Audit Event Analyzer

The macOS audit subsystem records security-relevant events, as selected by the classes enabled in /etc/security/audit_control, in trail files under /var/audit. That record is valuable for security monitoring, but it is equally valuable to an attacker: a readable trail reveals users, hosts and activity on the machine, and a writable trail can be altered or truncated to conceal unauthorized actions.

As a defense-in-depth measure, the files in /var/audit must be owned by the 'root' user and the 'wheel' group, with mode bits that make them read-only for that group and grant no access of any kind to other users. Do not rely on macOS Access Control Lists (ACLs) to protect these files: an ACL entry can grant access that the POSIX mode bits do not show, so the trail files should carry none (`ls -le` lists any ACL entries present).
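A check for that guidance, added here as an example (it is not AIR code and not from the original page): it walks a trail directory and reports any file that is not owned by the expected uid and gid, is group-writable or executable, is accessible to other users, or has an ACL attached. The defaults (/var/audit, uid 0 and gid 0, which are root and wheel on macOS) and the violation messages are assumptions for the example; they can be overridden so the function can be exercised on a scratch directory by an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original page or the AIR product): verify that
# every file in an audit trail directory follows the guidance above.
# Defaults: DIR=/var/audit, UID=0 (root), GID=0 (wheel on macOS). Pass other
# values to run against a scratch directory as an unprivileged user.
#
# Usage: check_audit_perms [DIR] [UID] [GID]
# Prints one line per violation; returns 1 if any file fails, 0 otherwise.
check_audit_perms() {
    dir="${1:-/var/audit}"
    want_uid="${2:-0}"
    want_gid="${3:-0}"
    bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty or missing directory: nothing to check

        # ls -ldn prints: mode links uid gid size date name. The mode field
        # ends with '+' when an ACL is attached ('@' on macOS marks extended
        # attributes, which are not a concern here).
        set -- $(ls -ldn "$f")
        mode=$1; uid=$3; gid=$4

        case "$mode" in
            *+*) echo "ACL attached: $f"; bad=1 ;;
        esac
        [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, expected $want_uid: $f"; bad=1; }
        [ "$gid" = "$want_gid" ] || { echo "group gid $gid, expected $want_gid: $f"; bad=1; }

        perms=$(printf '%s' "$mode" | cut -c2-10)    # rwxrwxrwx (user, group, other)
        case "$perms" in
            ????w????) echo "group-writable: $f"; bad=1 ;;
        esac
        case "$perms" in
            ??[!-]??????|?????[!-]???) echo "execute bit set: $f"; bad=1 ;;
        esac
        case "$perms" in
            ??????[!-]??|???????[!-]?|????????[!-]) echo "accessible to other users: $f"; bad=1 ;;
        esac
    done
    return $bad
}

# Run directly against the live directory (reading it requires root):
#   sudo sh audit_perms.sh /var/audit
if [ $# -gt 0 ]; then check_audit_perms "$@"; fi
```

The check relies only on `ls -ldn`, which is why it runs unchanged on macOS and Linux; it deliberately compares numeric ids rather than names so that a missing or remapped group name cannot make a mis-owned file look correct.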

What does the Audit Event Analyzer do?

  • Keyword Matching: AIR will search for customer-provided keywords within each event record. If a keyword is identified, the verdict is set to "Matched."

  • Generic Hacker Tools Detection: Each event record is analyzed for the presence of known hacker tools. If such a tool is detected, the verdict is set according to pre-established criteria.

  • Generic Hacker Commands Analysis: Each event record is evaluated for the presence of commonly used hacker commands. If a command is detected, the verdict is determined based on predefined guidelines.

  • Sigma Rules Assessment: Each event record is scanned against a set of Sigma rules. If a rule is matched, the verdict is set in accordance with predetermined standards.

This structured approach ensures a comprehensive and efficient analysis of Audit Events in macOS, facilitating timely and accurate verdicts.
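To make the first two steps concrete, here is an added example (not AIR's own logic and not from the original page) that applies a keyword list and a known-tool list to audit records in praudit(1) text form and prints a verdict per record. The keyword and tool lists, the verdict names, the sample records, and the field layout it relies on (comma-separated tokens, one per line, each record bracketed by a header and a trailer line) are assumptions for the demo; Sigma-rule evaluation is out of scope here.

```shell
#!/bin/sh
# Added example, not AIR's own code: a minimal version of the keyword-match and
# known-tool steps listed above, run over macOS audit records in the text form
# that praudit(1) emits (one token per line, records bracketed by a "header,"
# line and a "trailer," line). The lists, verdict names and sample records are
# constructed for this demo.

# Stand-ins for the customer keyword list and the built-in tool catalogue.
# Both are awk extended regular expressions; they are kept free of backslashes
# so that awk's -v escape processing leaves them unchanged.
KEYWORDS='/Users/[^,]*/[.]ssh|/etc/master[.]passwd'
TOOLS='nmap|mimikatz|sqlmap'

# classify_audit: reads praudit text on stdin and prints one line per record:
#   "<record-no> <event-name> <verdict> <detail>"
# Verdicts: Matched (a keyword appears anywhere in the record), Tool (the
# executed or referenced file is a listed tool), Clean otherwise. A keyword
# hit takes precedence when both apply.
classify_audit() {
    awk -v kw="$KEYWORDS" -v tools="$TOOLS" '
    /^header,/ {                     # header,size,version,event,modifier,date...
        split($0, h, ",")
        rec++; event = h[4]; kwhit = ""; toolhit = ""
        next
    }
    /^trailer,/ {                    # end of record: emit the verdict
        verdict = (kwhit != "") ? "Matched" : ((toolhit != "") ? "Tool" : "Clean")
        detail  = (kwhit != "") ? kwhit    : ((toolhit != "") ? toolhit : "-")
        printf "%d %s %s %s\n", rec, event, verdict, detail
        next
    }
    # keyword matching: every token line of the record is searched
    kwhit == "" && match($0, kw) { kwhit = substr($0, RSTART, RLENGTH) }
    # tool detection: basename of the exec target (argv[0]) or of a path token
    /^(exec arg|path),/ {
        split($0, f, ",")
        base = f[2]; sub(/.*\//, "", base)
        if (toolhit == "" && base ~ ("^(" tools ")$")) toolhit = base
    }
    '
}

# Constructed sample trail in praudit text form (not captured from a real host):
# an nmap execution, a read of a user's SSH key, and a harmless ls.
sample_audit_records() {
    cat <<'EOF'
header,147,11,execve(2),0,Tue Feb 13 12:34:56 2024, + 123 msec
exec arg,/usr/bin/nmap,-sS,10.0.0.1
path,/usr/bin/nmap
subject,alice,alice,staff,alice,staff,501,100001,50331650,0.0.0.0
return,success,0
trailer,147
header,120,11,open(2) - read,0,Tue Feb 13 12:35:10 2024, + 4 msec
path,/Users/alice/.ssh/id_rsa
subject,alice,alice,staff,alice,staff,501,100001,50331650,0.0.0.0
return,success,0
trailer,120
header,130,11,execve(2),0,Tue Feb 13 12:36:00 2024, + 9 msec
exec arg,/bin/ls,-la,/tmp
path,/bin/ls
subject,alice,alice,staff,alice,staff,501,100001,50331650,0.0.0.0
return,success,0
trailer,130
EOF
}

# Demo run on the constructed records:  sh audit_verdict.sh --demo
# Against a real trail on a Mac:        sudo praudit /var/audit/<trail-file> | classify_audit
if [ "${1:-}" = "--demo" ]; then sample_audit_records | classify_audit; fi
```

Matching the tool list against the basename of the exec target rather than the whole line is what keeps an argument such as a target hostname containing "nmap" from being counted as a tool execution, while the keyword pass intentionally searches the full record so that a path or argument anywhere in the event can trigger a match.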
