You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -690,3 +690,21 @@ otherwise its fallback mechanism will be used.
Configure the region to use for the AWS Kinesis logger plugin. If not specified, the `--aws_region` flag value will be used if set,
otherwise its fallback mechanism will be used.
## macOS keychain flags
By default, Osquery limits frequent access to keychain files on macOS. This limit applies to `certificates`, `keychain_acls`, and `keychain_items` tables.
`--keychain_access_cache=true`
Whether to use a cache for keychain access (default true). The cache resides in-memory, and independent entries are used for each table and keychain file.
If the keychain file has NOT been modified, osquery will return the cached result. The cache does not expire. It is cleared when osquery is restarted.
`--keychain_access_interval=5`
Minimum minutes required between keychain accesses (default is 5). Keychain cache must be enabled.
The access interval is the minimum time that must elapse before osquery will open and read a keychain file.
Starting from the first access and until time + `--keychain_access_interval`, osquery will return cached results for a given keychain file.
The interval is applied independently for each table. Therefore, multiple tables can read the same keychain file, but they can only do so once within the interval.
Since keychain files are generally not updated frequently, we expect that most keychain accesses will not be impacted by this interval.
To disable the keychain access interval: `--keychain_access_interval=0`
