elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats
12.15k stars 4.91k forks

[Auditbeat] MacOS auditing #6061

Open andrewkroh opened 6 years ago

andrewkroh commented 6 years ago

There is some built-in auditing support in macOS. I don't know much about it yet, but it sounds like we can get execve info at a minimum. This needs more investigation.

asekhar commented 5 years ago

Does the new version include support for auditd on OSX? Wondering what the status of this issue is.

cwurm commented 5 years ago

@asekhar Not yet. Though we are working on some enhancements to Auditbeat that will allow collecting additional information on macOS as well.

If you don't mind me asking - what information would you want to collect?

Note: macOS does not have auditd as Linux does and so we will always be limited in what we can collect compared to it (in Linux, you can pretty much collect anything).

asekhar commented 5 years ago

I'd like to get as close to the artifacts described here: https://blogs.dropbox.com/tech/2018/04/4696/ as possible, but among others: process name, path, arguments, parent process, network connections, file creations.

feld commented 5 years ago

FreeBSD also uses the OpenBSM audit framework, so making sure it works on FreeBSD as well would be ideal.

edit:

sudo praudit -l /dev/auditpipe

This is not ideal. I've done this on FreeBSD boxes to pipe that through logger(1) to get the data into syslog so I can ship it to Logstash. High activity on a system can hit 100% CPU usage for that praudit(1) process pretty quickly, so you've just wasted an entire CPU core shipping logs that normally take less than 1% CPU when they are shipped in their native binary format with auditdistd(8).
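An added example for the two comments above (the field list asekhar asks for and the praudit pipeline feld describes), not code from Beats or from either commenter: a small Python reader for praudit's text output that turns execve(2) records into JSON. It assumes praudit's default one-token-per-line layout rather than the -l form quoted above, and the sample records inside it are constructed, not captured.

```python
"""Parse praudit(1) text output into structured execve(2) events.

Added example, not code from the Beats project or from anyone in this thread.
It assumes praudit's default one-token-per-line layout, i.e. the output of
    sudo praudit /dev/auditpipe
(without -l), and the token field orders documented in praudit(1). The sample
records below are constructed for the example, not captured from a real host.
"""
import json
import sys

# Constructed sample: two execve(2) records around one unrelated open(2) record.
SAMPLE = """\
header,136,11,execve(2),0,Tue Jun  6 09:14:25 2017, + 534 msec
exec arg,/usr/bin/id,-u
path,/usr/bin/id
attribute,100755,root,wheel,16777220,1234,0
subject,alice,alice,staff,alice,staff,53151,100003,53151,0.0.0.0
return,success,0
trailer,136
header,120,11,open(2) - read,0,Tue Jun  6 09:14:26 2017, + 10 msec
path,/etc/passwd
subject,alice,alice,staff,alice,staff,53151,100003,53151,0.0.0.0
return,success,3
trailer,120
header,140,11,execve(2),0,Tue Jun  6 09:14:27 2017, + 2 msec
exec arg,/usr/sbin/visudo
path,/usr/sbin/visudo
subject,alice,root,staff,alice,staff,53160,100003,53160,0.0.0.0
return,failure : Permission denied,13
trailer,140
"""

# Field order of the subject token as praudit prints it.
SUBJECT_FIELDS = ("auid", "uid", "gid", "ruid", "rgid", "pid", "sid",
                  "tid_port", "tid_addr")


def records(lines):
    """Group token lines into records: a 'header' token opens one, 'trailer' closes it."""
    current = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        ttype, _, rest = line.partition(",")
        if ttype == "header":
            current = [(ttype, rest)]
        elif current is None:
            # Tokens seen before any header: the tail of a record that was
            # already in flight when the pipe was opened. Skip them.
            continue
        elif ttype == "trailer":
            yield current
            current = None
        else:
            current.append((ttype, rest))


def to_event(rec):
    """Flatten one record into a dict; returns None for anything but execve(2)."""
    # header fields: record length, version, event name, modifier, time, msec
    header = rec[0][1].split(",")
    event = header[2]
    if not event.startswith("execve"):
        return None
    ev = {"event": event, "time": header[4].strip(), "success": False,
          "path": None, "argv": [], "subject": {}, "return": {}}
    for ttype, rest in rec[1:]:
        if ttype == "exec arg":
            # praudit does not escape its delimiter, so an argument containing a
            # comma is ambiguous here; the XML (-x) or binary form avoids that.
            ev["argv"] = rest.split(",")
        elif ttype == "path" and ev["path"] is None:
            ev["path"] = rest  # assumption: the first path token is the executable
        elif ttype == "subject":
            ev["subject"] = dict(zip(SUBJECT_FIELDS, rest.split(",")))
        elif ttype == "return":
            # "success,0" or "failure : <strerror>,<errno>"
            status, _, value = rest.rpartition(",")
            ev["success"] = status == "success"
            ev["return"] = {"status": status, "value": value}
    return ev


def exec_events(lines):
    """All execve(2) events in an iterable of praudit lines, in order."""
    return [ev for ev in (to_event(r) for r in records(lines)) if ev]


if __name__ == "__main__":
    # "python3 praudit_exec.py -" reads praudit output from stdin; otherwise the sample.
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    for ev in exec_events(source):
        print(json.dumps(ev))
```

Feeding it `sudo praudit /dev/auditpipe | python3 praudit_exec.py -` gives one JSON object per exec with the executable path, argv, the subject's uid and pid, and whether the call succeeded. That covers process name, path and arguments from the list above; the parent pid is not in the subject token, and network or file-creation events live in other record types. Argument values containing the delimiter are ambiguous in the text form, which is one reason to prefer the XML (-x) or binary record once a proper parser exists.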

Vladimir-csp commented 5 years ago

+1 for native FreeBSD audit support, with the prospect of abstracting the data together with Linux audit events

gwsales commented 5 years ago

This will get you XML; not sure if it would be easier to pass into a parser or if it adds any additional load: sudo praudit -x -l /dev/auditpipe

deepybee commented 5 years ago

@andrewkroh Auditbeat is now listed as supported in our Support Matrix for MacOS >= 10.13 (High Sierra). Can this issue be closed?

andrewkroh commented 5 years ago

No, it cannot be closed. There are many features of Auditbeat that work on MacOS, but reading MacOS audit data from the auditpipe is not one of them yet.

deepybee commented 5 years ago

OK, thanks for the clarification!

botelastic[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

gwsales commented 4 years ago

@andrewkroh can you get this one reopened or maybe assigned to a team?

elasticmachine commented 4 years ago

Pinging @elastic/siem (Team:SIEM)

inqueue commented 3 years ago

Passing on these links on behalf of another:

The first should be covered by the File Integrity Module. The second appears to be this GH issue.

botelastic[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jasonborchardt commented 2 years ago

Can this issue be re-opened? It appears auditbeat attempts to parse process information in real time instead of subscribing to events in MacOS, which causes many events to be missed if they start and stop quickly. Additionally, in order to get information about processes executing from auditd, you must modify files in /etc/security, then reboot the system (as SIP prevents you from restarting the auditd process with the new configuration). Additionally, every OS update wipes out changes to files located in /etc/security.

It is possible to build filters and subscribe to system events, especially in MacOS 11.x. Other tools such as Jamf Protect do this.
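As an added example alongside the comment above (not part of Auditbeat and not from that comment): a Python check of an audit_control(5) file that reports whether successful execs fall in an audited class and whether the argv policy is on, so the question of whether /etc/security still carries the exec-auditing changes after an update can be answered by script rather than by eye. The two configs in it are constructed, and the values shown for the stock file are an assumption.

```python
"""Check an audit_control(5) file for exec auditing and argv recording.

Added example, not part of Auditbeat and not from the comment above. It assumes
the audit_control syntax: one "key:value" per line, the flags value a comma-
separated list of audit classes where a leading "+" selects successes only,
"-" failures only, and "^" removes the selection that follows it, and the
"argv" policy which makes execve(2) arguments part of the record. Both
configs below are constructed for the example.
"""

# Constructed: audits only login/logout (lo) and authentication (aa) events.
NO_EXEC = """\
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
"""

# Constructed: adds the exec (ex) and process (pc) classes plus failed writes.
WITH_EXEC = """\
dir:/var/audit
flags:lo,aa,ex,pc,-fw
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
"""

# Classes whose successful events include process execution.
EXEC_CLASSES = ("ex", "pc", "all")


def parse_audit_control(text):
    """Return {key: value} for the non-comment lines of an audit_control file."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def selected_classes(flags):
    """Map class name -> set of audited outcomes ({'success', 'failure'}) for a flags value."""
    selected = {}
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        remove = item.startswith("^")
        item = item[1:] if remove else item
        if item.startswith("+"):
            name, scopes = item[1:], {"success"}
        elif item.startswith("-"):
            name, scopes = item[1:], {"failure"}
        else:
            name, scopes = item, {"success", "failure"}
        have = selected.get(name, set())
        selected[name] = have - scopes if remove else have | scopes
    return selected


def exec_audited(conf):
    """True if successful execs fall in a selected class. Membership is taken by
    class name only; audit_class(5)/audit_event(5) are not consulted."""
    sel = selected_classes(conf.get("flags", ""))
    return any("success" in sel.get(c, set()) for c in EXEC_CLASSES)


def argv_recorded(conf):
    """True if the argv policy is set, so 'exec arg' tokens are emitted."""
    return "argv" in [p.strip() for p in conf.get("policy", "").split(",")]


def check(text):
    """Summarise what a config will give a process-execution consumer."""
    conf = parse_audit_control(text)
    return {"exec_audited": exec_audited(conf), "argv_recorded": argv_recorded(conf)}


if __name__ == "__main__":
    import sys
    # With a path argument, check that file (e.g. /etc/security/audit_control).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WITH_EXEC
    print(check(text))
```

Run as `python3 audit_control_check.py /etc/security/audit_control` from a periodic job; a result of `exec_audited: False` after an OS update is the drift the comment above warns about, caught before the gap in exec coverage is noticed in the SIEM.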

a03nikki commented 2 years ago

@elastic/siem : Could we please get this ticket re-opened? It has not been resolved yet and is important functionality.

austinsonger commented 2 years ago

Agreed.

MakoWish commented 1 year ago

No movement on this? We are only just now starting to test Auditbeat on Mac (we are mainly a Windows and Linux shop).

jamiehynds commented 1 year ago

Thanks to everyone who has chimed in on this issue. While we have an integration with Jamf Compliance Reporter to ingest events from Unified Logging, I understand this dependency on a 3rd party solution isn't ideal. We're currently assessing some options to natively support Unified Logging. If folks could share information on your use case for the Unified Logs, it would be a great help as we look at some options - e.g. are you mainly interested in process and authentication events, or any other event types?

MakoWish commented 1 year ago

For us it is mainly authentication events.

asekhar commented 1 year ago

process executions, network connections, file creation and authentication events

gwsales commented 1 year ago

Would be nice to add some advanced things as well like monitoring plist / ssh keys / system startup / listening processes. It's been a while since I've looked at Auditbeat on Mac; we've mostly moved on to other tools since this doesn't seem to be getting much traction or progress.

gwsales commented 11 months ago

@elastic/siem Has there been any progress here? Elastic has solid coverage on Windows and Linux, but really seemed to just skip over anything MacOS.

Would be great to see some updates here.

MakoWish commented 11 months ago

Yeah, almost six years later, and no traction.

elasticmachine commented 7 months ago

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

MakoWish commented 7 months ago

We have officially passed six years on this. :-(