Apple deprecated its OpenBSM audit system beginning with macOS Big Sur (macOS 11), but the audit system itself stayed enabled by default until the release of macOS Sonoma (macOS 14). As of macOS Sonoma, it is disabled and does not run by default. The audit(4) man page includes this deprecation notice section:
DEPRECATION NOTICE
The audit(4) subsystem has been deprecated since macOS 11.0, disabled since macOS 14.0, and WILL BE REMOVED in a future version of macOS. Applications that require a security event stream should use the EndpointSecurity(7) API instead.
On this version of macOS, you can re-enable audit(4) by renaming or copying /etc/security/audit_control.example to /etc/security/audit_control, re-enabling the system/com.apple.auditd service by running launchctl enable system/com.apple.auditd as root, and rebooting.
If you still need to have the OpenBSM audit system running on macOS Sonoma, it’s possible to re-enable it using the procedure described in the man page. For more information, please see below the jump.
Check if it’s already running
Before enabling, I recommend verifying that it's not already running. For example, I know that Jamf Pro 10.50 and later will re-enable the OpenBSM auditing system on macOS Sonoma Macs. Please use the procedure below to check whether something else has already enabled the OpenBSM audit system.
1. Run the following command with root privileges:
/bin/launchctl list | grep auditd
If it’s already enabled and running, you should see output similar to what’s shown below:
username@computername ~ % sudo /bin/launchctl list | grep auditd
375 0 com.apple.auditd
username@computername ~ %
If it’s not running you should see output similar to what’s shown below:
username@computername ~ % sudo /bin/launchctl list | grep auditd
username@computername ~ %
If the OpenBSM audit system is not running and you want to enable it, please use the procedure described below:
1. Run the following command with root privileges:
cp /etc/security/audit_control.example /etc/security/audit_control
2. Run the following command with root privileges:
/bin/launchctl enable system/com.apple.auditd
3. Restart the Mac.
4. Following the restart, verify that the auditd service is enabled by running the following command with root privileges:
/bin/launchctl list | grep auditd
You should see output similar to what’s shown below:
username@computername ~ % sudo /bin/launchctl list | grep auditd
375 0 com.apple.auditd
username@computername ~ %
Note: If you have a custom configuration for OpenBSM auditing, you'll need to add those configuration settings to the following file:
/etc/security/audit_control
Be aware that the cp command in step 1 silently overwrites any existing /etc/security/audit_control, so if you already have a customized copy of that file, skip the copy (or back the file up first) and merge your settings afterward.
For more information on configuration of OpenBSM auditing, please see the audit_control man page or my earlier post on OpenBSM auditing.
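The check and re-enable steps above, combined into one script as an added example (this is not from the original post or from Apple). It assumes the three-column PID / last-exit-status / label format that launchctl list prints, where a "-" in the PID column means the job is loaded but not running, and it only copies audit_control.example into place when no audit_control already exists, so a customized configuration is not clobbered. The enable step must run as root on macOS Sonoma and still requires a reboot; the sample launchctl lines near the bottom are constructed for illustration, not captured from a real Mac.

```shell
#!/bin/sh
# Added example (not from the original post): report whether com.apple.auditd
# is loaded/running and, when run as root with --enable, re-enable it using the
# procedure from the audit(4) deprecation notice. Assumes macOS Sonoma and that
# /etc/security/audit_control.example exists. A reboot is still required.

AUDIT_CONTROL=/etc/security/audit_control
AUDIT_CONTROL_EXAMPLE=/etc/security/audit_control.example
AUDITD_SERVICE=system/com.apple.auditd

# auditd_state: reads `launchctl list` output on stdin and prints one word:
#   running - a PID is shown for com.apple.auditd
#   loaded  - the job is listed but the PID column is "-" (loaded, not running)
#   absent  - no com.apple.auditd line at all (service disabled or not loaded)
# launchctl list prints three columns: PID, last exit status, label.
auditd_state() {
    awk '$3 == "com.apple.auditd" {
             found = 1
             if ($1 ~ /^[0-9]+$/) print "running"; else print "loaded"
             exit
         }
         END { if (!found) print "absent" }'
}

# enable_auditd: performs the man page procedure. The example config is copied
# only when no audit_control exists, so a customized file is not overwritten.
enable_auditd() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "enable_auditd: must run as root" >&2
        return 1
    fi
    if [ -f "$AUDIT_CONTROL" ]; then
        echo "keeping existing $AUDIT_CONTROL (merge custom settings yourself)"
    else
        cp "$AUDIT_CONTROL_EXAMPLE" "$AUDIT_CONTROL" || return 1
    fi
    /bin/launchctl enable "$AUDITD_SERVICE" || return 1
    echo "com.apple.auditd enabled; reboot to start the audit system"
}

# Constructed sample lines (not captured from a real Mac) showing each case.
SAMPLE_RUNNING='375 0 com.apple.auditd'
SAMPLE_LOADED='- 0 com.apple.auditd'
SAMPLE_ABSENT='83 0 com.apple.syslogd'

printf '%s\n' "$SAMPLE_RUNNING" | auditd_state   # running
printf '%s\n' "$SAMPLE_LOADED"  | auditd_state   # loaded
printf '%s\n' "$SAMPLE_ABSENT"  | auditd_state   # absent

# On a real Mac: report the live state, and enable only when asked to.
if [ -x /bin/launchctl ]; then
    state=$(/bin/launchctl list | auditd_state)
    echo "com.apple.auditd: $state"
    if [ "$state" = "absent" ] && [ "${1:-}" = "--enable" ]; then
        enable_auditd
    fi
fi
```

Run it as root (sudo sh check_auditd.sh) to see the current state, and add --enable to perform the copy and launchctl enable steps; the script never reboots for you, so follow it with a restart and then re-run it to confirm that the state is "running".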