Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
z
zwass
04/18/2020, 12:42 AMAnyone got the new socket_events table in macOS to work? https://github.com/osquery/osquery/pull/6028
I'm trying
sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=trueThe PR message indicates that there is some configuration that needs to be added to
/etc/security/audit_controlt
terracatta
04/18/2020, 1:20 AMI haven't tried it yet, but reading the PR it seems to imply that it uses OpenBSM, my guess is that something needs to be enabled there
Example OpenBSM config is at the bottom of this page https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
that might be a good starting point
s
seph
04/18/2020, 2:33 AMi have a machine kicking around that’s got the security configs for process auditing. I haven’t tried socket auditing, but the BSM side was pretty easy. Docs as Jason said,
c
CptOfEvilMinions
04/20/2020, 3:59 PMI used the following config posted by @terracatta from the Osquery docs and it didn’t work for me.
Steps I took
1. Pasted content from Osquery docs on process monitoring for macOS to
/etc/security/audit_controlsudo audit -ssudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=trueselect * from socket_events;z
zwass
04/20/2020, 6:00 PMWorked it out and put in a PR here: https://github.com/osquery/osquery/pull/6407