{
	"id": "e36ccc74-4e27-4108-bda1-38113cd53cb4",
	"created_at": "2026-04-06T00:12:59.475906Z",
	"updated_at": "2026-04-10T13:12:29.672751Z",
	"deleted_at": null,
	"sha1_hash": "d0a67329310287d988001ee76d3c7b326fc16881",
	"title": "Audit in a OS X System",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102957,
	"plain_text": "Audit in a OS X System\r\nBy Rocco Gagliardi\r\nArchived: 2026-04-05 18:30:24 UTC\r\nA Mac is a Mac and it works. In front of a MacBook Retina you feel comfortable, as long as you’re in the OS X flow.\r\nOS X\r\nBut what happens behind the beautiful sunset in Yosemite? Are the actions of a user or an application logged? Can you use OS X in certified environments where a full audit is a requirement?\r\nThe Problem\r\nIn OS X, you can fire up Console.app and take a look at the various logfiles created by default by the system; if you have super-user permissions, you may access the protected system logfiles and take a look at authd or other specific logs in the ASL (Apple System Log facility).\r\nBut that is just logging, and it is not enough in a certified environment. In certified environments, auditing is required.\r\nAn auditing infrastructure, on the other hand, reports each instance of certain low-level events, regardless of which program caused the event to occur. – Security Log, Part 1: Experience with Log Management – What is a log\r\nSecurity auditing involves recognising, recording, storing, and analysing information related to security relevant activities. The resulting audit records can be examined to determine which security relevant activities took place and who (which user) is responsible for them. – Common Criteria, Class Family Audit: Security Audit\r\nThe audit problem was faced by Apple with OS X Panther (10.3.6, 2004), when the Desktop and Server versions were submitted to the NIAP for Common Criteria certification. Common Criteria is an internationally approved set of security standards, and provides a clear and reliable evaluation of the security capabilities of Information Technology products. 
Security-conscious customers are requiring Common Criteria certification as a determining factor in purchasing decisions.\r\nThe Solution\r\nIn 2004, Apple released a new piece of software: openBSM. This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. The Basic Security Module (BSM) interface to audit records and the audit event stream format were defined by Sun Microsystems. For credits, check the complete list.\r\nhttps://www.scip.ch/en/?labs.20150108\r\nPage 1 of 8\r\nAt the same time, the Common Criteria Configuration and Administration Guide was released to help security administrators properly configure the OS.\r\nFor old-timers, BSM does not sound new: it is the Solaris Basic Security Module, a tool created by Sun Microsystems to achieve the DoD C2-level certification for Solaris 2.5.1 in 1996. The tool can trace every syscall, intercepting execution in every process running on the system, store the information in a binary format and report as needed.\r\nOpenBSM: What Is Logged Where\r\nThe main configuration file for auditing is /etc/security/audit_control; in this file we set which classes of events we want to generate audit records for and where we want those records to go.\r\nThe default configuration installed on Yosemite, /etc/security/audit_control:\r\n#\r\n# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $\r\n#\r\ndir:/var/audit\r\nflags:lo,aa\r\nminfree:5\r\nnaflags:lo,aa\r\npolicy:cnt,argv\r\nfilesz:2M\r\nexpire-after:10M\r\nsuperuser-set-sflags-mask:has_authenticated,has_console_access\r\nsuperuser-clear-sflags-mask:has_authenticated,has_console_access\r\nmember-set-sflags-mask:\r\nmember-clear-sflags-mask:has_authenticated\r\nSome parameters are self-explanatory; for a complete reference, look at the audit_control(5) manual page. 
The following parameters are interesting:\r\nParameter   Description\r\nflags       Specifies which audit event classes are audited for all users. audit_user(5) describes how to audit events for individual users.\r\nnaflags     Contains the audit flags that define which classes of events are audited when an action cannot be attributed to a specific user.\r\npolicy      A list of global audit policy flags specifying various behaviours, such as fail stop, auditing of paths and arguments, etc.\r\nWhat can be audited is specified with the flags parameter. The following table lists which event classes can be audited:\r\nCode        Class  Class description\r\n0x00000000  no     invalid class\r\n0x00000001  fr     file read\r\n0x00000002  fw     file write\r\n0x00000004  fa     file attribute access\r\n0x00000008  fm     file attribute modify\r\n0x00000010  fc     file create\r\n0x00000020  fd     file delete\r\n0x00000040  cl     file close\r\n0x00000080  pc     process\r\n0x00000100  nt     network\r\n0x00000200  ip     ipc\r\n0x00000400  na     non attributable\r\n0x00000800  ad     administrative\r\n0x00001000  lo     login_logout\r\n0x00002000  aa     authentication and authorization\r\n0x00004000  ap     application\r\n0x20000000  io     ioctl\r\n0x40000000  ex     exec\r\n0x80000000  ot     miscellaneous\r\n0xffffffff  all    all flags set\r\nThe audit policy flags specify how the system should react to some events and how much detail should be logged:\r\nPolicy flag  Description\r\ncnt          Allow processes to continue running even though events are not being audited. If not set, processes will be suspended when the audit store space is exhausted. 
