# macos

grant seltzer

03/13/2020, 12:43 PM
Does anyone know if there’s a way to do a query that’ll tell you if a macbook lid is closed? or if the screensaver is running/sleeping?

seph

03/13/2020, 12:46 PM
I know I’ve found a way to get the length of time a machine has been awake for. (Though I forget where I found that)
Though that’s not really the same as lid closed

grant seltzer

03/13/2020, 12:50 PM
Yea that’s the `uptime` table
I’m looking around seeing if there’s a file that gets created when the lid is closed or something

seph

03/13/2020, 12:50 PM
Uptime is time since boot. There’s another place to query time since sleep.
But that’s not the same as whether or not it’s locked

grant seltzer

03/13/2020, 12:55 PM
oh interesting! yea I misread
I’ll keep looking and update here if you’re curious
Ah ok, found this nice command:
pmset -g log|grep -e " Sleep  " -e " Wake  "
Now how to expose that through osquery

seph

03/13/2020, 1:02 PM
I know I found something in it already. Maybe in nvram or a plist somewhere

grant seltzer

03/13/2020, 1:06 PM
interesting, maybe screen/battery saver has a plist file

fritz

03/13/2020, 1:07 PM
the screensaver time is in the power management plist
i'll nab you a query i wrote for that
```
osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.PowerManagement.plist';
+---------------------+---------------------------------+-------+------------------------------------------------------+
| key                 | subkey                          | value | path                                                 |
+---------------------+---------------------------------+-------+------------------------------------------------------+
| SystemPowerSettings | Update DarkWakeBG Setting       | 1     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Display Sleep Uses Dim          | 1     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | DarkWakeBackgroundTasks         | 1     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Wake On LAN                     | 1     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | System Sleep Timer              | 10    | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Disk Sleep Timer                | 10    | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Automatic Restart On Power Loss | 0     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | GPUSwitch                       | 2     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Display Sleep Timer             | 10    | /Library/Preferences/com.apple.PowerManagement.plist |
+---------------------+---------------------------------+-------+------------------------------------------------------+
```
Bear in mind any plist can be overwritten by managed_policies etc. and is not the safest point of reference
This also does not answer your original question
which is whether the lid is closed or the screensaver is currently active

grant seltzer

03/13/2020, 1:16 PM
Interesting, so these are just settings right?
Still useful! thank you!

fritz

03/13/2020, 1:17 PM
That's correct @grant seltzer
Unfortunately these prefs do not seem to be captured in the standard `preferences` table so plists are your best option
If you ever want to search for plists that encode settings/preferences my workflow is typically to use FSMonitor.app and then while it is running adjust a given setting:

grant seltzer

03/13/2020, 1:23 PM
Hm, what exactly am I looking at here?
Why would a plist file not encode settings?
f

fritz

03/13/2020, 1:25 PM
You are looking at the output of FSMonitor, an app that monitors all File System events while recording.
I changed my Energy Saver settings while recording in FSMonitor to see the files that were touched.
Which led me to `com.applePowerManagement.plist`
There is a way to retrieve lid state from the terminal using `ioreg`, you can run the following:
```
ioreg -r -k AppleClamshellState -d 4 | grep AppleClamshellState  | head -1
```

grant seltzer

03/13/2020, 4:25 PM
ah cool, that one was really helpful, thank you!
I can’t use osquery to shell out and run that command, can I?
s

seph

03/13/2020, 4:26 PM
Not in core, no.
You can write a plugin.

grant seltzer

03/13/2020, 4:29 PM
I suppose that’s a good thing lol
Thank you!

theopolis

03/13/2020, 8:33 PM
It might be a good idea to explore creating a table that gives you all of the ioreg properties for a given node name

fritz

03/13/2020, 8:41 PM
@theopolis That is an awesome idea!
Vs. a dozen tables with the same underlying approach

allister

03/15/2023, 1:22 AM
Pardon the thread necromancy, but I bikeshedded on this in the meantime
```
/usr/sbin/ioreg -r -k AppleClamshellState -d 4 | /usr/bin/awk '/ClamshellS/ {print $4}'
```

seph

03/15/2023, 1:24 AM
Kolide launcher ships an ioreg table (it’s an exec), it may not be suitable for all environments.