Me neither slightly smiling face But yes now that I run the

Question

Me neither slightly smiling face But yes now that I run the queries via `osqueryi` I see a lot of symlink loop errors so very likely this is bailing out half way even with the `or path like Users ` fix

fritz · Answer

If you can tell me more about what specific use case you are trying to accomplish I can try to help you write a more performant reliable query

Bradley Kemp · Answer

I was just spiking out how much of these OSX incident response scripts could be implemented with OSQuery <https github com jbradley89 osx incident response scripting and analysis> Most stuff is really easily handled launch daemons running processes etc but looks like the get me the modified times of all files part isn t a good fit for OSQuery

fritz · Answer

True hashing or checking the mtime of all files is not going to be its forte

fritz · Answer

if you want to go down that rabbit hole you are better off trying to build FIM rules and use the `file events` table

fritz · Answer

Glancing at your provided link it looks like there are pre defined paths to monitor <https github com jbradley89 osx incident response scripting and analysis blob master chapter4 collection filesystem sh>

fritz · Answer

Which would make writing a serviceable query much more achievable

fritz · Answer

Ah I misread this is the list of files being actually collected for content inspection

fritz · Answer

you can disregard my previous comment in that case

fritz · Answer

It looks like you are more trying to address <https github com jbradley89 osx incident response scripting and analysis blob master chapter4 file walker py>

Bradley Kemp · Answer

Yup I think you re probably right though a ` ` glob is a bit overkill anyway a list of better scoped folders of interest would be a more achievable goal