# macos
Anyone know what data/events the `ad` (administrative) flag provides in
@Mark I just happened to mess with this a couple of days ago. I still need to validate visibility via osquery; however, I did validate via the /dev/auditpipe on macOS. I added `ad` to audit_control. I then tailed the /dev/auditpipe and validated that audit recorded when I su'd to root from my user account. Now what I need to do is validate that osquery can see that entry. I do have events enabled, I just need to perform the check. I hope that helps.
Interesting, thanks!
Sure. You can run `sudo praudit /dev/auditpipe` and then su to root in a terminal and see the audit record the event. Here's a useful site that helped me.
Since Darwin is a BSD derivative, this manpage "might" be of some use.
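The procedure above (add `ad` to the `flags:` line of audit_control, restart auditd, watch /dev/auditpipe with praudit, then su) as an added shell example; this is not code from the thread or from osquery. It assumes the OpenBSM layout of `/etc/security/audit_control` (a `flags:` line holding a comma-separated list of audit classes, optionally prefixed with `+`, `-` or `^`) and uses a constructed sample file modelled on the macOS default (`flags:lo,aa`) so the config-editing part runs offline; `enable_audit_class` prints the rewritten file rather than touching /etc. The live check at the end only runs where `praudit` exists and needs root; the osquery query is the follow-up check the poster still intends to do and assumes `process_events` is enabled.

```shell
#!/bin/sh
# Added example, not from the thread. Idempotently add an audit class (here `ad`)
# to the OpenBSM audit_control "flags:" line and show the praudit validation step.

# has_audit_class FLAGS CLASS: 0 if CLASS already appears in the comma-separated
# FLAGS list, ignoring a +/-/^ prefix (e.g. "-ad" = failed admin events only).
has_audit_class() {
    flags="$1"; cls="$2"
    printf '%s\n' "$flags" | tr ',' '\n' | sed 's/^[-+^]*//' | grep -qx -- "$cls"
}

# add_audit_class FLAGS CLASS: print FLAGS with CLASS appended unless it is
# already present (in any prefixed form) or FLAGS is the catch-all "all".
add_audit_class() {
    flags="$1"; cls="$2"
    if [ "$flags" = "all" ] || has_audit_class "$flags" "$cls"; then
        printf '%s\n' "$flags"
    elif [ -z "$flags" ]; then
        printf '%s\n' "$cls"
    else
        printf '%s,%s\n' "$flags" "$cls"
    fi
}

# enable_audit_class FILE CLASS: print FILE with its first "flags:" line updated.
# Redirect the output over /etc/security/audit_control yourself, then run
# `sudo audit -s` so auditd re-reads the configuration.
enable_audit_class() {
    file="$1"; cls="$2"
    cur=$(sed -n 's/^flags:[[:space:]]*//p' "$file" | head -n 1)
    new=$(add_audit_class "$cur" "$cls")
    sed "s|^flags:.*|flags:${new}|" "$file"
}

# write_sample_audit_control: constructed sample (not a real file from the thread),
# modelled on the macOS default; prints the temp file path.
write_sample_audit_control() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample audit_control (modelled on the macOS default)
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
    printf '%s\n' "$f"
}

# validate_live: the praudit step from the thread. Run this, then `su` in another
# terminal; -l prints each record on one line so it can be grepped. macOS + root only.
validate_live() {
    command -v praudit >/dev/null 2>&1 || { echo "praudit not found; not macOS?" >&2; return 1; }
    sudo praudit -l /dev/auditpipe | grep --line-buffered -i 'su'
}

# osquery follow-up (assumption: audit-backed process_events is enabled):
#   osqueryi "SELECT time, path, cmdline, uid, euid FROM process_events WHERE path LIKE '%/su';"

if [ "${1:-}" = "demo" ]; then
    sample=$(write_sample_audit_control)
    enable_audit_class "$sample" ad
    rm -f "$sample"
fi
```

The prefix-aware check matters in practice: a `flags:` line that already carries `-ad` (failures only) is left alone rather than turned into `lo,-ad,ad`, which is a decision the operator should make explicitly.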