#macos

theopolis
09/16/2020, 6:55 PM
You should be able to use `--audit_allow_config` and that will set the right audit rules for `process_events` and `socket_events`.
CptOfEvilMinions
09/16/2020, 8:20 PM
@theopolis can I get some clarification on the `--audit_allow_config` flag? The Linux section has the `--audit_allow_config` flag and states that if set to true it will modify `/etc/audit.conf`, which I know is true. The current docs for Process auditing (link below) state that for macOS you have to modify `/etc/security/audit_controls` manually. I don't see any indication from the docs that setting `--audit_allow_config` to true will modify `/etc/security/audit_controls`. https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
theopolis
09/16/2020, 8:24 PM
Sure, yeah, we need to update the documentation for macOS to mention that `--audit_allow_config` is preferred and that editing the `audit_controls` file is a manual way to have more nuanced control over audit settings.
8:24 PM
"The Linux section has the `--audit_allow_config` flag and states that if set to true it will modify `/etc/audit.conf`, which I know is true."
Quick clarification here: the flag does not edit the file contents. The flag tells osquery it is OK to configure audit via the netlink socket.
CptOfEvilMinions
09/16/2020, 8:24 PM
Ahhhhhhh okay. I have been manually editing the file all along. Thanks for the clarification!!!
theopolis
09/16/2020, 8:25 PM
The flag should work the same way on macOS and on Linux. If enabled, it will use the runtime APIs to configure audit.
Keiran
09/16/2020, 8:25 PM
Yea this really is a big help. I've been ruining audit_control regularly
theopolis
09/16/2020, 8:26 PM
If you folks have some time, a pull request to update the documentation would be fantastic.
8:26 PM
😄
Keiran
09/16/2020, 8:27 PM
@theopolis I should have some time next week. Should it be under the event section for macOS where it mentions "--disable_audit=false --disable_events=false"?
theopolis
09/16/2020, 9:52 PM
Yeah wherever you think the next person such as yourself would reasonably look