alessandrogario (01/03/2020, 6:30 PM)

Jamie Windley (01/03/2020, 6:40 PM)

alessandrogario (01/03/2020, 6:41 PM)

Jamie Windley (01/03/2020, 8:20 PM)

alessandrogario (01/03/2020, 8:20 PM)

Jamie Windley (01/03/2020, 8:22 PM)
select * from process_events;

alessandrogario (01/03/2020, 8:25 PM)

Jamie Windley (01/03/2020, 8:26 PM)
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:ex,pc,ap,aa,lo,ad
minfree:5
naflags:no
policy:cnt,argv,arge
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
alessandrogario (01/03/2020, 8:58 PM)

Jamie Windley (01/04/2020, 5:13 PM)
osqueryi
I can run the command which shows which flags are active

theopolis (01/04/2020, 5:23 PM)
osqueryi and osqueryd may not be using the same config file, so double check! When testing in the shell, running select * from osquery_events and looking at the active column for process_events will give a strong indicator of whether the table is working.

Jamie Windley (01/05/2020, 12:48 PM)
active flag for the process_events