Log Types: AppleBSM
Overview
Apple OSX generates audit logs based on the Solaris Basic Security Module (BSM) audit subsystem.
Apple logs can be collected by the Snare for OSX agent. OSX generates logs that are token-based, with tabs separating content associated with each token. Snare for OSX will prefix any event with a hostname, a logtype, and a 'criticality' value.
Sample Events
osx10 AppleBSM 1 header,122,2,execve(2),,2006-03-21 14:28:22.555 +11:00 path,/usr/bin/find attribute,100555,root,bin,26738688,438,0 exec_args,1,find subject,root,root,root,root,root,650,1070026970,12849 202240 inferno.intersectalliance.com return,success,0 sequence,105 snareseq,32
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | AppleBSM |
EVENTCOUNT | An internal counter of the generated event. Incremented by one each time an event is generated. If filters are active, this number may skip on the Snare Central server. |
EVENTID | An event identifier such as execve, or sysinfo |
AUID | Audit UID - an immutable ID that represents the ID used by the user to initially log in. |
EUID | Effective UID - the UID under which the current executable is running |
EGID | Effective GID - the group ID under which the current executable is running |
RUID | Real UID - the UID associated with the user at login. Note that this is not immutable, and can be overridden by root-level system calls. |
RGID | Real GID - the GID associated with the user at login. Note that this is not immutable, and can be overridden by root-level system calls. |
PID | Process ID |
RETURNCODE | Return code of the executed command or system call |
STRINGS | Any other content that does not fit into the other fields |
TARGET | For some events, the targeted entity (eg: a path) |
Notes
Tokens are usually in a fixed order, but are not guaranteed to remain that way between OSX versions.
Tokens that may be commonly seen in Apple events include:
header (length, version, eventid, null, date/time)
trailer (reclen)
arbitrary (tokenID, format, datasize, count, .. arbitrary info - "count" fields in length)
argument (tokenID, argid, argval, string)
exec_args (argcount, .. arbitrary info - "argcount" fields in length)
attribute (filemode, owneruid, ownergid, filesysid, inodeid, deviceid)
exit (status, retval)
file (date/time, filename)
group (groups)
ip addr (address)
ip address (ipheader)
IPC (objecttype, objecthandle)
IPC perm (owneruid, ownergid, creatoruid, creatorgid, accessmode, seqnum, keyval)
ip port (address)
opaque (count, .. arbitrary info - "count" fields in length)
path (path)
process (aUID, eUID, eGID, rUID, rGID, processID, sessionID, terminalID)
return (status, retval)
sequence (seqnum)
socket (sockettype, localportaddr, localipaddr, remoteportaddr, remoteipaddr)
subject (aUID, eUID, eGID, rUID, rGID, processID, sessionID, terminalID)
text (text)
Note that different events use different tokens: for example, an 'execve' event generally follows the 'header' token with a 'path' token, while a 'logout' event generally has a 'subject' token second.
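The following parser is an added example, not Snare's own code, that turns a Snare-for-OSX AppleBSM line into the fields listed in the Fields table above, using the token layouts from the Notes. Tokens are located by name rather than by position, since the order is not guaranteed across OSX versions, and tokens without a dedicated field (attribute, exec_args, sequence, snareseq) are kept raw under STRINGS. The sample line is reconstructed from the event shown on this page with tab separators restored; the second sample line is constructed, and the keys CRITICALITY, SESSIONID, TERMINALID and RETURNSTATUS are assumed extensions of the table, not names Snare Central uses.

```python
"""Parse Snare-for-OSX AppleBSM events into the fields of the table above."""
import re

# Constructed sample, rebuilt from the event shown on this page. The rendered
# page flattens the tab separators into spaces; here they are explicit.
SAMPLE_EVENT = "\t".join([
    "osx10",
    "AppleBSM",
    "1",
    "header,122,2,execve(2),,2006-03-21 14:28:22.555 +11:00",
    "path,/usr/bin/find",
    "attribute,100555,root,bin,26738688,438,0",
    "exec_args,1,find",
    "subject,root,root,root,root,root,650,1070026970,12849 202240 inferno.intersectalliance.com",
    "return,success,0",
    "sequence,105",
    "snareseq,32",
])

# Constructed sample (hypothetical): a non-root login running a binary with an
# effective UID of root, e.g. through a setuid executable or sudo.
SETUID_EVENT = "\t".join([
    "osx10",
    "AppleBSM",
    "1",
    "header,122,2,execve(2),,2006-03-21 14:29:01.101 +11:00",
    "path,/usr/bin/passwd",
    "subject,alice,root,wheel,alice,staff,651,1070026971,12849 202240 inferno.intersectalliance.com",
    "return,success,0",
])

# Order of values in a 'subject' token, per the Notes section.
SUBJECT_FIELDS = ("AUID", "EUID", "EGID", "RUID", "RGID", "PID", "SESSIONID", "TERMINALID")


def parse_applebsm(line):
    """Return a dict keyed by the field names in the table (DATE, TIME, ...).

    The first three tab-separated values are the Snare prefix (hostname,
    logtype, criticality); everything after that is a BSM token whose first
    comma-separated value is the token name.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        raise ValueError("not a Snare-prefixed AppleBSM event")
    event = {
        "SYSTEM": parts[0],
        "TABLE": parts[1],
        "CRITICALITY": int(parts[2]),  # assumed key; the Snare prefix value
        "STRINGS": [],
    }
    for token in parts[3:]:
        name, _, body = token.partition(",")
        values = body.split(",")
        if name == "header":
            # header,reclen,version,eventid,modifier,"YYYY-MM-DD HH:MM:SS.mmm +TZ"
            event["EVENTID"] = re.sub(r"\(\d+\)$", "", values[2])  # execve(2) -> execve
            date_part, time_part = values[4].split(" ")[:2]
            event["DATE"] = date_part
            event["TIME"] = time_part.split(".")[0]  # drop milliseconds, HH:MM:SS
        elif name == "subject":
            event.update(zip(SUBJECT_FIELDS, values))
            event["PID"] = int(event["PID"])
        elif name == "return":
            # return,status,retval
            event["RETURNSTATUS"] = values[0]  # assumed key; 'success' or 'failure'
            event["RETURNCODE"] = int(values[1])
        elif name == "path":
            event["TARGET"] = body  # the whole body, in case the path contains commas
        else:
            event["STRINGS"].append(token)
    return event


def privilege_boundary_crossed(event):
    """True when the effective UID is root but the audit UID (the user who
    originally logged in, which cannot be changed later) is someone else.

    A normal condition for setuid binaries and sudo, so this is a signal to
    correlate with the TARGET path and the AUID, not an alert by itself.
    """
    return event.get("EUID") == "root" and event.get("AUID") not in (None, "root")


if __name__ == "__main__":
    for raw in (SAMPLE_EVENT, SETUID_EVENT):
        ev = parse_applebsm(raw)
        print(ev["DATE"], ev["TIME"], ev["SYSTEM"], ev["EVENTID"], ev.get("TARGET"),
              "auid=%s euid=%s" % (ev.get("AUID"), ev.get("EUID")),
              "boundary_crossed=%s" % privilege_boundary_crossed(ev))
```

Because the 'header' token is located by name, the parser is unaffected if a future OSX release moves it; only the order of values inside a token is assumed. Events whose 'header' token is missing will lack DATE, TIME and EVENTID, so consumers should use .get() on those keys as the detection helper does.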