Support for MacOS Unified Logging

[nathanrstacey]

Describe the enhancement: Support for MacOS Unified Logging

Describe a specific use case for the enhancement or feature: Auditbeat doesn’t provide much valuable information because it is still pulling information from syslog, MacOS is deprecating use of syslog and has moved to Unified Logging. To my knowledge there is no Beat for MacOS that will track login, logout, lock, unlock, or sudo access. It is possible to create custom scripts to grab some (not all) of this info but a Beat would be much easier

[a03nikki]

Unified Logging is also mentioned on (closed) https://github.com/elastic/beats/issues/3109.

[fearful-symmetry]

This has been needed for a long time, we should definitely prioritize this.

[natewalck]

👍 for this. It is badly needed so you don't need to run a launchd just to dump the logs to disk for Filebeat to pick up.

[fearful-symmetry]

I'm a little worried that this is going to languish, as we don't really have a "MacOS expert" and this is a MacOS api. @masci do you have any ideas for how to manage this?

[andrewkroh]

It looks like there is an API since macOS 10.15. https://developer.apple.com/documentation/oslog

It would require cgo and objective-c to use the API.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[jamiehynds]

While native MacOS Unified Logging support isn't currently supported or being worked on for Beats/Agent, there was a very popular tool called cmdReporter that people used to pull events from Unified Logging to send to a SIEM. That tool was acquired by Jamf and rebranded, but the good news is, we're about to ship an integration with Jamf Compliance Reporter to provide visibility into Mac events.

Relevant PR: https://github.com/elastic/integrations/pull/3210

[defensivedepth]

While having the integration mentioned by @jamiehynds is great for those that use jamf, it doesn't help the rest of us that don't use that specific product.

So another vote for native support of ingesting security logs for macOS Unified Logging.

[jamiehynds]

Thanks for the feedback @defensivedepth - we're currently assessing some options to natively supported for Unified Logging. Could you share more information on your use case for the Unified Logs - e.g. are you mainly interested in process and authentication events, or any other event types you're interested in monitoring?

[defensivedepth]

Process & auth events are definitely on my list. Also (may overlap with above):

• Gatekeeper events
• Xprotect events
• Apple script events
• sudo, logons, opendirectory events

Some other interesting events (from https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/):

Predicate	Description
process == “sudo”	Captures command line activity run with elevated privileges
process == “logind”	Captures user login events
process == “tccd”	Captures events that indicate permissions and access violations
process == “sshd”	Captures successful, failed and general ssh activity
process == “kextd” && sender == “IOKit”	Captures successful and failed attempts to add kernel extensions
process == “screensharingd || process == “ScreensharingAgent”’	Captures events that indicate successful or failed authentication via screen sharing
process == “loginwindow” && sender == “Security”	Captures keychain.db unlock events
process == “securityd” && eventMessage CONTAINS “Session ” && subsystem == “com.apple.securityd”	Captures session creation and destruction events

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[defensivedepth]

I'll just mention that there is a rust library put out by Mandiant to parse the Unified Log - https://github.com/mandiant/macos-UnifiedLogs

[DefSecSentinel]

What is the real need here for the Apple Unified Logs? What would the goal be with these logs as opposed to what our macOS agent already provides? Our macOS agent taps into the Apple Endpoint Security Framework (ESF:https://developer.apple.com/documentation/endpointsecurity) which allows us to collect just about anything you could want to access in the Unified Logs via dedicated events vs a filtered event stream.

From a security perspective collecting Apple Unified Logging provides no real benefit aside from maybe in an incident response capacity collecting data after the fact. In addition to the many ESF events and custom/proprietary data sources our agent provides you can also implement our OSQuery integration with the agent to conduct and collect live queries of absolutely any data source macOS makes available via Unified Logs.

@defensivedepth Many of the use cases you pose from the Mandiant and Crowdstrike blogs are already covered by what our macOS agent provides utilizing Apple's ESF, or can be queried using OSQuery. The only events our agent doesn't currently collect are login/logout, session lock/unlock, screenattach, and session create/destroy all of which though we could collect and add to our agent with ESF if needed. These events though are more admin/policy focused and less helpful in actively detecting threat actor activity in real time. The events would be useful for Incident Response though or organization specific policy monitoring but like I said you can query this specific data via our agent OSQuery integration currently and we are adding the macOS login/authentication events (found here: https://developer.apple.com/documentation/endpointsecurity/endpointsecurity_structures) to our agent very soon.

[DefSecSentinel]

All of that is not to say we shouldn't have an integration for macOS Unified Logging I think we should but with our agent and OSQuery there isn't a real need for it.

[defensivedepth]

@DefSecSentinel

Our macOS agent taps into the Apple Endpoint Security Framework (ESF:https://developer.apple.com/documentation/endpointsecurity) which allows us to collect just about anything you could want to access in the Unified Logs via dedicated events vs a filtered event stream.

What specific Integration are you referring to?

[DefSecSentinel]

macOS agent with the Elastic Defend integration installed (and OSQuery integration if wanted)

[defensivedepth]

Can you post a link to the Elastic docs for Defend and ESF? I am not seeing anything.

I am running Elastic Agent + Defend on macOS and appear to just have File + Process + Network events:

[DefSecSentinel]

As long as you have those 3 options checked you should be getting everything. What specifically are you looking for?

[defensivedepth]

Ok, so to make sure I understand - if I want to detect when a new local user has been created or a configuration profile has been installed, I would need to get that through the File/Process/Network events? The ESF integration you are talking about doesn't create structured logs - like for example, EventID 4720 in the Security Event Channel on Windows is generated when a new local user is created.

[DefSecSentinel]

Yes, there are a number of different queries or detections you could write to see whether a new user has been created or configuration profile has been added using process and file events.

ESF isn't an Elastic integration. It's a framework provided by Apple on macOS that allows our agent to subscribe to specific events (similar to how you can subscribe to events by event codes like 4720 on Windows). Create user is one of those ESF events (https://developer.apple.com/documentation/endpointsecurity/es_event_od_create_user_t) we could subscribe to but don't currently.

Are you wanting to know in general if a new user gets created for policy reasons or if a new user gets created in a suspicious or abnormal manner?

[DefSecSentinel]

For instance if you want to detect when a new user gets created programmatically (not via the GUI) you can search for the use of the dscl binary with the create flag:

process : "dscl" and process.args : "create"

[natewalck]

For this particular issue, I think ingesting logs from the unified log system is the ask. You can get some info from EndpointSecurity framework, but its not the same as the log data.

[gord-lyr]

Any update on this?

I'm asking because we have a customer making use of this MacOS app: https://github.com/SAP/macOS-enterprise-privileges. Logs for this get pushed to Apple Unified Log, and not sure if this is something we could pickup automatically or not.

There are options for Syslog, but this is only useful for devices that always have line-of-sight to the syslog server, which won't always be the case - so AUL would be the best method.

Thanks