craftwa.re

A walk outside the sandbox


Check Audit Logs


Overview

  • macOS implements the Basic Security Module (BSM) auditing subsystem, originally introduced in Solaris.
  • This subsystem is useful for tracking user sessions, authentications and process actions.

Work with audit logs

Check/modify settings

The configuration for auditd(8) is stored in the /etc/security/audit_control file:

$ cat /etc/security/audit_control
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

Logs storage

The dir field above specifies the directory where logs are created. Log files are named start_time.stop_time, with both timestamps accurate to the second. The most recent log has a stop_time value of not_terminated:

$ ls -al /var/audit
total 1008
drwx------  24 root  wheel    816 15 Mar 23:49 .
drwxr-xr-x  25 root  wheel    850 22 Sep 10:28 ..
[..]
-r--r-----   1 root  wheel   9738 15 Mar 23:45 20180315215409.crash_recovery
-r--r-----   1 root  wheel  44944 19 Mar 22:00 20180315234914.not_terminated
lrwxr-xr-x   1 root  wheel     40 15 Mar 23:49 current -> /var/audit/20180315234914.not_terminated

Parsing

Since the audit logs are stored in a binary format, we need a tool to parse them. praudit(1) with the -x flag for XML output is very handy. Below we see that a session termination was recorded, followed by a user authentication attempt:

$ sudo praudit -x /var/audit/current
[..]
<record version="11" event="session end" modifier="0" time="Sun Mar 18 22:56:54 2018" msec=" + 523 msec" >
  <argument arg-num="1" value="0x0" desc="sflags" />
  <argument arg-num="2" value="0x0" desc="am_success" />
  <argument arg-num="3" value="0x0" desc="am_failure" />
  <subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="0" sid="100100" tid="0 0.0.0.0" />
  <return errval="success" retval="0" />
</record>

<record version="11" event="user authentication" modifier="0" time="Sun Mar 18 22:56:54 2018" msec=" + 682 msec" >
  <subject audit-uid="m" uid="m" gid="staff" ruid="m" rgid="staff" pid="1148" sid="100007" tid="1149 0.0.0.0" />
  <text>Verify password for record type Users "m" node "/Local/Default"</text>
  <return errval="failure: Unknown error: 255" retval="5000" />
</record>
[..]

Since logs are cycled frequently, the special character device /dev/auditpipe allows user-mode programs to access the audit records in real time. This is very useful if, for example, we need to pipe the events to a shell script:

$ sudo praudit /dev/auditpipe | ./pareEvent.sh
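As an added example (not code from the original post), here is a small POSIX shell script of the kind that the pareEvent.sh stage above would be: it reads praudit -x records on stdin and reports every "user authentication" record whose return value is not success. The embedded sample records are constructed, modelled on the excerpt shown earlier; the function names auth_failures and count_auth_failures are chosen here.

```shell
#!/bin/sh
# Constructed sample of praudit -x output (modelled on the page's excerpt):
# a session end, a failed password check and a successful one.
SAMPLE_RECORDS='<record version="11" event="session end" modifier="0" time="Sun Mar 18 22:56:54 2018" msec=" + 523 msec" >
  <subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="0" sid="100100" tid="0 0.0.0.0" />
  <return errval="success" retval="0" />
</record>
<record version="11" event="user authentication" modifier="0" time="Sun Mar 18 22:56:54 2018" msec=" + 682 msec" >
  <subject audit-uid="m" uid="m" gid="staff" ruid="m" rgid="staff" pid="1148" sid="100007" tid="1149 0.0.0.0" />
  <text>Verify password for record type Users "m" node "/Local/Default"</text>
  <return errval="failure: Unknown error: 255" retval="5000" />
</record>
<record version="11" event="user authentication" modifier="0" time="Sun Mar 18 22:57:10 2018" msec=" + 12 msec" >
  <subject audit-uid="m" uid="m" gid="staff" ruid="m" rgid="staff" pid="1150" sid="100007" tid="1151 0.0.0.0" />
  <text>Verify password for record type Users "m" node "/Local/Default"</text>
  <return errval="success" retval="0" />
</record>'

# Read praudit -x records on stdin and print "time<TAB>audit-uid<TAB>errval"
# for each failed "user authentication" record. A record spans several
# lines, so the fields are collected until the closing </record> tag.
auth_failures() {
  awk '
    /<record / {
      ev = ""; t = ""; u = ""; r = ""
      if (match($0, /event="[^"]*"/)) ev = substr($0, RSTART + 7, RLENGTH - 8)
      if (match($0, /time="[^"]*"/))  t  = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /<subject / { if (match($0, /audit-uid="[^"]*"/)) u = substr($0, RSTART + 11, RLENGTH - 12) }
    /<return /  { if (match($0, /errval="[^"]*"/))    r = substr($0, RSTART + 8, RLENGTH - 9) }
    /<\/record>/ {
      if (ev == "user authentication" && r != "success") printf "%s\t%s\t%s\n", t, u, r
    }
  '
}

# Number of failed authentications found in the constructed sample.
count_auth_failures() {
  printf '%s\n' "$SAMPLE_RECORDS" | auth_failures | wc -l | tr -d ' '
}
```

Once the script is sourced, the same function runs on live events with `sudo praudit -x /dev/auditpipe | auth_failures`.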

References

OpenBSM auditing on Mac OS X