# macos
t
You should be able to use `--audit_allow_config` and that will set the right audit rules for `process_events` and `socket_events`
c
@theopolis can I get some clarification on the `--audit_allow_config` flag. The Linux section has the `--audit_allow_config` flag and states that if set to true it will modify `/etc/audit.conf`, which I know is true. The current docs for Process auditing (link below) state that for macOS you have to modify `/etc/security/audit_controls` manually. I don't see any indication from the docs that setting `--audit_allow_config` to true will modify `/etc/security/audit_controls`. https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
t
Sure, yeah we need to update the documentation for macOS to mention that `--audit_allow_config` is preferred and that editing the `audit_controls` file is a manual way to have more nuanced control over audit settings.
> The Linux section has the `--audit_allow_config` flag and states that if set to true it will modify `/etc/audit.conf`, which I know is true.
Quick clarification here, the flag does not edit the file contents. The flag tells osquery it is OK to configure audit via the netlink socket.
c
Ahhhhhhh okay. I have been manually editing the file all along. Thanks for the clarification!!!
t
The flag should work the same way on macOS and on Linux. If enabled, it will use the runtime APIs to configure audit.
k
Yea this really is a big help. I've been ruining `audit_control` regularly
t
If you folks have some time, a pull request to update the documentation would be fantastic.
😄
k
@theopolis I should have some time next week. Should it be under the event section for macos where it mentions "--disable_audit=false --disable_events=false"
t
Yeah wherever you think the next person such as yourself would reasonably look