You should be able to use

--audit_allow_config

and that will set the right audit rules for

process_events

and

socket_events

@theopolis can I get some clarification on

--audit_allow_config

flag. The Linux section has the

--audit_allow_config

flag and and states if set to true it will modify the

/etc/audit.conf

, which I know is true. The current docs for Process auditing (link below) state that for macOS you have to modify

/etc/security/audit_controls

manually. I don’t see any indication from the docs that setting ``--audit_allow_config` to true will modify

/etc/security/audit_controls

. https://osquery.readthedocs.io/en/stable/deployment/process-auditing/

Sure, yeah we need to update the documentation for macOS to mention that

--audit_allow_config

is preferred and that editing the

audit_controls

file is a manual way to have more nuanced control over audit settings.

Ahhhhhhh okay. I have been doing manually editing of the file all along. Thanks for the clarification!!!

The flag should work the same way on macOS and on Linux. If enabled, it will use the runtime APIs to configure audit.

Yea this really is a big help. I've been ruining audit_control regularly

If you folks have some time, a pull request to update the documentation would be fantastic.

@theopolis I should have some time next week. Should it be under the event section for macos where it mentions "--disable_audit=false --disable_events=false"

Yeah wherever you think the next person such as yourself would reasonably look