What are Audit Trails
Modern operating systems can record detailed records of the activity that occurs on the system. These detailed records are called audit trails. Things that can be recorded in the audit trail include:
- starting of programs and how they were started
- starting an outbound connection
- accepting an inbound connection
- accessing a file
Why Audit Trails Are Important
Audit trails provide a foundation for doing a number of useful things on your computer, including:
- detecting attacks on your computer
- performing forensics analysis on your computer after an attack is detected or suspected
- verifying compliance with various industry requirements and government laws regarding access to data
There are many instances of malicious activity that simply cannot be detected with traditional detection tools (e.g., firewalls, network-based intrusion prevention systems, anti-virus software) or investigated by traditional disk-based forensics tools. Audit trail analysis can fill gaping holes in these areas.
Why Audit Trail Analysis Is Hard
Unfortunately, despite the potential power audit trails can give you, analyzing audit records can be almost impossible. For example, a typical Apple BSM audit record for a process opening a file does not contain:
- the program name for the process
- how that process was created
- the user's name who is running the program
These facts may be in the audit trail (if it is configured correctly), but they are scattered across multiple audit records, often separated by hundreds or thousands of other audit records.
Add in the fact that a well-configured auditing system may generate millions or billions of audit records each day, and you quickly realize that analyzing an audit trail by hand is virtually impossible.
Role of Audit Explorer
Audit Explorer analyzes Apple's BSM audit trails, detects interesting events, and lets you interactively explore what happened on your computer. When it finds an interesting event, such as a suspicious access to a file, it can stitch together relevant audit records scattered across the audit trail to provide you with the context in which that event happened.
For example, Audit Explorer tells you the program that the process was running (was it Safari, Word, or some previously unheard-of program running out of a strange directory?), the user's name that was running the program (e.g., Bob, Mary, or Eve), and the history of events that led to the creation of that program (e.g., it was the copy program, "cp", running from a shell, started by the Terminal application, launched by Bob who is logged in at the console).
At a glance, Audit Explorer can tell you what other files the program accessed, any network connections it might have initiated or accepted, and any child processes it might have created. Want to know more about a child process it created? Just click on the child's ID to zoom in on it.
Interested in a particular file? Enter the file's path into the Dashboard and Audit Explorer can tell you all the programs that accessed that file and how. Interested in knowing more about one of those programs? Just double click on it to pull up the details.
Interested in any connections to or from a remote address or port? Enter the information into the Dashboard and get a list of all processes that initiated or accepted TCP/IP connections with that address. Want details about that process? Just double click on the process.
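The stitching described above (recovering program, user and process ancestry for a file access, and answering "which programs touched this file?") comes down to replaying the trail while keeping a live process table. The following is an added illustration, not Audit Explorer's code: it uses a constructed, simplified record format (dicts with an event type, pid and a few fields) rather than real BSM tokens, and a constructed sample trail.

```python
"""Reconstruct the context of a file access from scattered audit records.
Records are constructed and simplified (not real BSM token format)."""

# Constructed sample trail. The open records at the end name only a pid;
# the program, user and ancestry live in earlier exec records.
TRAIL = [
    {"ev": "exec", "pid": 300, "ppid": 1, "user": "bob",
     "path": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"ev": "exec", "pid": 4100, "ppid": 300, "user": "bob", "path": "/bin/zsh"},
    {"ev": "open", "pid": 4100, "path": "/Users/bob/.zshrc", "mode": "read"},
    {"ev": "exec", "pid": 4102, "ppid": 4100, "user": "bob", "path": "/bin/cp"},
    {"ev": "open", "pid": 4102, "path": "/Users/mary/taxes.xlsx", "mode": "read"},
    {"ev": "open", "pid": 4102, "path": "/tmp/t.xlsx", "mode": "write"},
    # A process whose exec record fell outside the captured trail.
    {"ev": "open", "pid": 9999, "path": "/etc/hosts", "mode": "read"},
]


def ancestry(procs, pid):
    """Follow ppid links through the live process table; child first."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["path"])
        pid = procs[pid]["ppid"]
    return chain


def explain_access(trail, path):
    """For every open of `path`, attach program, user, mode and ancestry.

    The process table is rebuilt as the trail is replayed, so a pid that is
    reused later in the trail resolves to the program that held it at the
    time of the open, not the most recent one overall."""
    procs = {}  # pid -> most recent exec record seen so far
    hits = []
    for r in trail:
        if r["ev"] == "exec":
            procs[r["pid"]] = r
        elif r["ev"] == "open" and r["path"] == path:
            p = procs.get(r["pid"])
            hits.append({
                "pid": r["pid"], "mode": r["mode"],
                "program": p["path"] if p else "<unknown>",
                "user": p["user"] if p else "<unknown>",
                "ancestry": ancestry(procs, r["pid"]),
            })
    return hits


if __name__ == "__main__":
    for hit in explain_access(TRAIL, "/Users/mary/taxes.xlsx"):
        print(hit)
```

The "<unknown>" result is the case to watch for in practice: it means the exec record predates the trail you have, so the context must come from an earlier trail file or the process is simply not attributable.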
Audit Explorer also contains a command line tool that lets you automate the analysis of the audit trails on many computers and ship them to a centralized web server (i.e., an "audit server"). This lets a single security administrator keep tabs on all the computers for which he is responsible.
Apple's BSM audit trails contain some of the most important information for detecting and analyzing suspicious or interesting events on your computer. They can provide you with information that no other security tools can.
Unfortunately, analyzing that audit data by hand is virtually impossible. Audit Explorer provides you the means to unlock the power hidden in the audit data.