Title
#macos
Hugh (Zercurity)

Hugh (Zercurity)

05/13/2020, 1:10 PM
On 4.3.0 there is the new
screenlock
table
terracatta

terracatta

05/13/2020, 1:20 PM
FYI this table only works when osquery is run from a user context (you can still run it as root, but not via
launchctl asuser 0
1:20 PM
sadly, there is no way around this because of how the underlying API works
Hugh (Zercurity)

Hugh (Zercurity)

05/13/2020, 1:21 PM
good to know, thanks 👍
terracatta

terracatta

05/13/2020, 1:23 PM
the other thing to note is even if you run osquery with the right user id context, that user must be currently logged in otherwise the query still won't work
a

Artem

05/13/2020, 2:41 PM
@terracatta so, will this table work via next version of kolide fleet using osquery with root priveleges on endpoints?
2:41 PM
Thank you for previous answer!
s

seph

05/13/2020, 3:05 PM
I suspect the data is stored in a keychain, or similar protected context. So unless the user is logged in, the data is inaccessible. (At least, that’s how the undocumented APIs seem)
a

Artem

05/14/2020, 11:43 AM
Got it! Thanks!