Channel: rtrouton – Der Flounder

Re-enabling OpenBSM auditing on macOS Sonoma


Apple deprecated its OpenBSM audit system beginning with macOS Big Sur, but the audit system itself stayed enabled until the release of macOS Sonoma. As of macOS Sonoma, it is disabled and does not run by default. The audit(4) man page includes this deprecation notice section:

DEPRECATION NOTICE
The audit(4) subsystem has been deprecated since macOS 11.0, disabled since macOS 14.0, and WILL BE REMOVED in a future version of macOS. Applications that require a security event stream should use the EndpointSecurity(7) API instead.
On this version of macOS, you can re-enable audit(4) by renaming or copying /etc/security/audit_control.example to /etc/security/audit_control, re-enabling the system/com.apple.auditd service by running launchctl enable system/com.apple.auditd as root, and rebooting.

If you still need to have the OpenBSM audit system running on macOS Sonoma, it’s possible to re-enable it using the procedure described in the man page. For more information, please see below the jump.

Check if it’s already running

Before enabling, I recommend verifying that it’s not already running. For example, I know that Jamf Pro 10.50 and later will re-enable the OpenBSM auditing system on macOS Sonoma Macs. Please use the procedure below to check whether something else has already enabled the OpenBSM audit system.

1. Run the following command with root privileges:

/bin/launchctl list | grep auditd

If it’s already enabled and running, you should see output similar to what’s shown below:

username@computername ~ % sudo /bin/launchctl list | grep auditd
375 0 com.apple.auditd
username@computername ~ %

If it’s not running, you should see output similar to what’s shown below (the grep returns nothing):

username@computername ~ % sudo /bin/launchctl list | grep auditd
username@computername ~ %

If the OpenBSM audit system is not running and you want to enable it, please use the procedure described below:

1. Run the following command with root privileges:

cp /etc/security/audit_control.example /etc/security/audit_control

2. Run the following command with root privileges:

/bin/launchctl enable system/com.apple.auditd

3. Restart the Mac.

4. Following the restart, verify that the auditd service is enabled by running the following command with root privileges:

/bin/launchctl list | grep auditd

You should see output similar to what’s shown below:

username@computername ~ % sudo /bin/launchctl list | grep auditd
375 0 com.apple.auditd
username@computername ~ %

Note: Step 1 copies the stock example file into place, so if you have a custom configuration for OpenBSM auditing, you’ll need to add those configuration settings to the following file:

/etc/security/audit_control

For more information on configuration of OpenBSM auditing, please see the audit_control man page or my earlier post on OpenBSM auditing.
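The check and the re-enable steps above, wrapped in a small script (an added example, not from the original post). It classifies the output of launchctl list for com.apple.auditd, only performs the copy and launchctl enable steps when they are needed, and refuses to overwrite an audit_control file that already exists. The sample launchctl output strings are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Decides from `launchctl list`
# output whether com.apple.auditd is running, loaded but idle, or absent,
# and wraps the man page's re-enable steps so they only run when needed.

# Classify `launchctl list` output passed in as a string. Columns are
# PID, last exit status, label; a PID of "-" means loaded but not running.
# Prints exactly one of: running, loaded, absent.
auditd_state() {
    printf '%s\n' "$1" | awk '
        $3 == "com.apple.auditd" {
            if ($1 ~ /^[0-9]+$/) state = "running"; else state = "loaded"
        }
        END { if (state == "") state = "absent"; print state }'
}

# Steps 1 and 2 from the post: put audit_control in place and enable the
# launchd service. Requires root on macOS; a reboot is still needed afterwards.
# Returns 0 on success, non-zero otherwise.
enable_auditd() {
    [ "$(uname -s)" = Darwin ] || { echo "not macOS" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    # Never clobber a custom audit_control the admin has already written.
    if [ ! -f /etc/security/audit_control ]; then
        cp /etc/security/audit_control.example /etc/security/audit_control || return 1
    fi
    /bin/launchctl enable system/com.apple.auditd || return 1
    echo "com.apple.auditd enabled; reboot to start the service"
}

# Constructed sample output in the shape shown in the post.
SAMPLE_RUNNING='375 0 com.apple.auditd'
SAMPLE_ABSENT=''

# Touch the live system only when actually root on macOS; otherwise just
# exercise the classifier on the constructed samples.
if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    state=$(auditd_state "$(/bin/launchctl list | grep auditd)")
    echo "com.apple.auditd: $state"
    [ "$state" = running ] || enable_auditd
else
    echo "sample (running): $(auditd_state "$SAMPLE_RUNNING")"
    echo "sample (absent):  $(auditd_state "$SAMPLE_ABSENT")"
fi
```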
