osquery-extension icon indicating copy to clipboard operation
osquery-extension copied to clipboard

Published 20 hours ago verified publisher icon macadmins

`/usr/bin/profiles show -type enrollment` not being throttled

Open getvictor opened this issue 10 months ago • 3 comments

The code intent is to throttle access to profiles show -type enrollment command: https://github.com/macadmins/osquery-extension/blob/5461c453ddbf857704d33cdeae1bc6b0429dca6a/tables/mdm/mdm.go#L202

However, this never happens because the file it checks is never created:

/private/var/db/ConfigurationProfiles/Settings/.cloudConfigTimerCheck

Also, the latest manpage states that the limit is 10 times per 23 hours, so the throttling can be reduced to <3 hours per request.

image

getvictor avatar Jan 15 '25 23:01 getvictor

@getvictor So how should we measure this?

grahamgilbert avatar Jun 25 '25 04:06 grahamgilbert

If this isn't causing issues, maybe it is simplest to remove the code that pretends to throttle the access?

getvictor avatar Jul 03 '25 21:07 getvictor

If the code isn't working, and someone queries this table more than 10 times in a 23 hour period, or calls profiles show 10 times elsewhere and then tries this table, it will fail.

grahamgilbert avatar Jul 03 '25 23:07 grahamgilbert