# kolide
m
How are rules like “Plain-text Github 2FA Recovery Codes Detected” implemented? • it’s misfiring for my laptop, I have encrypted the file, but it still complains • we might want to add custom rules of our own, is there a workflow for that?
t
Hi Martin, can you tell me how you encrypted the file?
m
I used sshenc, which uses ssh keys to do something similar to what gpg would do.
the result is an ASCII file with contents like:
-- encrypted with <https://sshenc.sh/>
-- keys
-- key
Base64 encoded data
t
We detect the github codes based on extended file attributes that are likely not impacted by your encryption process.
m
I def made a new file… the process is a bit like
openssl --flags flags < file > file.encrypted
t
it's likely it copied the file and its extended attributes
let me see if I can find the command line for showing that
and show you how to remove those attributes
so that the file no longer alerts
xattr -l <filename>
in your case you want to remove any extended attributes named
com.apple.metadata:kMDItemWhereFroms
which can be done with
xattr -d com.apple.metadata:kMDItemWhereFroms <file>
m
the file has no xattrs
t
hmmm
ok well I would rename it slightly, the recheck will pass, and then it shouldn't be redetected
or you can just ignore the failure as well
m
yeah, I can ignore it. but I’m also learning about the system 🙂
are the actual rules visible by admin? editable by admin?
t
Hi Martin, the rules are not all visible, but you can kind of infer them from looking at a device's osquery config by clicking into a device, choosing actions, and then choosing "View Osquery Config...". You can sometimes reference a check ID.
m
thank you