Currently, this is not a recoverable state.\r\nahlt         Fail stop the system if unable to audit an event – this consists of first draining pending records to disk, and then halting the operating system.\r\nargv         Audit command line arguments to execve(2).\r\narge         Audit environment variable arguments to execve(2).\r\nseq          Include a unique audit sequence number token in generated audit records (not implemented on FreeBSD or Darwin).\r\ngroup        Include supplementary groups list in generated audit records (not implemented on FreeBSD or Darwin; supplementary groups are never included in records on these systems).\r\ntrail        Append a trailer token to each audit record (not implemented on FreeBSD or Darwin; trailers are always included in records on these systems).\r\npath         Include secondary file paths in audit records (not implemented on FreeBSD or Darwin; secondary paths are never included in records on these systems).\r\nzonename     Include a zone ID token with each audit record (not implemented on FreeBSD or Darwin; FreeBSD audit records do not currently include the jail ID or name).\r\nperzone      Enable auditing for each local zone (not implemented on FreeBSD or Darwin; on FreeBSD, audit records are collected from all jails and placed in a single global trail, and only limited audit controls are permitted within a jail).\r\nWhich Systems Should Be Audited?\r\nAll of them! That’s the default answer. In this case you will collect all information generated by the system. 
But this collection has a considerable impact on the system itself:\r\nEven if stored in binary format, the amount of information generated is huge, and the logfile grows rapidly.\r\nDumping information for each action impacts performance: basically, interrupts to write to disk.\r\nOn a server system, the policy must be tuned to balance security and availability requirements.\r\nA recommended minimum set of classes is: lo, ad, na. This includes:\r\nlogin/logout events (lo)\r\nadmin events (ad) such as filesystem mounts and creation of users\r\nnon-attributable events (na)\r\nopenBSM Audit System from a CC Perspective\r\nFAU_ARP: Security Audit Automatic Response\r\nThe TSF shall take a list of actions upon detection of a potential security violation. The openBSM package has a tool called auditfilterd but, by default, it isn’t compiled and installed on OS X because it has never left the experimental state.\r\nIn any case, the source code is available and, with some fixes, it should be possible to run it on OS X and play around with the live log.\r\nAnother method to react live to events is to hook onto /dev/auditpipe.\r\nSecurity Audit Data Generation (FAU_GEN): The /etc/security/audit_control file contains the settings needed to generate the required audit records. In some cases, where fine tuning is required, the file /etc/security/audit_user may contain specific audit settings for particular users. The system behaviour can be specified: if required, the system can be halted in case of audit problems.\r\nSecurity Audit Event Storage (FAU_STG): Audit trail files generated with audit(4) and maintained by auditd(8) provide a reliable long-term store for audit log information. 
Specific settings for rotation can be defined to help archiving.\r\nSecurity Audit Analysis (FAU_SAA): The audit facility provides an audit pipe facility for applications requiring direct access to live BSM audit data for the purposes of real-time monitoring. Audit pipes are available via a cloneable special device, /dev/auditpipe, subject to the permissions on the device node, and provide a “tee” of the audit event stream. As the device is cloneable, more than one instance of the device may be opened at a time; each device instance will provide independent access to all records.\r\nRun praudit on /dev/auditpipe to decode the audit log live.\r\nrcc@mpb~$ sudo praudit /dev/auditpipe\r\nheader,88,11,SecSrvr AuthEngine,0,Tue Dec 16 11:20:06 2014, + 119 msec\r\nsubject,-1,root,wheel,root,wheel,40,100000,41,0.0.0.0\r\ntext,begin evaluation\r\nreturn,success,0\r\ntrailer,88\r\n...\r\nSecurity Audit Event Selection (FAU_SEL): The auditreduce utility selects records from the audit trail files based on the specified criteria. Matching audit records are printed to the standard output in their raw binary form. If no file argument is specified, the standard input is used by default. Use the praudit(1) utility to print the selected audit records in human-readable form.\r\nRun auditreduce to filter records. Results are still in binary and must be converted using praudit.\r\nrcc@mpb~$ sudo auditreduce -cfd /dev/auditpipe\r\nT:I#O/Users/rcc/Library/Application Support\r\nSecurity Audit Review (FAU_SAR): The praudit utility prints the contents of the audit trail files to the standard output in human-readable form. If the raw or short forms are not specified, the default is to print 
