Does anyone know if there s a way to do a query that ll tell osquery #macos

Does anyone know if there’s a way to do a query th...

grant seltzer

03/13/2020, 12:43 PM

Does anyone know if there’s a way to do a query that’ll tell you if a macbook lid is closed? or if the screensaver is running/sleeping?

seph

03/13/2020, 12:46 PM

I know I’ve found a way to get the length of time a machine has been awake for. (Though I forget where I found that)

seph

03/13/2020, 12:47 PM

Though that’s not really the same as lid closed

grant seltzer

03/13/2020, 12:50 PM

Yea that’s the

uptime

table

grant seltzer

03/13/2020, 12:50 PM

I’m looking around seeing if there’s a file that gets created when the lid is closed or something

seph

03/13/2020, 12:50 PM

Uptime is time since boot. There’s another plae to query time since sleep.

seph

03/13/2020, 12:51 PM

But that’s not the same as whether or not it’s locked

grant seltzer

03/13/2020, 12:55 PM

oh interesting! yea I misread

grant seltzer

03/13/2020, 12:56 PM

I’ll keep looking and update here if you’re curious

grant seltzer

03/13/2020, 12:59 PM

Ah ok, found this nice command:

grant seltzer

03/13/2020, 12:59 PM

pmset -g log|grep -e " Sleep  " -e " Wake  "

grant seltzer

03/13/2020, 1:00 PM

Now how to expose that through osquery

seph

03/13/2020, 1:02 PM

I know I found something in it already. Maybe in nvram or a plist somewhere

grant seltzer

03/13/2020, 1:06 PM

interesting, maybe screen/battery saver has a plist file

fritz

03/13/2020, 1:07 PM

the screensaver time is in the power management plist

fritz

03/13/2020, 1:08 PM

i'll nab you a query i wrote for that

fritz

03/13/2020, 1:11 PM

Copy code

osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.PowerManagement.plist';
+---------------------+---------------------------------+-------+------------------------------------------------------+
| key                 | subkey                          | value | path                                                 |
+---------------------+---------------------------------+-------+------------------------------------------------------+
| SystemPowerSettings | Update DarkWakeBG Setting       | 1     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Display Sleep Uses Dim          | 1     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | DarkWakeBackgroundTasks         | 1     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Wake On LAN                     | 1     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | System Sleep Timer              | 10    | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Disk Sleep Timer                | 10    | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Automatic Restart On Power Loss | 0     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | GPUSwitch                       | 2     | /Library/Preferences/com.apple.PowerManagement.plist |
| AC Power            | Display Sleep Timer             | 10    | /Library/Preferences/com.apple.PowerManagement.plist |
+---------------------+---------------------------------+-------+------------------------------------------------------+

fritz

03/13/2020, 1:11 PM

Bear in mind any plist can be overwritten by managed_policies etc. and is not the safest point of reference

fritz

03/13/2020, 1:11 PM

This also does not answer your original question

fritz

03/13/2020, 1:12 PM

which is whether the lid is closed or the screensaver is currently active

grant seltzer

03/13/2020, 1:16 PM

Interesting, so these are just settings right?

grant seltzer

03/13/2020, 1:16 PM

Still useful! thank you!

fritz

03/13/2020, 1:17 PM

That's correct @grant seltzer

fritz

03/13/2020, 1:18 PM

Unfortunately these prefs do not seem to be captured in the standard

preferences

table so plists are your best option

fritz

03/13/2020, 1:19 PM

If you ever want to search for plists that encode settings/preferences my workflow is typically to use FSMonitor.app and then while it is running adjust a given setting:

grant seltzer

03/13/2020, 1:23 PM

Hm, what exactly am I looking at here?

grant seltzer

03/13/2020, 1:23 PM

Why would a plist file not encode settings?

fritz

03/13/2020, 1:25 PM

You are looking at the output of FSMonitor an app that monitors all File System events while recording.

fritz

03/13/2020, 1:26 PM

I changed my Energy Saver settings while recording in FSMonitor to see the files that were touched.

fritz

03/13/2020, 1:26 PM

Which led me to

com.applePowerManagement.plist

fritz

03/13/2020, 1:26 PM

There is a way to retrieve lid state from the terminal using

ioreg

you can run the following:

Copy code

ioreg -r -k AppleClamshellState -d 4 | grep AppleClamshellState  | head -1

🆒 1

grant seltzer

03/13/2020, 4:25 PM

ah cool, that one was really helpful, thank you!

grant seltzer

03/13/2020, 4:26 PM

I can’t use osquery to shell out and run that command, can I?

seph

03/13/2020, 4:26 PM

Not in core, no.

seph

03/13/2020, 4:26 PM

You can write a plugin.

grant seltzer

03/13/2020, 4:29 PM

I suppose that’s a good thing lol

grant seltzer

03/13/2020, 4:29 PM

Thank you!

theopolis

03/13/2020, 8:33 PM

It might be a good idea to explore creating a table that gives you all of the ioreg properties for a given node name

fritz

03/13/2020, 8:41 PM

@theopolis That is an awesome idea!

fritz

03/13/2020, 8:42 PM

Vs. a dozen tables with the same underlying approach

osquery 1

allister

03/15/2023, 1:22 AM

Pardon the thread necromancy, but I bikeshedded on this in the meantime

Copy code

/usr/sbin/ioreg -r -k AppleClamshellState -d 4 | /usr/bin/awk '/ClamshellS/ {print $4}'

seph

03/15/2023, 1:24 AM

Kolide launcher ships an ioreg table (it’s an exec) if make not be suitable for all environments.

13 Views

Open in Slack

Previous Next