ATC example update #8178
Conversation
@@ -568,6 +568,8 @@ Taking the `tcc_system_entries` ATC table as an example, which controls which pe | |||
|
|||
`$ sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db` | |||
|
|||
Note that if you receive an error on the above, TCC.db is a protected file and requires Full Disk Access. You may be required to add this to `Terminal` (or `iTerm`, or any other terminal emulator) in order to allow `sqlite3` and `osqueryi` to open this file. |
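Review bot: the added note tells readers to grant Full Disk Access to `Terminal` (or `iTerm`) so that `sqlite3` and `osqueryi` can open TCC.db, but it does not say that this is a broad, persistent grant covering everything launched from that terminal, nor that it should be revoked once the exercise is finished; either add that caveat in the same note, or point the example at a SQLite file that is not protected by TCC so the example works without any privacy-setting change.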
Hrm. This is correct, but I'm hesitant to recommend people grant FDA to terminal without a lot more context about whether it's a good idea or not. I wonder if we can find another sqlite file for the example.
Poking around my machine, maybe ~/Library/Application Support/FaceTime/FaceTime.sqlite3?
Or maybe we should walk them through making a file with sqlite directly.
I agree on principle, the thing is that this table is really helpful for an example for folks doing corporate security which makes it a fantastic ATC example.
I showed this to a co-worker and they instantly wanted to begin using OSQuery on as many MacOS endpoints as possible.
Are there any examples of note/warning blocks elsewhere in the docs?
(As a side note I think this is extra fun because enabling it means that terminal/iterm actually shows up in the query with kTCCServiceSystemPolicyAllFiles)
Though there are some compelling reasons. Maybe we can put a caveat here, about how they might want to disable FDA after the exercise? I'm not sure, what do you think makes the most sense?
Probably also worth updating the SQL for the table creation. It's using the old macOS format. Though you can't make SQL compatible with both old and new without abusing the quoting bug compatibility.
Covers #8177
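Two points from the thread above lend themselves to a worked example: the suggestion to walk readers through a SQLite file they create themselves (so no Full Disk Access grant is needed), and the observation that an ATC query written for the old TCC.db layout does not work against the new one. The following is an added example, not osquery's own code or documentation. It builds two small, constructed SQLite files whose `access` table mirrors a simplified old-style (`allowed`) and new-style (`auth_value`) layout, which is an assumption about the TCC schema rather than a copy of it, and then checks an `auto_table_construction` entry against each file before the config is shipped. The table name `tcc_system_entries` comes from the diff; the rows and the `check_atc_entry` helper are constructed for this example.

```python
"""Added example (not osquery's code): validate an ATC config entry against
the SQLite file it targets, using constructed old/new TCC-style databases."""
import json
import os
import sqlite3
import tempfile

# Constructed, simplified column layouts. The real TCC.db has more columns;
# the one that matters here is `allowed` (older macOS) versus `auth_value`
# (newer macOS), the format change the review thread refers to.
OLD_ACCESS_DDL = """
CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL)"""
NEW_ACCESS_DDL = """
CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
    prompt_count INTEGER NOT NULL)"""


def make_db(ddl, rows, path):
    """Create a throwaway SQLite file with the given table and rows."""
    con = sqlite3.connect(path)
    con.execute(ddl)
    placeholders = ",".join("?" * len(rows[0]))
    con.executemany(f"INSERT INTO access VALUES ({placeholders})", rows)
    con.commit()
    con.close()


def atc_config(path, query, columns):
    """Build an osquery `auto_table_construction` config for the example table."""
    return {"auto_table_construction": {"tcc_system_entries": {
        "query": query, "path": path, "columns": columns, "platform": "darwin"}}}


def check_atc_entry(entry):
    """Run the entry's query read-only against its file and compare the result
    columns with the `columns` list osquery expects to line up with them.
    Returns (ok, message); a query that fails to run is reported as not ok."""
    try:
        con = sqlite3.connect(f"file:{entry['path']}?mode=ro", uri=True)
        cur = con.execute(entry["query"])
        got = [d[0] for d in cur.description]
        con.close()
    except sqlite3.Error as exc:
        return False, f"query failed against {entry['path']}: {exc}"
    if len(got) != len(entry["columns"]):
        return False, (f"query returns {len(got)} columns, "
                       f"config lists {len(entry['columns'])}")
    return True, f"ok: {got} -> {entry['columns']}"


def run_demo():
    """Create both constructed databases, check old- and new-style ATC
    entries against each, and return {case_name: ok} for every case."""
    tmp = tempfile.mkdtemp()
    old_path = os.path.join(tmp, "TCC-old.db")
    new_path = os.path.join(tmp, "TCC-new.db")
    # Constructed rows; the service name is the one mentioned in the thread.
    make_db(OLD_ACCESS_DDL,
            [("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 1, 0)],
            old_path)
    make_db(NEW_ACCESS_DDL,
            [("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 4, 0)],
            new_path)
    old_query = "SELECT service, client, allowed FROM access"
    new_query = "SELECT service, client, auth_value FROM access"
    cases = {
        "old_query_old_db": (old_query, ["service", "client", "allowed"], old_path),
        "old_query_new_db": (old_query, ["service", "client", "allowed"], new_path),
        "new_query_new_db": (new_query, ["service", "client", "auth_value"], new_path),
        "wrong_columns": (new_query, ["service", "client"], new_path),
    }
    results = {}
    for name, (query, cols, path) in cases.items():
        entry = atc_config(path, query, cols)["auto_table_construction"]["tcc_system_entries"]
        ok, msg = check_atc_entry(entry)
        results[name] = ok
        print(f"{name}: {msg}")
    return results


if __name__ == "__main__":
    run_demo()
    # A config like this can be handed to osqueryi with --config_path.
    print(json.dumps(atc_config("/tmp/TCC-new.db",
                                "SELECT service, client, auth_value FROM access",
                                ["service", "client", "auth_value"]), indent=2))
```

Running the demo shows the failure mode the thread describes: the old-format query passes against the old-style file, fails outright against the new-style file (no `allowed` column), and the new-format query passes only when the `columns` list matches what the query returns. The `mode=ro` URI keeps the check from ever modifying the target file, which matters if the check is later pointed at a real database.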