macOS osquery Daemon Configuration
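This topic lists the osquery daemon configuration for macOS. The `file_paths` categories define the directories watched for file events: a single `%` matches entries one level deep, while `%%` (used here only for `/Applications`) matches recursively, so files in nested subdirectories of the other paths are not covered. The per-user Application Support directory on macOS is normally `/Users/<user>/Library/Application Support`, so verify that the `dir_user_app_support` pattern matches the intended location.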
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"utc": "true",
"enable_file_events":"true",
"disable_events":"false"
},
"file_paths": {
"dir_system_app_support": [
"/Library/Application Support/%"
],
"dir_user_app_support": [
"/Users/%/Application Support/%"
],
"dir_shared": [
"/Users/Shared/%"
],
"dir_private_tmp": [
"/private/tmp/%"
],
"dir_user_downloads": [
"/Users/%/Downloads/%"
],
"dir_native_launchd": [
"/System/Library/LaunchDaemons/%"
],
"dir_third_party_launchd": [
"/Library/LaunchDaemons/%"
],
"dir_macos_launcha": [
"/System/Library/LaunchAgents/%"
],
"dir_all_users_launcha": [
"/Library/LaunchAgents/%"
],
"dir_apps": [
"/Applications/%%"
]
},
"yara": {
"signatures": {
"sig_group_1": [ "/var/run/cisco/orbital/config/yara_sigs/suspicious_app.yar" ]
},
"file_paths": {
"dir_apps": [ "sig_group_1" ]
}
}
}