On 4.3.0 there is the new `screenlock` table
# macosh
Hugh (Zercurity)
05/13/2020, 1:10 PMOn 4.3.0 there is the new
screenlockt
terracatta
05/13/2020, 1:20 PM
FYI this table only works when osquery is run from a user context (you can still run it as root, but not via
launchctl asuser 0terracatta
05/13/2020, 1:20 PM
sadly, there is no way around this because of how the underlying API works
h
Hugh (Zercurity)
05/13/2020, 1:21 PMgood to know, thanks 👍
t
terracatta
05/13/2020, 1:23 PM
the other thing to note is even if you run osquery with the right user id context, that user must be currently logged in otherwise the query still won't work
😢 1
a
Artem
05/13/2020, 2:41 PM@terracatta so, will this table work via next version of kolide fleet using osquery with root priveleges on endpoints?
Artem
05/13/2020, 2:41 PMThank you for previous answer!
s
seph
05/13/2020, 3:05 PM
I suspect the data is stored in a keychain, or similar protected context. So unless the user is logged in, the data is inaccessible. (At least, that’s how the undocumented APIs seem)
a
Artem
05/14/2020, 11:43 AMGot it! Thanks!
13 Views