From 7c8008bfd71b576c4edab5e5d47b0e1a476dfae8 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Thu, 2 May 2024 20:15:34 +0200
Subject: [PATCH 1/2] Update auditctl.yaml

---
 artifacts/live_response/system/auditctl.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/artifacts/live_response/system/auditctl.yaml b/artifacts/live_response/system/auditctl.yaml
index 1a9829c0..fbec7980 100644
--- a/artifacts/live_response/system/auditctl.yaml
+++ b/artifacts/live_response/system/auditctl.yaml
@@ -2,14 +2,14 @@ version: 1.0
 artifacts:
   -
     description: Display kernel's audit rules.
-    supported_os: [linux]
+    supported_os: [linux, macos]
     collector: command
     command: auditctl -l
     output_file: auditctl_-l.txt
   -
     description: Display the kernel's audit subsystem status.
-    supported_os: [linux]
+    supported_os: [linux, macos]
     collector: command
     command: auditctl -s
     output_file: auditctl_-s.txt
-
\ No newline at end of file
+

From 7b12fd99e68d5cce929ee036573257dd3e9a56be Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Wed, 15 May 2024 19:41:06 -0300
Subject: [PATCH 2/2] artif: add /var/audit

---
 artifacts/files/logs/macos.yaml | 7 +++++++
 artifacts/live_response/system/auditctl.yaml | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/artifacts/files/logs/macos.yaml b/artifacts/files/logs/macos.yaml
index 8bf2051e..1e1c566c 100644
--- a/artifacts/files/logs/macos.yaml
+++ b/artifacts/files/logs/macos.yaml
@@ -24,4 +24,11 @@ artifacts:
     collector: file
     path: /%user_home%/Library/Logs
     max_file_size: 1073741824 # 1GB
 
+  -
+    description: Collect auditd logs.
+    # Reference: https://medium.com/@boutnaru/the-macos-process-journey-auditd-audit-log-management-daemon-1addd6698016
+    supported_os: [macos]
+    collector: file
+    path: /var/audit
+    max_file_size: 1073741824 # 1GB
\ No newline at end of file
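Review bot: `auditctl` is the Linux audit-userspace command, so the `macos` value added to both `supported_os` lists in this hunk points the `command` collector at a binary that, as far as I know, macOS does not ship (its OpenBSM framework provides `audit`, `auditd` and `praudit` instead); on a macOS host both entries would fail or write empty `auditctl_-l.txt`/`auditctl_-s.txt` files. PATCH 2/2 in this series reverts both lines, so nothing further is needed for that, but squashing the two commits would avoid an intermediate revision that advertises an unsupported platform. Separately, swapping the final un-terminated `-` line for an empty `+` line leaves the file ending in a blank line followed by a newline; ending the file directly after `output_file: auditctl_-s.txt` would match the one-trailing-newline convention, and PATCH 2/2 does not touch that line.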
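Review bot: The new `description: Collect auditd logs.` in the macos.yaml hunk understates what `/var/audit` contains: OpenBSM normally writes binary BSM audit trails there (files named by start/stop timestamp plus a `current` symlink to the active trail), readable only by root and decoded with `praudit` rather than read as text, so analysts would benefit from `description: Collect OpenBSM audit trails (binary BSM format, decode with praudit).` and a reference to Apple's `audit(4)`/`audit_control(5)` man pages or the OpenBSM project beside the Medium link. If the `file` collector follows symlinks, the `current` link will duplicate the active trail, which is worth confirming against the collector's behaviour or excluding explicitly. On recent macOS releases OpenBSM auditing is deprecated and may be disabled, so an empty or absent `/var/audit` is an expected outcome rather than a collection failure; a one-line comment saying so would save triage time. The new last line also lacks a trailing newline (`\ No newline at end of file`), which the previous entry in this file had.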
diff --git a/artifacts/live_response/system/auditctl.yaml b/artifacts/live_response/system/auditctl.yaml
index fbec7980..19e91401 100644
--- a/artifacts/live_response/system/auditctl.yaml
+++ b/artifacts/live_response/system/auditctl.yaml
@@ -2,13 +2,13 @@ version: 1.0
 artifacts:
   -
     description: Display kernel's audit rules.
-    supported_os: [linux, macos]
+    supported_os: [linux]
     collector: command
     command: auditctl -l
     output_file: auditctl_-l.txt
   -
     description: Display the kernel's audit subsystem status.
-    supported_os: [linux, macos]
+    supported_os: [linux]
     collector: command
     command: auditctl -s
     output_file: auditctl_-s.txt