SUpraudit - An actually useful praudit(1) for MacOS

What is this?

You may or may not be familiar with BSM auditing, a legacy of the dearly departed Solaris OS which lives on in FreeBSD, Linux and - of course - MacOS. Auditing is detailed in Chapter 2 of my *OS Internals::Security & Insecurity, and is one of the diamonds in the rough as far as system monitoring is concerned. Though not as powerful as the MAC Framework (and unable to proact, only react to operations), no other framework combines the ease of live monitoring with the advantages of pure user mode. The kernel is still very much involved - but you neither can nor should modify its auditing logic, which is enabled by default.

Apple took the set of default Solaris tools (namely, praudit(1), auditreduce and audit(8)) and hasn't really invested in them. At all. Notably, praudit(1), which is used to print audit records from files in /var/audit and from /dev/auditpipe, is a pretty terrible tool that is not grep(1) friendly even when used with -l (single line output). And its XML output (-x) isn't much better either.

Enter: SUpraudit

After 25 or so years(?), it's time for a revamp. I've reversed praudit's paltry ~220 lines of assembly back to source, and then decided to rebuild it - better than before:

# Yes, you MUST have root privileges for this
morpheus@Zephyr (~) % supraudit
You're wasting my time, little man. I need root privileges

root@Zephr (~) #supraudit -h
supraudit: illegal option -- -h
usage: supraudit [-lnpx] [-r | -s] [-d del] [file ...]
         OR
       supraudit [-S] [-C] [-R _addr_]
       -S: SuperAudit records (much more readable)
       -C: Color (because everything looks better in color)
       -R: Relay to remote server at _addr_
       -F: Filter by predefined rules - files, net, proc
       -O: Log to specified outputfile

Usage examples

The immediate and most useful feature is -S, which uses my own record format, rather than the default of Apple's. The format is very much like Linux's strace (and my own jtrace), and is super grep-friendly. You can toggle color (which really helps) using -C or the usual JCOLOR=1:

You can filter using grep and cut -d'|'.

Some useful filters for grep are 'INET' (all network connections), 'INET4' (IPv4 only) and 'INET6' (IPv6 only).

As another example, consider the equivalent of my filemon (sans reactive capabilities):

As a quick alternative to grep, you can use -F files, net or proc for builtin filters. This is recommended, since you can always apply grep(1) later. Also, doing so will automatically save an unfiltered audit log to /tmp, so you can then see the full picture at any time.

Remote loghost

One of the audit mechanism's most glaring omissions is that, unlike syslogd, it doesn't do remote logging to a centralized server - which is imperative if you want to ensure log integrity, and vital if you have more than 5 machines, like in an enterprise. Well, that's been fixed. Using supraudit with -R will relay to a centralized server, but that requires...

Oh, yes.. There's SUpraudit-PRO

A 'pro' version of SUpraudit has even more features, including:

The PRO version is in development, and will get a much more official and snazzier page when the fine folks at Technologeeks.com get to it.

License

TG Announcement - The upcoming MOXiI training in NYC (December 11th, 2017) is open for registration! SUpraudit is only one of the many cool tracing/RE methods we demonstrate. You might want to follow @Technologeeks for announcements! You can drop i/n/f/o at TG an email if you want more details or to register.

Changelog

  • 10/01/2017 - Finally made supraudit its own webpage