• Mac OS X,  Mac Security

    Quick and Dirty OpenBSM Auditing In macOS

    OpenBSM is an audit subsystem that has shipped with the Mac for some time. It provides the ability to create and read audit logs in the BSM format, originally built to satisfy Common Criteria requirements.

    Audit Logs

    The quick and easy way to see what OpenBSM is auditing is to cat the /etc/security/audit_control file:

    cat /etc/security/audit_control

    The output shows the directory the audit trails are written to (dir), the audit classes recorded for attributable events (flags, i.e. events tied to an authenticated user) and for non-attributable events (naflags), and the rotation and expiry policy. By default the configuration is as follows:

    #
    # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
    #
    dir:/var/audit
    flags:lo,aa
    minfree:5
    naflags:lo,aa
    policy:cnt,argv
    filesz:2M
    expire-after:10M
    superuser-set-sflags-mask:has_authenticated,has_console_access
    superuser-clear-sflags-mask:has_authenticated,has_console_access
    member-set-sflags-mask:
    member-clear-sflags-mask:has_authenticated

    So out of the box only the lo (login/logout) and aa (authentication and authorization) classes are audited; a trail is rotated once it reaches 2 MB (filesz) and old trails are expired once the directory holds 10 MB of them (expire-after). Anything else you want recorded, such as the ad (administrative) or ex (exec) classes, has to be added to flags first, and auditd only picks the change up after a restart or a sudo audit -s.

    You can then see all of the files in your audit log with a standard ls of that directory (it is readable only by root, so use sudo):

    sudo ls /var/audit

    As you can see, the files are stored with a date/time stamp naming convention: each trail is named <start>.<stop> in YYYYMMDDhhmmss form (UTC), the trail currently being written ends in .not_terminated, and the current symlink in the same directory points at it. …
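    To make the two commands above scriptable, here is an added example (mine, not code from this post or from OpenBSM) that parses audit_control into its settings and parses the trail file names, so you can answer the question an incident responder actually has: which trail covers a given moment? The audit_control text and the directory listing embedded in it are constructed to mirror the defaults shown above; the trail timestamps are treated as UTC, which is how auditd names them, and the .crash_recovery suffix is the name auditd gives a trail it found left open after an unclean shutdown.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the stock macOS audit_control, comments included.
SAMPLE_AUDIT_CONTROL = """\
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
"""

# Constructed directory listing standing in for `sudo ls /var/audit`.
SAMPLE_LISTING = [
    "20240301120000.20240301183000",
    "20240301183000.20240302090000",
    "20240302090000.not_terminated",
    "current",  # symlink auditd keeps pointed at the open trail
]

TRAIL_NAME = re.compile(r"^(\d{14})\.(\d{14}|not_terminated|crash_recovery)$")


def parse_audit_control(text):
    """Return audit_control as a dict, skipping comments and blank lines.

    Keys with no value (member-set-sflags-mask:) map to an empty string, which
    is meaningful: an empty mask means nothing is set for that group.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit_classes(settings, key="flags"):
    """Split a class list such as 'lo,aa' into ['lo', 'aa']; empty list if unset."""
    return [c for c in settings.get(key, "").split(",") if c]


def _parse_ts(value):
    """Accept a YYYYMMDDhhmmss string (as used in trail names) or a datetime."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_trail_name(name):
    """Return (start, stop) for a trail file name, or None if it is not a trail.

    stop is None for a trail still being written (.not_terminated) or one left
    open by an unclean shutdown (.crash_recovery).
    """
    m = TRAIL_NAME.match(name)
    if not m:
        return None
    start = _parse_ts(m.group(1))
    stop = _parse_ts(m.group(2)) if m.group(2).isdigit() else None
    return start, stop


def trails_covering(names, when):
    """Names of the trails whose [start, stop) span includes `when`.

    `when` may be a datetime or a YYYYMMDDhhmmss string. More than one name can
    match when a crash left an unterminated trail beside a later one, so a list
    is returned rather than a single name.
    """
    when = _parse_ts(when)
    hits = []
    for name in names:
        span = parse_trail_name(name)
        if span is None:
            continue
        start, stop = span
        if start <= when and (stop is None or when < stop):
            hits.append(name)
    return hits


if __name__ == "__main__":
    cfg = parse_audit_control(SAMPLE_AUDIT_CONTROL)
    print("trail dir:", cfg["dir"])
    print("attributable classes:", audit_classes(cfg))
    print("non-attributable classes:", audit_classes(cfg, "naflags"))
    print("trail for 2024-03-01 20:00 UTC:",
          trails_covering(SAMPLE_LISTING, "20240301200000"))
```

    On a real Mac, replace SAMPLE_AUDIT_CONTROL with the contents of /etc/security/audit_control and SAMPLE_LISTING with os.listdir on the dir setting (run as root). The trail names are the only index OpenBSM gives you, so locating the right file by its span is the step before handing it to praudit.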