https://github.com/osquery/osquery
#macos

theopolis

09/16/2020, 6:55 PM
You should be able to use `--audit_allow_config` and that will set the right audit rules for `process_events` and `socket_events`.

CptOfEvilMinions

09/16/2020, 8:20 PM
@theopolis can I get some clarification on the `--audit_allow_config` flag? The Linux section has the `--audit_allow_config` flag and states that if set to true it will modify `/etc/audit.conf`, which I know is true. The current docs for Process auditing (link below) state that for macOS you have to modify `/etc/security/audit_controls` manually. I don't see any indication from the docs that setting `--audit_allow_config` to true will modify `/etc/security/audit_controls`. https://osquery.readthedocs.io/en/stable/deployment/process-auditing/

theopolis

09/16/2020, 8:24 PM
Sure, yeah we need to update the documentation for macOS to mention that `--audit_allow_config` is preferred and that editing the `audit_controls` file is a manual way to have more nuanced control over audit settings.

> The Linux section has the `--audit_allow_config` flag and states that if set to true it will modify `/etc/audit.conf`, which I know is true.

Quick clarification here, the flag does not edit the file contents. The flag tells osquery it is OK to configure audit via the netlink socket.

CptOfEvilMinions

09/16/2020, 8:24 PM
Ahhhhhhh okay. I have been manually editing the file all along. Thanks for the clarification!!!

theopolis

09/16/2020, 8:25 PM
The flag should work the same way on macOS and on Linux. If enabled, it will use the runtime APIs to configure audit.

Keiran

09/16/2020, 8:25 PM
Yea this really is a big help. I've been ruining `audit_control` regularly.

theopolis

09/16/2020, 8:26 PM
If you folks have some time, a pull request to update the documentation would be fantastic. 😄

Keiran

09/16/2020, 8:27 PM
@theopolis I should have some time next week. Should it be under the event section for macOS where it mentions `--disable_audit=false --disable_events=false`?

theopolis

09/16/2020, 9:52 PM
Yeah wherever you think the next person such as yourself would reasonably look