search

drata / drata-agent

Apache License 2.0
12 stars 5 forks source link

Detection of "CriticalUpdateInstall" on macos is inaccurate #27

Open ubergeek42 opened 3 months ago

ubergeek42 commented 3 months ago

I'm not sure what went wrong, but this query was not returning the proper information on my Sonoma 14.6.1 machine.

https://github.com/drata/drata-agent/blob/e04e0c16c799cd058b23096e02a56195a30592ac/src/main/services/system-query/macos-system-query.service.ts#L124-L127

I installed osquery and ran the query manually to see what it returned:

osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.SoftwareUpdate.plist' AND key = 'CriticalUpdateInstall' UNION SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.commerce.plist' AND key = 'AutoUpdate' UNION SELECT * FROM plist WHERE path = '/Library/Managed Preferences/com.apple.SoftwareUpdate.plist' AND key = 'CriticalUpdateInstall' UNION SELECT * FROM plist WHERE path = '/Library/Managed Preferences/com.apple.commerce.plist' AND key = 'AutoUpdate'
    ...> ;
+------------+--------+-------+-----------------------------------------------+
| key        | subkey | value | path                                          |
+------------+--------+-------+-----------------------------------------------+
| AutoUpdate |        | 1     | /Library/Preferences/com.apple.commerce.plist |
+------------+--------+-------+-----------------------------------------------+

Hmm, no CriticalUpdateInstall response. Querying the first plist directly returned:

osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.SoftwareUpdate.plist';
+----------------------------------------+--------+----------------+-----------------------------------------------------+
| key                                    | subkey | value          | path                                                |
+----------------------------------------+--------+----------------+-----------------------------------------------------+
| LastSuccessfulDate                     |        | 1724686731     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastAttemptSystemVersion               |        | 14.6.1 (23G93) | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| AutomaticallyInstallMacOSUpdates       |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastUpdatesAvailable                   |        | 0              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| OneTimeForceScanEnabled                |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastRecommendedUpdatesAvailable        |        | 0              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastAttemptBuildVersion                |        | 14.6.1 (23G93) | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| RecommendedUpdates                     |        |                | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastFullSuccessfulDate                 |        | 1724686720     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastRecommendedMajorOSBundleIdentifier |        |                | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| PrimaryLanguages                       |        | en             | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| PrimaryLanguages                       |        | en-US          | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastSessionSuccessful                  |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastBackgroundSuccessfulDate           |        | 1724630235     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastResultCode                         |        | 2              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
+----------------------------------------+--------+----------------+-----------------------------------------------------+

So it's not a query issue. I then went and toggle on and off all the checkboxes in system settings related to updates, then ran the above query again.

osquery> SELECT * FROM plist WHERE path = '/Library/Preferences/com.apple.SoftwareUpdate.plist';
+----------------------------------------+--------+----------------+-----------------------------------------------------+
| key                                    | subkey | value          | path                                                |
+----------------------------------------+--------+----------------+-----------------------------------------------------+
| LastResultCode                         |        | 2              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| AutomaticCheckEnabled                  |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastAttemptSystemVersion               |        | 14.6.1 (23G93) | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| AutomaticallyInstallMacOSUpdates       |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastUpdatesAvailable                   |        | 0              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| OneTimeForceScanEnabled                |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastRecommendedUpdatesAvailable        |        | 0              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastAttemptBuildVersion                |        | 14.6.1 (23G93) | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| AutomaticDownload                      |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| CriticalUpdateInstall                  |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| RecommendedUpdates                     |        |                | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastFullSuccessfulDate                 |        | 1724689330     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastRecommendedMajorOSBundleIdentifier |        |                | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| PrimaryLanguages                       |        | en             | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| PrimaryLanguages                       |        | en-US          | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastSessionSuccessful                  |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| ConfigDataInstall                      |        | 1              | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastBackgroundSuccessfulDate           |        | 1724630235     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
| LastSuccessfulDate                     |        | 1724689337     | /Library/Preferences/com.apple.SoftwareUpdate.plist |
+----------------------------------------+--------+----------------+-----------------------------------------------------+

Hey, look at that, CriticalUpdateInstall is present now, and the Drata check is passing (it had started failing a few days ago, probably related to the new compliance check for gatekeeper/xprotect).

I unfortunately did not check the other plist files to see what they contained, and I'm not sure how to get it into the broken state my machine was in (I suspect OS upgrades and never touching the settings directly). But at least it seems that looking for CriticalUpdateInstall is not a true reflection of whether the functionality is actually enabled or not.

tabrezm commented 2 months ago

Confirmed, everyone in our company has this setting enabled via the GUI (default) but CriticalUpdateInstall is unset. Given how widespread this is, my guess is it's not a "broken" state. Drata should modify their agent to assume unset == enabled.

dburkart commented 2 months ago

We are hitting this as well at my company.

mnrdrata commented 1 month ago

Please contact our support team as we have a workaround command for this specific issue on MacOS.