#macos

harveywells

10/16/2019, 7:50 PM
👋 Has anyone else upgraded to macOS Catalina yet? After upgrading, /var/log/osquery was gone 😠. Curious if anyone else has experienced this. I think I've seen this in the past but unfortunately don't have any notes 😞

sundsta

10/16/2019, 7:54 PM
I haven’t yet, but macOS updates routinely wipe /etc, or at least portions of it

obelisk

10/19/2019, 2:07 AM
Yes, I’ve had this issue with Catalina. There are also some tables that do not work the same way in Catalina (notably file, which cannot access many user data directories). I believe there are some gatekeeper tables as well that read from plists which are now restricted even from root. The solution is to use MDM to allow osquery Full Disk Access. If anyone needs help with this, feel free to ping me :)
As for the directory thing, I’ve just been manually creating it on my test systems :) but if I remember correctly, you can change the logging path with a flag

harveywells

10/21/2019, 3:14 PM
@obelisk thanks for chiming in here. Do you have a list of affected tables? How did you come to notice the changes in behavior?

obelisk

10/21/2019, 3:49 PM
I had a Mojave system and a Catalina system next to each other and I went through every table. Tables that read system plists I also knew were likely to break, so I paid more attention to them. I think file, preferences and gatekeeper_approved_apps were the notable ones (they all rely on reading from the file system). Also, user_interaction_events needs some extra work to make functional again, even in Mojave. To fix it, push an MDM profile that grants the PostEvent permission. :)

harveywells

10/29/2019, 3:43 PM
@obelisk thanks again for your comments here. I'm creating a test TCC profile for a handful of Catalina computers. osquery needs Full Disk Access (All Files permission) and the PostEvents permission as well?

obelisk

10/29/2019, 3:52 PM
It needs PostEvent if you want to use the user_interaction_events table

harveywells

10/29/2019, 3:56 PM
thank you @obelisk

obelisk

10/29/2019, 4:02 PM
Anytime! If you have any further issues let me know.