From 66dd003f7d6ca52ae917407451de76fa942dc0e0 Mon Sep 17 00:00:00 2001
From: Rachael Shaw
Date: Thu, 28 Mar 2024 13:23:48 -0500
Subject: [PATCH] Add TCC tables with all available data (#17935)

Add more complete versions of the TCC tables to canary team (research for #16899)

Also added queries to run on the canary team.
---
 ...t-software-permissions-system.queries.yaml | 5 +++
 ...ect-software-permissions-user.queries.yaml | 5 +++
 it-and-security/teams/workstations-canary.yml | 32 +++++++++++++++++--
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 it-and-security/lib/collect-software-permissions-system.queries.yaml
 create mode 100644 it-and-security/lib/collect-software-permissions-user.queries.yaml

diff --git a/it-and-security/lib/collect-software-permissions-system.queries.yaml b/it-and-security/lib/collect-software-permissions-system.queries.yaml
new file mode 100644
index 0000000000..0f576ffcf7
--- /dev/null
+++ b/it-and-security/lib/collect-software-permissions-system.queries.yaml
@@ -0,0 +1,5 @@
+- name: Collect software permissions (system)
+ description: "Research for #16899"
+ query: SELECT * from tcc_system;
+ interval: 3600 # 1 hour
+ platform: darwin
\ No newline at end of file
diff --git a/it-and-security/lib/collect-software-permissions-user.queries.yaml b/it-and-security/lib/collect-software-permissions-user.queries.yaml
new file mode 100644
index 0000000000..b8b0e7c75b
--- /dev/null
+++ b/it-and-security/lib/collect-software-permissions-user.queries.yaml
@@ -0,0 +1,5 @@
+- name: Collect software permissions (user)
+ description: "Research for #16899"
+ query: SELECT * from tcc_user;
+ interval: 3600 # 1 hour
+ platform: darwin
\ No newline at end of file
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index e5ad3636eb..e2550b4b88 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
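Review bot: The two files this commit creates are named `collect-software-permissions-system.queries.yaml` and `collect-software-permissions-user.queries.yaml`, but the `queries:` entries added to `workstations-canary.yml` in the last hunk point at `../lib/collect-software-permissions-system.queries.yml` and `../lib/collect-software-permissions-user.queries.yml`, so the referenced files do not exist and neither query will be loaded on the canary team. Every other entry in that list uses `.queries.yml`, so renaming the two new files to that extension is the smaller fix; otherwise change the two added `- path:` lines to end in `.queries.yaml`. Both new files also end without a trailing newline (`\ No newline at end of file`), which is worth fixing before merge. `SELECT * from tcc_system;` and `SELECT * from tcc_user;` return every column the ATC tables declare, including `csreq`, which in TCC.db is a code-signing requirement blob; if pulling it hourly is intended for the research, a comment above `query:` such as `# intentionally selects every ATC column, csreq included, for #16899` would keep the next reader from trimming it.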
@@ -26,14 +26,40 @@ agent_options:
 platforms:
 darwin:
 auto_table_construction:
- tcc:
+ tcc_system:
 path: /Library/Application Support/com.apple.TCC/TCC.db
- query: 'select service, client, auth_value, auth_reason from access'
+ query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
 columns:
 - service
 - client
+ - client_type
 - auth_value
 - auth_reason
+ - auth_version
+ - csreq
+ - policy_id
+ - indirect_object_identifier
+ - indirect_object_identifier_type
+ - indirect_object_code_identity
+ - flags
+ - last_modified
+ tcc_user:
+ path: /Users/%/Library/Application Support/com.apple.TCC/TCC.db
+ query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+ columns:
+ - service
+ - client
+ - client_type
+ - auth_value
+ - auth_reason
+ - auth_version
+ - csreq
+ - policy_id
+ - indirect_object_identifier
+ - indirect_object_identifier_type
+ - indirect_object_code_identity
+ - flags
+ - last_modified
 controls:
 enable_disk_encryption: true
 macos_settings:
@@ -92,3 +118,5 @@ queries:
 - path: ../lib/collect-failed-login-attempts.queries.yml
 - path: ../lib/collect-usb-devices.queries.yml
 - path: ../lib/collect-vs-code-extensions.queries.yml
+ - path: ../lib/collect-software-permissions-system.queries.yml
+ - path: ../lib/collect-software-permissions-user.queries.yml
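Review bot: Renaming the `tcc` ATC table to `tcc_system` in the first hunk is a breaking change for anything that still selects from `tcc`; nothing inside this hunk references the old name, but any scheduled query, policy or saved live query on the canary team that does will start failing with a missing-table error once this applies, so either keep `tcc` defined alongside the new tables for a transition period or confirm no remaining references before merge. The new `tcc_user` table uses a `%` wildcard in `path`, so one table spans every user's `TCC.db`, yet its `columns` list carries no per-user field; consumers presumably rely on the `path` column osquery attaches to ATC tables to attribute a row to a user, and that is worth stating in a comment above `tcc_user:`, e.g. `# one TCC.db per /Users/<name>; rows are attributed to a user via the ATC-provided path column`. Both tables read TCC databases that macOS only exposes to processes holding Full Disk Access, so a comment noting that the table is empty without that grant would help whoever debugs blank results; the enclosing `agent_options:` mapping starts above this hunk.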