theopolis
09/16/2020, 6:55 PM
--audit_allow_config and that will set the right audit rules for process_events and socket_events
CptOfEvilMinions
09/16/2020, 8:20 PM
--audit_allow_config flag. The Linux section has the --audit_allow_config flag and states if set to true it will modify the /etc/audit.conf, which I know is true. The current docs for Process auditing (link below) state that for macOS you have to modify /etc/security/audit_controls manually. I don't see any indication from the docs that setting `--audit_allow_config` to true will modify /etc/security/audit_controls.
https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
theopolis
09/16/2020, 8:24 PM
--audit_allow_config is preferred and that editing the audit_controls file is a manual way to have more nuanced control over audit settings.
> The Linux section has the --audit_allow_config flag and states if set to true it will modify the /etc/audit.conf, which I know is true.
Quick clarification here, the flag does not edit the file contents. The flag tells osquery it is OK to configure audit via the netlink socket.
CptOfEvilMinions
09/16/2020, 8:24 PM
theopolis
09/16/2020, 8:25 PM
Keiran
09/16/2020, 8:25 PM
theopolis
09/16/2020, 8:26 PM
Keiran
09/16/2020, 8:27 PM
theopolis
09/16/2020, 9:52 PM