Skip to content

Latest commit

 

History

History
89 lines (64 loc) · 4.82 KB

README.md

File metadata and controls

89 lines (64 loc) · 4.82 KB

system_policy

osquery table extension that allows querying of information from the macOS private SystemPolicy.framework.

Introduction

Beginning with macOS 10.13 Apple started enforcing certain system policies. One of those policies is the requirement that loaded kernel extensions need to be approved by the user. These system policies are also reponsible for keeping track of what 32-bit applications have been run. As announced at the 2018 WWDC, macOS 10.14 will be the last version of macOS to support 32-bit applications. This information can be viewed in the System Information application.

This information is just stored in sqlite databases located in /var/db/SystemPolicyConfiguration/. You can actually query this information yourself from the command line but it does require root access.

sudo sqlite3 /var/db/SystemPolicyConfiguration/ExecPolicy 'select * from legacy_exec_history_v4'

In order to provide a more convienant method to get this information this osquery table plugin was created. It does not require any special privileges because just like the System Information application it uses the SystemPolicy.framework to talk directly to syspolicyd to get this information. By making this an osquery extension it allows us to query this information uniformly across an entire fleet of macOS machines.

Extension Overview

This table extension provides two new read only tables with the following layout:

kext_policy

Data only returned on macOS 10.13 and higher

Column Type Description
developer_name TEXT Name of the developer who signed the kext
application_name TEXT Name of the application that tried to load the kext
application_path TEXT Path to the application that tried to load the kext
team_id TEXT The Team ID from the code signing blob
bundle_id TEXT The Bundle ID of the kext
allowed INTEGER Whether the kext has been user/mdm approved or not
reboot_required INTEGER If the kext requires a reboot
modified INTEGER Unknown

legacy_exec_history

Data only returned on macOS 10.14 and higher

Column Type Description
exec_path TEXT Path of the application if it was executed directly
mmap_path TEXT Path of the application if it was loaded into memory
signing_id TEXT The Signing ID from the code signing blob
team_id TEXT The Team ID from the code signing blob
cd_hash TEXT The primary CD Hash from the code signing blob
responsible_path TEXT Path of the application that launched or mmaped this application
developer_name TEXT Name from the signing certificate
last_seen TEXT The timestamp of the last time the applications was used

Building

Since this project makes use of the new modules functionality Go 1.11 or above will be required to compile. It should compile on all versions of macOS. Building is as simple as the following:

git clone https://github.com/knightsc/system_policy.git 
cd system_policy
go build

Testing

To test this code, start an osquery shell and find the path of the osquery extension socket:

osqueryi --nodisable_extensions
osquery> select value from osquery_flags where name = 'extensions_socket';
+-----------------------------------+
| value                             |
+-----------------------------------+
| /Users/USERNAME/.osquery/shell.em |
+-----------------------------------+

Then start the Go extension and have it communicate with osqueryi via the extension socket that you retrieved above:

./system_policy -socket /Users/USERNAME/.osquery/shell.em

Alternatively, you can also autoload your extension when starting an osquery shell:

osqueryi --extension ./system_policy

Installing

Installation of this extension should be similar to any other osquery extension. Start by reviewing the Using Extensions guide from the osquery project.

Essentially you will want to rename the binary to system_policy.ext (or use the pre-built release version) and put it somewhere on your machine with the correct permissions. You can then add an entry for this extension in your autoload file.