Proposed added content: Why should I care about EFI? Summarize: https://duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research Last month Duo Security published a report on a major vulnerability resulting in over 4% of Mac devices worldwide not receiving critical patches. Quick summary of what the EFI is and why it is important and critical to keep secure. What is the specific risk to my Mac devices with the recently announced EFI vulnerability? What EFI versions are included in the published vulnerability? How do I determine if my devices are affected? If my devices are affected, how do I secure my devices and fix this issue?

As a system administrator, I’ve often written bash or python scripts that query some other utility and then attempt to parse the value I need with grep, awk, sed and regular expressions. This task is tedious, and the parsing often needs to be adjusted because output isn’t consistent across OS versions.


Adding osquery to my daily workflow has reduced the number of one-off scripts I write to collect system information. In my previous blog post I showed you how a query can be run by connecting the Go SDK to the osqueryd daemon. Today I want to show you how you can use the osqueryi shell as part of your daily workflow.

For this example, I am interested in retrieving the EFI version of a macOS host. Knowing the EFI version of your hosts can come in handy, especially when there is a known security vulnerability, but it can also be hard to extract reliably with just bash.

If you’re using osquery, getting the EFI version is a simple query:

SELECT version FROM platform_info;

Running the query in the osqueryi shell will print the output in an ASCII table, which is nice if we’re just exploring the data, but it’s a bit harder to parse from a script. Luckily, osqueryi has a few useful modes for printing output, so we can choose the one that is most convenient for us.

.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns (see .width)
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)

Besides giving us a common query language and a wide range of tables to instrument our systems, osquery lets us JOIN tables, so one result can combine structured data from several of them. I can query multiple tables to get a structured JSON response and pass it to jq or to a server with curl.
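As an added example (not code from this post or from Kolide), here is a small Python script that runs such a multi-table query through osqueryi in --json mode, parses the rows, and flags hosts whose EFI version differs from the one expected for that hardware model and OS build. The table and column names are osquery’s own; the query, the reference mapping and the sample output are assumptions constructed for the example.

```python
import json
import shutil
import subprocess

# Cross join of three single-row tables so firmware version, hardware model and
# OS build arrive in one row. platform_info, system_info and os_version are real
# osquery tables; the query and the reference mapping are this example's own.
EFI_QUERY = (
    "SELECT p.version AS efi_version, s.hardware_model, o.build AS os_build "
    "FROM platform_info p, system_info s, os_version o;"
)

def run_osqueryi(sql: str, binary: str = "osqueryi") -> str:
    """Run sql through the osqueryi shell in --json mode and return raw stdout."""
    if shutil.which(binary) is None:
        raise FileNotFoundError(f"{binary} not found on PATH")
    proc = subprocess.run([binary, "--json", sql], capture_output=True, text=True, check=True)
    return proc.stdout

def parse_osqueryi_json(raw: str) -> list:
    """osqueryi --json prints a JSON array of row objects; every value is a string."""
    rows = json.loads(raw)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of rows")
    return rows

def efi_report(rows: list, expected: dict) -> list:
    """Flag rows whose EFI version differs from the one expected for that model/build.

    expected maps (hardware_model, os_build) -> EFI version; the operator builds it
    from a known-good host. No vendor reference data is bundled here.
    """
    report = []
    for r in rows:
        key = (r["hardware_model"], r["os_build"])
        want = expected.get(key)
        status = "unknown" if want is None else ("ok" if r["efi_version"] == want else "outdated")
        report.append({"model": key[0], "build": key[1], "efi": r["efi_version"], "status": status})
    return report

# Constructed sample in the shape osqueryi --json emits; the values are made up.
SAMPLE_OUTPUT = ('[{"efi_version":"SAMPLE.0001.B01","hardware_model":"SampleMac1,1",'
                 '"os_build":"00X00"}]')

if __name__ == "__main__":
    raw = run_osqueryi(EFI_QUERY) if shutil.which("osqueryi") else SAMPLE_OUTPUT
    for row in efi_report(parse_osqueryi_json(raw), {("SampleMac1,1", "00X00"): "SAMPLE.0001.B01"}):
        print(row)
```

On a host without osqueryi the script falls back to the constructed sample so the parsing and comparison logic can still be exercised.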

Osquery also has an ecosystem of tools to help us understand this data across our fleet. osqueryd enables us to schedule the query as part of a query pack and then monitor it through our log aggregation pipeline. Ad-hoc analysis is made easy by tools such as Kolide Fleet, which can instantaneously return results from any online host.

To learn more about remote querying osquery agents, check out our article Managing Osquery with Kolide Launcher and Fleet. For a more in-depth introduction to macOS instrumentation, see Monitoring macOS hosts with osquery.