
I am customizing the plist file to start osquery through my code. I have taken the osqueryd file and renamed it to testosqueryd; now, through my plist, io.testosquery.agent.plist, I am just loading testosqueryd. Osquery is loading. But now I am using the es_process_events table in my code to get process events, and according to the documentation from osquery it requires full disk access.

https://osquery.readthedocs.io/en/stable/deployment/process-auditing/

As I am going to install osquery silently I need to give full disk access automatically.

    codesign -dr - /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd
    Executable=/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd
    designated => identifier "io.osquery.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3522FA9PXF"

According to the documentation, the above should be the output of

    codesign -dr -

but the problem is it is pointing to io.osquery.agent while my plist name is io.testosquery.agent. In my scenario I also have to support coexistence of osquery as well as testosquery.

Can anyone help me with how to silently install a customized osquery with full disk access?

User0987

2 Answers

One can't enable FDA automatically, and it is made so by Apple's intent. You may show a popup and open System Preferences, but it is up to the user to grant FDA to your app or not.

Only the user with his actions (or some vulnerabilities :) ) can do this.

For all of the silently installed stuff for admin purposes, the official (and only supported) way is to connect the device to some MDM server, which can manage things like this; however, last time I checked, this was the way only for big USA-registered companies.

The other option is to disable SIP on the target Mac, but I don't think it is the way you want to go.

Arthur Bulakaiev

As Arthur says, you cannot do this automatically, except through an MDM.

But, I think there are a lot of oddities in your question. Forgive list form, but:

  1. io.osquery.agent is the bundle id. You'd have to re-sign things to have that work. I'm not sure what plist means here.
  2. Osquery isn't going to work if you rename the binary itself. That's baked in pretty deeply.
seph