SAP / macOS-enterprise-privileges (Privileges.app)

Mcleveland
New Contributor III

Can anyone help me with examples of what to use so I can set up remote logging? What companies to use, what setups? I understand if this is vague; I am actually struggling with how to ask the question.

Problem: Who should be the host for this?

Description: If RemoteLogging is used, this will send the logging for Privileges.app to a remote syslog server.

If using RemoteLogging, then the following subsidiary keys must also be set:

  • ServerType
  • ServerAddress
  • ServerPort
  • EnableTCP
  • SyslogOptions
      • LogFacility
      • LogSeverity
      • MaximumMessageSize

Sources: 
https://github.com/SAP/macOS-enterprise-privileges
https://github.com/SAP/macOS-enterprise-privileges/wiki/Managing-Privileges
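As an added example (not from this thread and not SAP's code), here is a small Python checker for the key list above. It parses the profile plist with plistlib and reports which of the required RemoteLogging keys are missing or have the wrong type or range. The ranges for LogFacility (0-23) and LogSeverity (0-7) are the RFC 5424 numeric codes; treating "syslog" as the only ServerType and 1-65535 as the MaximumMessageSize range are assumptions made for this example, as is the sample plist, which is constructed to have the shape shown in the thread.

```python
#!/usr/bin/env python3
"""Sanity-check a Privileges.app RemoteLogging dictionary before pushing it.

Added example, not from the forum thread or from SAP's project. It loads the
profile plist with plistlib and checks the keys listed above: each must be
present, ServerType must be "syslog" (the only type this thread shows, so the
accepted set is an assumption), ServerAddress a non-empty string, ServerPort
1-65535, EnableTCP a boolean, and SyslogOptions a dictionary whose LogFacility
(0-23) and LogSeverity (0-7) are RFC 5424 numeric codes with a positive
MaximumMessageSize. SAMPLE_PLIST is constructed for this example.
"""
import plistlib

SUPPORTED_SERVER_TYPES = {"syslog"}   # assumption: only the type shown in this thread

# Constructed sample: the shape from the thread with example host and port filled in.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>RemoteLogging</key>
    <dict>
        <key>EnableTCP</key>
        <false/>
        <key>ServerAddress</key>
        <string>syslog.example.com</string>
        <key>ServerPort</key>
        <integer>514</integer>
        <key>ServerType</key>
        <string>syslog</string>
        <key>SyslogOptions</key>
        <dict>
            <key>LogFacility</key>
            <integer>0</integer>
            <key>LogSeverity</key>
            <integer>0</integer>
            <key>MaximumMessageSize</key>
            <integer>1024</integer>
        </dict>
    </dict>
</dict>
</plist>
"""


def _is_int_in(value, low, high):
    # bool is a subclass of int in Python, so reject it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def validate_remote_logging(prefs):
    """Return a list of problems (an empty list means the dictionary looks deployable)."""
    errors = []
    rl = prefs.get("RemoteLogging")
    if not isinstance(rl, dict):
        return ["RemoteLogging is missing or not a dictionary"]

    for key in ("ServerType", "ServerAddress", "ServerPort", "EnableTCP", "SyslogOptions"):
        if key not in rl:
            errors.append(f"RemoteLogging.{key} is missing")

    if "ServerType" in rl and rl["ServerType"] not in SUPPORTED_SERVER_TYPES:
        errors.append(f"ServerType {rl['ServerType']!r} not in {sorted(SUPPORTED_SERVER_TYPES)}")
    addr = rl.get("ServerAddress")
    if "ServerAddress" in rl and not (isinstance(addr, str) and addr.strip() and '"' not in addr):
        errors.append("ServerAddress must be a non-empty hostname/IP without quote characters")
    if "ServerPort" in rl and not _is_int_in(rl["ServerPort"], 1, 65535):
        errors.append("ServerPort must be an integer 1-65535")
    if "EnableTCP" in rl and not isinstance(rl["EnableTCP"], bool):
        errors.append("EnableTCP must be a boolean (<true/> or <false/>)")

    if "SyslogOptions" in rl:
        opts = rl["SyslogOptions"]
        if not isinstance(opts, dict):
            errors.append("SyslogOptions must be a dictionary")
        else:
            # MaximumMessageSize upper bound is an assumption for this example
            for key, low, high in (("LogFacility", 0, 23), ("LogSeverity", 0, 7),
                                   ("MaximumMessageSize", 1, 65535)):
                if key not in opts:
                    errors.append(f"SyslogOptions.{key} is missing")
                elif not _is_int_in(opts[key], low, high):
                    errors.append(f"SyslogOptions.{key} must be an integer {low}-{high}")
    return errors


def validate_plist_bytes(data):
    """Parse plist XML bytes and validate the RemoteLogging dictionary inside."""
    return validate_remote_logging(plistlib.loads(data))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    problems = validate_plist_bytes(data)
    print("OK" if not problems else "\n".join(problems))
```

Run it as `python3 check_privileges_logging.py /path/to/your.plist`; with no argument it checks the built-in sample. A quoted placeholder such as `"Your Port Here"` inside an `<integer>` element does not even parse as a plist, so the parse error from plistlib is itself the first thing this catches.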

4 replies

daniel_behan
Contributor III

If your organization uses a Syslog server product such as Splunk, that's what the host would be.  Here's an example of what I'm using.  The values of those keys should be provided by whoever manages your syslog server.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DockToggleTimeout</key>
    <integer>30</integer>
    <key>RemoteLogging</key>
    <dict>
        <!-- false = UDP, true = TCP; must match what the syslog server listens on -->
        <key>EnableTCP</key>
        <false/>
        <!-- hostname or IP of your syslog server (placeholder; no quote characters inside the string) -->
        <key>ServerAddress</key>
        <string>syslog.example.com</string>
        <!-- must be an integer, not a quoted string; 514 is the standard syslog port, use your server's -->
        <key>ServerPort</key>
        <integer>514</integer>
        <key>ServerType</key>
        <string>syslog</string>
        <key>SyslogOptions</key>
        <dict>
            <key>MaximumMessageSize</key>
            <integer>1024</integer>
            <!-- RFC 5424 numeric codes: severity 0-7, facility 0-23; take them from your syslog admin -->
            <key>LogSeverity</key>
            <integer>0</integer>
            <key>LogFacility</key>
            <integer>0</integer>
        </dict>
    </dict>
    <key>RequireAuthentication</key>
    <true/>
    <key>ReasonMinLength</key>
    <integer>10</integer>
    <key>ReasonRequired</key>
    <true/>
    <!-- $USERNAME is substituted by the MDM at deployment time -->
    <key>LimitToUser</key>
    <string>$USERNAME</string>
</dict>
</plist>
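To confirm that the host and port in a configuration like the one above actually receive anything, here is an added example (not from this thread and not SAP's code) of a throw-away syslog receiver. Point ServerAddress/ServerPort at the machine running it, set EnableTCP to match the `--tcp` flag, toggle admin rights in Privileges.app, and watch the lines arrive. It also decodes the `<PRI>` prefix back into the facility and severity numbers that LogFacility and LogSeverity configure (PRI = facility * 8 + severity, RFC 5424 section 6.2.1). That Privileges.app sends a standard `<PRI>` prefix is an assumption of this example; the default port 5514 is chosen only so the script need not run as root.

```python
#!/usr/bin/env python3
"""Throw-away syslog receiver for testing a Privileges.app RemoteLogging setup.

Added example; not code from the forum thread or from SAP's project.
Assumption: incoming messages carry a standard syslog <PRI> prefix, where
PRI = LogFacility * 8 + LogSeverity (RFC 5424 section 6.2.1).
"""
import re
import socket
import sys

FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron",
] + [f"local{i}" for i in range(8)]             # 0..23, the LogFacility range
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice",
                  "info", "debug"]                 # 0..7, the LogSeverity range

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility: int, severity: int) -> int:
    """PRI value a sender builds from the LogFacility/LogSeverity integers."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(message: str) -> tuple:
    """Return (facility, severity) from the <PRI> prefix of one syslog line."""
    match = PRI_RE.match(message)
    if not match:
        raise ValueError("no <PRI> prefix: %r" % message[:40])
    pri = int(match.group(1))
    if pri > 191:                                  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def describe(message: str) -> str:
    """Human-readable facility.severity, e.g. 'local0.info'."""
    facility, severity = decode_pri(message)
    return f"{FACILITY_NAMES[facility]}.{SEVERITY_NAMES[severity]}"


def receive(address: str, port: int, enable_tcp: bool, limit: int = None):
    """Yield raw messages until `limit` have been seen (None = run forever)."""
    seen = 0
    if enable_tcp:
        # EnableTCP true: newline-delimited messages on a TCP stream
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((address, port))
            srv.listen()
            while limit is None or seen < limit:
                conn, _ = srv.accept()
                with conn, conn.makefile("r", encoding="utf-8", errors="replace") as lines:
                    for line in lines:
                        yield line.rstrip("\r\n")
                        seen += 1
                        if limit is not None and seen >= limit:
                            return
    else:
        # EnableTCP false: one UDP datagram per message
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
            srv.bind((address, port))
            while limit is None or seen < limit:
                data, _ = srv.recvfrom(65535)
                yield data.decode("utf-8", errors="replace")
                seen += 1


if __name__ == "__main__":
    tcp = "--tcp" in sys.argv
    port = int(sys.argv[1]) if len(sys.argv) > 1 and sys.argv[1].isdigit() else 5514
    print(f"listening on 0.0.0.0:{port} ({'TCP' if tcp else 'UDP'}); Ctrl-C to stop")
    for msg in receive("0.0.0.0", port, tcp):
        try:
            print(describe(msg), msg)
        except ValueError as err:
            print("unparsed:", err)
```

Usage: `python3 syslog_probe.py 5514` for UDP or `python3 syslog_probe.py 5514 --tcp` for TCP, with the test Mac's profile pointing at that host and port. With the values from the plist above (facility 0, severity 0) every message decodes as `kern.emerg`, which is worth knowing before a SIEM starts paging on it.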

Mcleveland
New Contributor III

Any alternatives that you think would work great for this? We don't use Splunk :( 

daniel_behan
Contributor III

Does your organization currently have a functioning syslog server or SIEM? If so, the administrators of that server can provide you the necessary hostnames and severities. If not, and you have the cycles to provision and manage your own, I'm sure there are plenty of available resources online. You can still use this tool without the logging if your organization doesn't have an existing logging policy.

bowie
New Contributor II

Can someone help me find where I should paste my own configuration?