Compatibility Notes:
The steps below were written up for an Apple MacBook Pro M2 CPU running macOS 14 Sonoma, and a Lenovo running Windows 11. These steps should work for Intel and Windows 10 devices but may need adaptation due to OS differences that change preference names or locations.
How long does this take?
The steps below look like a lot but only because they have been written to pass the novice user test. It should not take more than 5-7 minutes to get set up.
| kolide-ubuntu@kolide-ubuntu:~/Downloads$ gsettings | |
| Usage: | |
| gsettings --version | |
| gsettings [--schemadir SCHEMADIR] COMMAND [ARGS…] | |
| Commands: | |
| help Show this information | |
| list-schemas List installed schemas | |
| list-relocatable-schemas List relocatable schemas | |
| list-keys List keys in a schema |
This table is built around the wscapi which communicates with Microsoft's Windows Security Center service.
Windows Security Center is a security reporting dashboard available on Windows 10 devices which notifies users when the configuration of their device (eg. Firewall Off) exposes them to risk. These categories are often composite items populated and scored based on one or more underlying settings.
For example, the Firewall state is a composite of several Windows Firewall Profiles: Domain, Public and Private. We can inspect what the WSC output is when each is modified:
+-----------+-----------------+-----------------+------------------+
| wsc_state | domain_firewall | public_firewall | private_firewall |
+-----------+-----------------+-----------------+------------------+
| WITH | |
| split_date AS | |
| (SELECT *, | |
| Split(installed_on, '/', 0) AS month, | |
| Split(installed_on, '/', 1) AS day, | |
| Split(installed_on, '/', 2) AS year | |
| FROM patches), | |
| leading_zeroes AS ( | |
| SELECT *, | |
| (SELECT local_time FROM time) AS local_time, |
| WITH bi_flags AS ( | |
| SELECT value AS 'flags', | |
| SUBSTR(parent, 6) AS bundle_identifier, | |
| '/Users/' || SPLIT(path, '/', 1) AS directory | |
| FROM kolide_plist | |
| WHERE path LIKE '/Users/%/Library/Preferences/com.apple.ncprefs.plist' | |
| AND query = 'apps/#bundle-id/flags'), | |
| bi_path AS ( | |
| SELECT value AS 'path', | |
| SUBSTR(parent, 6) AS bundle_identifier |
| osquery> select key, subkey, value from plist where path = '/Library/Preferences/com.apple.SoftwareUpdate.plist'; | |
| +----------------------------------+-----------------+----------------------+ | |
| | key | subkey | value | | |
| +----------------------------------+-----------------+----------------------+ | |
| | LastResultCode | | 0 | | |
| | LastAttemptSystemVersion | | 10.15 (19A602) | | |
| | SkipLocalCDN | | 0 | | |
| | LastUpdatesAvailable | | 1 | | |
| | AutomaticallyInstallMacOSUpdates | | 1 | | |
| | LastRecommendedUpdatesAvailable | | 1 | |
| { | |
| "auto_table_construction": { | |
| "tcc_system_entries": { | |
| "query": "SELECT service, client, allowed, prompt_count, last_modified FROM access;", | |
| "path": "/Library/Application Support/com.apple.TCC/TCC.db", | |
| "columns": [ | |
| "service", | |
| "client", | |
| "allowed", | |
| "prompt_count", |
| { | |
| "auto_table_construction": { | |
| "quarantine_items": { | |
| "query": "SELECT LSQuarantineEventIdentifier as id, LSQuarantineAgentName as agent_name, LSQuarantineAgentBundleIdentifier as agent_bundle_identifier, LSQuarantineTypeNumber as type, LSQuarantineDataURLString as data_url,LSQuarantineOriginURLString as origin_url, LSQuarantineSenderName as sender_name, LSQuarantineSenderAddress as sender_address, LSQuarantineTimeStamp as timestamp from LSQuarantineEvent", | |
| "path": "/Users/%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2", | |
| "columns": [ | |
| "id", | |
| "type", | |
| "agent_name", | |
| "agent_bundle_identifier", |
| Operator | Description | |
|---|---|---|
| == | equal | |
| != | not equal | |
| < | less than (available for numeric values and dates only) | |
| > | greater than (available for numeric values and dates only) | |
| <= | less than or equal (available for numeric values and dates only) | |
| >= | greater than or equal (available for numeric values and dates only) | |
| InRange(attributeName,minValue,maxValue) | numeric values within the range of minValue through maxValue in the specified attributeName |