Add TCC tables with all available data (#17935)

Add more complete versions of the TCC tables to canary team (research for #16899) Also added queries to run on the canary team.
2026-05-23 17:08:53 +00:00 · 2024-03-28 13:23:48 -05:00 · 2024-03-28 13:23:48 -05:00 · 66dd003f7d
commit 66dd003f7d
parent 42c5bd5ca7
3 changed files with 40 additions and 2 deletions
--- a/it-and-security/lib/collect-software-permissions-system.queries.yaml
+++ b/it-and-security/lib/collect-software-permissions-system.queries.yaml
@ -0,0 +1,5 @@
+- name: Collect software permissions (system)
+  description: "Research for #16899"
+  query: SELECT * from tcc_system;
+  interval: 3600 # 1 hour
+  platform: darwin
--- a/it-and-security/lib/collect-software-permissions-user.queries.yaml
+++ b/it-and-security/lib/collect-software-permissions-user.queries.yaml
@ -0,0 +1,5 @@
+- name: Collect software permissions (user)
+  description: "Research for #16899"
+  query: SELECT * from tcc_user;
+  interval: 3600 # 1 hour
+  platform: darwin
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@ -26,14 +26,40 @@ agent_options:
      platforms:
        darwin:
          auto_table_construction:
-            tcc:
+            tcc_system:
              path: /Library/Application Support/com.apple.TCC/TCC.db
-              query: 'select service, client, auth_value, auth_reason from access'
+              query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
              columns:
                - service
                - client
+                - client_type
                - auth_value
                - auth_reason
+                - auth_version
+                - csreq
+                - policy_id
+                - indirect_object_identifier
+                - indirect_object_identifier_type
+                - indirect_object_code_identity
+                - flags
+                - last_modified
+            tcc_user:
+              path: /Users/%/Library/Application Support/com.apple.TCC/TCC.db
+              query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+              columns:
+                - service
+                - client
+                - client_type
+                - auth_value
+                - auth_reason
+                - auth_version
+                - csreq
+                - policy_id
+                - indirect_object_identifier
+                - indirect_object_identifier_type
+                - indirect_object_code_identity
+                - flags
+                - last_modified
 controls:
  enable_disk_encryption: true
  macos_settings:
@ -92,3 +118,5 @@ queries:
  - path: ../lib/collect-failed-login-attempts.queries.yml
  - path: ../lib/collect-usb-devices.queries.yml
  - path: ../lib/collect-vs-code-extensions.queries.yml
+  - path: ../lib/collect-software-permissions-system.queries.yml
+  - path: ../lib/collect-software-permissions-user.queries.yml