
Mark

09/13/2018, 2:53 PM
Anyone know what data/events the 'ad' (administrative) flag provides in audit_control?

Shad0wSix

09/18/2018, 2:47 PM
@Mark I just happened to mess with this a couple of days ago. I still need to validate visibility via osquery; however, I did validate via the /dev/auditpipe on macOS. I added 'ad' to audit_control. I then tailed the /dev/auditpipe and validated that audit recorded when I su'd to root from my user account. Now what I need to do is validate that osquery can see that entry. I do have events enabled, I just need to perform the check. I hope that helps.

Mark

09/18/2018, 2:49 PM
Interesting, thanks!

Shad0wSix

09/18/2018, 3:09 PM
Sure. You can run: sudo praudit /dev/auditpipe and then su to root in a terminal and see the audit record the event. Here's a useful site that helped me. https://www.scip.ch/en/?labs.20150108
Since Darwin is a BSD derivative this manpage "might" be of some use. https://www.freebsd.org/cgi/man.cgi?query=praudit&sektion=1