  • harveywells
    2 years ago
    👋 Has anyone else upgraded to macOS Catalina yet? After upgrading, /var/log/osquery was gone 😠. Curious if anyone else has experienced this. I *think* I've seen this in the past but unfortunately don't have any notes 😞
  • sundsta
    2 years ago
    I haven’t yet, but macOS updates routinely wipe /etc, or at least portions of it.
  • obelisk
    2 years ago
    Yes, I’ve had this issue with Catalina. There are also some tables that do not work the same way in Catalina (notably file, which cannot access many user data directories). I believe there are some gatekeeper tables as well that read from plists which are now restricted even from root. The solution is to use MDM to allow osquery Full Disk Access. If anyone needs help with this, feel free to ping me 😃
    As for the directory thing, I’ve just been manually creating it on my test systems 😃 but if I remember correctly, you can change the logging path with a flag.
  • harveywells
    2 years ago
    @obelisk thanks for chiming in here. Do you have a list of affected tables? How did you come to notice the changes in behavior?
  • obelisk
    2 years ago
    I had a Mojave system and a Catalina system next to each other and I went through every table. Tables that read system plists I also knew were likely to break, so I paid more attention to them. I think file, preferences and gatekeeper_approved_apps were the notable ones (they all rely on reading from the file system). Also, user_interaction_events needs some extra work to make functional again, even in Mojave. To fix it, push an MDM profile that grants the PostEvent permission. 😃
  • harveywells
    2 years ago
    @obelisk thanks again for your comments here. I'm creating a test TCC profile for a handful of Catalina computers. osquery needs Full Disk Access (All Files permission) and the PostEvents permission as well?
  • obelisk
    2 years ago
    It needs PostEvent if you want to use the user_interaction_events table.
  • harveywells
    2 years ago
    Thank you @obelisk