the tokens in their raw form. Events are displayed as per their descriptions given in /etc/security/audit_event; UIDs and GIDs are expanded to their names; dates and times are displayed in human-readable format.\r\nRun praudit to convert the binary records into human-readable format.\r\nrcc@mpb~$ sudo auditreduce -cfd /dev/auditpipe | praudit\r\nheader,311,11,rename(2),0,Tue Dec 16 11:26:48 2014, + 572 msec\r\npath,/Users/rcc/Library/Application Support/TextMate/Session/.dat29f8.0b3\r\npath,/Users/rcc/Library/Application Support/TextMate/Session/.dat29f8.0b3\r\nattribute,100644,rcc,staff,16777220,10648235,0\r\npath,/Users/rcc/Library/Application Support/TextMate/Session/Info.plist\r\nsubject,rcc,rcc,staff,rcc,staff,10744,100005,50331650,0.0.0.0\r\nreturn,success,0\r\ntrailer,311\r\nSummary\r\nAuditing is important for two reasons:\r\n1. Regular analysis of logs gives us an early warning of suspicious activity.\r\n2. If stored securely, log analysis can provide the evidence required to find out what went wrong when a breach of the security policy occurs.\r\nThere are other areas where auditing helps as well, such as analysis of our security policies for correct implementation, as well as debugging auditing that can report pertinent information to our security model.\r\nopenBSM provides an auditing system available as part of the core OS X.\r\nAdvantages: openBSM adds support for security event auditing. Event auditing supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. These log records can be invaluable for live system monitoring, intrusion detection, and post mortem analysis.\r\nLimitations: The audit facility has some known limitations. 
Not all security-relevant system events are auditable, and some login mechanisms, such as Xorg-based display managers and third-party daemons, do not properly configure auditing for user login sessions.\r\nThe security event auditing facility is able to generate very detailed logs of system activity. On a busy system, trail file data can be very large when configured for high detail, exceeding gigabytes a week in some configurations. Administrators should take into account the disk space requirements associated with high volume audit configurations.\r\nEn Passant\r\nDuring the research, a LoL boundary check popped up in openbsm/sys/bsm/audit_kevents.h:\r\n/*\r\n * The reserved event numbers for kernel events are 1...2047 and 43001..44900.\r\n */\r\n#define AUE_IS_A_KEVENT(e) (((e) \u003e 0 \u0026\u0026 (e) \u003c 2048) || \\\r\n ((e) \u003e 43000 \u0026\u0026 (e) \u003c 45000))\r\nHowever, the problem is in the comment, not in the code, as stated in the file openbsm/etc/audit_event:\r\n# Allocation of BSM event identifier ranges:\r\n#\r\n# 0 Reserved and invalid\r\n# 1 - 2047 Reserved for Solaris kernel events\r\n# 2048 - 5999 Reserved and unallocated\r\n# 6000 - 9999 Reserved for Solaris user events\r\n# 10000 - 32767 Reserved and unallocated\r\n# 32768 - 65535 Available for third party applications\r\n#\r\n# Of the third party range, OpenBSM allocates from the following ranges:\r\n#\r\n# 43000 - 44999 Reserved for OpenBSM kernel events\r\n# 45000 - 46999 Reserved for OpenBSM application events\r\nAbout the Author\r\nRocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. 
His main focus lies in security frameworks, network routing, firewalling and log management.\r\nLinks\r\nhttp://www.commoncriteriaportal.org\r\nhttp://www.commoncriteriaportal.org/files/ccfiles/ccpart2v2.3.pdf\r\nhttp://www.opensource.apple.com/source/OpenBSM/\r\nhttp://www.opensource.apple.com/source/OpenBSM/OpenBSM-21/openbsm/CREDITS\r\nhttp://www.opensource.apple.com/source/OpenBSM/OpenBSM-21/openbsm/etc/audit_class\r\nhttp://www.scip.ch/?labs.20121122\r\nhttps://www.apple.com/support/security/commoncriteria/\r\nhttps://www.niap-ccevs.org\r\nSource: https://www.scip.ch/en/?labs.20150108",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.scip.ch/en/?labs.20150108"
	],
	"report_names": [
		"?labs.20150108"
	],
	"threat_actors": [],
	"ts_created_at": 1775434379,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0a67329310287d988001ee76d3c7b326fc16881.pdf",
		"text": "https://archive.orkl.eu/d0a67329310287d988001ee76d3c7b326fc16881.txt",
		"img": "https://archive.orkl.eu/d0a67329310287d988001ee76d3c7b326fc16881.jpg"
	}
}