@Mark I just happened to mess with this a couple of days ago. I just need to validate visibility via osquery; however, I did validate via the /dev/auditpipe on MacOS.
I added 'ad' to audit_control. I then tailed the /dev/auditpipe and validated that audit recorded when I su'd to root from my user account.
Now what I need to do is validate that osquery can see that entry. I do have events enabled, I just need to perform the check. I hope that helps.
09/18/2018, 2:49 PM
09/18/2018, 3:09 PM
Sure. You can run: sudo praudit /dev/auditpipe and then su to root in a terminal and see the audit record the event.
Here's a useful site that helped me.