Skip to content

[AI-5153] DDS: Mac Audit Logs Integration v1.0.0 #19989

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 15 commits into
base: master
Choose a base branch
from
Open

[AI-5153] DDS: Mac Audit Logs Integration v1.0.0 #19989

Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
f911566
Add mac audit logs integration
tirthrajchaudhari-crest Apr 2, 2025
2102d19
Add test results and unit test case
tirthrajchaudhari-crest Apr 2, 2025
eafb8fd
Resolve lint issue
tirthrajchaudhari-crest Apr 2, 2025
6507012
Add images and resolve CI sync failure
tirthrajchaudhari-crest Apr 2, 2025
9de0d14
Update spec name and ci sync
tirthrajchaudhari-crest Apr 2, 2025
dd7717f
Merge branch 'master' of https://github.com/DataDog/integrations-core…
tirthrajchaudhari-crest Apr 2, 2025
ecb42b2
Resolve CI sync
tirthrajchaudhari-crest Apr 2, 2025
24e2bd7
Update cloud siem panels
tirthrajchaudhari-crest Apr 3, 2025
240fc8d
update source type name
akaila-crest Apr 3, 2025
de285c4
update manifest.json
akaila-crest Apr 3, 2025
247eebf
Update test-all.yml
akaila-crest Apr 3, 2025
ea36267
Update constants.py
akaila-crest Apr 3, 2025
db06d1b
Add support for timezone
tirthrajchaudhari-crest Apr 14, 2025
4e0a6e8
Update test samples
tirthrajchaudhari-crest Apr 14, 2025
39b8924
Update test results
tirthrajchaudhari-crest Apr 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions .codecov.yml
View file
Original file line number Diff line number Diff line change
@@ -398,6 +398,10 @@ coverage:
target: 75
flags:
- linux_proc_extras
Mac_Audit_Logs:
target: 75
flags:
- mac_audit_logs
MapR:
target: 75
flags:
@@ -594,10 +598,6 @@ coverage:
target: 75
flags:
- sonarqube
sonatype_nexus:
target: 75
flags:
- sonatype_nexus
Spark:
target: 75
flags:
@@ -758,6 +758,10 @@ coverage:
target: 75
flags:
- nvidia_nim
sonatype_nexus:
target: 75
flags:
- sonatype_nexus
tibco_ems:
target: 75
flags:
@@ -1287,6 +1291,11 @@ flags:
paths:
- linux_proc_extras/datadog_checks/linux_proc_extras
- linux_proc_extras/tests
mac_audit_logs:
carryforward: true
paths:
- mac_audit_logs/datadog_checks/mac_audit_logs
- mac_audit_logs/tests
mapr:
carryforward: true
paths:
5 changes: 5 additions & 0 deletions .github/CODEOWNERS
View file
Original file line number Diff line number Diff line change
@@ -504,6 +504,11 @@ plaid/assets/logs/ @DataDog/saa
/forcepoint_security_service_edge/manifest.json @DataDog/saas-integrations @DataDog/documentation
/forcepoint_security_service_edge/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend

/mac_audit_logs/ @DataDog/agent-integrations
/mac_audit_logs/*.md @DataDog/agent-integrations @DataDog/documentation
/mac_audit_logs/manifest.json @DataDog/agent-integrations @DataDog/documentation
/mac_audit_logs/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend

/gpu/ @DataDog/ebpf-platform
/gpu/*.md @DataDog/ebpf-platform @DataDog/documentation
/gpu/manifest.json @DataDog/ebpf-platform @DataDog/agent-integrations @DataDog/documentation
2 changes: 2 additions & 0 deletions .github/workflows/config/labeler.yml
View file
Original file line number Diff line number Diff line change
@@ -370,6 +370,8 @@ integration/linkerd:
- linkerd/**/*
integration/linux_proc_extras:
- linux_proc_extras/**/*
integration/mac_audit_logs:
- mac_audit_logs/**/*
integration/mailchimp:
- mailchimp/**/*
integration/mapr:
20 changes: 20 additions & 0 deletions .github/workflows/test-all.yml
View file
Original file line number Diff line number Diff line change
@@ -2434,6 +2434,26 @@ jobs:
minimum-base-package: ${{ inputs.minimum-base-package }}
pytest-args: ${{ inputs.pytest-args }}
secrets: inherit
jc1b3d1e:
uses: ./.github/workflows/test-target.yml
with:
job-name: Mac Audit Logs
target: mac_audit_logs
platform: linux
runner: '["ubuntu-22.04"]'
repo: "${{ inputs.repo }}"
python-version: "${{ inputs.python-version }}"
standard: ${{ inputs.standard }}
latest: ${{ inputs.latest }}
agent-image: "${{ inputs.agent-image }}"
agent-image-py2: "${{ inputs.agent-image-py2 }}"
agent-image-windows: "${{ inputs.agent-image-windows }}"
agent-image-windows-py2: "${{ inputs.agent-image-windows-py2 }}"
test-py2: ${{ inputs.test-py2 }}
test-py3: ${{ inputs.test-py3 }}
minimum-base-package: ${{ inputs.minimum-base-package }}
pytest-args: ${{ inputs.pytest-args }}
secrets: inherit
ja15251c:
uses: ./.github/workflows/test-target.yml
with:
4 changes: 4 additions & 0 deletions mac_audit_logs/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# CHANGELOG - mac_audit_logs

