fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

"Scopes" view of software #16899

Open noahtalerman opened 6 months ago

noahtalerman commented 6 months ago

Goal

User story
As a security engineer viewing software on a macOS and Windows Host details page,
I want to see what level of access (scopes/permissions) the apps have (ex. camera)
so that I can know what level of access apps have on my hosts.

Context

Today, here's the agent configuration you can provide to construct a tcc table:

apiVersion: v1
kind: config
spec:
  agent_options:
    config:
      options:
        # ...
    overrides:
      platforms:
        darwin:
          auto_table_construction:
            tcc:
              path: /Library/Application Support/com.apple.TCC/TCC.db
              query: 'select service, client, auth_value, auth_reason from access'
              columns:
                - service
                - client
                - auth_value
                - auth_reason

With the agent configuration applied, here's an example query you can run to get information about screen recording access (the kTCCServiceScreenCapture service; for camera access, filter on kTCCServiceCamera instead):

SELECT * FROM tcc WHERE service = 'kTCCServiceScreenCapture';

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
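As an added example that is not part of this issue or of Fleet's own code, here is what a first "scopes" query against the auto-constructed tcc table from the Context section looks like in osquery SQL. It assumes the tcc table exactly as defined there (columns service, client, auth_value, auth_reason), and it assumes the osquery agent itself has been granted Full Disk Access, since macOS will not let it read TCC.db otherwise. The auth_value decoding follows the macOS 11+ TCC schema (0 denied, 1 unknown, 2 allowed, 3 limited), and the service names are the standard kTCCService identifiers for camera, microphone, screen recording, Full Disk Access, the Downloads folder and Accessibility.

```sql
-- Added example (not from the Fleet issue or project). Assumes the `tcc` table
-- from the ATC configuration above: service, client, auth_value, auth_reason.
-- Caveat: osqueryd itself needs Full Disk Access or TCC.db cannot be opened.

-- 1. Human-readable listing of the sensitive services, ignoring rows that are
--    toggled off in System Settings (auth_value = 0). auth_value meanings follow
--    the macOS 11+ TCC schema: 0 denied, 1 unknown, 2 allowed, 3 limited.
SELECT
  client,
  service,
  CASE auth_value
    WHEN 0 THEN 'denied'
    WHEN 1 THEN 'unknown'
    WHEN 2 THEN 'allowed'
    WHEN 3 THEN 'limited'
    ELSE 'value ' || auth_value
  END AS access,
  auth_reason
FROM tcc
WHERE service IN (
    'kTCCServiceCamera',
    'kTCCServiceMicrophone',
    'kTCCServiceScreenCapture',
    'kTCCServiceSystemPolicyAllFiles',        -- Full Disk Access
    'kTCCServiceSystemPolicyDownloadsFolder', -- Downloads folder
    'kTCCServiceAccessibility'
  )
  AND auth_value != 0
ORDER BY client, service;

-- 2. One row per client, one column per "scope": the shape a Host details
--    software page needs. A 1 means the grant is allowed (2) or limited (3);
--    `MAX(service = '...')` is SQLite's boolean-as-integer idiom for "any row".
SELECT
  client,
  MAX(service = 'kTCCServiceCamera')                      AS camera,
  MAX(service = 'kTCCServiceMicrophone')                  AS microphone,
  MAX(service = 'kTCCServiceScreenCapture')               AS screen_recording,
  MAX(service = 'kTCCServiceSystemPolicyAllFiles')        AS full_disk_access,
  MAX(service = 'kTCCServiceSystemPolicyDownloadsFolder') AS downloads_folder,
  MAX(service = 'kTCCServiceAccessibility')               AS accessibility
FROM tcc
WHERE auth_value IN (2, 3)
  AND service IN (
    'kTCCServiceCamera',
    'kTCCServiceMicrophone',
    'kTCCServiceScreenCapture',
    'kTCCServiceSystemPolicyAllFiles',
    'kTCCServiceSystemPolicyDownloadsFolder',
    'kTCCServiceAccessibility'
  )
GROUP BY client
ORDER BY full_disk_access DESC, screen_recording DESC, client;
```

The second query is the one to schedule if the goal is a per-app summary: each client appears once, and a client that holds none of the listed grants is dropped by the WHERE clause rather than shown as a row of zeros. Both queries only see the system-wide database at /Library/Application Support/com.apple.TCC/TCC.db; per-user grants live in each user's own TCC.db and need a second ATC table.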
noahtalerman commented 6 months ago

Use TCC table to update the software page UI to show what the app can access

^ start with software inventory of individual host (on the host details page) because, e.g., Adobe XD v3.1.1 can grant different scopes on different hosts, based on what the end user accepts, e.g. Full disk access, Microphone, Screen sharing, Downloads folder.

Kolide has written about this: https://www.kolide.com/blog/macos-catalina-osquery

noahtalerman commented 6 months ago

Kathy: You can use auto table construction (ATC) to query this table.

harrisonravazzolo commented 6 months ago

@ksatter - we talked about this last year but very keen to see this in prod :) we will use this data to 'nudge' users when they set up their mac, since it's the one thing we can't automate.

ksatter commented 6 months ago

@harrisonravazzolo I'm keen too!

edit - I misread your comment the first time :)

dherder commented 6 months ago

here's the overrides you can add to agent options to get this data:

overrides:
  platforms:
    darwin:
      auto_table_construction:
        tcc:
          path: /Library/Application Support/com.apple.TCC/TCC.db
          query: 'select service, client, auth_value, auth_reason from access'
          columns:
            - service
            - client
            - auth_value
            - auth_reason

and the sql to get some interesting stuff re: camera access:

SELECT * FROM tcc WHERE service = 'kTCCServiceScreenCapture';

noahtalerman commented 6 months ago

Thanks Dave!

During this 🎸Air guitar we learned that today you can use Auto table construction to construct a tcc table. You can use this table to query for information about applications' level of access.

We added instructions to the issue description here ("Context" section).

We think the next steps to getting this info into the UI are exposing this information as a supported table. This way, Fleet can query this table and surface this information in the UI/API.

noahtalerman commented 6 months ago

cc @mikermcneil ^^

bgirardeau-figma commented 6 months ago

Yeah this would be great!

It's helpful to collect the user TCC database as well. Indirect object identifier can also be useful for a couple of permissions that are limited to particular apps (like sending Apple Events). When querying, you should generally filter out auth_value = "0" as these are disabled permissions (they are visible apps but toggled off in System Preferences).

When correlating with the apps table, the client column generally matches bundle_identifier in the apps table, but every now and then it seems to be a path instead.

I think this works on macOS 13 and 14; I can't remember if one of the columns changed on older macOS:

  "auto_table_construction": {
    "tcc_system_entries": {
      "query": "SELECT service, client, auth_value, auth_reason, indirect_object_identifier, last_modified FROM access;",
      "path": "/Library/Application Support/com.apple.TCC/TCC.db",
      "columns": [
        "service",
        "client",
        "auth_reason",
        "auth_value",
        "indirect_object_identifier",
        "last_modified"
      ],
      "platform": "darwin"
    },
    "tcc_user_entries": {
      "query": "SELECT service, client, auth_value, auth_reason, indirect_object_identifier, last_modified FROM access;",
      "path": "/Users/%/Library/Application Support/com.apple.TCC/TCC.db",
      "columns": [
        "service",
        "client",
        "auth_value",
        "auth_reason",
        "indirect_object_identifier",
        "last_modified"
      ],
      "platform": "darwin"
    }
  }
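Building on the two ATC tables in the comment above, here is an added example, not from this issue or from Fleet, of the apps correlation the comment describes. It assumes the tcc_system_entries and tcc_user_entries tables exactly as defined there, osquery's built-in apps table (bundle_identifier, path, name, bundle_short_version), and that last_modified is the Unix timestamp TCC.db stores. Because client is usually a bundle identifier but occasionally a path, the join tries both; a client path that names a bare executable rather than an .app bundle will still come back with no matching app, which is itself worth surfacing.

```sql
-- Added example (not from the Fleet issue or project). Assumes the two ATC
-- tables defined in the comment above plus osquery's built-in `apps` table.
-- Caveat: both TCC.db files are only readable if osqueryd has Full Disk Access.
WITH grants AS (
  -- Tag each row with where it came from, then stack system and per-user grants.
  SELECT 'system' AS scope, service, client, auth_value, auth_reason,
         indirect_object_identifier, last_modified
  FROM tcc_system_entries
  UNION ALL
  SELECT 'user' AS scope, service, client, auth_value, auth_reason,
         indirect_object_identifier, last_modified
  FROM tcc_user_entries
)
SELECT
  g.scope,
  g.service,
  g.client,
  -- client is normally a bundle id; fall back to a path match, and make the
  -- "nothing in inventory" case explicit instead of a silent NULL.
  COALESCE(a.name, '(no matching app)') AS app_name,
  a.bundle_short_version               AS app_version,
  CASE g.auth_value
    WHEN 2 THEN 'allowed'
    WHEN 3 THEN 'limited'
    ELSE 'value ' || g.auth_value       -- 1 = unknown; 0 is filtered out below
  END AS access,
  -- Only populated for target-scoped services such as kTCCServiceAppleEvents,
  -- where it names the app the client may control.
  g.indirect_object_identifier         AS target,
  g.auth_reason,
  datetime(g.last_modified, 'unixepoch') AS last_modified_utc
FROM grants g
LEFT JOIN apps a
  ON a.bundle_identifier = g.client
  OR a.path = g.client
WHERE g.auth_value != 0               -- drop grants toggled off in System Settings
ORDER BY g.client, g.scope, g.service;
```

Two things to check when reading the output: a row with scope = 'user' and app_name = '(no matching app)' usually means the app lives in that user's home directory rather than /Applications, which the apps table may not have indexed, and a system-scope row whose client is a path (for example a helper binary) is the case the comment above warns about, so it should not be treated as an error in the join.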
noahtalerman commented 6 months ago

Thanks @bgirardeau-figma!

Really helpful feedback re TCC database and correlating w/ apps.

build a first-class table for that info

Prioritized this one for the next design sprint, which means we’re aiming to ship it in ~6 weeks.

noahtalerman commented 5 months ago

Hey @rachaelshaw heads up, I updated the user story to clarify the goal of adding "scopes" to the Software table on the Host details page.

I assigned you and moved this story below the smaller issues.

We still want to add the osquery table but let's start w/ the UI design. The UI will help us inform what the table will look like (what columns, data format, etc.)

cc @mikermcneil

noahtalerman commented 5 months ago

Hey @mikermcneil heads up, we didn't get to this estimated in the last design sprint.

Plan is to prioritize it in the upcoming design sprint (4.49).

noahtalerman commented 5 months ago

Hey @bgirardeau-figma! Do you know how to get "scopes" for Windows programs?

FYI here's the latest Figma wireframes for what this will look like in the UI: https://www.figma.com/file/rZtJtM887fa1QXwgk9i2oG/%2316899-%22Scopes%22-view-of-software?type=design&node-id=2%3A130&mode=design&t=AHGiaqR8frTgK6Eq-1

Please let us know if you have any thoughts/feedback :)

rachaelshaw commented 4 months ago

@bgirardeau-figma @mikermcneil @dherder to get this shipped sooner, we pulled the new table into its own issue to start working on next sprint: https://github.com/fleetdm/fleet/issues/18222