Auditd: the logs we need, not the logs we deserve

Bob Gendler
9 min readJul 25, 2023

--

The newest and greatest operating system upgrade for macOS has been announced and released in a public beta, macOS Sonoma 14. And just like macOS Ventura, this beta is rock solid awesome.

The biggest change is one that’s happened a bit quieter. Though it’s been mentioned briefly in the past as deprecated, it’s been disabled in Sonoma which means the next step is it will be removed, and that is the change to the Auditd subsystem.

Now what is Auditd?

Auditd is also known as OpenBSM. The OpenBSM implementation was created by McAfee Research, the security division of McAfee, under contract to Apple in 2004. But substantial work has been done by a number of individuals and companies as you can see here — https://opensource.apple.com/source/OpenBSM/OpenBSM-21/openbsm/CREDITS

OpenBSM was subsequently adopted by the TrustedBSD Project (http://www.trustedbsd.org/openbsm.html). Audit doesn’t block anything, it only reports what happened. The audit implementation is quite a full-stack offering, including user space tools to control the kernel audit system and even to parse audit records. Apple includes version 1.1 of OpenBSM (https://opensource.apple.com/source/OpenBSM/OpenBSM-21/openbsm/NEWS.auto.html) which seems to be the current version (https://github.com/openbsm/openbsm/tags) unless you account for alpha releases. From macOS 10.3–10.5 this software had to be installed separately, but from 10.6 and on, it has been included in macOS. This work was completed to provide macOS with security auditing, a core component for modern operating systems and required for Common Criteria evaluation, which is itself a necessary step for doing business with the US Federal Government and other governments around the world that respect the standard.

So cool, that’s a bit of a back story on auditd/OpenBSM — if you want to read more on how to use it and configure it, here are some great links; warning that some may be a bit dense.

If you read all those links, you now see the power of this awesome auditing tool built right into macOS! And it’s been there forever! It’s built in, not bolted on. No 3rd party software required to record events that may have security implications. From a security point of view it can be very helpful for detecting and understanding intrusions or infections.

As of macOS Sonoma, the Auditd subsystem has been marked as disabled. It will no longer start when the system boots up. Which means on macOS Sonoma, no audit logs will be recorded unless 3rd party software is installed or an admin re-enables Auditd. This move requires security auditing to potentially be bolted on, since someday soon it will no longer be built in. This is a very odd decision by Apple considering Microsoft Windows, every flavor of Linux, Solaris, FreeBSD, and basically every modern operating system includes built in security auditing tools.

Now when did Apple mark the Auditd subsystem as deprecated? It happened back at WWDC 2020.

This year we’re announcing that the audit subsystem is being deprecated. This mainly refers to functionality related to audit events such as events written to audit trail files, typically those found in the /var/audit directory, as well as events sent to the Auditpipe pseudo-device for applications that wanted a live event stream.

And then at WWDC 2022 it was restated.

We expect that with these additions, most Endpoint Security clients no longer need to rely on the deprecated OpenBSM audit trail at all. The audit trail has been deprecated since macOS Big Sur and will be removed in a future version of macOS.

But also at WWDC 2022 in the same session a new tool eslogger was introduced.

We hope eslogger will be useful not only for engineers working on Endpoint Security clients, but also for security analysts and other security practitioners who need visibility into security-relevant events on macOS.

The newly debuted tool eslogger seemed like it would have promise, however, in the man page itself it says do not rely on the information emitted by eslogger for any reason. So there goes that hope.

Apple has added some new ES_EVENTS to Endpoint Security which is great and will enhance the ability for 3rd party EDR (Endpoint Detection and Response) software to detect malicious software. These events can also be shipped off by a 3rd party agent to a 3rd party SIEM (Security Information and Event Management). But it still isn’t everything that Auditd can do. You can see all the events (new and old) on Apple’s developer documentation — https://developer.apple.com/documentation/endpointsecurity?changes=latest_minor

What Apple has created with Endpoint Security is awesome for endpoint security clients. But it’s not Auditd. In my opinion, the quotes from WWDC indirectly promised they’d have a full replacement for Auditd. They’ve seem to have made things better for endpoint security clients but potentially worse for everyone else.

In a world without the Auditd subsystem, a tool such as Jamf Protect or SentinelOne is required to send the logs to a SIEM. And now you need a SIEM, such as Splunk where cost is based on the amount of data. And as far as I know there, are no products that generate local audit logs, only ones that send data to a SIEM. This all increases the cost of macOS and it increases the complexity of macOS. Remember all those total cost of ownership Mac vs PC in the enterprise articles like this one from Jamf.

