Reading Mac BSM Audit Logs

By: Sarah Edwards

The audit trail logs provide security-related information, in particular user login and logoff data. By default, these logs record a user logging in and out via the login screen or SSH, user credential authentication on behalf of a software program, and failed logins. They also record when a user account is created on or removed from the system.

OpenBSM, the implementation OS X ships, was developed by McAfee Research under contract to Apple; Apple relies on these logs to meet Common Criteria requirements. The record format is based on the Basic Security Module (BSM) developed by Sun Microsystems for Solaris.

The logs are located in /private/var/audit. On a live system the directory is readable only by root (use sudo, or enable the root user); otherwise extract the files from a forensic image. Each file is named StartTime.EndTime, with both timestamps in UTC and in the format YYYYMMDDHHMMSS.YYYYMMDDHHMMSS (see Figure 1). Each of these files is known as a "trail file."

Figure 1 – Audit Log Files in /private/var/audit/

Other files in the directory carry one of the following labels in their filename:
• .crash_recovery – A trail that was not terminated because of a crash and was recovered afterwards. The next trail file will have an "Audit recovery" record as its first record.
• current – Symlink to the currently active trail file.
• .not_terminated – The active trail file, or a trail left behind when auditd was not shut down gracefully.
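To turn a directory listing into the time span each trail covers, and to spot gaps in coverage, here is an added Python example (not part of the original post). It parses the StartTime.EndTime names and the suffixes listed above; the listing it runs on is constructed. The gap check assumes that auditd normally opens the next trail at the moment it closes the previous one, so a gap between a closed trail's end and the next trail's start means auditing was not running (or a file is missing).

```python
import re
from datetime import datetime, timedelta, timezone

# Trail names are StartTime.EndTime in UTC (YYYYMMDDHHMMSS each); the second
# half may instead be one of the state suffixes described above.
TRAIL_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated|crash_recovery)$")


def _utc(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_trail_name(name):
    """Return (start, end, state) for a trail filename, or None for anything
    else in the directory (e.g. the 'current' symlink). 'end' is None for a
    trail that is still open (not_terminated) or was recovered (crash_recovery)."""
    m = TRAIL_RE.match(name)
    if not m:
        return None
    tail = m.group(2)
    if tail.isdigit():
        return _utc(m.group(1)), _utc(tail), "closed"
    return _utc(m.group(1)), None, tail


def trail_coverage(names, tolerance=timedelta(minutes=1)):
    """Sort trails by start time and list gaps between a closed trail's end and
    the start of the next trail. Assumption: auditd opens the next trail as it
    closes the previous one, so a gap means auditing was off or a file is gone."""
    trails = sorted((t for t in map(parse_trail_name, names) if t), key=lambda t: t[0])
    gaps = []
    for (_, end, _), (next_start, _, _) in zip(trails, trails[1:]):
        if end is not None and next_start - end > tolerance:
            gaps.append((end, next_start, next_start - end))
    return trails, gaps


# Constructed directory listing, not taken from a real system.
SAMPLE_LISTING = [
    "current",
    "20120420120000.20120421060000",
    "20120419000000.20120420120000",
    "20120421220000.crash_recovery",
    "20120422010000.not_terminated",
]

if __name__ == "__main__":
    trails, gaps = trail_coverage(SAMPLE_LISTING)
    for start, end, state in trails:
        shown_end = f"{end:%Y-%m-%d %H:%M}" if end else "(no end)"
        print(f"{start:%Y-%m-%d %H:%M} -> {shown_end} UTC  {state}")
    for end, next_start, delta in gaps:
        print(f"gap of {delta} between {end:%Y-%m-%d %H:%M} and {next_start:%Y-%m-%d %H:%M} UTC")
```

On the constructed listing the second closed trail ends at 06:00 UTC and the crash-recovered trail does not start until 22:00 UTC, so a 16-hour gap is reported; the pair ending in crash_recovery and not_terminated has no end time and is not compared.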

Audit log expiration can be set in the audit_control file (see Audit Configuration Files below) with the expire-after setting, but it is not configured by default on OS X. It is unknown how and when these log files are removed, but the system appears to keep roughly the past six months' worth of trail files.

Carving for Audit Logs

Carving free space for these files may be accomplished by keyword searching. There is vital data immediately before and after these keywords (see Manual File Parsing below), as they sit inside the starting and ending records of a trail file. A trail that ended as .not_terminated or .crash_recovery will not have the "Audit shutdown" record at its end, and the trail written after a crash recovery may begin with a "launchctl::Audit recovery" record instead.
• File Start (Figure 2) – launchctl::Audit startup
• File End (Figure 3) – launchctl::Audit shutdown

Figure 2 – Audit startup Record

Figure 3 – Audit shutdown Record

Reviewing Audit Logs Using praudit

The log files are in a binary format that is not human-readable, which is where the command line tool praudit comes in handy. praudit can print these files in a variety of formats.

The default format is shown below; this excerpt contains one record from a log.

header,139,11,user authentication,0,Sat Apr 21 22:02:14 2012, + 940 msec
subject,oompa,oompa,staff,root,staff,69,100005,69,0.0.0.0
text,Verify password for record type Users 'oompa' node '/Local/Default'
return,success,0
trailer,139

Audit Log File Format

Each record contains tokens. In the example above, there are five tokens.

  • Header
  • Subject
  • Text
  • Return
  • Trailer

Each log record may contain a variety of tokens; detailed information about each token type can be found in the audit.log(5) man page. In general each record starts with a 'header' token and ends with a 'trailer' token.

The 'header' token contains the number of bytes in the record (139), the record version (11), the event type (user authentication), the event modifier (0), and the timestamp.

The 'subject' and 'subject_ex' tokens are also of value, as these describe the user account and process performing the action. In the order praudit prints them, with the values from the record above:

  • Audit ID (oompa)
  • Effective User ID (oompa)
  • Effective Group ID (staff)
  • Real User ID (root)
  • Real Group ID (staff)
  • Process ID (69)
  • Session ID (100005)
  • Terminal Port ID (69)
  • Terminal Machine Address (0.0.0.0)

The audit ID is the account that originally authenticated and it survives later privilege changes, which is why it differs from the real user ID (root) here: a root-owned process is verifying oompa's password. The 'subject_ex' variant carries an extended (IPv4 or IPv6) terminal address.
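As an added example (not code from the original post), here is a small Python parser for praudit's default output as shown above, followed by a check an analyst typically wants from these logs: failed authentications per account and source address. The first record in the sample is the one from this post; the two that follow are constructed, and the "failure : ..." form of their return tokens is assumed to be how praudit prints a non-zero error status (it may differ by version). subject_ex tokens and other token types are ignored by this parser.

```python
import collections

# Field names in the order praudit prints them (see the token description above).
HEADER_FIELDS = ("bytes", "version", "event", "modifier", "time", "msec")
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")


def parse_praudit(text):
    """Parse praudit's default output (one token per line, each record bracketed
    by a header and a trailer token) into a list of dicts keyed by token name."""
    records, rec = [], None
    for line in text.splitlines():
        name, _, rest = line.partition(",")
        if name == "header":
            # the timestamp itself contains a comma, so split at most 5 times
            rec = {"header": dict(zip(HEADER_FIELDS, rest.split(",", 5))), "text": []}
        elif rec is None:
            continue                        # token outside any record: skip it
        elif name == "subject":
            rec["subject"] = dict(zip(SUBJECT_FIELDS, rest.split(",")))
        elif name == "text":
            rec["text"].append(rest)        # message kept verbatim, commas included
        elif name == "return":
            status, _, retval = rest.rpartition(",")
            rec["return"] = {"ok": status == "success", "status": status, "retval": retval}
        elif name == "trailer":
            records.append(rec)
            rec = None
        # path, argument, exec arg, subject_ex, ... are not needed for this check
    return records


def failed_auth_summary(records, events=("user authentication", "OpenSSH login")):
    """Count failed authentication records per (audit ID, terminal address).
    A terminal address other than 0.0.0.0 indicates a network login such as SSH."""
    counts = collections.Counter()
    for r in records:
        subj, ret = r.get("subject"), r.get("return")
        if subj and ret and not ret["ok"] and r["header"]["event"] in events:
            counts[(subj["auid"], subj["tid_addr"])] += 1
    return counts


# Constructed sample: the first record is the one shown in this post; the other
# two are made up to show a failed local login and a failed SSH login.
SAMPLE_PRAUDIT_OUTPUT = """\
header,139,11,user authentication,0,Sat Apr 21 22:02:14 2012, + 940 msec
subject,oompa,oompa,staff,root,staff,69,100005,69,0.0.0.0
text,Verify password for record type Users 'oompa' node '/Local/Default'
return,success,0
trailer,139
header,139,11,user authentication,0,Sat Apr 21 22:03:01 2012, + 12 msec
subject,oompa,oompa,staff,root,staff,69,100005,69,0.0.0.0
text,Verify password for record type Users 'oompa' node '/Local/Default'
return,failure : Unknown error: 255,5000
trailer,139
header,112,11,OpenSSH login,0,Sat Apr 21 23:10:44 2012, + 301 msec
subject,oompa,oompa,staff,oompa,staff,812,100011,50022,10.0.0.25
text,failed login oompa
return,failure : Unknown error: 255,5000
trailer,112
"""

if __name__ == "__main__":
    for (account, addr), n in failed_auth_summary(parse_praudit(SAMPLE_PRAUDIT_OUTPUT)).items():
        print(f"{n} failed authentication(s) for {account} from {addr}")
```

Run praudit without -n only when the logs come from the machine you are on; with -n the same parser works, the subject fields simply hold numeric IDs instead of names.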

praudit Output Formats

As stated above, praudit has the ability to output in different formats; see the praudit(1) man page for the full list.

The output of the -l option, which prints each record on a single line, with the tokens delimited by commas.

header,139,11,user authentication,0,Sat Apr 21 22:02:14 2012, + 940 msec,subject,oompa,oompa,staff,root,staff,69,100005,69,0.0.0.0,text,Verify password for record type Users 'oompa' node '/Local/Default',return,success,0,trailer,139,

The output of the -r option, which prints each record in raw form: token IDs (20 = header, 36 = subject, 40 = text, 39 = return, 19 = trailer), the event number, user and group IDs, and the epoch timestamp are all left unresolved.

20,139,11,45023,0,1335060134,940
36,501,501,20,0,20,69,100005,69,0.0.0.0
40,Verify password for record type Users 'oompa' node '/Local/Default'
39,0,0
19,139

The output of the -s option, which prints each record in short form: the event is shown by its symbolic name (AUE_auth_user) rather than its description.

header,139,11,AUE_auth_user,0,Sat Apr 21 22:02:14 2012, + 940 msec
subject,oompa,oompa,staff,root,staff,69,100005,69,0.0.0.0
text,Verify password for record type Users 'oompa' node '/Local/Default'
return,success,0
trailer,139

The output of the -x option, which prints out each record in XML format.


<record version="11" event="user authentication" modifier="0" time="Sat Apr 21 22:02:14 2012" msec=" + 940 msec" >
<subject audit-uid="oompa" uid="oompa" gid="staff" ruid="root" rgid="staff" pid="69" sid="100005" tid="69 0.0.0.0" />
<text>Verify password for record type Users &apos;oompa&apos; node &apos;/Local/Default&apos;</text>
<return errval="success" retval="0" />
</record>

The output using the -x and -n options, which prints each record in XML format without resolving user and group IDs to names. Use -n whenever the analysis is not done on the original system (e.g. audit logs extracted from a forensic image): praudit resolves IDs against the user database of the machine it runs on, so the names it prints for another system's logs would be wrong. I find the XML format to be the easiest to read if you are not familiar with the token formats.


<record version="11" event="user authentication" modifier="0" time="Sat Apr 21 22:02:14 2012" msec=" + 940 msec" >
<subject audit-uid="501" uid="501" gid="20" ruid="0" rgid="20" pid="69" sid="100005" tid="69 0.0.0.0" />
<text>Verify password for record type Users &apos;oompa&apos; node &apos;/Local/Default&apos;</text>
<return errval="success" retval="0" />
</record>

To output all audit files in a directory to a file called audit_log_output.txt
(XML format without user/group names resolved), use this command:

praudit -xn /example/directory/path/* >audit_log_output.txt

Note that if the directory still contains the current symlink, the glob will feed the active trail to praudit twice (once through the symlink and once under its own name).

Manual File Parsing

For those of us who like to parse these files by hand, I highly recommend reviewing the audit.log man page, which gives the byte layout of every token type.

Other files that may be of use are located in /usr/include/bsm/:

Token ID Types:
audit_record.h

Event Types:
audit_kevents.h – Kernel Events
audit_uevents.h – User Events
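For parsing the binary trail directly, here is an added Python example (not the post's own code and not OpenBSM's) that decodes the five token types seen in the raw praudit output above, using the layouts from audit.log(5): header32 (0x14), subject32 (0x24), text (0x28), return32 (0x27) and trailer (0x13, carrying the 0xB105 magic). All integers are big-endian. The sample record is rebuilt from the raw praudit fields shown earlier and comes out to exactly the 139 bytes its header declares. The startup record and the bytes around it are constructed, and its event number 45000 is assumed to be AUE_audit_startup (check audit_uevents.h). carve_records() is the validated form of the keyword carving described in the Carving section: for every keyword hit it scans backwards for a header whose byte count and trailer enclose the hit, so a stray 0x14 inside a UID field is rejected rather than reported.

```python
import struct

# Token IDs from /usr/include/bsm/audit_record.h (the 20/36/40/39/19 of praudit -r).
AUT_TRAILER, AUT_HEADER32, AUT_SUBJECT32, AUT_RETURN32, AUT_TEXT = 0x13, 0x14, 0x24, 0x27, 0x28
TRAILER_MAGIC = 0xB105
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")
EVENT_NAMES = {45023: "AUE_auth_user"}   # from the -r/-s output above; full table: audit_uevents.h


def parse_token(buf, off):
    """Decode the token at buf[off]; return (name, value, offset_after_token)."""
    tid = buf[off]
    if tid == AUT_HEADER32:              # id, bytes(4), version(1), event(2), modifier(2), sec(4), msec(4)
        keys = ("bytes", "version", "event", "modifier", "sec", "msec")
        return "header", dict(zip(keys, struct.unpack_from(">IBHHII", buf, off + 1))), off + 18
    if tid == AUT_SUBJECT32:             # id, nine 4-byte fields
        return "subject", dict(zip(SUBJECT_FIELDS, struct.unpack_from(">9I", buf, off + 1))), off + 37
    if tid == AUT_TEXT:                  # id, length(2) including the NUL, text
        (n,) = struct.unpack_from(">H", buf, off + 1)
        return "text", buf[off + 3:off + 2 + n].decode("utf-8", "replace"), off + 3 + n
    if tid == AUT_RETURN32:              # id, errno(1), return value(4)
        err, val = struct.unpack_from(">BI", buf, off + 1)
        return "return", {"errno": err, "retval": val}, off + 6
    if tid == AUT_TRAILER:               # id, magic(2), bytes(4)
        magic, nbytes = struct.unpack_from(">HI", buf, off + 1)
        if magic != TRAILER_MAGIC:
            raise ValueError("bad trailer magic")
        return "trailer", {"bytes": nbytes}, off + 7
    raise ValueError(f"unsupported token id 0x{tid:02x} at offset {off}")


def parse_record(buf, off):
    """Parse the record whose header token starts at buf[off]. The trailer must
    restate the header's byte count and the tokens must fill exactly that span."""
    name, hdr, pos = parse_token(buf, off)
    if name != "header":
        raise ValueError("record does not start with a header token")
    rec, end = {"header": hdr}, off + hdr["bytes"]
    while pos < end:
        name, value, pos = parse_token(buf, pos)
        rec[name] = value
    if pos != end or rec.get("trailer", {}).get("bytes") != hdr["bytes"]:
        raise ValueError("record length does not match header/trailer")
    return rec, end


def parse_trail(buf):
    """Walk a whole trail file record by record."""
    recs, off = [], 0
    while off < len(buf):
        rec, off = parse_record(buf, off)
        recs.append(rec)
    return recs


def carve_records(blob, keyword):
    """Find records in unstructured data: for each keyword hit, scan backwards
    (up to 4 KiB) for a header token that parses into a record enclosing the hit."""
    found, start = [], 0
    while (hit := blob.find(keyword, start)) != -1:
        start = hit + 1
        for off in range(hit - 1, max(hit - 4096, 0) - 1, -1):
            if blob[off] != AUT_HEADER32:
                continue
            try:
                rec, end = parse_record(blob, off)
            except (ValueError, struct.error, IndexError):
                continue                 # not a real header, keep scanning back
            if end > hit:
                found.append((off, rec))
                start = end
                break
    return found


def build_record(event, sec, msec, subject, text, err=0, retval=0, version=11):
    """Encode a record (used here only to construct sample data)."""
    t = text.encode() + b"\0"
    body = (struct.pack(">B9I", AUT_SUBJECT32, *subject) + struct.pack(">BH", AUT_TEXT, len(t)) + t
            + struct.pack(">BBI", AUT_RETURN32, err, retval))
    total = 18 + len(body) + 7
    return (struct.pack(">BIBHHII", AUT_HEADER32, total, version, event, 0, sec, msec)
            + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, total))


# The record from this post, rebuilt from its raw praudit fields (139 bytes).
SAMPLE_RECORD = build_record(45023, 1335060134, 940, (501, 501, 20, 0, 20, 69, 100005, 69, 0),
                             "Verify password for record type Users 'oompa' node '/Local/Default'")
# Constructed startup record (45000 assumed to be AUE_audit_startup) inside constructed free space.
STARTUP_RECORD = build_record(45000, 1335056000, 5, (0, 0, 0, 0, 0, 40, 100000, 0, 0), "launchctl::Audit startup")
SAMPLE_BLOB = b"\0" * 40 + b"free space " + STARTUP_RECORD + b"\xff" * 9 + SAMPLE_RECORD + b"\0" * 16

if __name__ == "__main__":
    for off, rec in carve_records(SAMPLE_BLOB, b"Audit") + carve_records(SAMPLE_BLOB, b"Verify"):
        h = rec["header"]
        print(f"@{off}: event {EVENT_NAMES.get(h['event'], h['event'])} sec={h['sec']} text={rec['text']!r}")
```

praudit remains the reference decoder: before pointing parse_trail() at a real trail, extend parse_token() with the remaining layouts from audit.log(5) (subject_ex, path, argument, exec arg and so on), since an unknown token ID stops the walk with an error, and expect a .not_terminated trail to raise at its truncated tail.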

Audit Configuration Files

The audit configuration files are located in /etc/security/. Each file has a specific purpose; specifics can be viewed by running the man command on the filename (for example, man audit_control for the file that holds the expire-after setting mentioned above).

Other Tools

Apple developed a tool called Audit Log Viewer (Figure 4) for analyzing these audit files, but it has not been updated since 10.5. I should note that while it does install and work on 10.7, it limits what information is available. I should also warn that it overwrites a newer version of praudit and its associated man pages – I suggest installing it in a VM. (Yes, I found this out the hard way.)

Figure 4 – Audit Log Viewer

For $20 you can purchase Audit Explorer from the Mac App Store, which provides a nice GUI for analyzing these files.

