Me neither :slightly_smiling_face: But yes, now th...
# macosb
Bradley Kemp
08/26/2020, 2:02 PMMe neither 🙂 But yes, now that I run the queries via
osqueryior path like '/Users/%%'f
fritz
08/26/2020, 2:04 PMIf you can tell me more about what specific use-case you are trying to accomplish I can try to help you write a more performant/reliable query.
b
Bradley Kemp
08/26/2020, 2:07 PMI was just spiking out how much of these OSX incident response scripts could be implemented with OSQuery: https://github.com/jbradley89/osx_incident_response_scripting_and_analysis
Most stuff is really easily handled (launch daemons, running processes, etc) but looks like the “get me the modified times of all files” part isn’t a good fit for OSQuery
f
fritz
08/26/2020, 2:07 PMTrue, hashing or checking the mtime of all files is not going to be its forte
fritz
08/26/2020, 2:08 PMif you want to go down that rabbit hole you are better off trying to build FIM rules and use the
file_eventsfritz
08/26/2020, 2:09 PMGlancing at your provided link it looks like there are pre-defined paths to monitor:
https://github.com/jbradley89/osx_incident_response_scripting_and_analysis/blob/master/chapter4/collection_filesystem.sh
fritz
08/26/2020, 2:10 PMWhich would make writing a serviceable query much more achievable
fritz
08/26/2020, 2:11 PMAh, I misread, this is the list of files being actually collected for content inspection
fritz
08/26/2020, 2:11 PMyou can disregard my previous comment in that case.
fritz
08/26/2020, 2:12 PMIt looks like you are more trying to address: https://github.com/jbradley89/osx_incident_response_scripting_and_analysis/blob/master/chapter4/file_walker.py
b
Bradley Kemp
08/26/2020, 2:13 PMYup. I think you’re probably right though, a
%%3 Views