#macos
Magneto
01/27/2021, 7:02 PM
does anyone know the bundle identifier for the osqueryd binary on macOS? (trying to write a Full Disk Access MDM policy for it). It looks like it's just "osqueryd"; can anyone confirm?:
~ ❯ sudo /usr/bin/codesign -vvvv --display --entitlements - ~/Downloads/osqueryd
Executable=/Users/user/Downloads/osqueryd
Identifier=osqueryd
Format=Mach-O thin (x86_64)
<snip>
Signature size=9077
Authority=Developer ID Application: Theodore Reed (B89LNTUADM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 16, 2020 at 10:34:40 PM
Info.plist=not bound
TeamIdentifier=B89LNTUADM
Runtime Version=10.14.0
Sealed Resources=none
Internal requirements count=1 size=168
Mike Myers
01/27/2021, 9:45 PM
@theopolis is that intended? I know I've seen com.facebook.osqueryd elsewhere
9:49 PM
@Magneto I've created PPPC profiles before so if you need help with that lmk
Magneto
01/27/2021, 9:55 PM
@Mike Myers I appreciate that, here's the one I wrote, mind taking a peek to ensure it looks good?
9:59 PM
Mmm. I think the certificate fields are wrong. Let me fix that.
Mike Myers
01/27/2021, 9:59 PM
Optional, but you could add
<key>PayloadDescription</key>
			<string>Allow osquery agent to have Full Disk Access</string>
10:00 PM
Yea the tricky part is the CodeRequirement field
10:03 PM
I think the certificate fields are wrong.
Whatever this says, is what's needed for that field.
codesign -dr - /path/to/osqueryd
Everything after the => characters, that is. No leading or trailing spaces.
Magneto
01/27/2021, 10:08 PM
perfect, thanks
10:28 PM
looks like that's
identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM
10:35 PM
I do recall seeing com.facebook.osqueryd but I think that's just the launchd URI... I've gone through every release macOS build back to 3.3.2 and the identifier on the final binary is unchanged from osqueryd
10:35 PM
cc @Mike Myers @theopolis
Mike Myers
01/27/2021, 11:12 PM
ok then that's apparently how Teddy's been signing it
allister
01/28/2021, 12:24 AM
we should DEFINITELY have that in docs somewhere...
Mike Myers
01/28/2021, 12:40 AM
An example "grant Full Disk Access" configuration profile? Yea that would be great, if @Magneto can file a documentation Pull Request I'm sure it would be accepted
Magneto
01/28/2021, 12:42 AM
👍
seph
01/28/2021, 1:16 AM
It’s not proper docs, per se, but there’s a snippet in https://github.com/osquery/foundation/issues/61 and in https://github.com/autopkg/weswhet-recipes/blob/master/Kolide-Launcher/launcher.download.recipe#L71-L74 This will also change with osquery 5.0 (this will be the defining change of osquery 5.0)
Gavin
01/28/2021, 1:50 AM
FYI This is a full raw profile for Launcher signed binaries & OsqueryD
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDescription</key>
			<string>Osquery + Kolide Launcher FDE</string>
			<key>PayloadDisplayName</key>
			<string>io.osquery.launcher.fde</string>
			<key>PayloadIdentifier</key>
			<string>A2E777C7-76EE-429E-AC2B-6C444C9906BD</string>
			<key>PayloadOrganization</key>
			<string>Example</string>
			<key>PayloadType</key>
			<string>com.apple.TCC.configuration-profile-policy</string>
			<key>PayloadUUID</key>
			<string>DDB83349-7AC0-40D8-AD46-699A7085600C</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Services</key>
			<dict>
				<key>SystemPolicyAllFiles</key>
				<array>
					<dict>
						<key>Allowed</key>
						<true/>
						<key>CodeRequirement</key>
						<string>identifier launcher and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = YZ3EM74M78</string>
						<key>Comment</key>
						<string></string>
						<key>Identifier</key>
						<string>/usr/local/launcher/bin/launcher</string>
						<key>IdentifierType</key>
						<string>path</string>
					</dict>
					<dict>
						<key>Allowed</key>
						<true/>
						<key>CodeRequirement</key>
						<string>identifier osqueryd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B89LNTUADM</string>
						<key>Comment</key>
						<string></string>
						<key>Identifier</key>
						<string>/usr/local/launcher/bin/osqueryd</string>
						<key>IdentifierType</key>
						<string>path</string>
					</dict>
				</array>
			</dict>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Kolide Launcher FDE</string>
	<key>PayloadDisplayName</key>
	<string>io.osquery.launcher.fde</string>
	<key>PayloadIdentifier</key>
	<string>io.osquery.launcher.fde</string>
	<key>PayloadOrganization</key>
	<string>Example</string>
	<key>PayloadType</key>
	<string>com.apple.TCC.configuration-profile-policy</string>
	<key>PayloadUUID</key>
	<string>D3F2BC82-B1FE-4A08-9ACD-DB72CFDD4F71</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<!-- Key name is case-sensitive: "PayloadScope" with values "System" or "User" -->
	<key>PayloadScope</key>
	<string>System</string>
</dict>
</plist>
1:51 AM
Also https://github.com/jamf/PPPC-Utility is an amazing tool.
theopolis
01/28/2021, 2:14 AM
This looks expected/accurate
2:14 AM
Can confirm that's my signing team name too 🙂