macos: automating audit rules install

[npamnani-uptycs]

No need to edit macos /etc/security/* files and reboot the machine anymore.
if --disable_audit is false, rules are controlled by -
--audit_allow_sockets default(false)
--audit_allow_process_events default(true)
--audit_allow_user_events default(true)
--audit_allow_fim_events default(false)

With this implementation osquery can inform kernel in what events its interested. That way it will not interfere with default audit trail mechanism of the system. Unlike linux kernel, OSX takes the responsibility of de-multiplexing the audit messages and apply the installed rules before delivering the messages to the userland.

[theopolis]

Awesome! Do you know if this configuration needs to be removed / restored each time osquery runs? I think the important part is restoring the audit configuration if osquery stops.

[theopolis]

Also it looks like the CI build failures are valid.

[npamnani-uptycs]

Do you know if this configuration needs to be removed / restored each time osquery runs? I think the important part is restoring the audit configuration if osquery stops.

We are configuring the audit pipe i.e. setting the attributes of audit pipe fd. We are not disturbing the setting of audit trail. In fact we can create 32(in case of 10.12 kernel) audit pipes and all can work independently and all can have different filtering rules and settings and which go away once fd is closed.