andrew (07/20/2017, 10:17 PM):
select (blocks_free * blocks_size) as free_bytes from mounts where device='/dev/disk1';
cheating?

lvferdi (01/10/2018, 1:56 PM):
+---------+--------+--------------+------------------------------------------+-----------------+------------------+
| path    | signed | identifier   | cdhash                                   | team_identifier | authority        |
+---------+--------+--------------+------------------------------------------+-----------------+------------------+
| /bin/ls | 1      | com.apple.ls | b7aa5322870358c31ecec59439537f7282832edc |                 | Software Signing |
+---------+--------+--------------+------------------------------------------+-----------------+------------------+
My reading of this is that the signed field is "Is the software signed", not "Is the software signature valid". Am I mistaken? Does a 1 in that column mean that it is signed and valid?

groob:
groob:

clippy (06/03/2018, 2:39 AM):

terracatta:

alessandrogario:

Mark (09/13/2018, 2:53 PM):
ad (administrative) flag provides in audit_control?

Polycösm (09/15/2018, 4:52 PM):

atom (12/04/2018, 10:31 PM):

vaar (12/19/2018, 3:50 PM):

kenergy (12/28/2018, 10:03 PM):

groob:
jackjack (03/14/2019, 6:46 PM):
file_events table? Thanks!

alessandrogario:

sundsta (07/22/2019, 5:15 PM):

vaar (07/22/2019, 5:42 PM):

Mark (07/25/2019, 2:31 PM):

alessandrogario:
harveywells (10/16/2019, 7:50 PM):
/var/log/osquery was gone 😠. Curious if anyone else has experienced this. I think I've seen this in the past but unfortunately don't have any notes 😞

theopolis:
osqueryctl tool depends on the old path.

alessandrogario:
Sal (01/16/2020, 3:29 PM):

seph:

Seán O'Halloran (02/04/2020, 10:05 PM):
SELECT hash.path, file.btime, file.size, file.block_size, file.type, file.uid, file.inode, hash.md5 FROM file LEFT JOIN hash ON hash.path = file.path WHERE file.path LIKE "/Volumes/%%" AND file.path NOT LIKE "/Volumes/Macintosh%" AND file.path NOT LIKE "/Volumes/Recovery%" AND hash.path = file.path AND size>0;
The other half of the machines run the query locally, judging by entries in osqueryd.INFO, but never find any results, even though I know they should.
Any idea how to even go about troubleshooting this?

Seán O'Halloran (02/07/2020, 5:41 PM):
osquery_schedule query and it produced the following (for one of the null-result endpoints):
{
  "@host_identifier": "<redacted>",
  "name": "osquery_schedule",
  "created": "2020-02-07T17:10:23.769858",
  "action": "added",
  "@timestamp": "2020-02-07T17:00:49",
  "@version": 1,
  "log_type": "result",
  "columns": {
    "system_time": "1627",
    "interval": "900",
    "blacklisted": "0",
    "output_size": "",
    "average_memory": "60030",
    "last_executed": "1581094836",
    "avg_user_time": "11",
    "executions": "92",
    "wall_time": "4",
    "query": "WITH mounted_volumes AS (\\x0D\\x0A SELECT path \\x0D\\x0A FROM mounts \\x0D\\x0A LEFT JOIN block_devices ON mounts.device = block_devices.name \\x0D\\x0A WHERE block_devices.type=\"USB\" AND path LIKE '/Volumes/%')\\x0D\\x0A SELECT hash.path,\\x0D\\x0A hash.md5,\\x0D\\x0A file.filename,\\x0D\\x0A file.size,\\x0D\\x0A file.block_size,\\x0D\\x0A file.type,\\x0D\\x0A file.uid,\\x0D\\x0A file.inode\\x0D\\x0A FROM file\\x0D\\x0A LEFT JOIN hash USING (path) \\x0D\\x0A WHERE file.path IN (\\x0D\\x0A SELECT file.path \\x0D\\x0A FROM file, mounted_volumes \\x0D\\x0A WHERE file.path LIKE mounted_volumes.path || '/%' OR file.path LIKE mounted_volumes.path || '/%/%' OR file.path LIKE mounted_volumes.path || '/%/%/%');",
    "avg_system_time": "17",
    "user_time": "1065",
    "name": "files_on_usb"
  }
}
I also have a far simpler query that just tries to use the file table to get the root of the Downloads folder, and I haven't received any results for this either:
{
  "@host_identifier": "<redacted>",
  "name": "osquery_schedule",
  "created": "2020-02-07T17:10:23.769858",
  "action": "added",
  "@timestamp": "2020-02-07T17:00:49",
  "@version": 1,
  "log_type": "result",
  "columns": {
    "system_time": "127",
    "interval": "900",
    "blacklisted": "0",
    "output_size": "",
    "average_memory": "87243",
    "last_executed": "1581093928",
    "avg_user_time": "0",
    "executions": "90",
    "wall_time": "1",
    "query": "SELECT path,btime FROM file WHERE path like \"/Users/%/Downloads/%\";",
    "avg_system_time": "1",
    "user_time": "77",
    "name": "downloads_folder"
  }
}
straffin (02/11/2020, 9:44 PM):

daworley (03/02/2020, 7:41 PM):
mounts and usb_devices don't seem to show what I need, and I can't find an example of how to make the disk_events or device_partitions queries work.
Am I barking up the wrong tree? Can osquery detect those kinds of file system events?

sundsta (03/03/2020, 5:28 PM):
.pkg from osquery.io on macOS 10.15, but it does not register the plist with launchctl. Additionally, attempting to start the service or check the configuration with osqueryctl has a segfault. Has anyone here run into this?

grant seltzer (03/13/2020, 12:43 PM):