How to Check the EFI Version of a Mac With Osquery
This article has portions of it that discuss Kolide Fleet which was formally retired in November of 2020. For posterity, this post is still available, but we encourage you to read our Device Trust announcement.
As a system administrator, I’ve often written bash or python scripts that query some other utility and then attempt to parse the value I need with grep, awk, sed and regular expressions. This task is tedious, and often needs to be adjusted as output isn’t consistent across OS versions. Adding osquery to my daily workflow has reduced the number of one-off scripts I write to collect system information. In my previous blog post I showed you how a query can be run by connecting the Go SDK to the osqueryd daemon. Today I want to show you how you can use the osqueryi shell as part of your daily workflow.
For this example, I am interested in retrieving the EFI version of a macOS host. Knowing the EFI version of your hosts can come in handy, especially when there is a known security vulnerability, but the value can also be hard to parse with just bash.
If you’re using osquery, getting the EFI version is a simple query against the platform_info table:
    SELECT version FROM platform_info;
Running the query in the osqueryi shell will print the output in an ASCII table, which is nice if we’re just exploring the data. But it’s a bit harder to parse from a script. Luckily, osqueryi has a few useful modes for printing output, so we can choose the one convenient for us:
    .mode MODE       Set output mode where MODE is one of:
                       csv      Comma-separated values
                       column   Left-aligned columns (see .width)
                       line     One value per line
                       list     Values delimited by .separator string
                       pretty   Pretty printed SQL results (default)
Besides giving us a common query language and a wide range of tables to instrument our systems, osquery lets us JOIN the tables to get structured data from different tables. I can query multiple tables to get a structured JSON response, and pass it to jq or to a server with curl.
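A small script that pulls the EFI version from osqueryi’s JSON output and compares it to a baseline, tying together the output modes above and the JSON-to-script hand-off. This is an added example, not code from the original post; `osqueryi --json` and the platform_info table are real, while the sample output, the version strings and the EXPECTED_EFI baseline are constructed placeholders.

```python
"""Retrieve a Mac's EFI firmware version from osqueryi's --json output and check it
against an expected baseline. Added example, not code from the original post."""
import json
import shutil
import subprocess

# platform_info is a real osquery table; on macOS its version column is the EFI version.
QUERY = "SELECT version, revision FROM platform_info;"

# Constructed sample of `osqueryi --json` output; the version string is made up.
SAMPLE_JSON = '[{"revision":"1.0","version":"MBP143.88Z.F000.B00.1801010000"}]'

# Hypothetical baseline: the firmware version expected per board prefix, e.g. recorded
# from a known-good host after the latest macOS update. The operator fills this in.
EXPECTED_EFI = {"MBP143": "MBP143.88Z.F000.B00.1801010000"}


def query_osqueryi(query: str = QUERY) -> str:
    """Run osqueryi in JSON mode; fall back to the constructed sample if it is not installed."""
    if shutil.which("osqueryi") is None:
        return SAMPLE_JSON
    proc = subprocess.run(["osqueryi", "--json", query],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_efi_version(raw_json: str) -> str:
    """Extract the EFI version from the single platform_info row; reject unexpected shapes."""
    rows = json.loads(raw_json)
    if len(rows) != 1 or "version" not in rows[0]:
        raise ValueError(f"unexpected platform_info result: {raw_json!r}")
    return rows[0]["version"]


def board_prefix(version: str) -> str:
    """The first dotted component (e.g. 'MBP143') identifies the board family."""
    return version.split(".", 1)[0]


def check_efi(version: str, baseline: dict = EXPECTED_EFI) -> str:
    """Return 'ok', 'mismatch' or 'unknown-board' relative to the baseline."""
    expected = baseline.get(board_prefix(version))
    if expected is None:
        return "unknown-board"
    return "ok" if version == expected else "mismatch"


if __name__ == "__main__":
    efi = parse_efi_version(query_osqueryi())
    print(f"EFI version {efi}: {check_efi(efi)}")
```

A "mismatch" means the host's firmware differs from the recorded baseline and deserves a closer look, not necessarily that it is older.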
Osquery also has an ecosystem of tools to help us understand this data across our fleet. osqueryd enables us to schedule the query as part of a query pack and then monitor it through our log aggregation pipeline. Ad-hoc analysis is made easy by tools such as Kolide Fleet, which can instantaneously return results from any online hosts.
To learn more about remote querying osquery agents, check out our article Managing Osquery with Kolide Launcher and Fleet. For a more in-depth introduction to macOS instrumentation, see Monitoring macOS hosts with osquery.
If you’d like to read more tutorial content like this, sign up for our biweekly newsletter.