Hi I compiled the osquery extensions from trailofbits and I osquery #extensions

Hi! I compiled the osquery extensions from trailof...

Sebastiaan

12/18/2020, 3:25 PM

Hi! I compiled the osquery extensions from trailofbits, and I have been trying to use the darwin_unified_log one. It loads correctly (seen with -verbose), but when I query the table it should generate, the table is always empty, can anyone help me out with this one?

Mike Myers

12/18/2020, 6:41 PM

@Garret do you have the macOS extensions built? Is this something you can confirm?

Garret

12/18/2020, 7:35 PM

I have the extension built, let me fire up my vm

Garret

12/18/2020, 8:29 PM

ooooh. okay, it definitely does not work, and looking at the code, I don’t think it’s ever worked, there’s a pretty clear logic error in there 😬

Mike Myers

12/18/2020, 8:30 PM

I'll open an issue

Mike Myers

12/18/2020, 8:33 PM

https://github.com/trailofbits/osquery-extensions/issues/67

Garret

12/18/2020, 8:47 PM

kk. it looks like it got broken back in march when the code was updated to use the DynamicTableRowHolder

Garret

12/18/2020, 8:48 PM

rather than copying from

new_entries

entries

at line 197 of system_log.cpp, now it copies from

entries

entries

Stefano Bonicatti

12/18/2020, 8:59 PM

oups :S

grahamgilbert

12/19/2020, 12:21 AM

unified log is in the macadmins extension btw https://github.com/macadmins/osquery-extension

🆒 1

Sebastiaan

12/22/2020, 1:02 PM

@Mike Myers I am sorry for the late response, I just saw that there were answers on this message.

Mike Myers

12/22/2020, 6:05 PM

that's ok, we don't yet have a fix published

Open in Slack

Previous Next