Me neither :slightly_smiling_face: But yes, now th...
# macos
Me neither 🙂 But yes, now that I run the queries via
I see a lot of symlink loop errors so very likely this is bailing out half way, even with the
or path like '/Users/%%'
If you can tell me more about what specific use-case you are trying to accomplish I can try to help you write a more performant/reliable query.
I was just spiking out how much of these OSX incident response scripts could be implemented with OSQuery: Most stuff is really easily handled (launch daemons, running processes, etc) but looks like the “get me the modified times of all files” part isn’t a good fit for OSQuery
True, hashing or checking the mtime of all files is not going to be its forte
if you want to go down that rabbit hole you are better off trying to build FIM rules and use the
Glancing at your provided link it looks like there are pre-defined paths to monitor:
Which would make writing a serviceable query much more achievable
Ah, I misread, this is the list of files being actually collected for content inspection
you can disregard my previous comment in that case.
Yup. I think you’re probably right though, a
glob is a bit overkill anyway: a list of better-scoped folders of interest would be a more achievable goal