Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Anyone got the new socket_events table in macOS to work? <https://github.com/osquery/osquery/pull/6028>

I'm trying `sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true` and not seeing any results.

The PR message indicates that there is some configuration that needs to be added to `/etc/security/audit_control`, but does not explain what that is.

I haven't tried it yet, but reading the PR it seems to imply that it uses OpenBSM, my guess is that something needs to be enabled there

Example OpenBSM config is at the bottom of this page <https://osquery.readthedocs.io/en/stable/deployment/process-auditing/>

i have a machine kicking around that’s got the security configs for process auditing. I haven’t tried socket auditing, but the BSM side was pretty easy. Docs as Jason said,

I used the following config posted by <@U1BEEMRU2> from the Osquery docs and it didn’t work for me.

Steps I took
1. Pasted content from Osquery docs on process monitoring for macOS to `/etc/security/audit_control`
2. `sudo audit -s`
3. Reboot
4. Login
5. Open terminal
6. `sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true`
7. Opened Chrome and browsed to <http://google.com|google.com>, <http://yahoo.com|yahoo.com>, and <http://reddit.com|reddit.com>
8. `select * from socket_events;`  - No results

macOS version: 10.15.4
Osquery version: 4.3.0

Worked it out and put in a PR here: <https://github.com/osquery/osquery/pull/6407>