This might not hold true anymore because now you HAVE to consider an agent and you HAVE to consider the cost of a SIEM.

If Auditd is removed and we must rely on a 3rd party tool, this could also delay roll out of updates and upgrades to the system as you are dependent on the 3rd party tool being release ready. And every agent that’s added to a Mac, while it serves a purpose, it also introduces an additional security risk.

Reliance on 3rd party applications are not normally the Apple way, but if Auditd is removed, compliance requirements on what’s audited, audit log storage capabilities, response to audit logging failures, audit record retention, and audit record generation all will require a 3rd party application. So the Mac no longer can meet these government regulatory compliance requirements out of the box without additional tools.

Having that data in a SIEM is actually great for long term data retention. However, when there’s a security incident it’s important during an investigation to be able to verify the data by having it in 2 places (on the machine and in the SIEM). Information stored in only one location is vulnerable to accidental or incidental deletion or alteration.

Also, imagine non-networked, stand alone machines, how will they work? If Auditd is removed, there is no security auditing since it’s non-networked, the data can’t be sent off to a SIEM.

Or imagine for some reason the agent isn’t functioning properly and data isn’t being forwarded off, now there are no audit logs for that machine. This becomes a major cybersecurity issue.

Now while a large enterprise probably already has all this infrastructure in place, a small to medium size definitely does not — but will now need to have all this set up, to get a feature that’s by default enabled in macOS 13 but not in macOS 14. And congratulations Apple since schools now require lots of cyber insurance coverage, this will price Macs out of the education market since it’ll cost more to deploy a Mac in an environment where pennies are already being pinched.

Recently, Microsoft had their Office 365 system compromised by Chinese hackers and over 25 organizations and federal government agencies were compromised. This hack went undetectable for organizations that had less expensive Microsoft services. The biggest thing that would have detected the breach available in the higher paid tier of service is audit logging.

“Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box to reasonably detect malicious cyber activity,”

— A CISA official said on a press call discussing the incident.

CISA is saying “every organization should have access to logging and security data out of the box”. If auditd is removed, macOS will NOT have access to this data OUT OF THE BOX.

Sen. Ron Wyden, a Democrat on the Senate Intelligence Committee active on cybersecurity and technology policy issues, decried the practice.

“Offering insecure products and then charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags.”

Now not that macOS is insecure, but no operating system is free of flaws. So please Apple, don’t make us spend more for seatbelts.

Does Apple want to be the next on the list that does Pay-to-Play security?

So with all that said, the OpenBSM Auditd subsystem is one of the oldest subsystems in macOS today. It’s survived the transition from PowerPC to Intel and now Apple Silicon. OpenBSM isn’t without its problems. It can cause performance issues the more you set it to audit. The binary log files require some deep knowledge to piece together. It’s hooked to the kernel which makes it a potential issue. It doesn’t appear to be that active of an open source project anymore. Lastly, it’s overly complicated.

Do I love it? No!

Do I know when Auditd will be removed? No. I’m guessing it won’t be 14.0, could it be mid-release cycle like 14.3, maybe? Could be in 15.0, maybe? Or 16.0, who knows?

But Apple, please do not remove it until you have a complete replacement. The endpoint security events are just part of the requirement for auditing and logging. We need a subsystem that will write audit log files, rotate log files, configure which events are written to disk, and potentially shut down the system if there is an auditing failure.

The removal of Auditd will become a deployment blocker for macOS devices in environments where they have auditing and logging legal requirements.

BONUS ROUND

Something else I discovered, if your organization uses Jamf Pro and the Restricted Software feature in your environment, I found out by using macOS Sonoma that when Auditd is disabled, restricted software does not work and when Auditd is enabled, restricted software does work.

Objective-See’s RansomWhere application will not work as it’s built off of using the Auditd APIs.

And I’m sure there’s a number of other security software or management software that may not work or may not work as well now in a world without Auditd.

And yes I’ve submitted Feedback — FB12482025. I suggest you do as well.

--

--

Bob Gendler
Bob Gendler

Written by Bob Gendler

IT Specialist in the Apple world. Jamf guru, wizard of Mac Management, and mastermind of Apple trivia. The views are my own and not the views of my employer.

Responses (2)