# fleet

mikermcneil (01/28/2023, 12:17 AM):
Hey y'all, I've been playing around with some queries, and I think the docs for the `xprotect_meta` table might be wrong: https://fleetdm.com/tables/xprotect_meta
> `min_version` - The minimum allowed plugin version.
But when I query some Macs, I see "com.viewanysearch", which looks pretty sketchy, with its minimum version listed as "any". Should this actually say:
> `min_version` - The minimum banned plugin version
It might also be that we just have insufficient schema here. Like rather than "any", `min_version` should only be set if the type of ban is for an extension or plugin BELOW a specific version, rather than a ban of an extension or plugin altogether (e.g. this `com.anysearch` thing, which is presumably effectively a virus).
Went ahead and tracked an issue here about it: https://github.com/fleetdm/fleet/issues/9545

zwass (01/28/2023, 12:39 AM):
Maybe better for #macos channel?
It does seem like the docs should say "minimum blocked plugin version"

mikermcneil (01/28/2023, 12:54 AM):
Seems like it should be the opposite though, right? I would think "minimum ALLOWED plugin version". If it was a block, I would think "maximum banned version", e.g. if com.anysearch has a vulnerability ≤v4.0.2, then we'd want to allow only versions above that version (not ban). But if com.anysearch is inherently something that should be blocked, then it should be banned at any version (and no version should be allowed, not any version).

zwass (01/28/2023, 12:55 AM):
Apple doesn't document this, but people's analysis generally seems to be that this is a blocklist of Safari extensions based on known malware. I think the reason for a minimum version is because of some extensions that have started out good but then later introduced malware.
Although the file on my machine doesn't actually set a version for any of these, so it might be just that the versions are used in a separate part of that file.

mikermcneil (01/28/2023, 12:57 AM):
Ah, I see, so then `min_version` is actually min_version blocked. Looks like it's set for some other random things like Flash Player and Java:

zwass (01/28/2023, 12:58 AM):
Since it's not documented, we can only speculate. They don't seem to set any versions for `ExtensionBlacklist` entries (which is where the `anysearch` is). They do set it for `PluginBlacklist`, where it might actually be correct as documented.
[This analysis](https://nixhacker.com/security-protection-in-macos-2/) agrees with that interpretation that for some of these plugins it's a minimum required version.

mikermcneil (01/28/2023, 1:00 AM):
👍 k, got it. Thanks! I'll unroll all those goodies into the issue so someone can grab it and run with it. If you're a contributor reading this and want to take a pass at updating the docs, feel free to jump in! (You can actually make the edit in the browser on fleetdm.com/tables/xprotect_meta by hitting the "Edit this page" button. For tips on formatting, see the other tables.)

zwass (01/28/2023, 1:00 AM):
Arguably these could be separate tables, since it's not certain that the columns apply across all the types.