read with sudo?
m
Mike Myers
03/01/2021, 10:12 PMI'll know in a minute (VM starting)
f
fritz
03/01/2021, 10:13 PMI am now wondering how many other tables cannot be queried outside of standard user context.
I can't think of one off-hand...
m
Mike Myers
03/01/2021, 10:13 PMI see that the file doesn't exist if you don't have any extensions yet
one moment
oh yea there are several tables that don't return full or any results, when run as standard user
ok, on the 10.15 VM, that file is readable no problem (admin user)
although, the query you mentioned doesn't seem to parse it
mmyers@mmyerss-Mac ~ % sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> WITH
...> app_extensions_flat AS (
...> SELECT * FROM plist
...> WHERE path LIKE '/Applications/%.app/Contents/PlugIns/%Extension.appex/Contents/Info.plist'),
...> app_extension_pivot AS (
...> SELECT
...> SPLIT(path, '/', 1) AS extension_parent_app,
...> MAX(CASE WHEN key = 'CFBundleIdentifier' THEN value END) AS bundle_identifier,
...> MAX(CASE WHEN key = 'CFBundleDisplayName' THEN value END) AS display_name,
...> MAX(CASE WHEN key = 'NSHumanReadableDescription' THEN value END) AS description,
...> MAX(CASE WHEN key = 'CFBundleShortVersionString' THEN value END) AS bundle_short_version,
...> MAX(CASE WHEN key = 'CFBundleVersion' THEN value END) AS bundle_version,
...> MAX(CASE WHEN key = 'NSHumanReadableCopyright' THEN value END) AS copyright
...> FROM app_extensions_flat
...> GROUP BY path),
...> human_accounts AS (
...> SELECT username, uid, directory FROM users WHERE SUBSTR(uuid,0,8) != 'FFFFEEE'),
...> safari_raw AS (
...> SELECT
...> username, uid,
...> MAX(CASE WHEN subkey = 'Enabled' THEN value END) AS enabled,
...> MAX(CASE WHEN subkey LIKE '%Level' THEN value END) AS level,
...> MAX(CASE WHEN subkey LIKE '%Has Injected Content' THEN value END) AS has_injected_content,
...> REGEX_SPLIT(key,' \(', 0) AS bundle_identifier,
...> REGEX_MATCH(key,'\((.*?)\)', 1) AS extension_id
...> FROM plist JOIN human_accounts ha ON directory = '/Users/' || SPLIT(path,'/',1)
...> WHERE path LIKE '/Users/%/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist'
...> GROUP BY key, path),
...> -- Remove nulls
...> safari_extensions_plist AS (
...> SELECT * FROM safari_raw WHERE enabled NOT NULL)
...> SELECT * FROM safari_extensions_plist LEFT JOIN app_extension_pivot USING(bundle_identifier);
osquery>mmyers@mmyerss-Mac ~ % cat ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/Extensions.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<http://www.apple.com/DTDs/PropertyList-1.0.dtd>">
<plist version="1.0">
<dict>
<key>com.adguard.safari.AdGuard.AdvancedBlocking (TC3Q7MAJXF)</key>
<dict>
<key>WebsiteAccess</key>
<dict>
<key>Allowed Domains</key>
<array/>
<key>Has Injected Content</key>
<true/>
<key>Level</key>
<string>All</string>
</dict>
</dict>
<key>com.adguard.safari.AdGuard.Extension (TC3Q7MAJXF)</key>
<dict>
<key>WebsiteAccess</key>
<dict>
<key>Allowed Domains</key>
<array/>
<key>Has Injected Content</key>
<true/>
<key>Level</key>
<string>All</string>
</dict>
</dict>
</dict>
</plist>f
fritz
03/01/2021, 10:18 PMahhhh
I bet it is TCC related
m
Mike Myers
03/01/2021, 10:19 PMmaybe a Big Sur change. I'll try the macOS 11 VM
f
fritz
03/01/2021, 10:19 PMThis was on catalina
But i have Full Disk Access for terminal
I wonder if that is the blocker
m
Mike Myers
03/01/2021, 10:21 PMlike if I gave
Terminalyep that was it, I can view that file now from CLI tools
f
fritz
03/01/2021, 10:23 PMyeah, so this file must be in one of the tcc protected directories
Which isn't terrifically surprising.
This is going to increasingly become the case I suspect for some of these buried plists.
m
Mike Myers
03/01/2021, 10:24 PMif it's common to add that permission to
osquerydf
fritz
03/01/2021, 10:27 PMWe typically recommend customers grant osqueryd FDA perms since without them the agent is prevented from accessing various directories. I am unsure what other vendors and osquery admins are doing with regards to recommendations.
m
Mike Myers
03/01/2021, 10:28 PMI had planned to add a section to the official docs, under macOS and Deployment
➕ 1
f
fritz
03/01/2021, 10:29 PMThat's a great idea
m
Mike Myers
03/01/2021, 10:29 PMstill, I don't seem to get results with this query. Perhaps I am doing something wrong? Trying it in osqueryi, but it's a big multi-line query and I wonder if it worked.
f
fritz
03/01/2021, 10:32 PMThat is weird....
What's mostly weird to me about that is you have the plist on disk and verified it has data inside
m
Mike Myers
03/01/2021, 10:39 PMI'll re-run with
--verbosef
fritz
03/01/2021, 10:39 PMI gotta go start dinner, but I will be back around later.
🆗 1
m
Mike Myers
03/01/2021, 10:42 PMYea, no results. Whether or not I am running
osqueryicatMaybe compare the contents of my plist file to what yours has
Specifically you mentioned that there was an
enabledyea that was it — I left feedback in the issue on GitHub
f
fritz
03/02/2021, 1:37 AMI wonder if the enabled key is not created until you have disabled an extension for the first time...
that sounds like some standard stupid apple behavior
:apple-rainbow: 1