OpenBSM Audit Logs
Location
/var/audit/ (audit trail files) and /etc/security/audit_control (configuration)
Description
macOS Basic Security Module (BSM) audit subsystem generating kernel-level audit records for system calls, file access, process execution, authentication events, and administrative actions. Audit trails are binary files in /var/audit/ that capture events based on the audit policy configured in /etc/security/audit_control. Each record contains event type, timestamp, process info, and operation-specific parameters.
Forensic Value
OpenBSM provides the most granular audit trail available on macOS, recording system calls at the kernel level. Audit records capture process execution (execve) with full arguments, file open operations with paths, network socket operations, and authentication events, independently of application-level logging. The trail is more tamper-resistant than application logs because records are written by the kernel audit subsystem rather than by the audited process, although a root-level compromise can still truncate or delete the files in /var/audit. praudit and auditreduce filter the binary trails and render them in human-readable form. On systems where auditing is enabled, this is the authoritative source for process execution and file access evidence; auditing is not guaranteed to be on (Apple deprecated OpenBSM in macOS 11 in favor of the Endpoint Security framework), so confirm the policy in /etc/security/audit_control and the presence of trail files before relying on it.
Tools Required
praudit, auditreduce, cp, stat (all ship with macOS). /var/audit is mode 700 and owned by root, so run the commands from a root shell (sudo -s) or the /var/audit/* glob will not expand.
Collection Commands
praudit (render the active trail as XML)
sudo praudit -x /var/audit/current > /forensics/bsm_audit_current.xml
auditreduce (select only the exec event class, ex, across all trails and render it as text)
sudo auditreduce -c ex /var/audit/* | praudit > /forensics/bsm_execve_events.txt
cp (preserve the original binary trails, keeping their timestamps)
sudo cp -p /var/audit/* /forensics/bsm_audit_trails/
stat (timeline of trail files, with timestamps in a sortable ISO form)
sudo stat -f "%Sm %N" -t "%Y-%m-%dT%H:%M:%S" /var/audit/* | sort > /forensics/bsm_audit_timeline.txt
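The bsm_execve_events.txt written by the auditreduce | praudit pipeline above is praudit's default text form: one token per line, comma-delimited, each record bracketed by header and trailer tokens. The Python parser below is an added example (not part of this page or of OpenBSM) that groups those lines into execve records and flags the ones an examiner should read first; the sample lines are constructed, and the token field order is assumed from praudit's default output.

```python
# Constructed sample of praudit's default comma-delimited output (token name
# first, one token per line, header..trailer per record). Values are made up.
SAMPLE = """header,184,11,execve(2),0,Mon Jan 15 10:02:11 2024, + 512 msec
exec arg,/usr/bin/curl,-o,/tmp/report.pdf,https://intranet.example.test/r.pdf
path,/usr/bin/curl
subject,alice,alice,staff,alice,staff,4021,100005,50331650,0.0.0.0
return,success,0
trailer,184
header,160,11,execve(2),0,Mon Jan 15 10:03:40 2024, + 40 msec
exec arg,/bin/launchctl,load,/Library/LaunchDaemons/com.example.agent.plist
path,/bin/launchctl
subject,alice,root,wheel,root,wheel,4022,100005,50331650,0.0.0.0
return,success,0
trailer,160
"""

def parse_praudit(text):
    """Group praudit token lines into records; return only execve(2) events."""
    records, cur = [], None
    for line in text.splitlines():
        tok, _, rest = line.partition(",")
        f = rest.split(",")
        if tok == "header":   # header,<len>,<ver>,<event>,<mod>,<time>, + <ms> msec
            cur = dict(event=f[2], time=f[4], args=[], path="", audit_user="", euid="", pid=0, status="")
        elif cur is None:
            continue          # token outside a header/trailer pair: skip it
        elif tok == "exec arg":
            cur["args"] = f
        elif tok == "path":   # kernel-resolved path of the executed file
            cur["path"] = f[0]
        elif tok == "subject":  # subject,<audit-uid>,<euid>,<egid>,<ruid>,<rgid>,<pid>,...
            cur["audit_user"], cur["euid"], cur["pid"] = f[0], f[1], int(f[5])
        elif tok == "return":   # "success" or "failure : <errno text>"
            cur["status"] = f[0].split(" :")[0]
        elif tok == "trailer":
            if cur["event"].startswith("execve"):
                records.append(cur)
            cur = None
    return records

def flag_records(records):
    # (record, reason) pairs an examiner should review first
    flagged = []
    for r in records:
        if r["status"] != "success":
            flagged.append((r, "execve failed"))
        elif r["audit_user"] != r["euid"]:
            # the audit UID survives su/sudo, so a mismatch marks a privilege change
            flagged.append((r, f"{r['audit_user']} ran {r['path']} as {r['euid']}"))
    return flagged
```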
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.