I'm trying to detect when a Mac mounts a physical volume in read-only mode, so I can send a popup alert to the user about that. I've got the mount RO working, and I have a notification system in place. Its just the detection of new RO mounted volumes that I'm having trouble with. Looking through the default osquery tables, the

mounts

and

usb_devices

don't seem to show what I need, and I can't find an example of how to make the

disk_events

or

device_partitions

queries work. Am I barking up the wrong tree? Can osquery detect those kinds of file system events?

Have you tried

select * from disk_events

? If you're trying in

osqueryi

you will need

--disable_events=false

. afaict this provides the information you are looking for.

ah, i was working with

osqueryi

so that's probably it

You should have got a warning if you tried in

osqueryi

with events disabled.

i think i did see that error but didn't understand the errors. i'll investigate this path - thanks!

Nice, I think you'll be pleased soon 🙂