#general

Jamie Windley

05/17/2019, 7:04 AM
What is the best way to log simple authentication events from Mac? I tried the table 'last' but it doesn't log success/failures and logs about 80 events per 'login'. I'm trying to look at 'user_events' but I am not sure it exists on Mac. Any guidance here?

packetzero

05/17/2019, 1:56 PM
https://www.osquery.io/schema/3.3.2#process_events is based on open BSM audit on MacOS
there should be some logon details from same stream. let me check
user_events

Jamie Windley

05/17/2019, 3:07 PM
Thanks, I've enabled a query for selecting from user_events, but I am not getting anything back. Do you know of any particular settings that need to be modified? I've modified audit_control and am successfully getting results from process_events, just not user_events 😞

packetzero

05/17/2019, 3:10 PM
yes, in /etc/security/auditd-control should have
flags:lo,aa
and auditd should be running

Jamie Windley

05/17/2019, 3:12 PM
Yes, already have that as am successfully logging process_events. I need to check auditd but I presume it is running, if process_events is updating

packetzero

05/17/2019, 3:13 PM
sudo praudit /dev/auditpipe
then do a 'sudo ls' in another terminal
you should see login details

Jamie Windley

05/17/2019, 3:19 PM
Nice, I can see those.
Wonder why selecting from user_events is empty

packetzero

05/17/2019, 3:22 PM
hmm... looking at the code, it might only be generating ssh events
given the name of the subscriber is OpenBSMSSHLoginSubscriber
if you need more, your best bet is to create an issue on the osql fork https://github.com/osql/osql/issues

Jamie Windley

05/17/2019, 3:24 PM
Ok, thank you