BSM Codes

Audit class masks in the mask:name:description form used by /etc/security/audit_class; the short names (lo, ad, aa, ...) are what the flags line of audit_control refers to.

0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000080:pc:process
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non attributable
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00002000:aa:authentication and authorization
0x00004000:ap:application
0x10000000:res:reserved for internal use
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:miscellaneous
0xffffffff:all:all flags set

Unified Logging in macOS

With the introduction of "Unified Logging" in macOS 10.12 Sierra, the log command can be used to view system log messages in a terminal. For example:

sudo log stream

or

sudo log stream --process `pgrep -f /usr/local/bin/myprogram` --info --debug

or

log show --predicate 'process == "myprogram"' --last 1h --info --debug

sudo log show --info --predicate 'eventMessage contains "password"' --last 15m > /Users/promin/Desktop/loggs/password.txt

This will pull incorrect password attempts:
sudo log show --info --predicate 'eventMessage contains "incorrect password attempt"' --last 15m > /Users/promin/Desktop/loggs/lol.txt

log show --info --predicate 'eventMessage contains "login"' --last 3d > /Users/promin/Desktop/loggs/login.txt

log show --info --predicate 'eventMessage contains "sudo"' --last 3d > /Users/promin/Desktop/loggs/sudo.txt

LINKS

https://www.dssw.co.uk/blog/2017-03-02-view-power-manager-unified-logs-on-macos/

audit service retention time
The check displays the amount of time the audit system is configured to retain audit log files. The audit system will not delete logs until the specified condition has been met. To view the current setting, run the following command:

sudo grep ^expire-after /etc/security/audit_control

If this returns no results, or does not contain 7d or a larger value, this is a finding.

—->
Edit the /etc/security/audit_control file, and change the value for 'expire-after' to the amount of time audit logs should be kept for the system. Use the following command to set the 'expire-after' value to '7d' (the second form keeps a full year instead):

sudo sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; sudo audit -s
sudo sed -i.bak 's/.*expire-after.*/expire-after:365d/' /etc/security/audit_control; sudo audit -s

//////////////////////

audit service should be configured to immediately print messages to the console
By default, auditd only logs errors to syslog. To see if audit has been configured to print error messages to the console, run the following command:

sudo grep logger /etc/security/audit_warn

If the argument '-s' is missing, or if audit_warn has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.

—->

To make auditd log errors to standard error as well as syslogd, run the following command:

sudo sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; sudo audit -s

//////////////////////

audit service should shut down the computer if it is unable to audit system events

To view the setting for the audit control system, run the following command:

sudo grep ^policy /etc/security/audit_control | grep ahlt

If there is no result, this is a finding.

—->

Edit the /etc/security/audit_control file, and change the value for policy to include the setting 'ahlt'. To programmatically do this, run the following command:

sudo sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; sudo audit -s

//////////////////////

Auditing successful and unsuccessful attempts to elevate privileges

The options to configure the audit daemon are located in the /etc/security/audit_control file. To view the current settings, run the following command:

sudo grep ^flags /etc/security/audit_control

If the 'lo', 'ad', and 'aa' options are not set, this is a finding.

—->

To set the audit flags to the recommended setting, run the following command to add the flags 'lo', 'ad', and 'aa' all at once:

sudo sed -i.bak '/^flags/ s/$/,lo,ad,aa/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.

//////////////////////

If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available.

In order to view the currently configured flags for the audit daemon, run the following command:

sudo grep ^flags /etc/security/audit_control

Administrative actions and changes to configuration settings are logged by way of the 'ad' flag. If 'ad' is not listed in the result of the check, this is a finding.

—->

To make sure the appropriate flags are enabled for auditing, run the following command:

sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.

//////////////////////

auditing privileged functions

In order to view the currently configured flags for the audit daemon, run the following command:

sudo grep ^flags /etc/security/audit_control

Privileged access is logged via the 'ad' flag. If 'ad' is not listed in the result of the check, this is a finding.

—->

To make sure the appropriate flags are enabled for auditing, run the following command:

sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.

more auditing privileged functions

In order to view the currently configured flags for the audit daemon, run the following command:

sudo grep ^flags /etc/security/audit_control

Attempts to log in as another user are logged by way of the 'lo' flag. If 'lo' is not listed in the result of the check, this is a finding.

—->
To make sure the appropriate flags are enabled for auditing, run the following command:

sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.
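A worked check tying the BSM class table at the top of these notes to the audit_control flags, expire-after and policy checks above, as an added example that is not part of the original notes or of any Apple tool. The audit_class subset and the audit_control contents are constructed, and the '+', '-' and '^' prefix semantics follow audit_control(5):

```python
# Added example (not a macOS tool): parse the BSM class table and an audit_control
# file, expand flags: into success/failure masks, and report this page's findings.
# Constructed subset of /etc/security/audit_class (mask:name:description).
AUDIT_CLASS = """\
0x00000004:fa:file attribute access
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00002000:aa:authentication and authorization
0xffffffff:all:all flags set
"""

# Constructed audit_control that fails every check: no 'ad', 10M, no 'ahlt'.
AUDIT_CONTROL = """\
flags:lo,aa,-all,^-fa
policy:cnt,argv
expire-after:10M
"""

def parse_kv(text, parts):
    # Split each non-comment line on ':' into `parts` fields.
    return [l.split(":", parts - 1) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

def parse_classes(text):
    return {name: int(mask, 16) for mask, name, _desc in parse_kv(text, 3)}

def flags_to_masks(flags, classes):
    """(success_mask, failure_mask) per audit_control(5): '+' selects successes
    only, '-' failures only, and a leading '^' deselects instead of selecting."""
    succ = fail = 0
    for tok in (t.strip() for t in flags.split(",") if t.strip()):
        remove, tok = tok.startswith("^"), tok.lstrip("^")
        want_s, want_f = tok[0] != "-", tok[0] != "+"
        mask = classes[tok.lstrip("+-")]
        if want_s: succ = succ & ~mask if remove else succ | mask
        if want_f: fail = fail & ~mask if remove else fail | mask
    return succ, fail

def findings(control_text, class_text=AUDIT_CLASS):
    conf = dict(parse_kv(control_text, 2))
    classes = parse_classes(class_text)
    succ, fail = flags_to_masks(conf.get("flags", ""), classes)
    out = [f"flags: {n} not audited for both success and failure"
           for n in ("lo", "ad", "aa") if not (succ & fail & classes[n])]
    v = conf.get("expire-after", "").strip()  # size-only values such as 10M are a finding
    if not (v.endswith("d") and v[:-1].isdigit() and int(v[:-1]) >= 7):
        out.append("expire-after: not a time of at least 7d")
    if "ahlt" not in conf.get("policy", "").split(","):
        out.append("policy: ahlt not set")
    return out
```

Applying the page's three sed edits to the constructed file (appending lo,ad,aa to flags, ahlt to policy, and setting expire-after:7d) makes findings() return an empty list; note that the '-all' entry only selects failures, which is why 'ad' is a finding until it is added explicitly.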