macOS osquery Daemon Configuration


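This topic lists the osquery daemon configuration for macOS. The configuration enables file events, defines the monitored file_paths categories, and applies the YARA signature group sig_group_1 only to the dir_apps category. In osquery path patterns, % matches a single directory level and %% matches recursively, so only /Applications/%% is monitored at every depth. macOS normally keeps per-user application support data under /Users/<user>/Library/Application Support, so confirm that the dir_user_app_support pattern covers the directory you intend to monitor.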

{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "utc": "true",
    "enable_file_events":"true",
    "disable_events":"false"
  },

  "file_paths": {
    "dir_system_app_support": [
      "/Library/Application Support/%"
   ],
    "dir_user_app_support": [
      "/Users/%/Application Support/%"
   ],
    "dir_shared": [
      "/Users/Shared/%"
   ],
    "dir_private_tmp": [
      "/private/tmp/%"
   ],
    "dir_user_downloads": [
      "/Users/%/Downloads/%"
   ],
    "dir_native_launchd": [
      "/System/Library/LaunchDaemons/%"
   ],
   "dir_third_party_launchd": [
      "/Library/LaunchDaemons/%"
   ],
   "dir_macos_launcha": [
      "/System/Library/LaunchAgents/%"
   ],
   "dir_all_users_launcha": [
      "/Library/LaunchAgents/%"
   ],
   "dir_apps": [
      "/Applications/%%"
   ]
  },

  "yara": {
    "signatures": {
      "sig_group_1": [ "/var/run/cisco/orbital/config/yara_sigs/suspicious_app.yar" ]
    },
    "file_paths": {
      "dir_apps": [ "sig_group_1" ]
    }
  }
}
