Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detection of "CriticalUpdateInstall" on macos is inaccurate #27

Open
ubergeek42 opened this issue Aug 26, 2024 · 3 comments
Open

Detection of "CriticalUpdateInstall" on macos is inaccurate #27

ubergeek42 opened this issue Aug 26, 2024 · 3 comments

Comments

@ubergeek42
Copy link

I'm not sure what went wrong, but this query was not returning the proper information on my Sonoma 14.6.1 machine.

drata-agent/src/main/services/system-query/macos-system-query.service.ts

Lines 124 to 127 in e04e0c1

autoUpdateEnabled: await this.runQuery({
description: 'Is auto-update enabled on this machine?',
query: "SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.SoftwareUpdate.plist' AND key = 'CriticalUpdateInstall' UNION SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.commerce.plist' AND key = 'AutoUpdate' UNION SELECT * FROM plist WHERE path = '/Library/Managed Preferences/com.apple.SoftwareUpdate.plist' AND key = 'CriticalUpdateInstall' UNION SELECT * FROM plist WHERE path = '/Library/Managed Preferences/com.apple.commerce.plist' AND key = 'AutoUpdate'",
}),

I installed osquery and ran the query manually to see what it returned:

osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.SoftwareUpdate.plist' AND key = 'CriticalUpdateInstall' UNION SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.commerce.plist' AND key = 'AutoUpdate' UNION SELECT * FROM plist WHERE path = '/Library/Managed Preferences/com.apple.SoftwareUpdate.plist' AND key = 'CriticalUpdateInstall' UNION SELECT * FROM plist WHERE path = '/Library/Managed Preferences/com.apple.commerce.plist' AND key = 'AutoUpdate'
    ...> ;
+------------+--------+-------+-----------------------------------------------+
| key        | subkey | value | path                                          |
+------------+--------+-------+-----------------------------------------------+
| AutoUpdate |        | 1     | /Library/Preferences/com.apple.commerce.plist |
+------------+--------+-------+-----------------------------------------------+

Hmm, no CriticalUpdateInstall response. Querying the first plist directly returned:

osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.SoftwareUpdate.plist';
+----------------------------------------+--------+----------------+-----------------------------------------------------+
| key                                    | subkey | value          | path                                                |
+----------------------------------------+--------+----------------+-----------------------------------------------------+
| LastSuccessfulDate                     |        | 1724686731     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastAttemptSystemVersion               |        | 14.6.1 (23G93) | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| AutomaticallyInstallMacOSUpdates       |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastUpdatesAvailable                   |        | 0              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| OneTimeForceScanEnabled                |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastRecommendedUpdatesAvailable        |        | 0              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastAttemptBuildVersion                |        | 14.6.1 (23G93) | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| RecommendedUpdates                     |        |                | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastFullSuccessfulDate                 |        | 1724686720     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastRecommendedMajorOSBundleIdentifier |        |                | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| PrimaryLanguages                       |        | en             | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| PrimaryLanguages                       |        | en-US          | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastSessionSuccessful                  |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastBackgroundSuccessfulDate           |        | 1724630235     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastResultCode                         |        | 2              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
+----------------------------------------+--------+----------------+-----------------------------------------------------+

So it's not a query issue. I then went and toggle on and off all the checkboxes in system settings related to updates, then ran the above query again.

osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.SoftwareUpdate.plist';
+----------------------------------------+--------+----------------+-----------------------------------------------------+
| key                                    | subkey | value          | path                                                |
+----------------------------------------+--------+----------------+-----------------------------------------------------+
| LastResultCode                         |        | 2              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| AutomaticCheckEnabled                  |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastAttemptSystemVersion               |        | 14.6.1 (23G93) | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| AutomaticallyInstallMacOSUpdates       |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastUpdatesAvailable                   |        | 0              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| OneTimeForceScanEnabled                |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastRecommendedUpdatesAvailable        |        | 0              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastAttemptBuildVersion                |        | 14.6.1 (23G93) | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| AutomaticDownload                      |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| CriticalUpdateInstall                  |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| RecommendedUpdates                     |        |                | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastFullSuccessfulDate                 |        | 1724689330     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastRecommendedMajorOSBundleIdentifier |        |                | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| PrimaryLanguages                       |        | en             | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| PrimaryLanguages                       |        | en-US          | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastSessionSuccessful                  |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| ConfigDataInstall                      |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastBackgroundSuccessfulDate           |        | 1724630235     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastSuccessfulDate                     |        | 1724689337     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
+----------------------------------------+--------+----------------+-----------------------------------------------------+

Hey, look at that, CriticalUpdateInstall is present now, and the Drata check is passing (it had started failing a few days ago, probably related to the new compliance check for gatekeeper/xprotect).

I unfortunately did not check the other plist files to see what they contained, and I'm not sure how to get it into the broken state my machine was in (I suspect OS upgrades and never touching the settings directly). But at least it seems that looking for CriticalUpdateInstall is not a true reflection of whether the functionality is actually enabled or not.
@tabrezm
Copy link

tabrezm commented Sep 10, 2024

Confirmed, everyone in our company has this setting enabled via the GUI (default) but CriticalUpdateInstall is unset. Given how widespread this is, my guess is it's not a "broken" state. Drata should modify their agent to assume unset == enabled.

@dburkart
Copy link

We are hitting this as well at my company.

@mnrdrata
Copy link
Contributor

mnrdrata commented Oct 7, 2024
edited
Loading

Please contact our support team as we have a workaround command for this specific issue on MacOS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dburkart @ubergeek42 @tabrezm @mnrdrata and others