Good Morning Sophos Fam,
I'm just beginning to leverage SQL queries in the life of a Security Admin, and my question is when you receive a "Complete, no data sent" is it due to
- The device doesn't match the query parameters?
- Communication error between the device and Central/Sub Estate?
- Or the query was written poorly?
Here is the example query I wrote for our Mac environment to Audit Extensions where I received a "Complete, no data sent"
SELECT uid AS 'User', name AS 'NAME', null AS 'Browser', identifier AS 'ID', type AS 'Type', null AS 'update_url', path AS 'Path', version AS 'version', description AS 'Description' FROM firefox_addons UNION SELECT uid AS 'User', name AS 'NAME', null AS 'Browser', identifier AS 'ID', null AS 'Type', update_url AS 'Update URL', path AS 'Path', version as 'version', null as 'description' FROM safari_extensions UNION SELECT null AS 'User', uid AS 'Name', null AS 'Browser', identifier AS 'ID', profile AS 'Type', update_url AS 'Update URL', path AS 'Path', version AS 'version', description AS 'description' FROM chrome_extensions
* EDIT 12:40PM @ 07/08/2021
Building off the query from Chrome Extensions I went ahead and modified the query thusly
SELECT DISTINCT
ce.name name,
u.username username,
ce.version version,
ce.description description,
ce.locale locale,
ce.update_url update_url,
ce.path path,
ce.identifier id
FROM users u
LEFT JOIN chrome_extensions ce
ON ce.uid = u.uid
WHERE ce.name IS NOT NULL
UNION
SELECT DISTINCT
fa.name name,
u.username username,
fa.version version,
fa.description description,
fa.location Locale,
fa.source_url update_URL,
fa.path path,
fa.identifier id
FROM users u
LEFT JOIN firefox_addons fa
ON fa.uid = u.uid
WHERE fa.name IS NOT NULL
That query worked for Chrome and Firefox, However I am having a difficult time adding Safari Extension to the scan, specifically safari_extensions table
*Edit 2:18pm @ 07/08/2021
It looks like safari extensions table is not accessible natively anymore. Building off the data found in https://github.com/osquery/osquery/issues/6498 about Safari_extensions not working, I built the following query and it worked in my environment without issue.
/*
Created By: Billiam N
Created on:07/08/2021
Description: A query designed to audit extensions for the Mac environment for Chrome, Firefox, and Safari
Browser Column Value 1 = Chrome
Browser Column Value 2 = Firefox
Browser Column Value 3 = Safari
Query Performance: Slow
*/
WITH extensions_flat AS (SELECT * FROM plist WHERE path LIKE '/Applications/%.app/Contents/PlugIns/%.appex/Contents/Info.plist')
SELECT DISTINCT
'1' as browser,
ce.name name,
u.username username,
ce.version version,
ce.description description,
ce.locale locale,
ce.update_url update_url,
ce.path path,
ce.identifier id
FROM users u
LEFT JOIN chrome_extensions ce
ON ce.uid = u.uid
WHERE ce.name IS NOT NULL
UNION
SELECT DISTINCT
'2' as browser,
fa.name name,
u.username username,
fa.version version,
fa.description description,
fa.location Locale,
fa.source_url update_URL,
fa.path path,
fa.identifier id
FROM users u
LEFT JOIN firefox_addons fa
ON fa.uid = u.uid
WHERE fa.name IS NOT NULL
UNION
SELECT
'3' as browser,
MAX(CASE WHEN key = 'CFBundleDisplayName' THEN value END) name,
NULL username,
MAX(CASE WHEN key = 'CFBundleVersion' THEN value END) version,
MAX(CASE WHEN key = 'NSHumanReadableDescription' THEN value END) description,
NULL Locale,
NULL update_url,
NULL path,
NULL id
FROM
extensions_flat
GROUP BY path;
Conclusion:
Based on the Data, my limited knowledge of SQL and testing, it appears the Complete No data sent is either due to queries not matching schema or the table not existing. In my case being the OS natively disables accessing it.
RESOLVED
