# general
j
Assuming i otherwise have eventing enabled, and can pull user_events and es_process_events and auditd is set up right… is there a reason socket_events might be completely unpopulated? (This is on macOS)
s
Do you have `--audit_allow_sockets`?
j
Yup!
`process_open_sockets` is not empty, so I’d assume there would be socket events
Do socket events require process events? (I have those off in favor of es_process_events)
s
What hardware specifically? x86? M1/M2? Bare metal or VM?
j
M1, physical
My audit_control file right now (for testing) has flags:all and naflags:all so that shouldn’t be limiting it
I can grab user_events, but weirdly only OpenSSH events show up for that, not other auth events
s
`socket_events` should not depend on `process_events`. But I'm noticing this too
oh wait, giving `--audit_allow_config` makes it work
j
Interesting, do you lack an /etc/security/audit_control file?
s
Admittedly I'm less familiar with OpenBSM. I think you were mentioning earlier that you should've configured it via file, I assume (and I guess you avoided passing `--audit_allow_config`)?
I do have that file
j
Do you get anything with `pgrep auditd`?
s
yep
j
Ok, so you re-enabled it at some point
Or jamf did :P
s
I guess I should try on a VM too to avoid messing with my host, since indeed there is something using it. But I did start with an audit_control that did not include the socket_events, so it makes sense that without the flag, the pipe is not configured to get those events. Though in your case you have audit_control with everything enabled, but you do not pass that last flag, correct?
j
Yeah
But I can try it both ways
s
So, testing in the VM, the issue is that you need to restart the whole system if you change `audit_control`, otherwise `auditd` won't pick up the change.
Or you might have to disable SIP to then be able to properly restart `auditd` without restarting the system
it was mentioned here
b
Yeah as another data point, running with `--audit_allow_config` (and the various other flags) works for us to collect both `socket_events` and `es_process_events`. Just make sure to be on latest version with this fix https://github.com/osquery/osquery/issues/8076 otherwise there are sporadic crashes
j
Ok thank you :) will keep trying
Is the scnetwork publisher needed here?
I think this just uses openbsm as the publisher
I know that this won’t work with osqueryi, I am checking all of this by sending queries via fleet to osqueryd
b
You should be able to test with osqueryi:
sudo osqueryi --disable_audit=false --disable_events=false --disable_endpointsecurity=false --audit_allow_sockets=true --audit_allow_config=true
(I haven't looked into how to get things working without --audit_allow_config though)
s
My tests have been with `osqueryi`. Events do work with the shell, it's just that expiration behaves slightly differently (and only looks at the value in the `events_expiry` flag). The link I provided above mentions that you can edit `audit_control`, but then you need to reboot yourself.
Which is what I did too
j
Yeah, I have a “I’m holding it wrong” problem here somewhere
What’s weird is `select * from osquery_events` shows there are thousands of openbsm events, and 22 subscriptions
Unfortunately, I don’t think I can access that store directly
s
> What’s weird is `select * from osquery_events` shows there are thousands of openbsm events, and 22 subscriptions
I think this is a shortcoming/bug of the implementation. As far as I can see the `process_events` table itself is always active, it's just that `audit_allow_process_events` controls the configuration only
this is not the case for the socket_events one, where it would also ignore the socket_events
process_events is basically missing a check to avoid enabling the table if `audit_allow_process_events` is false
so since you've externally enabled the events, osquery is receiving them and handing them to the table
j
Hmmm
s
but that's unrelated with the problem you're having
when you said "Unfortunately, I don’t think I can access that store directly" what did you mean?
j
Oh, accessing the openbsm publisher