Title
#macos
harveywells

harveywells

10/16/2019, 7:50 PM
๐Ÿ‘‹ Has anyone else upgraded to macOS Catalina yet? After upgrading
/var/log/osquery
was gone ๐Ÿ˜  . Curious if anyone else has experienced this. I think I've seen this in the past but unfortunately don't have any notes ๐Ÿ˜ž
sundsta

sundsta

10/16/2019, 7:54 PM
I havenโ€™t yet, but macOS updates routinely wipe
/etc
, or at least portions of it
obelisk

obelisk

10/19/2019, 2:07 AM
Yes Iโ€™ve had this issue with Catalina, there are also some tables that do not work the same way in Catalina (notably file which cannot access many user data directories). I believe there are some gatekeeper tables as well that read from plists which are now restricted even from root. The solution is to use MDM to allow osquery Full Disk Access. If anyone needs help with this, feel free to ping me ๐Ÿ˜ƒ
2:08 AM
As for the directory thing, Iโ€™ve just been manually creating it on my test systems ๐Ÿ˜ƒ but if I remember correctly, you can change the logging path with a flag
harveywells

harveywells

10/21/2019, 3:14 PM
@obelisk thanks for chiming in here. Do you have a list of affected tables? How did you come to notice the changes in behavior?
obelisk

obelisk

10/21/2019, 3:49 PM
I had a Mojave system and a Catalina system next to each other and I went through every table. Tables that read system plists I also knew were likely to break to a paid more attention to them. I think file, preferences and gatekeeper_approved_apps were the notable ones (they all rely on reading from the file system). Also user_interaction_events needs some extra work to make functional again even in Mojave. To fix it, push an MDM profile that grants the PostEvent permission. ๐Ÿ˜ƒ
harveywells

harveywells

10/29/2019, 3:43 PM
@obelisk thanks again for your comments here. I'm creating a test TCC profile for a handful of Catalina computers. osquery needs Full Disk Access (All Files permission) and the PostEvents permission as well?
obelisk

obelisk

10/29/2019, 3:52 PM
It needs post event if you want to use the user_interaction_events table
harveywells

harveywells

10/29/2019, 3:56 PM
thank you @obelisk
obelisk

obelisk

10/29/2019, 4:02 PM
Anytime! If you have any further issues let me know.