ATC example update #8178
ATC example update #8178
Conversation
| @@ -568,6 +568,8 @@ Taking the `tcc_system_entries` ATC table as an example, which controls which pe | |||
|
|
|||
| `$ sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db` | |||
|
|
|||
| Note that if you receive an error on the above, TCC.db is a protected file and requires Full Disk Access. You may be required to add this to `Terminal` (or `iTerm`, or any other terminal emulator) in order to allow `sqlite3` and `osqueryi` to open this file. | |||
There was a problem hiding this comment.
Hrm. This is correct, but I'm hesitant to recommend people grant FDA to terminal without a lot more context about whether it's a good idea or not. I wonder if we can find another sqlite file for the example.
There was a problem hiding this comment.
Poking around my machine, mabye ~/Library/Application Support/FaceTime/FaceTime.sqlite3 ?
Or maybe we should walk them through making a file with sqlite directly.
There was a problem hiding this comment.
I agree on principle, the thing is that this table is really helpful for an example for folks doing corporate security which makes it a fantastic ATC example.
I showed this to a co-worker and they instantly wanted to begin using OSQuery on as many MacOS endpoints as possible.
Are there any examples of note/warning blocks elsewhere in the docs?
There was a problem hiding this comment.
(As a side note I think this is extra fun because enabling it means that terminal/iterm actually shows up in the query with kTCCServiceSystemPolicyAllFiles)
There was a problem hiding this comment.
Though are some compelling reasons. Maybe we can put a caveat here, about how they might want to disable FDA after the exercise? I'm not sure, what do you think makes the most sense?
|
Probably also worth updating the SQL for the table creation. It's using the old macOS format. Though you can't make SQL compatible with both old and new without abusing the quoting bug compatibility. |
Covers #8177