#macos
zwass
04/18/2020, 12:42 AM
Anyone got the new socket_events table in macOS to work? https://github.com/osquery/osquery/pull/6028 I'm trying
sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true
and not seeing any results.
12:43 AM
The PR message indicates that there is some configuration that needs to be added to /etc/security/audit_control, but does not explain what that is.
terracatta
04/18/2020, 1:20 AM
I haven't tried it yet, but reading the PR, it seems to imply that it uses OpenBSM; my guess is that something needs to be enabled there.
1:20 AM
Example OpenBSM config is at the bottom of this page https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
1:21 AM
that might be a good starting point
seph
04/18/2020, 2:33 AM
I have a machine kicking around that’s got the security configs for process auditing. I haven’t tried socket auditing, but the BSM side was pretty easy. Docs as Jason said.
CptOfEvilMinions
04/20/2020, 3:59 PM
I used the following config posted by @terracatta from the Osquery docs and it didn’t work for me. Steps I took:
1. Pasted content from Osquery docs on process monitoring for macOS to /etc/security/audit_control
2. sudo audit -s
3. Reboot
4. Login
5. Open terminal
6. sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true
7. Opened Chrome and browsed to google.com, yahoo.com, and reddit.com
8. select * from socket_events; - No results
macOS version: 10.15.4
Osquery version: 4.3.0
zwass
04/20/2020, 6:00 PM
Worked it out and put in a PR here: https://github.com/osquery/osquery/pull/6407