Beyond the good ol' LaunchAgents - 31 - BSM audit framework

This is part 31 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction.

macOS implements the OpenBSM audit framework created by McAfee, which allows someone to audit system events, like login, file access, etc… This has been part of the system for very long time. Auditing has several components, the main one being the kernel, which handles all the events. The main user mode process is auditd, which is mainly responsible for logging. It’s a huge framework, detailed very well by Jonathan Levin in his *OS Internal Part 3 book. I suggest reading that part, but you can also find some information here:

Reading Mac BSM Audit Logs

Audit in a OS X System

auditd can be configured via various files, which are located at /etc/security/. The logs can be found under /private/var/audit/, but they are not important for us now.

max:~ root# ls -l /etc/security/
total 48
-r--r--r--  1 root  wheel    652 May 13 00:29 audit_class
-r--------  1 root  wheel    358 May 13 00:29 audit_control
-r--r--r--  1 root  wheel  26649 May 13 00:29 audit_event
-r--------  1 root  wheel     77 May 13 00:29 audit_user
-r-xr-xr-x  1 root  wheel   1326 May 13 00:29 audit_warn

audit_control is the main configuration file, by default it configures auditd to log login and authentication events. The file which is interesting for us is audit_warn. It’s a shell script, that is executed when an audit warning occurs.

max:~ root# cat /etc/security/audit_warn 

As root, we can edit this file, let’s add the following.

touch /tmp/createdbyauditd.txt

We can manually trigger a warning by forcing a log rotation by running the sudo audit -n command.

Then our file will be created.

Detection Consideration Link to heading

The most trivial way to detect this persistence is monitoring file modification of audit_warn.

Additionally the process tree when our command is executed will look like the following:

---->touch (or any command specified in the script)

Note, that the main interpreter can be also changed from #!/bin/sh to anything else, so other child processes can be suspicious as well.