#macos
Brandon

11/20/2020, 8:23 PM
Just a sanity check to ensure that we have a decent collection for our osquery deployments over macOS. I would love to get the process auditing working.
--force=true
--host_identifier=hostname
--verbose=true
--tls_dump=true
--tls_hostname=___SITE____
--tls_server_certs=__PATH_TO_CERTS__
--enroll_secret_path=__PATH_TO_SECRET___
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--disable_events=false
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_process_events=true
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
Magneto

12/01/2020, 10:42 PM
did you enable the process events via the OpenBSM config file?
Brandon

12/03/2020, 11:08 PM
I did not. How would I go about that? Is it just a flag?
4:17 PM
you need to edit the file in /etc/security and reboot
4:17 PM
(apologies for the delayed response)