├── .DS_Store
├── .gitattributes
├── Install.sh
├── LICENSE
├── LaunchDaemons
│   ├── com.splunk.bootstart.plist
│   ├── com.supraudit.exec.startup.plist
│   ├── com.supraudit.login.startup.plist
│   └── com.supraudit.net.startup.plist
├── Readme.md
├── Uninstall.sh
├── opt
│   ├── SupraFilters_Exec.sh
│   ├── SupraFilters_Login.sh
│   └── SupraFilters_Net.sh
├── splunkforwarder.tgz
└── supraudit
    ├── tmp
    │   ├── CREDITS
    │   ├── LICENSE
    │   └── praudit.c
    └── usr
        ├── local
        │   └── bin
        │       └── supraudit
        └── share
            └── man
                └── manj
                    └── supraudit.j
/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AlfredoAbarca/OSXMon/92846925aff9dfa1614975ef68fc7bddb8b25360/.DS_Store
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

--------------------------------------------------------------------------------
/Install.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#=============================================================================================
#
# Author: Alfredo Abarca
# OS Version: High Sierra 10.13.6
# Creation Date: 31 July, 2018
# Last Modification: 31 July, 2018
# Version: 1.0
#
# This script installs the supraudit binary system-wide, creates the directory for the
# supraudit log files (readable by other users, not only by the current one), registers the
# filter scripts as LaunchDaemons and optionally installs the Splunk Universal Forwarder.
#
# The supraudit tool is the original compiled binary downloaded from Jonathan Levin's site:
#
# http://newosxbook.com/tools/supraudit.html
#
# I only wrote this script to simplify the steps required to make supraudit start when the
# system does and to configure its output files. For anything related to the supraudit
# binary itself, please contact Jonathan through the forum on his website:
#
# http://newosxbook.com/forum/index.php
#
#
# IMPORTANT:
# This script MUST BE RUN with root privileges. Copying into /usr/bin also requires System
# Integrity Protection to be disabled while it runs (see Readme.md).
#
# If you have any comment or any other matter related to this script, please let me know!
#
#=============================================================================================

#===========================================
# Configure these variables if you want to install the Splunk Universal Forwarder to send the
# logs to a Splunk indexer server. Leave Splunk_Dep_Server_IP empty if you have no Splunk
# Deployment Server.

Splunk_Index_Server_IP=x.x.x.x
Splunk_Index_Server_port=9997
Splunk_Dep_Server_IP=
# Local admin account of the forwarder. Splunk's historical default is admin:changeme; set a
# real password here, it is used for user-seed.conf and for every -auth call below.
Splunk_Admin_User=admin
Splunk_Admin_Password=changeme
#===========================================

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root." >&2
    exit 1
fi

# Load a LaunchDaemon and report whether launchd registered it. The plists set RunAtLoad, so
# `launchctl load -w` also starts the job (`launchctl start` takes a label, not a path, and
# is not needed here).
register_daemon() {
    local label=$1
    launchctl load -w "/Library/LaunchDaemons/${label}.plist"
    sleep 5
    if launchctl list | grep -q "$label"; then
        echo "$label up"
    else
        echo "$label failed to register"
    fi
}

# Copy the supraudit binary to the /usr/bin directory
echo "Copying supraudit file to /usr/bin directory"
cp supraudit/usr/local/bin/supraudit /usr/bin/
echo "Changing privileges to supraudit file..."
chown root:wheel /usr/bin/supraudit
chmod 755 /usr/bin/supraudit

echo "Creating /var/log/supraudit directory..."
if [ ! -d /var/log/supraudit/ ]; then
    # if the directory doesn't exist, create it
    mkdir /var/log/supraudit
fi
echo "Changing privileges to /var/log/supraudit"
# A directory needs the execute bit to be traversable: with 744 nobody but root could open
# the files inside it. The logs record every command line and outbound connection on the
# host, so consider 750 for the directory and 640 for the files if only root (the forwarder
# runs as root too) needs to read them.
chmod 755 /var/log/supraudit

echo "Checking if supraudit log files exist"
if [ ! -f /var/log/supraudit/network.log ] || [ ! -f /var/log/supraudit/login.log ] || [ ! -f /var/log/supraudit/ExecApps.log ]; then
    # if any of the files doesn't exist, create it
    echo "Creating supraudit log files..."
    touch /var/log/supraudit/login.log
    touch /var/log/supraudit/network.log
    touch /var/log/supraudit/ExecApps.log
else
    echo "The supraudit log files already exist"
fi
echo "Changing privileges to the supraudit log files"
chmod 644 /var/log/supraudit/login.log /var/log/supraudit/network.log /var/log/supraudit/ExecApps.log

if [ ! -d /opt ]; then
    # if /opt doesn't exist, create it. It must not be world-writable (the original 777):
    # the filter scripts stored in it run as root at every boot, and anyone able to write
    # to /opt could replace them, whoever owns the files.
    mkdir /opt
    chmod 755 /opt
fi

echo "Copying supraudit filter files to /opt"
cp -f opt/* /opt/
chown root:wheel /opt/SupraFilters_*
chmod 755 /opt/SupraFilters_*

echo "Configuring supraudit as startup item..."
cp -f LaunchDaemons/com.supraudit.* /Library/LaunchDaemons/
chown root:wheel /Library/LaunchDaemons/com.supraudit.*
chmod 644 /Library/LaunchDaemons/com.supraudit.*
echo "Registering Launchd Supraudit Daemon plist files"
register_daemon com.supraudit.exec.startup
register_daemon com.supraudit.login.startup
register_daemon com.supraudit.net.startup

# Ask the user whether to install and configure the Splunk Universal Forwarder to send the
# logs to a Splunk SIEM. The answer may also be given as the first argument (yes/no).
while [ -z "$REPLY" ]; do
    if [ -z "$1" ]; then
        read -p "Do you want to install/configure Splunk Universal Forwarder? (yes/no) "
    else
        REPLY=$1
        set --
    fi
    case $REPLY in
        [Yy]es)
            echo -e "\nSplunk Universal Forwarder will now be installed\n"
            tar xvfz splunkforwarder.tgz -C /opt
            export SPLUNK_HOME="/opt/splunkforwarder"
            export PATH=$PATH:$SPLUNK_HOME/bin
            #-----------------------------------------------------------------------------
            # user-seed.conf is only read on the very first start of splunkd, so it has to
            # exist BEFORE `splunk start` below (the original script wrote it afterwards,
            # when it no longer has any effect). Recent forwarders refuse to start without
            # a seeded admin password.
            #-----------------------------------------------------------------------------
            mkdir -p $SPLUNK_HOME/etc/system/local
            {
                echo "[user_info]"
                echo "USERNAME = ${Splunk_Admin_User}"
                echo "PASSWORD = ${Splunk_Admin_Password}"
            } > $SPLUNK_HOME/etc/system/local/user-seed.conf
            chmod 600 $SPLUNK_HOME/etc/system/local/user-seed.conf
            echo -e "\nConfiguring Splunk Universal Forwarder to boot at startup"
            $SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license
            $SPLUNK_HOME/bin/splunk enable boot-start
            $SPLUNK_HOME/bin/splunk stop
            sleep 5
            echo -e "\nThis forwarder is configured to connect to ${Splunk_Index_Server_IP}"
            $SPLUNK_HOME/bin/splunk add forward-server $Splunk_Index_Server_IP:$Splunk_Index_Server_port -auth ${Splunk_Admin_User}:${Splunk_Admin_Password}
            echo "Creating the monitor input \"MacMon\" to watch the supraudit logs"
            $SPLUNK_HOME/bin/splunk add monitor /var/log/supraudit/ -index main -sourcetype MacMon -auth ${Splunk_Admin_User}:${Splunk_Admin_Password}
            #----------------------------------------------------------------------------
            # The following lines configure the forwarder as a deployment client as well.
            # They only run when Splunk_Dep_Server_IP is set at the top of this script.
            #-----------------------------------------------------------------------------
            if [ -n "$Splunk_Dep_Server_IP" ]; then
                {
                    echo "[deployment-client]"
                    echo "clientName = ${HOSTNAME}"
                    echo ""
                    echo "[target-broker:deploymentServer]"
                    echo "targetUri = ${Splunk_Dep_Server_IP}:8089"
                } > $SPLUNK_HOME/etc/system/local/deploymentclient.conf
            fi
            {
                echo ""
                echo "[proxyConfig]"
                echo "no_proxy=*"
            } >> $SPLUNK_HOME/etc/system/local/server.conf
            cp -f LaunchDaemons/com.splunk.bootstart.plist /Library/LaunchDaemons/
            chown root:wheel /Library/LaunchDaemons/com.splunk.bootstart.plist
            chmod 644 /Library/LaunchDaemons/com.splunk.bootstart.plist
            $SPLUNK_HOME/bin/splunk restart
            # `splunk enable boot-start` above already installs its own LaunchDaemon; load
            # this plist instead only if you prefer it.
            #launchctl load -w /Library/LaunchDaemons/com.splunk.bootstart.plist
            echo -e "\n Splunk Universal Forwarder has been configured on your system!!\n"
            echo -e "\n Happy Mac Event Monitoring!!\n"
            ;;
        [Nn]o)
            echo -e "\nThe system is now being audited and the logs are stored at /var/log/supraudit\n"
            echo -e "Happy Auditing!!\n"
            ;;
        *)
            echo "Wrong answer. Type 'yes' or 'no'"
            unset REPLY ;;
    esac
done

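The permission problem in the installer is easy to check for mechanically. The Python below is an added example written for this page, not code from the OSXMon repository: it walks the path of a program that a LaunchDaemon runs as root and reports every component that is group/world-writable or not owned by root. A world-writable /opt, as the original `chmod 777 /opt` in Install.sh produced, lets any local user rename or delete the root-owned filter scripts inside it and drop replacements that root executes at the next boot. The `check_installer_layout` helper, the scratch directory it builds and its sample script contents are constructed for the demonstration; the real paths to check on a host are the ones in the page's plists.

```python
"""Find LaunchDaemon program paths that an unprivileged user could replace.

Added example for this page, not part of the OSXMon repository. The scratch
layout below mirrors what Install.sh creates (/opt/SupraFilters_*.sh) without
touching any real system path.
"""
import os
import shutil
import stat
import tempfile

GROUP_OR_WORLD_WRITABLE = "group/world writable"
NOT_ROOT_OWNED = "not owned by root"
MISSING = "missing"


def insecure_components(program_path, stop_at="/", require_root_owner=True):
    """Return [(path, reason), ...] for the program and every ancestor directory
    up to and including `stop_at` (default: the filesystem root). An empty list
    means nobody but the owner can swap the program or a directory leading to it."""
    path = os.path.realpath(program_path)   # what launchd actually executes
    top = os.path.realpath(stop_at)
    findings = []
    while True:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append((path, MISSING))
        else:
            # A writable directory allows rename/unlink of its entries whatever
            # their owner, so the directory bits matter as much as the file's.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, GROUP_OR_WORLD_WRITABLE))
            if require_root_owner and st.st_uid != 0:
                findings.append((path, NOT_ROOT_OWNED))
        parent = os.path.dirname(path)
        if path == top or parent == path:
            break
        path = parent
    return findings


def check_installer_layout(opt_mode):
    """Recreate <root>/opt/SupraFilters_Exec.sh in a scratch directory, give the
    opt directory `opt_mode`, and return the findings relative to the scratch
    root. Constructed layout for the demonstration only."""
    root = tempfile.mkdtemp(prefix="osxmon-")   # created with mode 0700
    try:
        opt = os.path.join(root, "opt")
        os.mkdir(opt)
        program = os.path.join(opt, "SupraFilters_Exec.sh")
        with open(program, "w") as fh:
            fh.write("#!/bin/bash\nsupraudit -S /dev/auditpipe >> /var/log/supraudit/ExecApps.log\n")
        os.chmod(program, 0o755)
        os.chmod(opt, opt_mode)   # explicit chmod, so the umask does not interfere
        real_root = os.path.realpath(root)
        # The scratch tree is not root-owned, so ownership is skipped here;
        # on a real host keep require_root_owner=True.
        return [(os.path.relpath(p, real_root), why)
                for p, why in insecure_components(program, stop_at=root,
                                                  require_root_owner=False)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("chmod 777 /opt (original installer):", check_installer_layout(0o777))
    print("chmod 755 /opt (fixed):             ", check_installer_layout(0o755))
    # On a macOS host, as root, check the paths the page's plists execute:
    # for p in ("/opt/SupraFilters_Exec.sh", "/opt/SupraFilters_Login.sh",
    #           "/opt/SupraFilters_Net.sh"):
    #     print(p, insecure_components(p) or "OK")
```

The directory check is the important one: `chown root:wheel` on the scripts, which Install.sh does, changes nothing when their parent directory is writable by everyone.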
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                   GNU LESSER GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007

 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.


  This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.

  0. Additional Definitions.

  As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.

  "The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.

  An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.

  A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".

  The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.

  The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.

  1. Exception to Section 3 of the GNU GPL.

  You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.

  2. Conveying Modified Versions.

  If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:

   a) under this License, provided that you make a good faith effort to
   ensure that, in the event an Application does not supply the
   function or data, the facility still operates, and performs
   whatever part of its purpose remains meaningful, or

   b) under the GNU GPL, with none of the additional permissions of
   this License applicable to that copy.

  3. Object Code Incorporating Material from Library Header Files.

  The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:

   a) Give prominent notice with each copy of the object code that the
   Library is used in it and that the Library and its use are
   covered by this License.

   b) Accompany the object code with a copy of the GNU GPL and this license
   document.

  4. Combined Works.

  You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:

   a) Give prominent notice with each copy of the Combined Work that
   the Library is used in it and that the Library and its use are
   covered by this License.

   b) Accompany the Combined Work with a copy of the GNU GPL and this license
   document.

   c) For a Combined Work that displays copyright notices during
   execution, include the copyright notice for the Library among
   these notices, as well as a reference directing the user to the
   copies of the GNU GPL and this license document.

   d) Do one of the following:

       0) Convey the Minimal Corresponding Source under the terms of this
       License, and the Corresponding Application Code in a form
       suitable for, and under terms that permit, the user to
       recombine or relink the Application with a modified version of
       the Linked Version to produce a modified Combined Work, in the
       manner specified by section 6 of the GNU GPL for conveying
       Corresponding Source.

       1) Use a suitable shared library mechanism for linking with the
       Library. A suitable mechanism is one that (a) uses at run time
       a copy of the Library already present on the user's computer
       system, and (b) will operate properly with a modified version
       of the Library that is interface-compatible with the Linked
       Version.

   e) Provide Installation Information, but only if you would otherwise
   be required to provide such information under section 6 of the
   GNU GPL, and only to the extent that such information is
   necessary to install and execute a modified version of the
   Combined Work produced by recombining or relinking the
   Application with a modified version of the Linked Version. (If
   you use option 4d0, the Installation Information must accompany
   the Minimal Corresponding Source and Corresponding Application
   Code. If you use option 4d1, you must provide the Installation
   Information in the manner specified by section 6 of the GNU GPL
   for conveying Corresponding Source.)

  5. Combined Libraries.

  You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:

   a) Accompany the combined library with a copy of the same work based
   on the Library, uncombined with any other library facilities,
   conveyed under the terms of this License.

   b) Give prominent notice with the combined library that part of it
   is a work based on the Library, and explaining where to find the
   accompanying uncombined form of the same work.

  6. Revised Versions of the GNU Lesser General Public License.

  The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.

  Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.

  If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.
--------------------------------------------------------------------------------
/LaunchDaemons/com.splunk.bootstart.plist:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.splunk.bootstart</string>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/splunkforwarder/bin/splunk</string>
		<string>start</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>/tmp/splunkboot.stderr</string>
	<key>StandardOutPath</key>
	<string>/tmp/splunkboot.stdout</string>
</dict>
</plist>
--------------------------------------------------------------------------------
/LaunchDaemons/com.supraudit.exec.startup.plist:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnvironmentVariables</key>
	<dict>
		<key>PATH</key>
		<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
	</dict>
	<key>Label</key>
	<string>com.supraudit.exec.startup</string>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/SupraFilters_Exec.sh</string>
	</array>
	<!-- RunAtLoad only starts the job at boot/load; there is no KeepAlive, so if
	     supraudit exits the auditing stops until the next boot or manual load. -->
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>
--------------------------------------------------------------------------------
/LaunchDaemons/com.supraudit.login.startup.plist:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnvironmentVariables</key>
	<dict>
		<key>PATH</key>
		<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
	</dict>
	<key>Label</key>
	<string>com.supraudit.login.startup</string>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/SupraFilters_Login.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>
--------------------------------------------------------------------------------
/LaunchDaemons/com.supraudit.net.startup.plist:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnvironmentVariables</key>
	<dict>
		<key>PATH</key>
		<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
	</dict>
	<key>Label</key>
	<string>com.supraudit.net.startup</string>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/SupraFilters_Net.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>
--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
# OSXMon

## Event monitoring on Mac for threat hunting.

**OSXMon** was born from the need to monitor the events that happen on a machine running OS X, in order to detect threats both from malicious users and from malware designed to evade traditional security controls (AV, application control, etc.).

Before going into the technical details and scope of the tool I want to thank **Jonathan Levin**, since without his application [Supraudit](http://newosxbook.com/tools/supraudit.html) this project would not have been possible. If you have any question, comment or observation about that great application, do not hesitate to contact him through the forum on his website, [NewOSXBook](http://newosxbook.com/forum/index.php).

# Threat hunting... what is it?
Without going into much detail, **threat hunting** is, as its name says, the search for threats on a workstation or server by observing the activity taking place on it at a given moment.

There are many tools today that help with this kind of work, such as sandboxes or malware analyzers, honeypots and others. However, in an enterprise scenario with thousands of endpoints to protect and monitor, the task is not simple.

For Windows machines there is Sysmon, whose deployment in an enterprise environment is relatively straightforward, and there is a good number of articles on the subject.

That is not the case for Mac OS X and Linux machines (I will cover the latter later on), and that is where the need for this project came from.

## Structure of the environment
To do centralized threat monitoring I relied on two basic elements:

* **Supraudit:**
  An application that dumps the OS events in the terminal, on screen or into a text file. By design it can show the following events:

  - Network connections
  - Every kind of file-related operation
  - Every process that runs (with its command line) ;)

* **SIEM:**
  In my deployment I used the free version of [**Splunk**](https://www.splunk.com/en_us/download/splunk-light.html) for the final dashboards and alerts, although any product designed for this purpose could be used.

  So what you will see in this article is what relates to that SIEM.

## Prerequisites and installers.
To run and start using this monitoring I recommend the following:

* Download the latest version of [Supraudit](http://newosxbook.com/tools/supraudit.html) from the developer's official site.
* Download the [Splunk Universal Forwarder](https://www.splunk.com/es_es/download/universal-forwarder.html) for Mac.
* Configure Supraudit to audit the relevant events, according to the options the application itself offers, and save the events to a file on the machine.
* Configure the forwarder to read those files and send them to the SIEM.

### Or

>If you are not familiar with this operating system, don't worry: in [**my repository**](https://github.com/AlfredoAbarca/OSXMon) on GitHub you will find an installer that performs these tasks for you.

**IMPORTANT NOTE:** If you decide to use my install script, keep in mind that you must first disable Apple's [**System Integrity Protection**](https://www.macworld.co.uk/how-to/mac/how-turn-off-mac-os-x-system-integrity-protection-rootless-3638975/), because I store the Supraudit executable under /usr/bin to prevent tampering with the file after it has been configured; once the installation finishes you can enable it again. Bear in mind that SIP is precisely what makes /usr/bin tamper-resistant, so the machine is unprotected while it is off; if that window is not acceptable, /usr/local/bin is root-owned, needs no SIP change and is already on the PATH the LaunchDaemons set.


--------------------------------------------------------------------------------
/Uninstall.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#==============================================================================================
#
# Author: Alfredo Abarca Barajas
# Operating System: Mac OSX 10.13.6 (High Sierra)
# Creation Date: August 14, 2018
# Last Modification: August 14, 2018
#
#
# This script undoes the installation of Supraudit (and the Splunk forwarder) done by Install.sh.
#
# It MUST BE RUN with root privileges. Removing /usr/bin/supraudit additionally requires
# System Integrity Protection to be disabled, as during installation.
#
# Any doubt or comment related to this script, please let me know.
#
#==============================================================================================
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root." >&2
    exit 1
fi
echo -e "\n This script will uninstall the Supraudit Monitoring system from your computer.\n"
while [ -z "$REPLY" ]; do
    if [ -z "$1" ]; then
        read -p "Do you want to proceed? (yes/no) "
    else
        REPLY=$1
        set --
    fi
    case $REPLY in
        [Yy]es)
            echo -e "\n Starting the uninstallation process, please wait...\n"
            echo -e "\n It may take some minutes to complete"
            echo -e "Stopping monitoring daemons...\n"
            # Unload each supraudit LaunchDaemon and remove its plist, so nothing comes back at boot.
            for plist in /Library/LaunchDaemons/com.supraudit.*.plist; do
                [ -f "$plist" ] || continue
                launchctl unload -w "$plist"
                rm -f "$plist"
            done
            rm -f /opt/SupraFilters_Exec.sh /opt/SupraFilters_Login.sh /opt/SupraFilters_Net.sh
            # Deleting from /usr/bin fails with "Operation not permitted" while SIP is enabled.
            if [ -f /usr/bin/supraudit ]; then
                rm -f /usr/bin/supraudit || echo "Could not remove /usr/bin/supraudit (is SIP enabled?)"
            fi
            echo -e "Stopping and uninstalling Splunk Universal Forwarder...\n"
            if [ -x /opt/splunkforwarder/bin/splunk ]; then
                /opt/splunkforwarder/bin/splunk stop
                /opt/splunkforwarder/bin/splunk disable boot-start
                rm -rf /opt/splunkforwarder/
            fi
            if [ -f /Library/LaunchDaemons/com.splunk.bootstart.plist ]; then
                launchctl unload -w /Library/LaunchDaemons/com.splunk.bootstart.plist 2>/dev/null
                rm -f /Library/LaunchDaemons/com.splunk.bootstart.plist
            fi
            echo -e "Checking that all changes have been applied successfully\n"
            daemons=$(launchctl list | grep -c "com.supraudit")
            if [ "$daemons" -eq 0 ]; then
                echo -e "Startup items have been removed successfully\n"
            else
                echo -e "These startup items still remain in memory:\n"
                launchctl list | grep "com.supraudit"
            fi
            if [ ! -d /opt/splunkforwarder/ ]; then
                echo -e "The splunk forwarder directory /opt/splunkforwarder/ has been removed\n"
            else
                echo -e "The splunk forwarder directory /opt/splunkforwarder could not be deleted\n"
            fi
            # The collected logs in /var/log/supraudit are kept on purpose (they may still be needed
            # for an investigation); remove the directory yourself when you no longer want them.
            echo -e "\n The uninstallation script has ended!!\n"
            ;;
        [Nn]o)
            echo -e "\nNo changes have been made to the system. Good bye!!\n"
            ;;
        *)
            echo "Wrong answer. Type 'yes' or 'no'"
            unset REPLY ;;
    esac
done

--------------------------------------------------------------------------------
/opt/SupraFilters_Exec.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#===========================================================================================================
#
#
# AUTHOR: Alfredo Abarca
# OS Version: High Sierra 10.13.6
# Creation Date: July 31, 2018
# Last Modification: July 31, 2018
# Version: 1.0
#
# This bash script runs supraudit with a few filters that try to drop irrelevant events and reduce the
# amount of information stored on the local machine.
#
# The supraudit tool has been developed by Jonathan Levin; anything related to the binary itself should
# be reported to him through the forum section at newosxbook.com
#
#==========================================================================================================

# Events are recorded in the following form:

#TIMESTAMP | PROCESS NAME | PID/UID |operation (modifiers) (arguments) = return value
#-------------+----------------+---------+--------------------------------------------------
#1507164879.89| vmnet-natd|53832/501|open (read)(flags=0 path=/private/etc/hosts ) = 10
#1507164879.89| vmnet-natd|53832/501|close(fd=10 path=/private/etc/hosts ) = 0

#========EXECUTED APPS=========
# Audit the execution of applications: keep execve events and accesses to paths under /Applications,
# after dropping ioctl/close noise and a list of chatty system daemons. The exclusions are plain
# substring matches on the whole line, so e.g. 'mds' also hides any record whose path contains "mds".
# --line-buffered makes grep flush each matching line at once; without it every stage of the pipeline
# holds events back until its stdio buffer fills, so the log (and the forwarder reading it) lag behind.
supraudit -S /dev/auditpipe \
    | grep --line-buffered -Ev 'ioctl|close\(|callservicesd|CodeSi|secinitd|mdworker|mds|amfid|helpd|framework|Framework' \
    | grep --line-buffered -E 'AUE_ACCESS\(path=/Applications|execve' \
    >> /var/log/supraudit/ExecApps.log


--------------------------------------------------------------------------------
/opt/SupraFilters_Login.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#===========================================================================================================
#
#
# AUTHOR: Alfredo Abarca
# OS Version: High Sierra 10.13.6
# Creation Date: July 31, 2018
# Last Modification: July 31, 2018
# Version: 1.0
#
# This bash script runs supraudit with a few filters that try to drop irrelevant events and reduce the
# amount of information stored on the local machine.
#
# The supraudit tool has been developed by Jonathan Levin; anything related to the binary itself should
# be reported to him through the forum section at newosxbook.com
#
#==========================================================================================================

# Events are recorded in the following form:

#TIMESTAMP | PROCESS NAME | PID/UID |operation (modifiers) (arguments) = return value
#-------------+----------------+---------+--------------------------------------------------
#1507164879.89| vmnet-natd|53832/501|open (read)(flags=0 path=/private/etc/hosts ) = 10
#1507164879.89| vmnet-natd|53832/501|close(fd=10 path=/private/etc/hosts ) = 0


# ====USER FAILED/SUCCESS LOGIN======
# Record the events related to successful/failed logins: the records supraudit emits for them contain
# the word "password", which is what the final grep selects. The first grep drops ioctl/close noise and
# the same local/IPv6 addresses excluded in SupraFilters_Net.sh (dots escaped so they match literally).
# --line-buffered keeps grep from holding events in its stdio buffer, so login.log is written at once.
supraudit -S /dev/auditpipe \
    | grep --line-buffered -Ev 'ioctl|close\(|INET6|127\.0\.0\.1|INET4 10\.|INET4 192\.|INET4 0\.|INET4 255\.' \
    | grep --line-buffered "password" >> /var/log/supraudit/login.log


--------------------------------------------------------------------------------
/opt/SupraFilters_Net.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #===========================================================================================================
3 | #
4 | #
5 | # AUTHOR: Alfredo Abarca
6 | # OS Version: High Sierra 10.13.6
7 | # Creation Date: July 31, 2018
8 | # Last Modification: July 31, 2018
9 | # Version: 1.0
10 | #
11 | # This bash script runs supraudit with filters that drop irrelevant events, to reduce the amount of
12 | # information stored on the local computer.
13 | #
14 | # The supraudit tool was developed by Jonathan Levin; issues with the binary itself should be reported
15 | # to him through his forum at newosxbook.com
16 | #
17 | #==========================================================================================================
18 |
19 | # Events are recorded in the following form, for example:
20 |
21 | #TIMESTAMP | PROCESS NAME | PID/UID |operation (modifiers) (arguments) = return value
22 | #-------------+----------------+---------+--------------------------------------------------
23 | #1507164879.89| vmnet-natd|53832/501|open (read)(flags=0 path=/private/etc/hosts ) = 10
24 | #1507164879.89| vmnet-natd|53832/501|close(fd=10 path=/private/etc/hosts ) = 0
25 |
26 | # =====NETWORK CONNECTIONS====
27 | # Send network connection records to network.log. The filters applied are:
28 | #
29 | # - drop ioctl/close noise, INET6 connections, loopback (127.0.0.1) and IPv4 peers starting with 10., 192., 0. or 255.
30 | #   (note: 'INET4 192\.' drops the whole 192/8 block, not only the RFC 1918 192.168/16 range); --line-buffered keeps the log current
31 | supraudit -S -F net /dev/auditpipe | grep --line-buffered -Ev 'ioctl|close\(|INET6|127\.0\.0\.1|INET4 10\.|INET4 192\.|INET4 0\.|INET4 255\.' >> /var/log/supraudit/network.log
32 |
33 |
34 |
35 |
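The three SupraFilters scripts and the man page both describe the `-S` line layout (TIMESTAMP | PROCESS NAME | PID/UID | operation = return value) and route records with grep. The following is an added example, not code from the OSXMon repository or from supraudit: it parses that layout into records and reproduces the exec/login/net routing, generalizing the scripts' IPv4 prefix list ('10.', '192.', '0.', '255.', 127.0.0.1) to the loopback/private/reserved classification from Python's ipaddress module. The sample lines, process names and the `connect(INET4 ...)` / `authenticate(... password)` argument forms are constructed for the example.

```python
import re
from collections import namedtuple
from ipaddress import ip_address

# Constructed sample lines in the supraudit -S layout (not captured from a real host).
SAMPLE_LOG = """\
1507164879.89| vmnet-natd|53832/501|open (read)(flags=0 path=/private/etc/hosts ) = 10
1507164879.89| vmnet-natd|53832/501|close(fd=10 path=/private/etc/hosts ) = 0
1507164880.10| bash|53900/501|execve(path=/Applications/Calculator.app/Contents/MacOS/Calculator ) = 0
1507164881.20| curl|53910/501|connect(INET4 10.0.0.5:443 ) = 0
1507164881.30| curl|53911/501|connect(INET4 93.184.216.34:443 ) = 0
1507164882.00| loginwindow|120/0|authenticate(user=alice password ) = -1
"""

# TIMESTAMP | PROCESS NAME | PID/UID | operation (modifiers) (arguments) = return value
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\|\s*(?P<proc>[^|]+?)\s*\|(?P<pid>\d+)/(?P<uid>\d+)\|"
    r"(?P<op>.*?)\s*=\s*(?P<ret>-?\d+)\s*$")
INET4_RE = re.compile(r"INET4 (\d{1,3}(?:\.\d{1,3}){3})")
Event = namedtuple("Event", "ts proc pid uid op ret")  # ret < 0 marks a failed call

def parse_line(line):
    """Parse one -S line into an Event; return None for anything that is not a record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(float(m["ts"]), m["proc"], int(m["pid"]), int(m["uid"]),
                 m["op"], int(m["ret"]))

def is_external_ipv4(ev):
    """Net filter: keep only IPv4 peers outside loopback, private and reserved space."""
    m = INET4_RE.search(ev.op)
    if not m:
        return False  # no IPv4 peer in this record (INET6 records are dropped here too)
    a = ip_address(m.group(1))
    return not (a.is_private or a.is_loopback or a.is_reserved or a.is_unspecified)

def classify(ev):
    """Route an event to the log that the corresponding SupraFilters script would write."""
    if "execve" in ev.op or ("AUE_ACCESS" in ev.op and "path=/Applications" in ev.op):
        return "exec"
    if "password" in ev.op:
        return "login"
    if is_external_ipv4(ev):
        return "net"
    return None

def route(text):
    """Split raw -S output into exec/login/net buckets, skipping lines that do not parse."""
    buckets = {"exec": [], "login": [], "net": []}
    for line in text.splitlines():
        ev = parse_line(line)
        cat = classify(ev) if ev else None
        if cat:
            buckets[cat].append(ev)
    return buckets

def failed_logins(buckets):
    """Login records whose return value is negative (a failed call)."""
    return [ev for ev in buckets["login"] if ev.ret < 0]
```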
--------------------------------------------------------------------------------
/splunkforwarder.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AlfredoAbarca/OSXMon/92846925aff9dfa1614975ef68fc7bddb8b25360/splunkforwarder.tgz
--------------------------------------------------------------------------------
/supraudit/tmp/CREDITS:
--------------------------------------------------------------------------------
1 |
2 | praudit was designed and implemented by the fine folks of the (now departed) Solaris.
3 |
4 | The praudit.c file was directly reverse-engineered from Apple's Darwin implementation,
5 | which for some reason (known only to them) remains closed source.
6 |
7 | supraudit is the brainchild of Jonathan Levin, J@NewOSXBook.com, and was first shown
8 | in the "MacOS/iOS Internals" Trilogy, volume III.
9 |
10 | The -J (JSON) output switch was suggested by Pepijn Bruienne (@Bruienne)
11 |
12 |
--------------------------------------------------------------------------------
/supraudit/tmp/LICENSE:
--------------------------------------------------------------------------------
1 |
2 | supraudit is FREE for personal use, and/or up to 5 hosts. If you are going to use this in a commercial environment of 10+ hosts, you'll need to talk to products@technologeeks.com about licensing - and you probably want to get the PRO version anyway, which contains the server (for -R message relaying) and, soon the GUI.
3 |
4 | If you suggest an improvement or fix which I will incorporate, you get a free site license for life, and my thanks.
5 |
6 |
--------------------------------------------------------------------------------
/supraudit/tmp/praudit.c:
--------------------------------------------------------------------------------
1 | // Header list reconstructed: the original include names were lost when this listing was extracted.
2 | #include <stdio.h>
3 | #include <stdlib.h>
4 | #include <string.h>
5 | #include <stdint.h>
6 | #include <unistd.h>
7 | #include <fcntl.h>
8 | #include <sys/types.h>
9 | #include <sys/stat.h>
10 | #include <sys/mman.h>
11 | #include <sys/ioctl.h>
12 | #include <bsm/audit.h>
13 | #include <bsm/audit_record.h>
14 | #include <bsm/libbsm.h>
15 | #include <security/audit/audit_ioctl.h>
16 |
17 |
18 |
19 | // An almost 100% compatible praudit clone by J@NewOSXBook.com
20 | //
21 | // compile with gcc -lbsm
22 | //
23 | #define PROGNAME "praudit"
24 | #define FLAG_NONEWLINE 0x1000
25 |
26 |
27 | char *g_delim = "|";
28 | void usage(char *MyName)
29 | {
30 |
31 | fprintf(stderr, "usage: %s [-lnpx] [-r | -s] [-d del] [file ...]\n", MyName);
32 |
33 |
34 | }
35 |
36 |
37 |
38 | void processRecord (unsigned char *Buf, int RecSize, int Flags,char *Delimiter)
39 | {
40 | tokenstr_t tok;
41 |
42 | int pos = 0;
43 |
44 | while (au_fetch_tok(&tok,
45 | Buf + pos, // u_char *buf,
46 | RecSize) == 0) //
47 | {
48 | au_print_flags_tok(stdout, // FILE *outfp,
49 | &tok, // tokenstr_t *tok,
50 | Delimiter, // char *del,
51 | Flags); //Flags); // int oflags);
52 |
53 | RecSize -= tok.len;
54 | pos += tok.len;
55 | if (!(Flags & FLAG_NONEWLINE)) fprintf(stdout,"\n");
56 | else {
57 | printf("%s",Delimiter);
58 | }
59 | }
60 |
61 | } // processRecord
62 |
63 |
64 | void processFile (FILE *auditPipeFile, int Flags, char *Delim) {
65 |
66 | int recsize;
67 |
68 | #define BUFSIZE 8192
69 |
70 |
71 |
72 | if (Flags & AU_OFLAG_XML) au_print_xml_header(stdout);
73 |
74 | unsigned char *buf;
75 | int recs = 0;
76 | while ((recsize = au_read_rec(auditPipeFile, &buf)) > 0)
77 | {
78 | recs++;
79 |
80 | processRecord(buf, recsize, Flags,Delim);
81 |
82 | if (Flags & FLAG_NONEWLINE) {
83 | fprintf(stdout,"\n");
84 | }
85 | free(buf);
86 |
87 | }
88 | if (!recs) {
89 | fprintf(stderr,"%sNot an audit log%s\n",
90 | (Flags & AU_OFLAG_XML) ? "<!-- " : "", // in -x mode wrap the message in an XML comment (delimiters reconstructed; extraction stripped them)
91 | (Flags & AU_OFLAG_XML) ? " -->" : "");
92 | }
93 | if (Flags & AU_OFLAG_XML) au_print_xml_footer(stdout);
94 | } // processFile
95 |
96 |
97 | int doFile(char *FileName, int Flags,char *Delim) {
98 |
99 |
100 |
101 | struct stat stBuf;
102 |
103 | int fd = open (FileName, O_RDONLY);
104 | if (fd < 0) { perror (FileName); return 3;}
105 |
106 | int rc = fstat (fd, &stBuf);
107 | if (rc != 0) { perror ("stat"); close (fd); return 4; }
108 |
109 |
110 | if (!S_ISREG(stBuf.st_mode)) { // testing the S_IFREG bit alone also lets sockets (S_IFSOCK) through
111 | fprintf(stderr,"%s: Not a regular file\n", FileName); close(fd); return 5;}
112 |
113 | #if 0
114 | // This would be way more efficient, but au_read_rec (which is used later)
115 | // requires a FILE *.
116 |
117 | char *mmapped = mmap (0, // void *addr,
118 | stBuf.st_size, // size_t len,
119 | PROT_READ, // int prot,
120 | MAP_PRIVATE, // int flags,
121 | fd, // int fd,
122 | 0); // off_t offset);
123 |
124 | if (mmapped == MAP_FAILED) { perror ("mmap"); close (fd); return 6; }
125 |
126 | // Audit files are just raw records, and don't have a magic. In practice,
127 | // however, they all start with "14 00 00 00" (AUT_HEADER32) or AUT_HEADER64
128 | // One way of checking would be to check for that header, like so
129 |
130 | if (*((uint32_t *) mmapped ) != AUT_HEADER32){
131 | fprintf(stderr,"%s is not an audit trail file\n", FileName); close (fd); return 7;}
132 |
133 | // But since processFile will call au_read_rec, which will fail if the record header
134 | // doesn't start the file, this is #ifdef'ed out.
135 |
136 | #endif
137 |
138 |
139 | FILE *File = fdopen (fd, "r");
140 | if (!File) { perror ("fdopen"); close (fd); return 8; }
141 | processFile(File , Flags,Delim);
142 | fclose(File); return 0;
143 | } // doFile
144 | int doPipe(int Flags, char *Delim) {
145 |
146 | uint64_t selectMode;
147 | int auditPipe = open ("/dev/auditpipe", O_RDWR);
148 | if (auditPipe < 0) {
149 | fprintf(stderr,"Unable to open /dev/auditpipe!\n");
150 | exit(3);
151 | }
152 |
153 | if (ioctl (auditPipe, AUDITPIPE_GET_PRESELECT_MODE, &selectMode) < 0) {
154 | perror ("ioctl");
155 | exit(4);
156 | }
157 | // should be one
158 |
159 | selectMode = 2;
160 | if (ioctl (auditPipe, AUDITPIPE_SET_PRESELECT_MODE, &selectMode) < 0) {
161 | perror ("ioctl");
162 | exit(4);
163 | }
164 |
165 |
166 | selectMode =0xffffffffffffffff;
167 | if (ioctl (auditPipe, AUDITPIPE_SET_PRESELECT_FLAGS, &selectMode) < 0) {
168 | perror ("ioctl");
169 | exit(4);
170 | }
171 |
172 | selectMode= 0;
173 | if (ioctl (auditPipe, AUDITPIPE_GET_PRESELECT_FLAGS, &selectMode) < 0) {
174 | perror ("ioctl");
175 | exit(4);
176 | }
177 | uint32_t queueLimit = 0;
178 | if (ioctl (auditPipe, AUDITPIPE_GET_QLIMIT, &queueLimit) < 0) {
179 | perror ("ioctl");
180 | exit(4);
181 | }
182 | uint32_t queueLimitMax = 0;
183 | if (ioctl (auditPipe, AUDITPIPE_GET_QLIMIT_MAX, &queueLimitMax) < 0) {
184 | perror ("ioctl");
185 | exit(4);
186 | }
187 | if (ioctl (auditPipe, AUDITPIPE_SET_QLIMIT, &queueLimitMax) < 0) {
188 | perror ("ioctl");
189 | exit(4);
190 | }
191 |
192 | /*
193 | if (ioctl (auditPipe, AUDITPIPE_GET_QLIMIT, &queueLimit) < 0) {
194 |
195 | perror ("ioctl");
196 | exit(4);
197 | }
198 |
199 | printf ("Queue limit: %d\n", queueLimit);
200 | */
201 | //printf("select flags: %d\n", selectMode); // should be 1 AUDITPIPE_PRESELECT_MODE_TRAIL
202 |
203 | selectMode= 0xffffffffffffffff;
204 | if (ioctl (auditPipe, AUDITPIPE_SET_PRESELECT_NAFLAGS, &selectMode) < 0) {
205 | perror ("ioctl");
206 | exit(4);
207 | }
208 |
209 |
210 | FILE *auditPipeFile = fdopen (auditPipe, "r"); // "rw" is not a valid fdopen mode; the pipe is only read from here
211 |
212 | // From this point, it's just a file
213 |
214 | processFile (auditPipeFile, Flags,Delim);
215 |
216 |
217 |
218 |
219 | return 0;
220 |
221 | } // doPipe
222 |
223 | char *processArguments(int argc, char **argv,int *Flags)
224 | {
225 |
226 | // the real praudit uses getopt(3). Me, I'm not a fan
227 |
228 | char *filename = NULL;
229 |
230 | int arg;
231 | for (arg = 1; arg < argc; arg++)
232 | {
233 |
234 | if (argv[arg][0] == '-')
235 | {
236 | switch (argv[arg][1])
237 | {
238 | case 'd':
239 | if (arg + 1 >= argc) { usage(argv[0]); exit(1); } // -d needs an argument; argv[argc] is NULL
240 | g_delim = argv[arg+1];
241 | arg++; break;
242 | case 's':
243 | *Flags |= AU_OFLAG_SHORT;
244 | break;
245 | case 'r':
246 | *Flags |= AU_OFLAG_RAW;
247 | break;
248 | case 'x':
249 | *Flags |= AU_OFLAG_XML;
250 | break;
251 | case 'l':
252 | *Flags |= FLAG_NONEWLINE;
253 | break;
254 | case 'n':
255 | *Flags |= AU_OFLAG_NORESOLVE;
256 | break;
257 | case 'h': usage(argv[0]); exit(0); // main() tells the user that -h prints help
258 | default:
259 | fprintf(stderr,"%s: illegal option -- %s\n", argv[0],argv[arg]);
260 | usage(argv[0]);
261 | exit(1);
262 |
263 | }
264 |
265 | }
266 | else {
267 | // Could be a filename
268 | if (access(argv[arg], R_OK) == 0)
269 | {
270 | // This IS a filename
271 | filename = argv[arg];
272 | }
273 | else
274 | {
275 | fprintf(stderr,"praudit: %s - Not a file I can read from\n", argv[arg]);
276 | exit(2);
277 | }
278 | }
279 |
280 | } // end for
281 | return (filename);
282 | }
283 |
284 |
285 | __attribute__((__used__)) static char sccsid[] = "@(#) PROGRAM:praudit PROJECT:j-auditutils-39.0.0";
286 |
287 |
288 |
289 | int main (int argc, char **argv)
290 | {
291 |
292 | // This is a compatible, but not identical implementation of praudit
293 |
294 | if (geteuid()) {
295 | fprintf(stderr,"You're wasting my time, little man. I need root privileges\n");
296 | exit(2);
297 | }
298 |
299 | /*
300 | int t = AUDIT_TRIGGER_INITIALIZE;
301 | auditon( A_SENDTRIGGER, &t, sizeof(int));
302 |
303 | */
304 |
305 | int Flags = 0;
306 |
307 | char *fileName = processArguments(argc, argv, &Flags);
308 |
309 | if (!fileName) {
310 | if (isatty(0))
311 | {
312 | fprintf(stderr,"supraudit won't read audit records directly from the terminal. Use a pipe (|) instead. -h will get you help\n");
313 | exit(1);
314 | }
315 |
316 | }
317 | else
318 | {
319 | if (strcmp(fileName,"/dev/auditpipe") == 0) doPipe(Flags, g_delim);
320 | else doFile(fileName, Flags, g_delim); // without else, a closed pipe would fall through into doFile and fail its regular-file check
321 | }
322 | exit(0);
323 |
324 |
325 | }
326 |
327 |
--------------------------------------------------------------------------------
/supraudit/usr/local/bin/supraudit:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AlfredoAbarca/OSXMon/92846925aff9dfa1614975ef68fc7bddb8b25360/supraudit/usr/local/bin/supraudit
--------------------------------------------------------------------------------
/supraudit/usr/share/man/manj/supraudit.j:
--------------------------------------------------------------------------------
1 | .\" Copyright (c) 2004-2009 Apple Inc.
2 | .\" All rights reserved.
3 | .\"
4 | .\" Redistribution and use in source and binary forms, with or without
5 | .\" modification, are permitted provided that the following conditions
6 | .\" are met:
7 | .\" 1. Redistributions of source code must retain the above copyright
8 | .\" notice, this list of conditions and the following disclaimer.
9 | .\" 2. Redistributions in binary form must reproduce the above copyright
10 | .\" notice, this list of conditions and the following disclaimer in the
11 | .\" documentation and/or other materials provided with the distribution.
12 | .\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
13 | .\" its contributors may be used to endorse or promote products derived
14 | .\" from this software without specific prior written permission.
15 | .\"
16 | .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
17 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
20 | .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 | .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 | .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | .\" POSSIBILITY OF SUCH DAMAGE.
27 | .\"
28 | .\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#14 $
29 | .\"
30 | .Dd October 01, 2017
31 | .Dt PRAUDIT j
32 | .Os
33 | .Sh NAME
34 | .Nm supraudit
35 | .Nd "Do what praudit does, only way better, and actually useful"
36 | .Sh SYNOPSIS
37 | .Nm
38 | .Op Fl lnpx
39 | .Op Fl r | s
40 | .Op Fl d Ar del
41 | .Op Ar
42 | .Op Fl S
43 | .Op Fl C
44 | .Op Fl J
45 | .Op Fl R Ar addr
46 | .Op Fl F Ar proc/net/files
47 | .Op Fl O Ar outputfile
48 |
49 | .Sh DESCRIPTION
50 | The
51 | .Nm
52 | utility matches praudit's functionality, but then adds the following useful behaviors:
53 | .Pp
54 | .Bl -tag -width indent
55 | .It Fl S
56 | Specifies that "supraudit" format is desired. The format is tabular (pipe '|' separated) and resembles that of Linux strace:
57 | .Bd -literal
58 | TIMESTAMP | PROCESS NAME | PID/UID |operation (modifiers) (arguments) = return value
59 | -------------+----------------+---------+--------------------------------------------------
60 | 1507164879.89| vmnet-natd|53832/501|open (read)(flags=0 path=/private/etc/hosts ) = 10
61 | 1507164879.89| vmnet-natd|53832/501|close(fd=10 path=/private/etc/hosts ) = 0
62 | .Ed
63 | .It Fl C
64 | Turns on color output, which makes it easier to sift through the copious data.
65 | You can also omit this option if the JCOLOR environment variable is set.
66 | If this option is specified and you pipe the output, do so with 'less -R' instead
67 | of more, because the latter can't handle the color curses sequences.
68 |
69 | .It Fl J
70 | Indicates JSON output is desired. Cannot be used with -S and will ignore -C
71 |
72 | .It Fl R Ar addr
73 | Rather than log locally, send all the output to a remote supraudit server. This is a great
74 | option if you want to centralize logging, which helps ensure logging integrity and detailed forensics.
75 | The supraudit-GUI may be used to view the logs.
76 |
77 | .It Fl O Ar outputfile
78 |
79 | Log full (unfiltered) output to specified outputfile (/tmp/supraudit.YYYYMMDDHHmmss is default)
80 |
81 | .It Fl F Ar files | proc | net
82 | Use pre-defined filters for file operations (files), IPv4/IPv6 (net) or process lifecycle (proc)
83 | .El
84 | .Sh FILES
85 | Unlike the
86 | .Xr praudit 1
87 | utility, supraudit doesn't care about whatever audit policy is configured via the files in /etc/security.
88 | .Sh OTHER NOTES
89 | supraudit will turn on auditing (the equivalent of
90 | .Xr audit 1
91 | -i) when started. Note that a call to
92 | .Xr audit 1
93 | -t when supraudit is started will freeze auditing, and supraudit will warn about it. This is expected behavior, and may be changed in a future release.
94 | .Pp
95 | Future versions of this tool may use a config file, as does the pro version.
103 | .Sh SEE ALSO
104 | .Xr praudit 1 ,
105 | .Xr auditreduce 1 ,
106 | .Xr audit 4 ,
107 | .Xr auditpipe 4 ,
108 | .Xr audit_class 5 ,
109 | .Xr audit_event 5
110 | .Sh HISTORY
111 | The OpenBSM implementation was created by McAfee Research, the security
112 | division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
113 | It was subsequently adopted by the TrustedBSD Project as the foundation for
114 | the OpenBSM distribution.
115 | .Sh AUTHORS
116 | .An -nosplit
117 | This software was created by Jonathan Levin, as part of the toolchest of http://NewOSXBook.com
118 |
119 | If you have suggestions for improvement, email J@NewOSXBook.com
120 |
121 | .Sh LICENSE
122 |
123 | This software is free for personal use. For commercial use, please contact
124 | .Pp
125 | The Basic Security Module (BSM) interface to audit records and audit event
126 | stream format were defined by Sun Microsystems. God bless Solaris. RIP.
127 |
--------------------------------------------------------------------------------