What is the best way to log simple authentication ...
# generalj
Jamie Windley
05/17/2019, 7:04 AMWhat is the best way to log simple authentication events from Mac? I tried the table 'last' but it doesn't log success/failures and logs about 80 events per 'login'. I'm trying to look at 'user_events' but I am not sure it exists on Mac. Any guidance here?
p
packetzero
05/17/2019, 1:56 PMhttps://www.osquery.io/schema/3.3.2#process_events is based on open BSM audit on MacOS
packetzero
05/17/2019, 1:56 PMthere should be some logon details from same stream. let me check
packetzero
05/17/2019, 1:57 PMuser_events
j
Jamie Windley
05/17/2019, 3:07 PMThanks, I've enabled a query for selecting from user_events, but I am not getting anything back. Do you know of any particular settings that need to be modified? I've modified audit_control and am successfully getting results from process_events, just not user_events 😞
p
packetzero
05/17/2019, 3:10 PMyes, in /etc/security/auditd-control should have
flags:lo,aapacketzero
05/17/2019, 3:10 PMand auditd should be running
j
Jamie Windley
05/17/2019, 3:12 PMYes, already have that as am successfully logging process_events. I need to check auditd but I presume it is running, if process_events is updating
p
packetzero
05/17/2019, 3:13 PMsudo praudit /dev/auditpipe
packetzero
05/17/2019, 3:13 PMthen do a 'sudo ls' in another terminal
packetzero
05/17/2019, 3:13 PMyou should see login details
j
Jamie Windley
05/17/2019, 3:19 PMNice, I can see those.
Jamie Windley
05/17/2019, 3:19 PMWonder why selecting from user_events is empty
p
packetzero
05/17/2019, 3:22 PMhmm... looking at the code, it might only be generating ssh events
packetzero
05/17/2019, 3:22 PMgiven the name of teh subscriber is OpenBSMSSHLoginSubscriber
packetzero
05/17/2019, 3:23 PMif you need more, your best bet is to create an issue on the osql fork https://github.com/osql/osql/issues
j
Jamie Windley
05/17/2019, 3:24 PMOk, thank you
2 Views