#macos
Bradley Kemp

08/26/2020, 2:02 PM
Me neither 🙂 But yes, now that I run the queries via `osqueryi` I see a lot of symlink loop errors, so very likely this is bailing out half way, even with the `or path like '/Users/%%'` "fix".
fritz

08/26/2020, 2:04 PM
If you can tell me more about what specific use-case you are trying to accomplish I can try to help you write a more performant/reliable query.
Bradley Kemp

08/26/2020, 2:07 PM
I was just spiking out how much of these OSX incident response scripts could be implemented with OSQuery: https://github.com/jbradley89/osx_incident_response_scripting_and_analysis

Most stuff is really easily handled (launch daemons, running processes, etc.) but it looks like the "get me the modified times of all files" part isn't a good fit for OSQuery.
fritz

08/26/2020, 2:07 PM
True, hashing or checking the mtime of all files is not going to be its forte
2:08 PM
if you want to go down that rabbit hole you are better off trying to build FIM rules and use the `file_events` table.
2:09 PM
Glancing at your provided link it looks like there are pre-defined paths to monitor: https://github.com/jbradley89/osx_incident_response_scripting_and_analysis/blob/master/chapter4/collection_filesystem.sh
2:10 PM
Which would make writing a serviceable query much more achievable
2:11 PM
Ah, I misread, this is the list of files being actually collected for content inspection
2:11 PM
you can disregard my previous comment in that case.
Bradley Kemp

08/26/2020, 2:13 PM
Yup. I think you're probably right though, a `%%` glob is a bit overkill anyway: a list of better-scoped folders of interest would be a more achievable goal.