OSX System Audit Subsystem details

OSX System Audit Subsystem details

OS X is the basic security module BSM. The audit system is used to track user and process operations. Similar to the log function in Windows.
For security considerations, the audit system must be executed at the kernel level. In OS X, audit is implemented through Mach.

By default, audit logs are stored in the/var/audit directory. The naming method is start_time.stop_time. Start_time is the start timestamp, and the precision is second. The stop_time of the last log file is not_terminated.
Enter the following command in terminal to view the basic information of the/var/aduit directory:

ls -ld /var/audit

The running result is as follows:

drwx------ 564 root wheel 19176 Apr 18 16:11 /var/audit

To view all files in the audit folder, run the following command:

sudo ls -l /var/audit

If sudo is not added, you may not be authorized to access the service. Enter the password to view all files.
Audit logs are saved in binary format and can be decoded using the praudit command. The default output format is CSV. You can also use the-x parameter to output a more beautiful XML format. The sample code is as follows:

sudo praudit /var/audit/20150418081102.not_terminated -x

You can get many such documents.

trailer,102header,57,11,audit startup,0,Sat Apr 18 16:11:02 2015, + 739 msectext,launchd::Audit startupreturn,success,0

Because log loops are too frequent, there is a special Byte Device/dev/auditpipe to facilitate users to access audit records in real time. For example:

sudo praudit /dev/auditpipe