"Auditable Events" in OS X?

Not applicable

Very broad, but worth asking...

I've been asked to produce a list of "auditable events" in the Mac OS. I'm aware that we can track just about anything with the right config, but does anyone know of a list from Apple of things that are "built in" to the OS? I've got more historical data in the JAMF | Pro console than I need, but looking for specific OS-level items, such as logon/logoff, failed logons, etc. Just wondering if anyone has a list or link.


wlcasey
New Contributor III

That term "auditable events" makes me think they are looking for the items included in BSM auditing.

The best reference to get started with BSM is on Der Flounder.

See https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/

If you look up the events associated with BSM logging, there is a handy list to give the security folks who asked. But once you say BSM, they should already know what is on that list...

And be careful: if their instructions are to "audit everything", they are crazy. BSM can create some serious logs if you're not careful. It will fill up your hard drive in no time.
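To make the "logon/logoff, failed logons" part of the list concrete, here is an added example (not from the reply above, and not Apple's or the OpenBSM project's code) that pulls exactly those events out of a BSM trail. It assumes the trail has already been converted with `praudit -x /var/audit/<trail>` and that the machine's `/etc/security/audit_control` `flags:` line includes the `lo` (login/logout) class; the XML element and attribute names below follow praudit's `-x` output as I know it, and the embedded records are constructed sample data, not a real trail.

```python
"""Extract logon, logoff and failed-logon events from praudit -x output.

Added example for the thread above; assumes praudit -x XML structure
(<record event=...> containing <subject>, <text> and <return errval=...>).
The sample trail below is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of what `praudit -x` emits for a handful of "lo" class
# records: one local login, three failed SSH logins from the same address,
# one successful SSH login and one local logout.
SAMPLE_PRAUDIT_XML = """<?xml version='1.0' ?>
<audit>
<record version="11" event="login - local" modifier="0" time="Tue Jan 30 09:02:11 2018" msec=" + 101 msec">
<subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="312" sid="100001" tid="312 0.0.0.0"/>
<text>successful login alice</text>
<return errval="success" retval="0"/>
</record>
<record version="11" event="OpenSSH login" modifier="0" time="Tue Jan 30 09:05:40 2018" msec=" + 5 msec">
<subject audit-uid="-1" uid="-1" gid="-1" ruid="-1" rgid="-1" pid="410" sid="100002" tid="410 203.0.113.7"/>
<text>invalid user bob</text>
<return errval="failure" retval="255"/>
</record>
<record version="11" event="OpenSSH login" modifier="0" time="Tue Jan 30 09:05:43 2018" msec=" + 9 msec">
<subject audit-uid="-1" uid="-1" gid="-1" ruid="-1" rgid="-1" pid="411" sid="100003" tid="411 203.0.113.7"/>
<text>invalid user bob</text>
<return errval="failure" retval="255"/>
</record>
<record version="11" event="OpenSSH login" modifier="0" time="Tue Jan 30 09:05:47 2018" msec=" + 2 msec">
<subject audit-uid="-1" uid="-1" gid="-1" ruid="-1" rgid="-1" pid="412" sid="100004" tid="412 203.0.113.7"/>
<text>invalid user bob</text>
<return errval="failure" retval="255"/>
</record>
<record version="11" event="OpenSSH login" modifier="0" time="Tue Jan 30 09:06:02 2018" msec=" + 77 msec">
<subject audit-uid="502" uid="502" gid="20" ruid="502" rgid="20" pid="413" sid="100005" tid="413 203.0.113.7"/>
<text>successful login carol</text>
<return errval="success" retval="0"/>
</record>
<record version="11" event="logout - local" modifier="0" time="Tue Jan 30 17:30:05 2018" msec=" + 3 msec">
<subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="312" sid="100001" tid="312 0.0.0.0"/>
<text>logout alice</text>
<return errval="success" retval="0"/>
</record>
</audit>
"""


def classify(event_name):
    """Map a BSM event name to 'login', 'logout' or None (not a logon event)."""
    name = event_name.lower()
    if "logout" in name:
        return "logout"
    if "login" in name:
        return "login"
    return None


def parse_records(xml_text):
    """Flatten praudit -x records into dicts with the fields forensics cares about."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter("record"):
        subject = rec.find("subject")
        ret = rec.find("return")
        text = (rec.findtext("text") or "").strip()
        errval = ret.get("errval", "") if ret is not None else ""
        tid = subject.get("tid", "") if subject is not None else ""
        audit_uid = subject.get("audit-uid", "-1") if subject is not None else "-1"
        # Failed logins carry audit-uid -1 (no session), so fall back to the
        # user name praudit puts at the end of the <text> token.
        user = audit_uid if audit_uid != "-1" else (text.split()[-1] if text else "?")
        records.append({
            "time": rec.get("time", ""),
            "event": rec.get("event", ""),
            "user": user,
            "source": tid.split()[-1] if tid else "",   # tid is "<tid> <ip>"
            "success": errval.startswith("success"),
        })
    return records


def summarize(records):
    """Count logons, logoffs and failed logons; failures are bucketed by source IP."""
    summary = {"logins": 0, "logouts": 0, "failed_logins": 0,
               "failures_by_source": Counter()}
    for r in records:
        kind = classify(r["event"])
        if kind == "logout":
            summary["logouts"] += 1
        elif kind == "login":
            if r["success"]:
                summary["logins"] += 1
            else:
                summary["failed_logins"] += 1
                summary["failures_by_source"][r["source"]] += 1
    return summary


def suspicious_sources(records, threshold=3):
    """Source addresses with at least `threshold` failed logons (assumed cutoff)."""
    counts = summarize(records)["failures_by_source"]
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_PRAUDIT_XML)
    print(summarize(recs))
    print("repeat failures from:", suspicious_sources(recs))
```

On a real box the input would come from `praudit -x` over a trail under `/var/audit`, optionally pre-filtered with `auditreduce -c lo` so you never read the rest of the classes; that filtering is also the practical answer to the disk-space warning above, since only the `lo` and `aa` classes need to be enabled for this report.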

Not applicable

Thanks - much appreciated. I found the BSM list, but the new unified logging still gives me a headache, so I'm looking next for something like a list of predicates that can be used to filter there. I also have all of our JAMF logs, of course, and I know there are a few other random ones scattered around; I'm just trying to find as complete a list as possible.

Our focus is mostly forensic, so BSM probably covers the essentials (login/out, etc.); we'll also eventually want things like failed login attempts, etc. Not too worried about being told "log ALL THE THINGS!", but that's always a risk once you tell them all the data that you CAN capture.