How to List Launchd Entries Across All Macs
Using Kolide, you can easily view and query Mac Launchd Entries across your fleet.
Introduction
launchd is a component of macOS that has two main tasks. The first is to assist in fully booting up macOS, and the second is to automatically load apps and services and ensure they remain running.
Kolide's agent uses launchd to ensure that Kolide can communicate with your device as soon as possible after it boots.
What Mac Launchd Entry Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac Launchd Entries from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac Launchd Entries Schema
Column | Type | Description |
---|---|---|
id | Primary Key | Unique identifier for the object |
device_id | Foreign Key | Device associated with the entry |
device_name | Text | Display name of the device associated with the entry |
disabled | Boolean | Skip loading this daemon or agent on boot |
groupname | Text | Run this daemon or agent as this group |
inetd_compatibility | Text | Run this daemon or agent as it was launched from inetd |
keep_alive | Text | Should the process be restarted if killed |
label | Text | Daemon or agent service name |
name | Text | File name of plist (used by launchd) |
on_demand | Text | Deprecated key, replaced by keep_alive |
path | Text | Path to daemon or agent plist |
process_type | Text | Key describes the intended purpose of the job |
program | Text | Path to target program |
program_arguments | Text | Command line arguments passed to program |
queue_directories | Text | Similar to watch_paths but only with non-empty directories |
root_directory | Text | Key used to specify a directory to chroot to before launch |
run_at_load | Text | Should the program run on launch load |
start_interval | Text | Frequency to run in seconds |
start_on_mount | Text | Run daemon or agent every time a filesystem is mounted |
stderr_path | Text | Pipe stderr to a target path |
stdout_path | Text | Pipe stdout to a target path |
username | Text | Run this daemon or agent as this username |
watch_paths | Text | Key that launches daemon or agent if path is modified |
working_directory | Text | Key used to specify a directory to chdir to before launch |
collected_at | Timestamp | Time the row of data was first collected in the database |
updated_at | Timestamp | Time the row of data was last changed in the database |
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
```sql
SELECT
  name, program_arguments, COUNT(*) AS frequency
FROM mac_launchd_entries
WHERE label NOT ILIKE 'com.apple.%'
  AND run_at_load = '1'
  AND keep_alive = '1'
GROUP BY name, program_arguments
ORDER BY frequency DESC
```

name | frequency | program_arguments |
---|---|---|
com.googlecode.munki.app_usage_monitor.plist | 13 | /usr/local/munki/app_usage_monitor |
com.kolide.corp.osquery.plist | 10 | /usr/local/kolide-corp/bin/osqueryd --flagfile=/etc/kolide-corp/kolide.flags |
com.focusrite.ControlServer.plist | 9 | /Applications/Focusrite Control.app/Contents/Library/LoginItems/FocusriteControlServer.app/Contents/MacOS/FocusriteControlServer daemon |
homebrew.mxcl.postgresql.plist | 7 | /opt/homebrew/opt/postgresql/bin/postgres -D /opt/homebrew/var/postgres |
com.mice.360Daemon.plist | 5 | /Library/Application Support/MICE/360Daemon.app/Contents/MacOS/360Daemon |
Why Should I Collect Mac Launchd Entries?
Because launchd can start various third-party services and processes when a device boots, it is a frequent target of attack for malware authors. Configuring a malicious process with a launchd entry that has persistence mechanisms enabled, such as keep_alive = true or run_at_load = true, allows the malware to run and restart itself without the user's awareness.
For these reasons it is a good practice for Security and IT teams to review and audit the software configured in launchd to identify potential malware infections or undesirable software persistence mechanisms.
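A review query for the audit described above, as an added example that is not Kolide's own. It lists non-Apple entries with run_at_load or keep_alive enabled that appear on two or fewer devices, so reviewers see fleet-rare persistence first. It assumes the same table and '1' encoding as the query earlier on this page, that the query interface accepts common table expressions, and a rarity threshold of 2 chosen for illustration.

```sql
-- Added example: persistent, non-Apple launchd entries that are rare across the fleet.
-- Assumptions: run_at_load / keep_alive are stored as the text '1' when enabled
-- (as in the page's own query); the threshold of 2 devices is illustrative.
WITH persistent AS (
  SELECT device_id, device_name, label, path, program,
         program_arguments, username, run_at_load, keep_alive
  FROM mac_launchd_entries
  WHERE label NOT ILIKE 'com.apple.%'
    -- either persistence setting is enough to warrant review
    AND (run_at_load = '1' OR keep_alive = '1')
    -- entries marked disabled are skipped at boot, so leave them out
    AND COALESCE(disabled, FALSE) = FALSE
),
rarity AS (
  -- how many distinct devices carry each label
  SELECT label, COUNT(DISTINCT device_id) AS device_count
  FROM persistent
  GROUP BY label
)
SELECT p.device_name,
       p.label,
       p.path,               -- where the plist lives
       p.program,            -- what it launches
       p.program_arguments,
       p.username,           -- account the job runs as
       p.run_at_load,
       p.keep_alive,
       r.device_count
FROM persistent p
JOIN rarity r ON r.label = p.label
WHERE r.device_count <= 2
ORDER BY r.device_count ASC, p.label, p.device_name;
```

Rows from this query are review candidates rather than findings: software installed by a single developer or team is also rare, so compare path, program, and username against what is expected on that device.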
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
launchd configuration provides basic information (path of software, program arguments, etc.) about some software installed on your device. This could potentially include software used for personal or sensitive reasons, for example:
- eCigarette-Vaporizer-Control.app
- Adult-Toy-Control.app
- Fertility-Window-Tracker.app
- Torrenting-Software.app
When you use Kolide to list Mac Launchd Entry data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which can be accessed directly by employees.