SAP / macOS-enterprise-privileges (Privileges.app)

Mcleveland
New Contributor III

Can anyone help me with examples of what to use so I can setup remotelogging? What companies to use, what setups? I understand if this is vague, I am actually struggling on how to ask the question.

Problem: Who should be the host for this?

Description: If RemoteLogging is used, this will send the logging for Privileges.app to a remote syslog server.

If using RemoteLogging, then the following subsidiary keys must also be set:

  • ServerType
  • ServerAddress
  • ServerPort
  • EnableTCP
  • SyslogOptions
  • LogFacility
  • LogSeverity
  • MaximumMessageSize

Sources: 
https://github.com/SAP/macOS-enterprise-privileges
https://github.com/SAP/macOS-enterprise-privileges/wiki/Managing-Privileges

4 REPLIES 4

daniel_behan
Contributor III

If your organization uses a Syslog server product such as Splunk, that's what the host would be.  Here's an example of what I'm using.  The values of those keys should be provided by whoever manages your syslog server.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DockToggleTimeout</key>
<integer>30</integer>
<key>RemoteLogging</key>
<dict>
<key>EnableTCP</key>
<false/>
<key>ServerAddress</key>
<string>"Your Server Here"</string>
<key>ServerPort</key>
<integer>"Your Port Here"</integer>
<key>ServerType</key>
<string>syslog</string>
<key>SyslogOptions</key>
<dict>
<key>MaximumMessageSize</key>
<integer>1024</integer>
<key>LogSeverity</key>
<integer>0</integer>
<key>LogFacility</key>
<integer>0</integer>
</dict>
</dict>
<key>RequireAuthentication</key>
<true/>
<key>ReasonMinLength</key>
<integer>10</integer>
<key>ReasonRequired</key>
<true/>
<key>LimitToUser</key>
<string>$USERNAME</string>
</dict>
</plist>

Mcleveland
New Contributor III

Any alternatives that you think would work great for this? We don't use Splunk :( 

daniel_behan
Contributor III

Does your organization currently have a functioning syslog server or siem?  If so, the administrators of that server can provide you the necessary hostnames and severities.  If not and you have the cycles to provision and manage your own, I'm sure there are plenty of available resources online.  You can still use this tool without the logging if your organization doesn't have an existing logging policy.

bowie
New Contributor III

Can someone help me to find where should I paste my own configuration?