JAMF Connect - Privilege Escalation logging

duff2481-1
Contributor

We are trying to understand how to pull what has been done when someone requests elevation through JamfConnect.  I know that we can look at there reasonslog to see what reason they selected and when they elevated, but we will want to know what was changed.  I thought there was something about being able to forward to Jamf Protect and we've added a couple configurations for both the reasons log and 

subsystem == "com.jamf.connect.daemon" && category == "PrivilegeElevation"

 however this is not providing us with what happened.  Did they change system settings, did they uninstall or install an application?  Has anyone set this up successfully?  We're working with our SIEM but need to know where to get these logs first before we can look to forward them anywhere. 

4 REPLIES 4

John_Valdez
New Contributor

@duff2481-1 wrote:

Did they change system settings, did they uninstall or install an application? 


We are looking to get the exact info as well. We are not able to deploy this tool if this kind of information can't be logged and audited.

I don't think there's any way to get the information today, but would love to hear from the Jamf Support team and the community on how they are approaching this issue.

mm2270
Legendary Contributor III

Posting here so I'm notified of any responses. I'm interested in the Jamf Connect privilege escalation capability, but culling information around it hasn't been so easy to figure out. This is an important aspect for us too, as I doubt we will be able to get an approval to use this escalation path unless we can prove we can capture logs of what's being done by the user during that elevated period of time. Our InfoSec team will not like it if we can't show that.

duff2481-1
Contributor

Inside of Jamf Protect, we've create a new log called 'JamfProtect.log' under 'Telemetry'.  Within this JamfProtect.log, we have included /private/var/log/install.log logs to see what is being installed / uninstalled. We then take the jamfprotect log and send that to our SIEM.   This is early on and we may need to add additional files within the jamfprotect.log but this is where we are starting. 

Ventures
New Contributor

Would love this option as well.  Posting for update.