Has anyone looked at EndpointSecurity in 10.15 yet...
# macos
m
Has anyone looked at EndpointSecurity in 10.15 yet?
m
not yet; is there documentation for this API yet? https://developer.apple.com/documentation/endpointsecurity
Ok I watched the WWDC presentation, looked at the Xcode beta 5 macOS SDK, and checked out the documentation that does exist. It looks like this API is tied to Entitlements, which the system will deny unless you are an app bundle (osquery is not built in an app bundle)
Beyond that there may be a need for an approval step from Apple.
m
Ah right, interesting. Makes sense they’re pushing it through app store if that’s already got certain controls in place for approvals etc
m
Nice find! Maybe one of us with a 10.15 beta VM will test with it
s
@Mark @Mike Myers I managed to write my own demo in C++ yesterday and this works against the current β5 — I have made some notes/thoughts, but will be brief here:
• The functionality of this is really cool, and enables monitoring of all kinds of stuff from userspace!
• On certain kinds of events (`auth`), the client can decide whether to `allow` or `deny` those — example of `deny` on `mount` below
• Lacking in documentation, but headers are commented and helpful
• Buggy right now, I think there might be a few race conditions in `endpointsecurityd`. In some instances there is a performance drag too. And an odd kernel panic too.
• Will require codesigning and entitlements, production release will require a provisioning cert from Apple
• There are a total of 44 events currently, but subscription is capped at 16. Subscribing to more than a handful of events seriously degrades the performance of the machine and the CPU is at 99%
• Can be a firehose, the events are granular, and the challenge will be to collate these
m
Oh, that's really cool that you looked into that already. It sounds like it has the same challenges we've seen with other auditing frameworks: having to minimize collection
s
EndpointSecurity framework does have `mute` APIs, which can mute by `path`, `path_prefix` or `path_literal`. That might help a bit. Although I haven’t been able to use them — there is a known issue in beta 5:
"Using APIs related to muting by paths and path prefixes might cause the kernel to panic. (53517643)"
m
I guess this can wait until the APIs are stable 😆 . The bigger obstacle for osquery seems to be the need to be a SystemExtension in a notarized app bundle. We may want to take a baby step by notarizing the `.pkg` during our releases, but that's a separate discussion