SUpraudit - An actually useful praudit(1) for MacOS
What is this?
You may or may not be familiar with BSM auditing. A legacy of the dearly departed Solaris OS, which lives on in FreeBSD, Linux and - of course - MacOS. Auditing is detailed in my *OS Internals::Security & Insecurity's Chapter 2, and is one of the diamonds in the rough as far as system monitoring is concerned. Though not as powerful as the MAC Framework (and unable to proact, only react to operations), no other framework combines the ease of live monitoring with the advantages of pure user mode. The kernel is still very much involved - but you neither can nor should modify its auditing logic, which is enabled by default.
Apple took the set of default Solaris tools (namely,
grep(1) friendly even when used with -l (single line output). And its XML output (-x) isn't that shabby either.
After 25 or so years(?) it's time for a revamp. I've reversed
The immediate and most useful feature is -S, which uses my own record format, rather than the default of Apple's. The format is very much like Linux's strace (and my own jtrace), and is super grep-friendly. You can toggle color (which really helps) using -C or the usual
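To show what "one grep-friendly line per record" means in practice, here is an added example (not SUpraudit's code, and not from this page) that parses a raw BSM record (header32, subject32, path, return32 and trailer tokens, in the layout documented in libbsm's audit_record.h) and renders it strace-style. The sample record is constructed in the script itself; event type numbers are printed raw rather than decoded.

```python
import struct

# Token ids from the BSM record format (libbsm audit_record.h)
AUT_TRAILER, AUT_HEADER32, AUT_PATH, AUT_SUBJECT32, AUT_RETURN32 = 0x13, 0x14, 0x23, 0x24, 0x27
TRAILER_MAGIC = 0xB105


def parse_record(buf):
    """Parse one BSM record (header32 ... trailer) into a dict; raise on a malformed trailer."""
    rec, off = {"paths": []}, 0
    while off < len(buf):
        tok, off = buf[off], off + 1
        if tok == AUT_HEADER32:          # size, version, event type, modifier, seconds, msec
            (rec["len"], rec["ver"], rec["event"], rec["mod"],
             rec["sec"], rec["msec"]) = struct.unpack_from(">IBHHII", buf, off)
            off += 17
        elif tok == AUT_SUBJECT32:       # auid, euid, egid, ruid, rgid, pid, sid, tid.port, tid.addr
            (rec["auid"], rec["euid"], rec["egid"], rec["ruid"], rec["rgid"],
             rec["pid"], rec["sid"], rec["port"], rec["addr"]) = struct.unpack_from(">9I", buf, off)
            off += 36
        elif tok == AUT_PATH:            # u16 length (includes the NUL), then the path bytes
            n = struct.unpack_from(">H", buf, off)[0]
            rec["paths"].append(buf[off + 2:off + 2 + n].rstrip(b"\0").decode())
            off += 2 + n
        elif tok == AUT_RETURN32:        # u8 errno, u32 return value
            rec["errno"], rec["retval"] = struct.unpack_from(">BI", buf, off)
            off += 5
        elif tok == AUT_TRAILER:         # u16 magic, u32 byte count (must match the header)
            magic, count = struct.unpack_from(">HI", buf, off)
            if magic != TRAILER_MAGIC or count != rec.get("len"):
                raise ValueError("malformed trailer")
            return rec
        else:
            raise ValueError(f"unsupported token 0x{tok:02x} at offset {off - 1}")
    raise ValueError("record has no trailer")


def to_one_line(rec):
    """Render a parsed record as one grep-friendly, strace-like line."""
    args = ", ".join(f'"{p}"' for p in rec["paths"])
    status = f"-1 (errno {rec['errno']})" if rec["errno"] else str(rec["retval"])
    return (f"{rec['sec']}.{rec['msec']:03d} pid={rec['pid']} uid={rec['euid']} "
            f"auid={rec['auid']} ev={rec['event']}({args}) = {status}")


def build_record(event, pid, uid, path, errno, retval, sec=1700000000, msec=42):
    """Constructed sample record (not captured from a real system) for offline testing."""
    body = bytes([AUT_SUBJECT32]) + struct.pack(">9I", uid, uid, 20, uid, 20, pid, 100, 0, 0)
    p = path.encode() + b"\0"
    body += bytes([AUT_PATH]) + struct.pack(">H", len(p)) + p
    body += bytes([AUT_RETURN32]) + struct.pack(">BI", errno, retval)
    total = 18 + len(body) + 7                      # header token + body + trailer token
    header = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", total, 11, event, 0, sec, msec)
    return header + body + bytes([AUT_TRAILER]) + struct.pack(">HI", TRAILER_MAGIC, total)
```

Feeding the output of `to_one_line` through grep(1) then gives you the kind of filtering the text describes, and the trailer check is what tells you a record was truncated or tampered with rather than silently parsing it anyway.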
You can filter using
'INET' (all network connections),
As another example, consider the equivalent of my filemon (sans reactive capabilities):
As a quick alternative to grep, you can use proc for builtin filters. This is recommended, since you can always apply grep(1) later. Also, doing so will automatically save an unfiltered audit log to
One of the audit mechanism's most glaring omissions is that, unlike syslogd, it doesn't do remote logging to a centralized server - which is imperative if you want to ensure log integrity, and vital if you have more than 5 machines, like in an enterprise. Well, that's been fixed. Using -R will relay to a centralized server, but that requires...
Oh, yes.. There's SUpraudit-PRO
A 'pro' version of SUpraudit has even more features, including:
- Triggers: Using a config file you can have supraudit execute commands with basic variable substitution (e.g: 'on file access "/secret/*" kill subject'). This is not recommended for security-sensitive prevention, because the audit mechanism is reactive. But it can be useful to set up a basic host intrusion mechanism.
- Plugins: SUpraudit has a simple but powerful API for developers wishing to write their own programmatic plugins. This can be used to integrate with littlesnitch/bigbrother/twinsister/whatever.
- GUI (available soon): When you consolidate multiple audit logs, the data becomes crazy unmanageable. SUpraudit pro has a GUI which you can use to filter, sort, analyze, and even construct a timeline view showing you who-done-what.
The PRO version is in development, and will get a much more official and snazzier page when the fine folks at Technologeeks.com get to it.
supraudit is FREE for personal use, and/or up to 5 hosts.
- If you are going to use this in a commercial environment of 10+ hosts, you'll need to talk to email@example.com about licensing - and you probably want to get the PRO version anyway, which contains the server (for -R message relaying) and, soon, the GUI.
- If you suggest an improvement or fix which I will incorporate, you get a free site license for life, and my thanks.
- And now that you've read the license, feel free to get the binary (with its man page) here.
supraudit's own webpage