Skip to main content
Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. If you like what you see, join us in person at the ninth annual Jamf Nation User Conference (JNUC) this October for three days of learning, laughter and IT love.

"Auditable Events" in OS X?

Very broad, but worth asking...

I've been asked to produce a list of "auditable events" in the Mac OS. I'm aware that we can track just about anything with the right config, but does anyone know of a list from Apple of things that are "built in" to the OS? I've got more historical data in the JAMF | Pro console than I need, but looking for specific OS-level items, such as logon/logoff, failed logons, etc. Just wondering if anyone has a list or link.

Like Comment
Order by:
SOLVED Posted: by wlcasey

That term "auditable events" makes me think they are looking for the items included in BSM auditing.

The best reference to get started with BSM is on Der Flounder.

See https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/

If you look up the events associated with BSM logging, there is. handy list to give the security folks who asked. But, once you say BSM they should already know what is on that list...

And be careful, if their instructions are to "audit everything" they are crazy. BSM can create some serious logs if your not careful. It will fill up your hard drive in no time.

Like
SOLVED Posted: by WTArmstrong

Thanks - much appreciated. I found the BSM list, but the new unified logging still gives me a headache, so looking next for something like a list of predicates that can be used to filter there. I also have all of our JAMF logs, of course, and I know there are a few other random ones scattered around, just trying to find as complete of a list as possible.

Our focus is mostly forensic, so BSM probably covers the essential (login/out, etc.) also will eventually want things like failed login attempts/etc. Not too worried about being told "log ALL THE THINGS!" but that's always a risk once you tell them all the data that you CAN capture.

Like