#macos

harveywells

09/30/2020, 6:19 PM
👋 Hi all. Has anyone tested osquery 3.3.2 with Big Sur?

alessandrogario

10/01/2020, 11:03 AM
Hey @harveywells! Is there any chance you can upgrade to a newer release? That version is extremely old and is missing many bugfixes
commit 5188ce5288abe0e323b8e8bd364f452134a62d00 (tag: 3.3.2)
Author: packetzero <20775507+packetzero@users.noreply.github.com>
Date:   Mon Oct 29 16:24:29 2018 -0500

    update aws-sdk-cpp 1.4.55 on windows (#5255)
There are also some security vulnerabilities that have been fixed too

cdown512

10/01/2020, 5:43 PM
I’ve started initial testing with it. So far so good.

harveywells

10/02/2020, 3:21 PM
@alessandrogario yup we’re in the process of planning that work now, just wanted to add this as a data point to flesh out the timeline
@cdown512 thank you.

cdown512

10/02/2020, 3:38 PM
Seeing a couple issues with some of our queries. But not sure if those are OS related or not. Points in code where they fall have not changed in master.
For instance….
I1001 14:55:42.517997 303308288 preferences.cpp:318] Cannot find/read defaults plist from path: /Library/Preferences/SystemConfiguration/com.apple.nat.plist
when querying sharing_preferences
foos-Mac:~ foo$ ls -l /Library/Preferences/SystemConfiguration/com.apple.nat.plist
ls: /Library/Preferences/SystemConfiguration/com.apple.nat.plist: No such file or directory
^^ Big Sur. need to check same on older OS’s
not finding that file in Catalina either, so likely unrelated to OS update

harveywells

10/02/2020, 3:54 PM
Nice find

cdown512

10/02/2020, 4:01 PM
doesn’t prevent the query from executing. it’s an INFO line. just defined const that doesn’t seem to exist
triggering this log line when querying the wifi_networks table on a Big Sur VM that is not getting triggered by the same query on a Catalina VM:
I1001 14:55:12.495281 135151104 wifi.mm:131] Key not found : KnownNetworks
  @autoreleasepool {
    auto plist = (__bridge CFDictionaryRef)[NSDictionary
        dictionaryWithContentsOfFile:@(kAirPortPreferencesPath.c_str())];
    if (plist == nullptr || CFDictionaryGetCount(plist) == 0) {
      return {};
    }
    auto cfkey = CFStringCreateWithCString(
        kCFAllocatorDefault, key.c_str(), kCFStringEncodingUTF8);
    CFTypeRef networks = CFDictionaryGetValue(plist, cfkey);
    CFRelease(cfkey);
    if (networks == nullptr) {
      VLOG(1) << "Key not found : " << key;
      return {};
    }

    if (CFGetTypeID(networks) == CFArrayGetTypeID()) {
      auto count = CFArrayGetCount((CFArrayRef)networks);
      for (CFIndex i = 0; i < count; i++) {
        parseNetworks(
            (CFDictionaryRef)CFArrayGetValueAtIndex((CFArrayRef)networks, i),
            results);
      }
    } else if (CFGetTypeID(networks) == CFDictionaryGetTypeID()) {
      auto count = CFDictionaryGetCount((CFDictionaryRef)networks);
      std::vector<const void*> keys(count);
      std::vector<const void*> values(count);
      CFDictionaryGetKeysAndValues(
          (CFDictionaryRef)networks, keys.data(), values.data());
      for (CFIndex i = 0; i < count; i++) {
        parseNetworks((CFDictionaryRef)values[i], results);
      }
    }
  }
routine seems unchanged in current master branch from 3.3.1
// Check if we are running on OS X 10.9, where the key in plist is different
Status getKnownNetworksKey(std::string& key) {
  auto qd = SQL::selectAllFrom("os_version");
  if (qd.size() != 1) {
    return Status(-1, "Couldn't determine OS X version");
  }

  key = (qd.front().at("major") == "10" && qd.front().at("minor") == "9")
            ? "RememberedNetworks"
            : "KnownNetworks";
  return Status(0, "ok");
}
maybe it’s having issues determining the version properly since this is a beta Dev preview
os_version table version column is populated with “10.16”