Reapply Mac Audit Logs (#19989) after fixing the dependency (#20554)

* Reapply "[AI-5153] DDS: Mac Audit Logs Integration v1.0.0 (#19989)" (#20535)

This reverts commit a065a24.

* Fix dependency (move it to optional dependencies, pin it, and set it to the same version the agent is using)

Author: nubtron

.codecov.yml

@@ -410,6 +410,10 @@ coverage:
         target: 75
         flags:
         - litellm
+      Mac_Audit_Logs:
+        target: 75
+        flags:
+        - mac_audit_logs
       MapR:
         target: 75
         flags:
@@ -1314,6 +1318,11 @@ flags:
     paths:
     - litellm/datadog_checks/litellm
     - litellm/tests
+  mac_audit_logs:
+    carryforward: true
+    paths:
+    - mac_audit_logs/datadog_checks/mac_audit_logs
+    - mac_audit_logs/tests
   mapr:
     carryforward: true
     paths:

.github/CODEOWNERS

@@ -538,6 +538,11 @@ plaid/assets/logs/                                                  @DataDog/saa
 /forcepoint_security_service_edge/manifest.json                      @DataDog/saas-integrations @DataDog/documentation
 /forcepoint_security_service_edge/assets/logs/                       @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
 
+/mac_audit_logs/                                                     @DataDog/agent-integrations
+/mac_audit_logs/*.md                                                 @DataDog/agent-integrations @DataDog/documentation
+/mac_audit_logs/manifest.json                                        @DataDog/agent-integrations @DataDog/documentation
+/mac_audit_logs/assets/logs/                                         @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend
+
 /gpu/                                                                @DataDog/ebpf-platform
 /gpu/*.md                                                            @DataDog/ebpf-platform @DataDog/documentation
 /gpu/manifest.json                                                   @DataDog/ebpf-platform @DataDog/agent-integrations @DataDog/documentation

.github/workflows/config/labeler.yml

@@ -395,6 +395,8 @@ integration/linux_proc_extras:
 - linux_proc_extras/**/*
 integration/litellm:
 - litellm/**/*
+integration/mac_audit_logs:
+- mac_audit_logs/**/*
 integration/mailchimp:
 - mailchimp/**/*
 integration/mapr:

.github/workflows/test-all.yml

@@ -2494,6 +2494,26 @@ jobs:
       minimum-base-package: ${{ inputs.minimum-base-package }}
       pytest-args: ${{ inputs.pytest-args }}
     secrets: inherit
+  jc1b3d1e:
+    uses: ./.github/workflows/test-target.yml
+    with:
+      job-name: Mac Audit Logs
+      target: mac_audit_logs
+      platform: linux
+      runner: '["ubuntu-22.04"]'
+      repo: "${{ inputs.repo }}"
+      python-version: "${{ inputs.python-version }}"
+      standard: ${{ inputs.standard }}
+      latest: ${{ inputs.latest }}
+      agent-image: "${{ inputs.agent-image }}"
+      agent-image-py2: "${{ inputs.agent-image-py2 }}"
+      agent-image-windows: "${{ inputs.agent-image-windows }}"
+      agent-image-windows-py2: "${{ inputs.agent-image-windows-py2 }}"
+      test-py2: ${{ inputs.test-py2 }}
+      test-py3: ${{ inputs.test-py3 }}
+      minimum-base-package: ${{ inputs.minimum-base-package }}
+      pytest-args: ${{ inputs.pytest-args }}
+    secrets: inherit
   ja15251c:
     uses: ./.github/workflows/test-target.yml
     with:

mac_audit_logs/CHANGELOG.md

@@ -0,0 +1,4 @@
+# CHANGELOG - mac_audit_logs
+
+<!-- towncrier release notes start -->
+

