By: Sarah Edwards
The audit trail logs provide security-related information, in particular user login/logoff data. By default, these logs record a user logging in and logging off via the login screen or SSH, user-credential authentication for a software program, and failed logins. They will also record when a user is created on or removed from a system.
McAfee created the OpenBSM implementation that OS X uses, and these logs are used for compliance with the Common Criteria standards. The audit log formats are based on the Basic Security Module developed by Sun Microsystems.
The logs are located in /private/var/audit and are only accessible on a live system (if you enable the root user) or extracted from a forensic image. The logs are named StartTime.EndTime (in UTC) in the format YYYYMMDDHHMMSS.YYYYMMDDHHMMSS (see Figure 1). Each of these files is known as a “trail file.”
Other files might have the following labels in their filename:
- .crash_recovery – Log file not terminated due to a crash, and later recovered. The following audit file will have an “Audit recovery” record as its first record.
- current – Symlink to the currently active trail file.
- .not_terminated – Active audit trail file, or auditd was not shut down gracefully.
While audit log expiration can be set in the audit_control file (see Configuration Files below) with the expire-after setting, this is not configured by default on OS X. It is unknown how and when these log files are removed, but the system appears to keep the past six months’ worth of log files.
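As an added example (not part of the original post), the following Python parses trail file names of the form described above into start and end times, recognises the .crash_recovery and .not_terminated suffixes, and flags gaps between consecutive trails, which is the first check worth running on an extracted /private/var/audit directory. The directory listing in the block is constructed, not taken from a real system.

```python
# Added example, not from the original post: parse OpenBSM trail file names
# (StartTime.EndTime in UTC, or StartTime.crash_recovery / .not_terminated)
# and flag gaps between consecutive trails. The listing below is constructed.
import re
from datetime import datetime, timedelta

TRAIL_RE = re.compile(
    r"^(?P<start>\d{14})\.(?P<end>\d{14}|crash_recovery|not_terminated)$"
)

def parse_trail_name(name):
    """Return (start, end, state) for a trail file name, or None for other
    entries such as the 'current' symlink. Times are naive UTC datetimes.
    end is None when the trail has no recorded end (crash or still active)."""
    m = TRAIL_RE.match(name)
    if not m:
        return None
    start = datetime.strptime(m.group("start"), "%Y%m%d%H%M%S")
    tail = m.group("end")
    if tail.isdigit():
        return start, datetime.strptime(tail, "%Y%m%d%H%M%S"), "closed"
    return start, None, tail

def coverage_gaps(names, tolerance=timedelta(seconds=5)):
    """Sort trails by start time and report (end_of_previous, start_of_next)
    pairs where the next trail starts more than `tolerance` after the previous
    one ended. A gap means auditd was not running, or trail files are missing.
    Trails without an end time (crash_recovery, not_terminated) cannot be
    checked against their successor and are skipped."""
    trails = [t for t in map(parse_trail_name, names) if t is not None]
    trails.sort(key=lambda t: t[0])
    gaps = []
    for (_, prev_end, _), (next_start, _, _) in zip(trails, trails[1:]):
        if prev_end is not None and next_start - prev_end > tolerance:
            gaps.append((prev_end, next_start))
    return trails, gaps

def retention_span(names):
    """Span between the oldest and newest trail start, as a timedelta
    (the post reports roughly six months of trails kept by default)."""
    starts = [t[0] for t in map(parse_trail_name, names) if t is not None]
    return max(starts) - min(starts) if starts else timedelta(0)

# Constructed directory listing of /private/var/audit (not real data)
SAMPLE_LISTING = [
    "20120101000000.20120108000000",
    "20120108000001.20120115000000",
    "20120115000002.crash_recovery",   # crashed; next trail starts with Audit recovery
    "20120115000010.20120122000000",
    "20120201000000.20120208000000",   # starts 10 days after the previous end
    "20120208000001.not_terminated",   # active trail
    "current",                         # symlink, ignored
]

if __name__ == "__main__":
    trails, gaps = coverage_gaps(SAMPLE_LISTING)
    for start, end, state in trails:
        print(f"{start:%Y-%m-%d %H:%M:%S}  ->  {end or '(open)'}  [{state}]")
    for prev_end, next_start in gaps:
        print(f"GAP: no trail between {prev_end} and {next_start}")
    print("retention span:", retention_span(SAMPLE_LISTING))
```

On the constructed listing the only gap reported is the ten days between the trail ending 2012-01-22 and the one starting 2012-02-01; the crash-recovered trail is listed but not checked, since its file name carries no end time.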
Carving for Audit Logs
Carving free space for these files may be accomplished by keyword searching. There will be vital data before and after these keywords (see Manual File Parsing below), as these are the starting and ending records of a trail file. If the trail file ends in .crash_recovery, it will not have the “Audit shutdown” file-end record. A file may also begin with “launchctl::Audit recovery” if the file was recovered from a crash.
• File Start (Figure 2)
• File End (Figure 3)
Reviewing Audit Logs Using praudit
The log files are in a binary format that is not easily human-readable. This is where the command line tool praudit comes in handy: praudit can output these files in a variety of formats. The default format is shown below; this example contains one record from the log.
Audit Log File Format
Each record contains tokens. In the example above, there are five tokens.
Each log record may contain a variety of tokens; detailed information about the tokens can be found in the man page for audit.log. In general, each record starts with a ‘header’ token and ends with a ‘trailer’ token. The ‘header’ token contains data such as the number of bytes in the record (139), the event type (user authentication), and the timestamp.
The ‘subject’ and ‘subject_ex’ tokens are also of value as these contain data about the user account performing the action.
- Audit ID
- Effective User ID
- Effective Group ID
- Real User ID
- Real Group ID
- Process ID
- Session ID
- Terminal Port ID
- Terminal Machine Address
praudit Output Formats
As stated above, praudit has the ability to output in different formats; the man page is available here:
The output of the -l option, which prints out each record to its own line, delimited by a comma.
The output of the -r option, which prints out each record in raw format.
The output of the -s option, which prints out each record in short format.
The output of the -x option, which prints out each record in XML format.
The output using the -x and -n options, which prints out each record in XML format and does not resolve the user and group names. This option should be used if not doing analysis on the original system (i.e., audit logs extracted from a forensic image). I find the XML format to be the easiest to read if you are not familiar with the token formats.
To output all audit files in a directory to a file called audit_log_output.txt (XML format without user/group names resolved), use this command:
praudit -xn /example/directory/path/* > audit_log_output.txt
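Once the -xn output has been written to a file, the next step is usually to aggregate it: which uids authenticated, and how often they failed. The following Python is an added example (not part of the original post) that loads praudit XML records and summarises them per uid. The sample is constructed in the shape of praudit's XML mode; the attribute names it relies on (event and time on <record>, uid/ruid/pid on <subject>, errval on <return>) are assumed from that mode rather than taken from the post, and a record counts as a failure whenever errval is anything other than "success".

```python
# Added example, not from the original post: summarise praudit -xn output by
# numeric uid. Attribute names are assumed from praudit's XML mode and the
# sample records below are constructed, not real auditd output.
import xml.etree.ElementTree as ET
from collections import defaultdict

def load_records(xml_text):
    """Return one dict per <record>. Output without the <audit> wrapper
    (several root elements) is tolerated by wrapping it ourselves."""
    text = xml_text.strip()
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        body = "\n".join(l for l in text.splitlines() if not l.startswith("<?xml"))
        root = ET.fromstring("<audit>" + body + "</audit>")
    records = []
    for rec in root.iter("record"):
        subj = rec.find("subject")
        ret = rec.find("return")
        records.append({
            "event": rec.get("event"),
            "time": rec.get("time"),
            "uid": subj.get("uid") if subj is not None else None,
            "ruid": subj.get("ruid") if subj is not None else None,
            "pid": subj.get("pid") if subj is not None else None,
            "text": rec.findtext("text") or "",
            # assumption: praudit reports success as errval="success"
            "success": ret is not None and ret.get("errval") == "success",
        })
    return records

def summarize_by_uid(records, event=None):
    """Count events and failures per uid, optionally for one event name only."""
    summary = defaultdict(lambda: {"events": 0, "failures": 0})
    for r in records:
        if event is not None and r["event"] != event:
            continue
        summary[r["uid"]]["events"] += 1
        if not r["success"]:
            summary[r["uid"]]["failures"] += 1
    return dict(summary)

# Constructed sample in the shape of praudit -xn output (not real data)
SAMPLE_XML = """<?xml version='1.0' ?>
<audit>
<record version="11" event="user authentication" modifier="0" time="Mon Feb  6 15:16:27 2012" msec=" + 347 msec" ><subject audit-uid="-1" uid="0" gid="0" ruid="0" rgid="0" pid="40" sid="100000" tid="0 0.0.0.0" /><text>constructed: Verify password for record type Users 'alice'</text><return errval="success" retval="0" /></record>
<record version="11" event="user authentication" modifier="0" time="Mon Feb  6 15:18:02 2012" msec=" + 12 msec" ><subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="412" sid="100005" tid="0 0.0.0.0" /><text>constructed: Verify password for record type Users 'alice'</text><return errval="success" retval="0" /></record>
<record version="11" event="user authentication" modifier="0" time="Mon Feb  6 15:19:40 2012" msec=" + 901 msec" ><subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="412" sid="100005" tid="0 0.0.0.0" /><text>constructed: Verify password for record type Users 'alice'</text><return errval="failure" retval="5000" /></record>
<record version="11" event="user authentication" modifier="0" time="Mon Feb  6 15:20:05 2012" msec=" + 55 msec" ><subject audit-uid="502" uid="502" gid="20" ruid="502" rgid="20" pid="430" sid="100006" tid="0 0.0.0.0" /><text>constructed: Verify password for record type Users 'bob'</text><return errval="failure" retval="5000" /></record>
</audit>
"""

if __name__ == "__main__":
    recs = load_records(SAMPLE_XML)
    for uid, counts in sorted(summarize_by_uid(recs, "user authentication").items()):
        print(f"uid {uid}: {counts['events']} auth events, {counts['failures']} failed")
```

Because the logs were extracted with -n, the uids stay numeric; map them to account names from the image's own user database rather than from the analysis machine, which is the reason the post recommends -n for logs taken off a forensic image.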
Manual File Parsing
For those of us who like to parse these files by hand, I would highly recommend reviewing the audit.log man page, which documents the format of each token record.
Other files that may be of use:
- Token ID Types: audit_record.h, available here.
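To make the token layout concrete for the Audit Log File Format and Manual File Parsing sections above, here is an added Python parser (not part of the original post) for the binary record structure. The token ids, the header and trailer layout, and the nine 32-bit subject fields in the order listed earlier are taken from audit.log(5) and audit_record.h; only the header32, subject32, text, return32 and trailer tokens are handled, and any other token id stops parsing with an error rather than silently misreading bytes. The sample record is constructed by the block itself, and its event number is a placeholder (real numbers are resolved to names through the audit_event file).

```python
# Added example, not from the original post: a minimal parser for the binary
# record layout documented in audit.log(5) and audit_record.h. Token ids and
# field layouts come from those references; only header32, subject32, text,
# return32 and trailer tokens are handled, and any other id raises an error.
import struct
from datetime import datetime, timezone

AUT_TRAILER, AUT_HEADER32 = 0x13, 0x14
AUT_SUBJECT32, AUT_RETURN32, AUT_TEXT = 0x24, 0x27, 0x28
AUT_TRAILER_MAGIC = 0xB105
SUBJECT_FIELDS = ("audit_id", "euid", "egid", "ruid", "rgid", "pid",
                  "session_id", "terminal_port", "terminal_addr")

def parse_record(buf, offset=0):
    """Parse one record at `offset`; return (tokens, offset_of_next_record).
    The byte count in the header is cross-checked against the trailer."""
    if buf[offset] != AUT_HEADER32:
        raise ValueError(f"no header token at offset {offset}")
    size, version, etype, emod, secs, msecs = struct.unpack_from(">IBHHII", buf, offset + 1)
    end = offset + size
    if end > len(buf):
        raise ValueError("record byte count runs past end of data")
    when = datetime.fromtimestamp(secs, tz=timezone.utc)
    tokens = [{"token": "header", "size": size, "version": version, "event_type": etype,
               "modifier": emod, "time": when.isoformat(), "msec": msecs}]
    pos = offset + 18                       # header32 token is 18 bytes
    while pos < end:
        tid = buf[pos]
        if tid == AUT_SUBJECT32:            # nine 32-bit fields, as listed above
            tok = dict(zip(SUBJECT_FIELDS, struct.unpack_from(">9I", buf, pos + 1)))
            a = tok["terminal_addr"]
            tok["terminal_addr"] = ".".join(str((a >> s) & 0xFF) for s in (24, 16, 8, 0))
            tok["token"] = "subject"
            pos += 37
        elif tid == AUT_TEXT:               # 2-byte length, then NUL-terminated text
            (length,) = struct.unpack_from(">H", buf, pos + 1)
            raw = buf[pos + 3:pos + 3 + length]
            tok = {"token": "text", "text": raw.rstrip(b"\0").decode("utf-8", "replace")}
            pos += 3 + length
        elif tid == AUT_RETURN32:           # 1-byte errno, 4-byte return value
            err, ret = struct.unpack_from(">BI", buf, pos + 1)
            tok = {"token": "return", "errno": err, "retval": ret}
            pos += 6
        elif tid == AUT_TRAILER:            # magic + byte count must match header
            magic, tsize = struct.unpack_from(">HI", buf, pos + 1)
            if magic != AUT_TRAILER_MAGIC or tsize != size or pos + 7 != end:
                raise ValueError(f"bad trailer at offset {pos}")
            tok = {"token": "trailer", "size": tsize}
            pos += 7
        else:
            raise ValueError(f"unsupported token id {tid:#x} at offset {pos}")
        tokens.append(tok)
    return tokens, end

def parse_trail(buf):
    """Parse consecutive records until the data is exhausted."""
    records, pos = [], 0
    while pos < len(buf):
        tokens, pos = parse_record(buf, pos)
        records.append(tokens)
    return records

def build_record(event_type, subject, text, err, retval, secs, msecs=0):
    """Assemble a constructed record for testing (not real auditd output)."""
    body = bytes([AUT_SUBJECT32]) + struct.pack(">9I", *subject)
    t = text.encode() + b"\0"
    body += bytes([AUT_TEXT]) + struct.pack(">H", len(t)) + t
    body += bytes([AUT_RETURN32]) + struct.pack(">BI", err, retval)
    size = 18 + len(body) + 7
    head = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", size, 11, event_type, 0, secs, msecs)
    return head + body + bytes([AUT_TRAILER]) + struct.pack(">HI", AUT_TRAILER_MAGIC, size)

# Constructed sample: uid 501 authenticating. The event number is a placeholder
# (real numbers map to names via the audit_event file); the subject fields are
# in the order of the list given earlier in the post.
SAMPLE_TRAIL = build_record(45023, (501, 501, 20, 501, 20, 345, 100000, 0, 0),
                            "constructed: verify password", 0, 0, 1330000000)

if __name__ == "__main__":
    for rec in parse_trail(SAMPLE_TRAIL):
        for tok in rec:
            print(tok)
```

The header/trailer byte-count cross-check is what makes this usable on carved data: a record whose trailer does not agree with its header is reported by offset instead of being parsed into plausible-looking nonsense, which is also how you find the first intact record after a damaged region.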
Audit Configuration Files
The audit configuration files are located in /etc/security/. Each file has a specific purpose; specifics can be viewed by running the man command on each filename listed below.
- audit_class – Auditable event class descriptions.
- audit_control – Audit configuration parameters.
- audit_event – Auditable event descriptions.
- audit_user – Audit configuration for a particular user.
- audit_warn – Script that runs for audit warnings.
Apple developed a tool called Audit Log Viewer (Figure 4) for analyzing these audit files; however, it has not been developed since 10.5. It is available here. I should note that while it does install and work on 10.7, it limits what information is available. I should also warn that it overwrites a newer version of praudit and its associated man pages – I suggest installing it in a VM. (Yes, I found this out the hard way.)
For $20, you can purchase Audit Explorer from the Mac App Store, which provides a nice GUI for analyzing these files.