#general
Jamie Windley

05/17/2019, 7:04 AM
What is the best way to log simple authentication events from Mac? I tried the table 'last' but it doesn't log success/failures and logs about 80 events per 'login'. I'm trying to look at 'user_events' but I am not sure it exists on Mac. Any guidance here?
packetzero

05/17/2019, 1:56 PM
https://www.osquery.io/schema/3.3.2#process_events is based on open BSM audit on MacOS
1:56 PM
there should be some logon details from same stream. let me check
1:57 PM
user_events
Jamie Windley

05/17/2019, 3:07 PM
Thanks, I've enabled a query for selecting from user_events, but I am not getting anything back. Do you know of any particular settings that need to be modified? I've modified audit_control and am successfully getting results from process_events, just not user_events 😞
packetzero

05/17/2019, 3:10 PM
yes, in /etc/security/auditd-control should have
flags:lo,aa
3:10 PM
and auditd should be running
Jamie Windley

05/17/2019, 3:12 PM
Yes, I already have that, as I am successfully logging process_events. I need to check auditd, but I presume it is running if process_events is updating.
packetzero

05/17/2019, 3:13 PM
sudo praudit /dev/auditpipe
3:13 PM
then do a 'sudo ls' in another terminal
3:13 PM
you should see login details
Jamie Windley

05/17/2019, 3:19 PM
Nice, I can see those.
3:19 PM
Wonder why selecting from user_events is empty
packetzero

05/17/2019, 3:22 PM
hmm... looking at the code, it might only be generating ssh events
3:22 PM
given the name of the subscriber is OpenBSMSSHLoginSubscriber
3:23 PM
if you need more, your best bet is to create an issue on the osql fork https://github.com/osql/osql/issues
Jamie Windley

05/17/2019, 3:24 PM
Ok, thank you