mac_audit_logs/README.md

@@ -0,0 +1,109 @@
+## Overview
+
+[Mac Audit Logs][1] captures detailed information about system events, user actions, network and security-related activities. These logs are crucial for monitoring system integrity, identifying unauthorized access, and ensuring adherence to security policies and regulations.
+
+This integration provides enrichment and visualization for various log types, including:
+
+- **Authentication and Authorization** events  
+- **Administrative** activities  
+- **Network** events  
+- **File Access** activities  
+- **Input/Output Control**  
+- **IPC (Inter-Process Communication)**  
+
+This integration collects Mac audit logs and sends them to Datadog for analysis, providing visual insights through out-of-the-box dashboards and the Log Explorer. It also helps monitor and respond to security threats with ready-to-use Cloud SIEM detection rules.
+
+* [Log Explorer][2]
+* [Cloud SIEM][3]
+
+## Setup
+
+### Installation
+
+To install the Mac Audit Logs integration, run the following Agent installation command and follow the steps below. For more information, see the [Integration Management][4] documentation.
+
+For Mac, run:
+  ```shell
+  sudo datadog-agent integration install datadog-mac-audit-logs==1.0.0
+  ```
+
+
+### Configuration
+
+#### Configure BSM Auditing on Mac
+**Note**: The following steps are required for the Mac version >=14.
+
+1. Copy the configurations from `audit_control.example` to `audit_control`
+    ```shell
+    cp /etc/security/audit_control.example /etc/security/audit_control
+    ```
+
+2. Update the configuration to specify the event types that should be audited. Execute the command below to audit all event types:
+    ```shell
+    sudo sed -i '' 's/^flags:.*/flags:all/' /etc/security/audit_control && \
+    sudo sed -i '' 's/^naflags:.*/naflags:all/' /etc/security/audit_control
+    ```
+3. Restart `auditd` service:
+    ```shell
+    /bin/launchctl enable system/com.apple.auditd
+    ```
+
+4. Restart the Mac.
+
+### Validation
+
+[Run the Agent's status subcommand][5] and look for `mac_audit_logs` under the Checks section.
+
+## Data Collected
+
+### Metrics
+
+The Mac Audit Logs integration does not include any metrics.
+
+### Log Collection
+
+1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file:
+
+   ```yaml
+   logs_enabled: true
+   ```
+
+2. Configure `mac_audit_logs.d/conf.yaml` file to start collecting Mac audit logs.
+
+   See the [sample mac_audit_logs.d/conf.yaml][6] for available configuration options.
+
+      ```yaml
+      init_config:
+      instances:
+        - MONITOR: true
+          AUDIT_LOGS_DIR_PATH: /var/audit
+          min_collection_interval: 15
+      logs:
+        - type: integration
+          service: mac-audit-logs
+          source: mac-audit-logs
+      ```
+
+   **Note**:
+     - Do not change the `service` and `source` values, as they are essential for proper log pipeline processing.
+     - Default value for `AUDIT_LOGS_DIR_PATH` is `/var/audit`. In case of different BSM audit logging directory, please check `dir` value in `/etc/security/audit_control` file.
+
+3. [Restart the Agent][7].
+
+### Events
+
+The Mac Audit Logs integration does not include any events.
+
+## Troubleshooting
+
+Need help? Contact [Datadog support][8].
+
+
+[1]: https://www.apple.com/mac/
+[2]: https://docs.datadoghq.com/logs/explorer/
+[3]: https://www.datadoghq.com/product/cloud-siem/
+[4]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install
+[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
+[6]: https://github.com/DataDog/integrations-core/blob/master/mac_audit_logs/datadog_checks/mac_audit_logs/data/conf.yaml.example
+[7]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent
+[8]: https://docs.datadoghq.com/help/

mac_audit_logs/assets/configuration/spec.yaml

@@ -0,0 +1,35 @@
+name: Mac Audit Logs
+files:
+- name: mac_audit_logs.yaml
+  options:
+  - template: init_config
+    options:
+    - template: init_config/default
+  - template: instances
+    options:
+    - name: MONITOR
+      required: true
+      description: "Flag indicating Mac audit log collection status. Set to true to enable collection."
+      value:
+        type: boolean
+        example: true
+    - name: AUDIT_LOGS_DIR_PATH
+      required: true
+      description: "Path to the directory containing the BSM audit logs."
+      value:
+        type: string
+        example: /var/audit
+    - template: instances/default
+      overrides:
+        min_collection_interval.required: true
+        min_collection_interval.value.example: 15
+        min_collection_interval.value.minimum: 1
+        min_collection_interval.value.maximum: 64800
+        service.hidden: true
+        empty_default_hostname.hidden: true
+        metric_patterns.hidden: true
+  - template: logs
+    example:
+    - type: integration
+      service: mac-audit-logs
+      source: mac-audit-logs