ATC example update #8178

wants to merge 2 commits into
base: master
4 changes: 4 additions & 0 deletions docs/wiki/deployment/configuration.md
Expand Up @@ -568,6 +568,8 @@ Taking the `tcc_system_entries` ATC table as an example, which controls which pe

`$ sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db`

Note that if you receive an error on the above, TCC.db is a protected file and requires Full Disk Access. You may be required to add this to `Terminal` (or `iTerm`, or any other terminal emulator) in order to allow `sqlite3` and `osqueryi` to open this file.
Member
Hrm. This is correct, but I'm hesitant to recommend people grant FDA to terminal without a lot more context about whether it's a good idea or not. I wonder if we can find another sqlite file for the example.

Member
Poking around my machine, maybe ~/Library/Application Support/FaceTime/FaceTime.sqlite3 ?

Or maybe we should walk them through making a file with sqlite directly.

Author
I agree on principle; the thing is that this table is really helpful for an example for folks doing corporate security, which makes it a fantastic ATC example.

I showed this to a co-worker and they instantly wanted to begin using OSQuery on as many MacOS endpoints as possible.

Are there any examples of note/warning blocks elsewhere in the docs?

Author
(As a side note I think this is extra fun because enabling it means that terminal/iterm actually shows up in the query with kTCCServiceSystemPolicyAllFiles)

Member
Though there are some compelling reasons. Maybe we can put a caveat here, about how they might want to disable FDA after the exercise? I'm not sure, what do you think makes the most sense?


The SQLite shell might feel familiar if you're used to `osqueryi`. That's because osquery uses syntax derived from SQLite for queries.

Let's see what tables exist in our local SQLite database.
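Review bot: the added note in this hunk tells the reader to "add this to `Terminal`" without saying what "this" is, and it leaves out the part the thread is worried about: Full Disk Access is a persistent grant (the terminal then shows up in `tcc_system_entries` with `kTCCServiceSystemPolicyAllFiles`, as noted in the discussion), and nothing tells the reader to remove it once the exercise is over. Suggest rewording the second sentence to name the grant and close the loop, for example: "If so, add your terminal emulator to the Full Disk Access list, run the example, and remove it from the list again when you are done."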
Expand Down Expand Up @@ -618,6 +620,8 @@ Open a text editor and create a file named `atc_tables.json` using the columns,

You can test this locally before deploying to your fleet and add more columns as necessary: `/usr/local/bin/osqueryi --verbose --config_path atc_tables.json`

Per the note above, if this isn't working after deployment ensure that Full Disk Access is provided to your `osqueryd` process.

### Events

"Events" refers to the event-based tables.
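Review bot: "if this isn't working" in the last added line is vague, and "Per the note above" points back to the `sqlite3` note in an earlier section; more importantly, the line should make explicit that the local `osqueryi` test on the preceding line runs under a terminal that may already have Full Disk Access, so a passing local test says nothing about whether the deployed `osqueryd` can open TCC.db. Suggest something like: "If the `tcc_system_entries` table returns an error for TCC.db after deployment, grant Full Disk Access to the `osqueryd` binary itself; access granted to your terminal for the `osqueryi` test above does not carry over to `osqueryd`."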