Anyone got the new socket_events table in macOS to...
# macos
Anyone got the new socket_events table in macOS to work? I'm trying
sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true
and not seeing any results.
The PR message indicates that there is some configuration that needs to be added to
, but does not explain what that is.
I haven't tried it yet, but reading the PR it seems to imply that it uses OpenBSM, my guess is that something needs to be enabled there
Example OpenBSM config is at the bottom of this page
that might be a good starting point
i have a machine kicking around that’s got the security configs for process auditing. I haven’t tried socket auditing, but the BSM side was pretty easy. Docs as Jason said,
I used the following config posted by @terracatta from the Osquery docs and it didn’t work for me. Steps I took 1. Pasted content from Osquery docs on process monitoring for macOS to
sudo audit -s
3. Reboot 4. Login 5. Open terminal 6.
sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true
7. Opened Chrome and browsed to,, and 8.
select * from socket_events;
- No results macOS version: 10.15.4 Osquery version: 4.3.0
Worked it out and put in a PR here: