
[Auditbeat] MacOS auditing

Open andrewkroh opened this issue 6 years ago • 18 comments

There is some built-in auditing support in macOS. I don't know much about it yet, but it sounds like we can get execve info at a minimum. This needs more investigation.

  • https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man2/auditon.2.html
  • https://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html
  • https://github.com/objective-see/ProcInfo/blob/e6c01fdf69a605491aa52d7466888ef1f3f2e984/procInfo/ProcessMonitor.m#L125
  • sudo praudit -l /dev/auditpipe

andrewkroh, Jan 12 '18 18:01

Does the new version include support for auditd on OSX? Wondering what the status of this issue is.

asekhar, Dec 06 '18 19:12

@asekhar Not yet. Though we are working on some enhancements to Auditbeat that will allow collecting additional information on macOS as well.

If you don't mind me asking - what information would you want to collect?

Note: macOS does not have auditd as Linux does and so we will always be limited in what we can collect compared to it (in Linux, you can pretty much collect anything).

cwurm, Dec 06 '18 23:12

I'd like to get as close to the artifacts described here: https://blogs.dropbox.com/tech/2018/04/4696/ as possible, but among others, process name, path, arguments, parent process, network connections, file creations.

asekhar, Dec 07 '18 00:12

FreeBSD also uses the OpenBSM audit framework, so making sure it works on FreeBSD as well would be ideal.

edit:

sudo praudit -l /dev/auditpipe

This is not ideal. I've done this on FreeBSD boxes to pipe that through logger(1) to get the data into syslog so I can ship it to Logstash... high activity on a system can hit 100% cpu usage for that praudit(1) process pretty quickly, so you've just wasted an entire CPU core shipping logs that normally takes less than 1% CPU when it's shipped in its native binary format with auditdistd(8)

feld, Jan 04 '19 17:01

+1 for native FreeBSD audit support, with perspective of abstracting the data together with Linux audit events

Vladimir-csp, Mar 20 '19 09:03

This will get you XML, not sure if it would be easier to pass into a parser or if it adds any additional load.

sudo praudit -x -l /dev/auditpipe

gwsales, May 24 '19 13:05
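Added example, not code from this issue or from Auditbeat: a small Go parser for the XML that `praudit -x` emits, extracting the execve(2) view (subject, path, arguments, result) that the thread is asking for. The input below is a constructed stand-in for a few records off `/dev/auditpipe`; the element and attribute names (`record`, `exec_args`/`arg`, `path`, `subject`, `return`) follow the praudit(1) XML layout as I understand it and are an assumption, not a spec. The `Elevated` flag, which compares the audit (login) uid with the effective uid, is my own addition for spotting execs that happened under sudo/su.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// SampleStream is a constructed stand-in for `sudo praudit -x -l /dev/auditpipe`
// output: a sequence of top-level <record> elements with no enclosing root.
const SampleStream = `<record version="11" event="execve(2)" modifier="0" time="Fri Jan 12 18:01:00 2018" msec=" + 123 msec">
<exec_args><arg>/bin/ls</arg><arg>-l</arg><arg>/tmp</arg></exec_args>
<path>/bin/ls</path>
<attribute mode="100755" uid="root" gid="wheel" fsid="16777220" nodeid="1234" device="0"/>
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="4242" sid="100005" tid="50331650 0.0.0.0"/>
<return errval="success" retval="0"/>
</record>
<record version="11" event="open(2) - read" modifier="0" time="Fri Jan 12 18:01:00 2018" msec=" + 124 msec">
<path>/etc/hosts</path>
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="4242" sid="100005" tid="50331650 0.0.0.0"/>
<return errval="success" retval="3"/>
</record>
<record version="11" event="execve(2)" modifier="0" time="Fri Jan 12 18:01:01 2018" msec=" + 7 msec">
<exec_args><arg>/usr/local/bin/missing-tool</arg></exec_args>
<path>/usr/local/bin/missing-tool</path>
<subject audit-uid="alice" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="4243" sid="100005" tid="50331650 0.0.0.0"/>
<return errval="failure : No such file or directory" retval="-1"/>
</record>
`

// rawRecord maps the subset of a praudit -x <record> we care about; unknown
// attributes and elements (version, modifier, <attribute>, ...) are ignored.
type rawRecord struct {
	Event   string   `xml:"event,attr"`
	Time    string   `xml:"time,attr"`
	Args    []string `xml:"exec_args>arg"`
	Paths   []string `xml:"path"`
	Subject struct {
		AuditUID string `xml:"audit-uid,attr"` // login identity, survives sudo/su
		UID      string `xml:"uid,attr"`       // effective user at the time of the call
		PID      int    `xml:"pid,attr"`
	} `xml:"subject"`
	Return struct {
		ErrVal string `xml:"errval,attr"`
		RetVal int    `xml:"retval,attr"`
	} `xml:"return"`
}

// ExecEvent is the process-execution view a SIEM would want from an execve(2) record.
type ExecEvent struct {
	Time     string
	PID      int
	UID      string
	AuditUID string
	Path     string
	Args     []string
	Success  bool
	Error    string // errval text when the exec failed
	Elevated bool   // effective uid differs from the audit (login) uid
}

// ParseExecEvents decodes a praudit -x stream and keeps only execve(2) records.
func ParseExecEvents(stream string) ([]ExecEvent, error) {
	var doc struct {
		Records []rawRecord `xml:"record"`
	}
	// Wrap the record sequence in a synthetic root so encoding/xml sees one document.
	if err := xml.Unmarshal([]byte("<audit>"+stream+"</audit>"), &doc); err != nil {
		return nil, err
	}
	var out []ExecEvent
	for _, r := range doc.Records {
		if !strings.HasPrefix(r.Event, "execve(") {
			continue
		}
		ev := ExecEvent{
			Time:     r.Time,
			PID:      r.Subject.PID,
			UID:      r.Subject.UID,
			AuditUID: r.Subject.AuditUID,
			Args:     r.Args,
			Success:  r.Return.ErrVal == "success",
			Elevated: r.Subject.AuditUID != "" && r.Subject.AuditUID != r.Subject.UID,
		}
		if len(r.Paths) > 0 {
			ev.Path = r.Paths[0]
		}
		if !ev.Success {
			ev.Error = r.Return.ErrVal
		}
		out = append(out, ev)
	}
	return out, nil
}

func main() {
	evs, err := ParseExecEvents(SampleStream)
	if err != nil {
		panic(err)
	}
	for _, ev := range evs {
		fmt.Printf("%s pid=%d uid=%s auid=%s elevated=%v ok=%v %q\n",
			ev.Time, ev.PID, ev.UID, ev.AuditUID, ev.Elevated, ev.Success, ev.Args)
	}
}
```

In practice the stream would come from the stdout of the `praudit` process rather than a constant; everything else stays the same. Note that the non-execve record is dropped and the failed exec keeps its errval, which is the kind of detail that gets lost if you only look at successful process starts.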

@andrewkroh Auditbeat is now listed as supported in our Support Matrix for MacOS >= 10.13 (High Sierra). Can this issue be closed?

deepybee, Aug 30 '19 15:08

No, it cannot be closed. There are many features of Auditbeat that work on MacOS, but reading MacOS audit data from the auditpipe is not one of them yet.

andrewkroh, Aug 30 '19 15:08

OK, thanks for the clarification!

deepybee, Aug 30 '19 16:08

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot], Jul 30 '20 16:07

@andrewkroh can you get this one reopened or maybe assigned to a team?

gwsales, Aug 29 '20 18:08

Pinging @elastic/siem (Team:SIEM)

elasticmachine, Sep 01 '20 18:09

Passing on these links on behalf of another:

  • https://community.spiceworks.com/topic/562291-how-to-audit-log-file-access-events-on-mac-os-x
  • https://www.scip.ch/en/?labs.20150108

The first should be covered by the File Integrity Module. The second appears to be this GH issue.

inqueue, Nov 09 '20 21:11

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot], Oct 10 '21 22:10

Can this issue be re-opened? It appears auditbeat attempts to parse process information in real time instead of subscribing to events in MacOS, which causes many events to be missed if they start and stop quickly. Additionally, in order to get information about processes executing from auditd, you must modify files in /etc/security, then reboot the system (as SIP prevents you from restarting the auditd process with the new configuration). Additionally, every OS update wipes out changes to files located in /etc/security.

It is possible to build filters and subscribe to system events, especially in MacOS 11.x. Other tools such as Jamf Protect do this.

jasonborchardt, Jan 20 '22 12:01

@elastic/siem : Could we please get this ticket re-opened? It has not been resolved yet and is important functionality.

a03nikki, Jan 20 '22 15:01

Agreed.

austinsonger, Feb 03 '22 00:02

No movement on this? We are only just now starting to test Auditbeat on Mac (we are mainly a Windows and Linux shop).

MakoWish, Oct 07 '22 22:10

Thanks to everyone who has chimed in on this issue. While we have an integration with Jamf Compliance Reporter to ingest events from Unified Logging, I understand this dependency on a 3rd party solution isn't ideal. We're currently assessing some options to natively support Unified Logging. If folks could share information on your use case for the Unified Logs, it would be a great help as we look at some options - e.g. are you mainly interested in process and authentication events, or any other event types?

jamiehynds, Oct 19 '22 12:10

For us it is mainly authentication events.

MakoWish, Oct 19 '22 15:10