<!-- towncrier release notes start -->

109 changes: 109 additions & 0 deletions mac_audit_logs/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
## Overview

[Mac Audit Logs][1] captures detailed information about system events, user actions, network and security-related activities. These logs are crucial for monitoring system integrity, identifying unauthorized access, and ensuring adherence to security policies and regulations.

This integration provides enrichment and visualization for various log types, including:

- **Authentication and Authorization** events
- **Administrative** activities
- **Network** events
- **File Access** activities
- **Input/Output Control**
- **IPC (Inter-Process Communication)**

This integration collects Mac audit logs and sends them to Datadog for analysis, providing visual insights through out-of-the-box dashboards and the Log Explorer. It also helps monitor and respond to security threats with ready-to-use Cloud SIEM detection rules.

* [Log Explorer][2]
* [Cloud SIEM][3]

## Setup

### Installation

To install the Mac Audit Logs integration, run the following Agent installation command and follow the steps below. For more information, see the [Integration Management][4] documentation.

**Note**: This step is not necessary for Agent versions >= 7.66.0

For Mac, run:
```shell
sudo datadog-agent integration install datadog-mac-audit-logs==1.0.0
```


### Configuration

#### Configure BSM Auditing on Mac
**Note**: The following steps are required for the Mac version >=14.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**Note**: The following steps are required for the Mac version >=14.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

1. Copy the configurations from `audit_control.example` to `audit_control`
```shell
cp /etc/security/audit_control.example /etc/security/audit_control
```

2. Update the configuration to specify the event types that should be audited. Execute the command below to audit all event types:
```shell
sudo sed -i '' 's/^flags:.*/flags:all/' /etc/security/audit_control && \
sudo sed -i '' 's/^naflags:.*/naflags:all/' /etc/security/audit_control
```
3. Restart `auditd` service:
```shell
/bin/launchctl enable system/com.apple.auditd
```

4. Restart the Mac.

### Validation

[Run the Agent's status subcommand][5] and look for `mac_audit_logs` under the Checks section.

## Data Collected

### Metrics

The Mac Audit Logs integration does not include any metrics.

### Log Collection

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file:

```yaml
logs_enabled: true
```

2. Configure `mac_audit_logs.d/conf.yaml` file to start collecting Mac audit logs.

See the [sample mac_audit_logs.d/conf.yaml][6] for available configuration options.

```yaml
init_config:
instances:
- MONITOR: true
min_collection_interval: 15
logs:
- type: integration
service: mac-audit-logs
source: mac-audit-logs
```

**Note**:
- Do not change the `service` and `source` values, as they are essential for proper log pipeline processing.

3. [Restart the Agent][7].

### Events

The Mac Audit Logs integration does not include any events.

## Troubleshooting

Need help? Contact [Datadog support][8].


[1]: https://www.apple.com/mac/
[2]: https://docs.datadoghq.com/logs/explorer/
[3]: https://www.datadoghq.com/product/cloud-siem/
[4]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install
[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
[6]: https://github.com/DataDog/integrations-core/blob/master/mac_audit_logs/datadog_checks/mac_audit_logs/data/conf.yaml.example
[7]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent
[8]: https://docs.datadoghq.com/help/
29 changes: 29 additions & 0 deletions mac_audit_logs/assets/configuration/spec.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: Mac Audit Logs
files:
- name: mac_audit_logs.yaml
options:
- template: init_config
options:
- template: init_config/default
- template: instances
options:
- name: MONITOR
required: true
description: "Flag indicating Mac audit log collection status. Set to true to enable collection."
value:
type: boolean
example: true
- template: instances/default
overrides:
min_collection_interval.required: true
min_collection_interval.value.example: 15
min_collection_interval.value.minimum: 1
min_collection_interval.value.maximum: 64800
service.hidden: true
empty_default_hostname.hidden: true
metric_patterns.hidden: true
- template: logs
example:
- type: integration
service: mac-audit-logs
source: mac-audit-logs
Loading