Hello guys. Has anyone managed to enable `user_eve...
# generalk
KK
07/20/2023, 6:54 AMHello guys. Has anyone managed to enable
user_events Copy code
--audit_allow_config
--audit_allow_user_events
--disable_audit=false
--disable_events=falses
sharvil
07/20/2023, 8:39 AMthere are a couple of more flags needed
--enable_keyboard_events=true--enable_mouse_events=truek
KK
07/20/2023, 8:44 AMThanks for the quick response. By relevant macos permissions, would you be referring to the correct auditd configuration? I've modified mine to match the one suggested in the osquery docs. Just wondering if I missed out on any other macos settings
s
sharvil
07/20/2023, 8:47 AMNo, these are the “Input Monitoring” permissions in macOS system preference/settings, osquery will need to be on the allow list there iirc
k
KK
07/20/2023, 9:13 AMGave your suggestion a go, I see events under user_interaction_events rather than user_events
s
sharvil
07/20/2023, 9:43 AMah okay..I see, I think you might have to add relevant flags to your
/etc/security/audit_controlsharvil
07/20/2023, 9:44 AMand the
audit_usermansharvil
07/20/2023, 9:45 AMand just a heads up, this uses OpenBSM, and apple has deprecated it since the last few macOS releases, so while it sill works, it could also be broken/go away in the future release
k
KK
07/20/2023, 9:47 AMGotcha, I'll tinker around. Cheers!
s
sharvil
07/20/2023, 9:49 AMcool, let us know! I will try to poke around when I have time, but a few relevant links: https://man.freebsd.org/cgi/man.cgi?apropos=0&sektion=5&query=audit_control&manpath=FreeBSD+7.0-current&format=html and https://man.freebsd.org/cgi/man.cgi?query=audit_user&sektion=5&apropos=0&manpath=FreeBSD+13.2-RELEASE+and+Ports
3 Views