Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
Bradley Kemp
08/26/2020, 2:02 PMMe neither 🙂 But yes, now that I run the queries via
osqueryior path like '/Users/%%'f
fritz
08/26/2020, 2:04 PMIf you can tell me more about what specific use-case you are trying to accomplish I can try to help you write a more performant/reliable query.
b
Bradley Kemp
08/26/2020, 2:07 PMI was just spiking out how much of these OSX incident response scripts could be implemented with OSQuery: https://github.com/jbradley89/osx_incident_response_scripting_and_analysis
Most stuff is really easily handled (launch daemons, running processes, etc) but looks like the “get me the modified times of all files” part isn’t a good fit for OSQuery
f
fritz
08/26/2020, 2:07 PMTrue, hashing or checking the mtime of all files is not going to be its forte
if you want to go down that rabbit hole you are better off trying to build FIM rules and use the
file_eventsGlancing at your provided link it looks like there are pre-defined paths to monitor:
https://github.com/jbradley89/osx_incident_response_scripting_and_analysis/blob/master/chapter4/collection_filesystem.sh
Which would make writing a serviceable query much more achievable
Ah, I misread, this is the list of files being actually collected for content inspection
you can disregard my previous comment in that case.
It looks like you are more trying to address: https://github.com/jbradley89/osx_incident_response_scripting_and_analysis/blob/master/chapter4/file_walker.py
b
Bradley Kemp
08/26/2020, 2:13 PMYup. I think you’re probably right though, a
%%