osquery-extension

README

macadmins-extension

Usage

For testing, you can load the extension with osqueryi.

By default, osquery does not want to load extensions not owned by root. You can either change the ownership of macadmins_extension.ext to root, or run osquery with the --allow_unsafe flag.

osqueryi --extension /path/to/macadmins_extension.ext

For production deployment, you should refer to the osquery documentation.

Tables

Table	Description	Platforms	Notes
alt_system_info	Alternative system_info table	macOS	This table is an alternative to the built-in system_info table in osquery, which triggers an Allow "osquery" to find devices on local networks? prompt on macOS 15.0. On versions other than 15.0, this table falls back to the built-in system_info table. Note: this table returns an empty cpu_subtype field. See #58 for more details.
authdb	macOS Authorization database	macOS	Use the constraint name to specify a right name to query, otherwise all rights will be returned.
file_lines	Read an arbitrary file	Linux / macOS / Windows	Use the constraint path and last to specify the file to read lines from
filevault_users	Information on the users able to unlock the current boot volume when encrypted with Filevault	macOS
google_chrome_profiles	Profiles configured in Google Chrome.	Linux / macOS / Windows
macos_profiles	High level information on installed profiles enrollment	macOS
mdm	Information on the device's MDM enrollment	macOS	Code based on work by Kolide. Due to changes in macOS 12.3, the output of profiles show -type enrollment can only be generated once a day. If you are running this command with another tool, you should set the PROFILES_SHOW_ENROLLMENT_CACHE_PATH environment variable to the path you are caching this. The cache file should be json with the keys dep_capable and rate_limited present, both booleans representing whether the device is capable of DEP enrollment and whether the response from profiles show -type enrollment is being rate limited or not.
munki_info	Information from the last Munki run	macOS	Code based on work by Kolide
munki_installs	Items Munki is managing	macOS	Code based on work by Kolide
network_quality	Output from the networkQuality binary	macOS	This binary is only present on macOS 12
puppet_facts	Puppet facts	Linux / macOS / Windows
puppet_info	Information on the last Puppet run	Linux / macOS / Windows
puppet_logs	Logs from the last Puppet run	Linux / macOS / Windows
puppet_state	State of every resource Puppet is managing	Linux / macOS / Windows
sofa_security_release_info	The information on the security release the device is running from Sofa	macOS	Use the url constraint to specify a data source other than https://sofafeed.macadmins.io/v1/macos_data_feed.json . By default this table will return vulnerability data for the running operating system. For historical data, use the os_version predicate (e.g select * from sofa_security_release_info where os_version="14.4.0";)
sofa_unpatched_cves	The CVEs that are unpatched on the device from Sofa	macOS	Use the url constraint to specify a data source other than https://sofafeed.macadmins.io/v1/macos_data_feed.json. By default this table will return all unpatched vulnerability data. For historical data, use the os_version predicate (e.g select * from sofa_unpatched_cves where os_version="14.4.0";)
unified_log	Results from macOS' Unified Log	macOS	Use the constraints predicate and last to limit the number of results you pull, or this will not be very performant at all. Use level with a value of info to include info level messages. Use level with a value of debug to include info and debug level messages. (select * from unified_log where last="1h" and level="debug" and predicate='processImagePath contains "mdmclient"';)
wifi_network	Table to get the current wifi network name since the Osquery wifi_info table no longer does this. Includes the rest of the working fields in wifi_info.	macOS	See osquery issue #8220

Development

• Install Go 1.21 (either directly from go.dev or via GVM)
  • gvm install go1.21
• Install Bazelisk