
zwass

04/18/2020, 12:42 AM
Anyone got the new socket_events table in macOS to work? https://github.com/osquery/osquery/pull/6028 I'm trying
sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true
and not seeing any results. The PR message indicates that there is some configuration that needs to be added to /etc/security/audit_control, but does not explain what that is.

terracatta

04/18/2020, 1:20 AM
I haven't tried it yet, but reading the PR it seems to imply that it uses OpenBSM. My guess is that something needs to be enabled there.
Example OpenBSM config is at the bottom of this page: https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
That might be a good starting point.

seph

04/18/2020, 2:33 AM
I have a machine kicking around that’s got the security configs for process auditing. I haven’t tried socket auditing, but the BSM side was pretty easy. Docs as Jason said.

CptOfEvilMinions

04/20/2020, 3:59 PM
I used the following config posted by @terracatta from the Osquery docs and it didn’t work for me. Steps I took:
1. Pasted content from Osquery docs on process monitoring for macOS to /etc/security/audit_control
2. sudo audit -s
3. Reboot
4. Login
5. Open terminal
6. sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true
7. Opened Chrome and browsed to google.com, yahoo.com, and reddit.com
8. select * from socket_events; - No results
macOS version: 10.15.4
Osquery version: 4.3.0

zwass

04/20/2020, 6:00 PM
Worked it out and put in a PR here: https://github.com/osquery/osquery/pull/6407