Anyone know what data events the `ad` administrative flag pr

Question

Anyone know what data events the `ad` administrative flag provides in `audit control`

Shad0wSix · Answer

< Mark> I just happened to mess with this a couple of days ago I just need to validate visibility via osquery however I did validate via the dev auditpipe on MacOS I added ad to audit control I then tailed the dev auditpipe and validates that audit recorded when I su d to root from my user account Now what I need to do is validate that osquery can see that entry I do have events enabled I just need to perform the check I hope that helps

Mark · Answer

Interesting thanks

Shad0wSix · Answer

Sure You can run sudo praudit dev auditpipe and then su to root in a terminal and see the audit record the event Here s a useful site that helped me <https www scip ch en labs 20150108>

Shad0wSix · Answer

Since Darwin is a BSD derivative this manpage might be of some use <https www freebsd org cgi man cgi query=praudit amp sektion=1>