Skip to main content
Question

SAP / macOS-enterprise-privileges (Privileges.app)

  • February 10, 2023
  • 4 replies
  • 91 views
Mcleveland
Forum|alt.badge.img+7

Can anyone help me with examples of what to use so I can setup remotelogging? What companies to use, what setups? I understand if this is vague, I am actually struggling on how to ask the question.

Problem: Who should be the host for this?

Description: If RemoteLogging is used, this will send the logging for Privileges.app to a remote syslog server.

If using RemoteLogging, then the following subsidiary keys must also be set:

  • ServerType
  • ServerAddress
  • ServerPort
  • EnableTCP
  • SyslogOptions
  • LogFacility
  • LogSeverity
  • MaximumMessageSize

Sources: 
https://github.com/SAP/macOS-enterprise-privileges
https://github.com/SAP/macOS-enterprise-privileges/wiki/Managing-Privileges

    4 replies

    D
    Forum|alt.badge.img+11
    • daniel_behan
    • Valued Contributor
    • February 10, 2023

    If your organization uses a Syslog server product such as Splunk, that's what the host would be.  Here's an example of what I'm using.  The values of those keys should be provided by whoever manages your syslog server.

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>DockToggleTimeout</key>
    <integer>30</integer>
    <key>RemoteLogging</key>
    <dict>
    <key>EnableTCP</key>
    <false/>
    <key>ServerAddress</key>
    <string>"Your Server Here"</string>
    <key>ServerPort</key>
    <integer>"Your Port Here"</integer>
    <key>ServerType</key>
    <string>syslog</string>
    <key>SyslogOptions</key>
    <dict>
    <key>MaximumMessageSize</key>
    <integer>1024</integer>
    <key>LogSeverity</key>
    <integer>0</integer>
    <key>LogFacility</key>
    <integer>0</integer>
    </dict>
    </dict>
    <key>RequireAuthentication</key>
    <true/>
    <key>ReasonMinLength</key>
    <integer>10</integer>
    <key>ReasonRequired</key>
    <true/>
    <key>LimitToUser</key>
    <string>$USERNAME</string>
    </dict>
    </plist>
    Mcleveland
    Forum|alt.badge.img+7
    • Mcleveland
    • Author
    • New Contributor
    • February 10, 2023

    Any alternatives that you think would work great for this? We don't use Splunk :( 

    D
    Forum|alt.badge.img+11
    • daniel_behan
    • Valued Contributor
    • February 10, 2023

    Does your organization currently have a functioning syslog server or siem?  If so, the administrators of that server can provide you the necessary hostnames and severities.  If not and you have the cycles to provision and manage your own, I'm sure there are plenty of available resources online.  You can still use this tool without the logging if your organization doesn't have an existing logging policy.

    Mcleveland
    bowie
    Forum|alt.badge.img+3
    • bowie
    • New Contributor
    • May 22, 2023

    Can someone help me to find where should I paste my own configuration?

    Terms & ConditionsCookie settingsAccessibility statement