OpenBSM Audit Logs

Tags: macOS, Authentication & Access, Disk Image, SIEM / Log Aggregator

Location

/var/audit/ (audit trail files) and /etc/security/audit_control (configuration)

Description

The macOS Basic Security Module (BSM) audit subsystem generates kernel-level audit records for system calls, file access, process execution, authentication events, and administrative actions. Audit trails are binary files in /var/audit/ that capture the events selected by the audit policy configured in /etc/security/audit_control. Each record is a sequence of typed tokens carrying the event type, timestamp, process (subject) information, and operation-specific parameters such as paths, arguments, and return status.

Forensic Value

OpenBSM provides the most granular audit trail available on macOS, recording system calls at the kernel level. Audit records capture process execution (execve) with full arguments, file open operations with paths, network socket operations, and authentication events, independently of any application-level logging. The audit trail is tamper-resistant because it is written by the kernel audit subsystem rather than by the audited process itself. praudit and auditreduce filter binary audit trails and render them in human-readable form. On systems where auditing is enabled, this is the authoritative source for process execution and file access evidence.
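As an added illustration of the binary record layout described above (this is example code written for this entry, not part of the original page or of OpenBSM), the Python below constructs two synthetic AUE_EXECVE records from the token formats defined in OpenBSM's bsm/audit_record.h (header32, subject32, exec_args, path, return32, trailer), parses them back the way praudit decodes a trail, verifies the trailer against the header length, and prints one summary line per successful execution. The event-name table is an assumed one-entry subset of /etc/security/audit_event, and every timestamp, pid, uid, path and argument value is constructed sample data.

```python
import struct
from datetime import datetime, timezone

# Token ids and trailer magic as defined in OpenBSM's bsm/audit_record.h
AUT_TRAILER, AUT_HEADER32, AUT_PATH = 0x13, 0x14, 0x23
AUT_SUBJECT32, AUT_RETURN32, AUT_EXEC_ARGS = 0x24, 0x27, 0x3C
TRAILER_MAGIC = 0xB105
HEADER_VERSION = 11          # AUDIT_HEADER_VERSION_OPENBSM

# Assumed subset of the event table; the full mapping lives in /etc/security/audit_event
EVENT_NAMES = {23: "AUE_EXECVE"}
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")


def parse_record(buf, offset=0):
    """Parse one BSM record at buf[offset]; return (dict, offset_of_next_record)."""
    if buf[offset] != AUT_HEADER32:
        raise ValueError(f"expected header32 token at {offset}")
    rec_len, version, event, _mod, secs, msecs = struct.unpack_from(">IBHHII", buf, offset + 1)
    end = offset + rec_len
    when = datetime.fromtimestamp(secs, timezone.utc).replace(microsecond=msecs * 1000)
    rec = {"version": version, "event": event,
           "event_name": EVENT_NAMES.get(event, f"AUE_{event}"), "time": when.isoformat()}
    pos = offset + 18                      # header32 is 18 bytes including its token id
    while pos < end:
        tid = buf[pos]
        if tid == AUT_SUBJECT32:           # nine big-endian uint32 fields
            rec["subject"] = dict(zip(SUBJECT_FIELDS, struct.unpack_from(">9I", buf, pos + 1)))
            pos += 37
        elif tid == AUT_PATH:              # uint16 length (incl. NUL) + path bytes
            (plen,) = struct.unpack_from(">H", buf, pos + 1)
            rec["path"] = buf[pos + 3:pos + 3 + plen].rstrip(b"\0").decode()
            pos += 3 + plen
        elif tid == AUT_EXEC_ARGS:         # uint32 count + NUL-terminated strings
            (count,) = struct.unpack_from(">I", buf, pos + 1)
            pos += 5
            args = []
            for _ in range(count):
                nul = buf.index(b"\0", pos)
                args.append(buf[pos:nul].decode())
                pos = nul + 1
            rec["args"] = args
        elif tid == AUT_RETURN32:          # uint8 errno + uint32 return value
            status, value = struct.unpack_from(">BI", buf, pos + 1)
            rec["return"] = {"errno": status, "value": value}
            pos += 6
        elif tid == AUT_TRAILER:           # magic and length must agree with the header
            magic, tlen = struct.unpack_from(">HI", buf, pos + 1)
            if magic != TRAILER_MAGIC or tlen != rec_len:
                raise ValueError(f"corrupt trailer at {pos}")
            pos += 7
        else:
            raise ValueError(f"unsupported token 0x{tid:02x} at {pos}")
    if pos != end:
        raise ValueError("record length mismatch")
    return rec, end


def parse_trail(buf):
    """Parse a whole trail (concatenated records) into a list of dicts."""
    records, pos = [], 0
    while pos < len(buf):
        rec, pos = parse_record(buf, pos)
        records.append(rec)
    return records


def build_execve_record(secs, msecs, pid, uid, path, args, errno=0):
    """Construct a synthetic AUE_EXECVE record (sample data, not a real trail)."""
    body = bytes([AUT_SUBJECT32]) + struct.pack(">9I", uid, uid, 20, uid, 20, pid, pid, 0, 0)
    body += bytes([AUT_EXEC_ARGS]) + struct.pack(">I", len(args))
    body += b"".join(a.encode() + b"\0" for a in args)
    p = path.encode() + b"\0"
    body += bytes([AUT_PATH]) + struct.pack(">H", len(p)) + p
    body += bytes([AUT_RETURN32]) + struct.pack(">BI", errno, 0)
    total = 18 + len(body) + 7
    header = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", total, HEADER_VERSION, 23, 0, secs, msecs)
    trailer = bytes([AUT_TRAILER]) + struct.pack(">HI", TRAILER_MAGIC, total)
    return header + body + trailer


def build_sample_trail():
    """Two constructed records standing in for a /var/audit/ trail file."""
    return (build_execve_record(1700000000, 500, 4242, 501, "/usr/bin/curl",
                                ["curl", "-sI", "https://example.invalid"])
            + build_execve_record(1700000007, 0, 4243, 501, "/bin/ls", ["ls", "-la", "/var/audit"]))


def exec_summary(records):
    """One line per successful execve, in the spirit of 'praudit -l': time, pid, uid, path, argv."""
    return [f'{r["time"]} pid={r["subject"]["pid"]} uid={r["subject"]["euid"]} '
            f'{r["path"]} argv={" ".join(r.get("args", []))}'
            for r in records if r["event"] == 23 and r["return"]["errno"] == 0]


if __name__ == "__main__":
    for line in exec_summary(parse_trail(build_sample_trail())):
        print(line)
```

The parser is order-agnostic over tokens, which matters because real records place exec_args and path tokens before the subject token; it also refuses records whose trailer magic or length disagree with the header, which is the cheapest integrity check to apply before trusting a trail that was collected from a disk image rather than read live. Real trails use many more token types (attr, socket, text, and 64-bit variants), so a production parser would extend the dispatch table rather than reject them.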

Tools Required

praudit, auditreduce, mac_apt, Crowdstrike UAC, log2timeline (Plaso)