# macos
m
Anyone know what data/events the `ad` (administrative) flag provides in `audit_control`?
s
@Mark I just happened to mess with this a couple of days ago. I still need to validate visibility via osquery; however, I did validate via `/dev/auditpipe` on macOS. I added `ad` to `audit_control`. I then tailed `/dev/auditpipe` and validated that audit recorded when I su'd to root from my user account. Now what I need to do is validate that osquery can see that entry. I do have events enabled, I just need to perform the check. I hope that helps.
m
Interesting, thanks!
s
Sure. You can run `sudo praudit /dev/auditpipe` and then su to root in a terminal and see audit record the event. Here's a useful site that helped me: https://www.scip.ch/en/?labs.20150108
Since Darwin is a BSD derivative, this manpage "might" be of some use: https://www.freebsd.org/cgi/man.cgi?query=praudit&sektion=1