To verify that macOS auditing is enabled and functioning correctly, you can use Splunk to search for specific audit logs that macOS generates. macOS uses the OpenBSM audit framework, which generates audit records for various system and user activities. Here’s how you can approach this using Splunk:
Check for Audit Log Configuration: Ensure that the audit system is configured and running on your macOS systems. The configuration is usually found in /etc/security/audit_control.
Audit Log Location: macOS typically stores its audit logs in /var/audit/. Ensure that Splunk is ingesting these logs from your macOS devices.
Splunk Search Queries:
Basic Audit Check: Search for any audit events to confirm that logging is occurring. A simple search query in Splunk could be index=your_index sourcetype=your_sourcetype (replace your_index and your_sourcetype with the appropriate values for your setup).
User Activity: To check for specific user activities, you can refine the search. For example, index=your_index sourcetype=your_sourcetype user!=root will show you audit logs for activities initiated by users other than the root.
Process Execution: If you want to verify that execution of commands is being audited, you can search for exec events: index=your_index sourcetype=your_sourcetype eventtype=exec.
File Access: To ensure file accesses are audited, you could search for file-related audit events, like index=your_index sourcetype=your_sourcetype eventtype=file_open.
Network Activities: For network-related auditing, you might search for events like connections being established: index=your_index sourcetype=your_sourcetype eventtype=connect.
Validate Audit Policy Settings: You can also check for audit policy settings to ensure that they are as expected. Audit policy settings can be found in the audit_control file, and you might be able to query for changes to this file or ensure its settings are reflected in the audit logs.
Remember to replace your_index and your_sourcetype with the specific index and sourcetype that you’re using in Splunk for macOS audit logs. Adjust the search queries based on the specific auditing details you’re interested in verifying.
To ensure macOS audit logs are being collected in Splunk, you need to follow a series of steps to configure both your macOS system for audit logging and Splunk for collecting and indexing these logs. Here’s a step-by-step guide:
On the macOS System:
Enable Auditing:
Ensure auditing is enabled on the macOS device. You can verify and modify audit settings in the /etc/security/audit_control file. The auditd service should be active to collect audit logs.
Use the command sudo audit -s to apply changes and restart the audit system if you modify the audit configuration.
Configure Audit Policy:
Adjust the audit policy in the audit_control file to capture the desired events. For example, you might want to audit all login, logout, and system start-up and shut down events.
The flags field in the audit_control file specifies which events to log. Ensure this is configured to capture the necessary audit data.
Verify Audit Log Generation:
Audit logs in macOS are typically stored in /var/audit/. Verify that logs are being generated and stored in this directory.
On the Splunk Instance:
Install the Universal Forwarder:
Install Splunk Universal Forwarder on the macOS device. This agent will forward logs from the macOS system to the Splunk server.
Configure the Universal Forwarder to monitor the /var/audit/ directory or wherever the audit logs are stored.
Configure Inputs:
On the Universal Forwarder, edit the inputs.conf file to include the audit log path. For example:
[monitor:///var/audit/]
disabled = false
index = your_index
sourcetype = macos_audit
Replace your_index with the index you want to use in Splunk for these logs.
Forward Logs to Splunk:
Ensure the Universal Forwarder is configured to send data to your Splunk instance. This is typically done in the outputs.conf file of the Universal Forwarder.
Verify Data Reception in Splunk:
Log into your Splunk instance and search for the incoming audit logs using the index and sourcetype specified in the inputs.conf configuration.
A simple search query like index=your_index sourcetype=macos_audit should return the macOS audit logs if everything is configured correctly.
Troubleshooting:
If logs are not appearing in Splunk, verify the network connectivity between the macOS device and the Splunk server.
Check the Universal Forwarder’s logs for any error messages related to data forwarding.
Ensure there are no firewall rules blocking the data transmission.
By following these steps, you should be able to configure your macOS system to collect audit logs and ensure that they are being successfully forwarded to and indexed by Splunk.
eslogger
Script
#!/bin/bash
# Define the path where you want to store the audit logs
LOG_PATH="/var/log/audit_logs"
# Check if the log directory exists, if not, create it
if [ ! -d "$LOG_PATH" ]; then
mkdir -p "$LOG_PATH"
fi
# Configure eslogger to collect and store logs in the defined path
# Assuming eslogger is already installed and configured to collect audit logs
# You might need to adjust the configuration based on your eslogger setup and what logs you want to capture
# This is a placeholder line; replace it with the actual command to start eslogger with the desired configuration
# For example, it might look something like this:
# eslogger --output $LOG_PATH/audit.log
# Note: The above command is illustrative and should be replaced with the actual command you use to run eslogger with the necessary configuration for your environment.
eslogger --input /var/audit/ --output $LOG_PATH/audit.log
Audit Log Configuration: First, ensure that the macOS audit system is configured to capture the necessary events. The audit control file (/etc/security/audit_control) needs to be configured to capture detailed audit information as specified by CIS benchmarks. This includes successful and failed attempts for various activities like authentication, authorization, file access, system calls, and network actions.
Example audit_control settings:
dir:/var/audit
flags:ex,fc,fd,fm,-fr,fw,pc,ap,aa,ka,lo,na,nt,ot,sa,sp
minfree:5
naflags:ex,ap,aa,lo,nt,ot
policy:cnt,argv,arge
filesz:2M
expire-after:10M
