Log Types: AppleBSM

Overview

The Apple OSX audit subsystem generates logs in a format derived from the Solaris BSM (Basic Security Module) audit system.

Apple logs can be collected by the Snare for OSX agent. OSX generates token-based logs: each event is a sequence of tokens separated by tabs, and the fields within a token are separated by commas. Snare for OSX prefixes every event with a hostname, a logtype (AppleBSM) and a 'criticality' value.

Sample Events

osx10 AppleBSM 1 header,122,2,execve(2),,2006-03-21 14:28:22.555 +11:00 path,/usr/bin/find attribute,100555,root,bin,26738688,438,0 exec_args,1,find subject,root,root,root,root,root,650,1070026970,12849 202240 inferno.intersectalliance.com return,success,0 sequence,105 snareseq,32

Fields

Field        Description

DATE         Event date, in the format YYYY-MM-DD
TIME         Event time, in the format HH:MM:SS
SYSTEM       The source system (the hostname prefixed to the event by the Snare agent)
TABLE        AppleBSM
EVENTCOUNT   An internal counter of the generated event, incremented by one each time an event is generated. If filters are active, this number may skip on the Snare Central server.
EVENTID      An event identifier such as execve or sysinfo
AUID         Audit UID: an immutable ID representing the user who initially logged in
EUID         Effective UID: the UID under which the current executable is running
EGID         Effective GID: the group ID under which the current executable is running
RUID         Real UID: the UID associated with the user at login. Note that this is not immutable, and can be overridden by root-level system calls.
RGID         Real GID: the GID associated with the user at login. Note that this is not immutable, and can be overridden by root-level system calls.
PID          Process ID
RETURNCODE   Return code of the executed command or system call
STRINGS      Any other content that does not fit into the other fields
TARGET       For some events, the targeted entity (eg: a path)

Notes

Tokens usually appear in a fixed order, but that order is not guaranteed to remain the same between OSX versions.

Tokens that may be commonly seen in Apple events include (field order as listed):

  • header (length, version, eventid, null, date/time)

  • trailer (reclen)

  • arbitrary (tokenID, format, datasize, count, followed by 'count' arbitrary data fields)

  • argument (tokenID, argid, argval, string)

  • exec_args (argcount, followed by 'argcount' argument strings)

  • attribute (filemode, owneruid, ownergid, filesysid, inodeid, deviceid)

  • exit (status, retval)

  • file (date/time, filename)

  • group (groups)

  • ip addr (address)

  • ip address (ipheader)

  • IPC (objecttype, objecthandle)

  • IPC perm (owneruid, ownergid, creatoruid, creatorgid, accessmode, seqnum, keyval)

  • ip port (address)

  • opaque (count, followed by 'count' arbitrary data fields)

  • path (path)

  • process (aUID, eUID, eGID, rUID, rGID, processID, sessionID, terminalID)

  • return (status, retval)

  • sequence (seqnum)

  • socket (sockettype, localportaddr, localipaddr, remoteportaddr, remoteipaddr)

  • subject (aUID, eUID, eGID, rUID, rGID, processID, sessionID, terminalID)

  • text (text)

NOTE that different events use different tokens. For example, an 'execve' event will generally follow the 'header' token with a 'path' token, whereas a 'logout' event will generally have a 'subject' token second.
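The following parser is an added example, not Snare's own code; it maps a Snare for OSX AppleBSM record (the tab-separated tokens described above) onto the field names in the table, using the sample execve event from this page plus one constructed record. It assumes tokens are separated by real tab characters (the sample above shows them flattened to spaces, so it is re-typed with tabs here), that the 'snareseq' token is the agent's event counter (EVENTCOUNT), and that RETURNCODE takes the retval half of the return token; the names RETURNSTATUS, SESSIONID, TERMINALID and CRITICALITY are chosen here and do not appear in the page's field table. Because the header timestamp and the subject's terminal ID contain spaces and a path may contain commas, the record must be split on tabs first and each token on commas with a bounded split.

```python
"""Parse Snare for OSX AppleBSM records into the fields listed on this page.

Added example, not Snare's code. Assumptions not stated on the page:
  - tokens are separated by TAB characters (samples re-typed with \t)
  - 'snareseq' is the agent's event counter and maps to EVENTCOUNT
  - RETURNCODE is the retval half of the return token; the status half is
    kept under RETURNSTATUS, a name chosen here (as are SESSIONID,
    TERMINALID and CRITICALITY)
"""
import re
from typing import Dict, List

# The page's sample execve event, re-typed with real tabs between tokens.
SAMPLE_EXECVE = "\t".join([
    "osx10", "AppleBSM", "1",
    "header,122,2,execve(2),,2006-03-21 14:28:22.555 +11:00",
    "path,/usr/bin/find",
    "attribute,100555,root,bin,26738688,438,0",
    "exec_args,1,find",
    "subject,root,root,root,root,root,650,1070026970,12849 202240 inferno.intersectalliance.com",
    "return,success,0",
    "sequence,105",
    "snareseq,32",
])

# Constructed record (not captured from a host): tokens in a different order,
# a path containing a comma, a failed call, and an audit UID that differs
# from the effective UID.
SAMPLE_SUID = "\t".join([
    "osx10", "AppleBSM", "1",
    "header,90,2,execve(2),,2006-03-21 14:30:01.010 +11:00",
    "subject,alice,root,wheel,root,wheel,702,1070026970,12849 202240 inferno.intersectalliance.com",
    "path,/tmp/odd,name",
    "return,failure : Permission denied,-1",
    "sequence,106",
    "snareseq,33",
])

_EVENT_SUFFIX = re.compile(r"\(\d+\)$")   # strips the "(2)" from "execve(2)"


def parse_applebsm(record: str) -> Dict[str, str]:
    """Map one Snare AppleBSM record onto the page's field names."""
    parts = record.rstrip("\r\n").split("\t")
    if len(parts) < 4 or parts[1] != "AppleBSM":
        raise ValueError("not a Snare for OSX AppleBSM record")
    ev: Dict[str, str] = {
        "SYSTEM": parts[0],        # hostname prefixed by the agent
        "TABLE": parts[1],
        "CRITICALITY": parts[2],   # Snare criticality value
    }
    leftovers: List[str] = []
    for token in parts[3:]:
        name, _, body = token.partition(",")
        if name == "header":
            # header: length, version, eventid, null, date/time
            _length, _version, eventid, _null, stamp = body.split(",", 4)
            stamp_parts = stamp.split(" ")
            ev["EVENTID"] = _EVENT_SUFFIX.sub("", eventid)
            ev["DATE"] = stamp_parts[0]
            # HH:MM:SS as the field table describes; drop fractional seconds
            ev["TIME"] = stamp_parts[1][:8] if len(stamp_parts) > 1 else ""
        elif name == "subject":
            # subject: aUID, eUID, eGID, rUID, rGID, processID, sessionID, terminalID
            fields = body.split(",", 7)
            if len(fields) != 8:
                raise ValueError("malformed subject token: %r" % token)
            (ev["AUID"], ev["EUID"], ev["EGID"], ev["RUID"], ev["RGID"],
             ev["PID"], ev["SESSIONID"], ev["TERMINALID"]) = fields
        elif name == "path":
            ev["TARGET"] = body    # whole remainder; commas are part of the path
        elif name == "return":
            # return: status, retval. Split from the right so a status such as
            # "failure : Permission denied" survives intact.
            status, _, retval = body.rpartition(",")
            ev["RETURNSTATUS"] = status
            ev["RETURNCODE"] = retval
        elif name == "snareseq":
            ev["EVENTCOUNT"] = body
        else:
            leftovers.append(token)   # attribute, exec_args, sequence, ...
    ev["STRINGS"] = " ".join(leftovers)
    return ev


def privilege_changed(ev: Dict[str, str]) -> bool:
    """True when the effective UID is not the audit UID, i.e. the process is
    acting as someone other than the user who logged in (setuid, su, sudo)."""
    return "AUID" in ev and ev.get("EUID") != ev["AUID"]


if __name__ == "__main__":
    for rec in (SAMPLE_EXECVE, SAMPLE_SUID):
        e = parse_applebsm(rec)
        print(e["DATE"], e["TIME"], e["EVENTID"], e.get("AUID"), "->",
              e.get("EUID"), e.get("TARGET"), e["RETURNCODE"],
              "PRIVCHANGE" if privilege_changed(e) else "")
```

The AUID/EUID comparison is the check worth keeping from this: the audit UID survives su and sudo, so a record whose EUID is root while its AUID is an ordinary user shows who actually obtained the privilege.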