Monitoring Events in macOS: A Guide to Free Event Tracking Tools
Introduction
Three things can be observed endlessly: burning fire, flowing water, and events in the operating system. Whereas on Windows the monitoring and logging tools are already well understood by users and system administrators, on macOS the picture is far less clear. Today we will talk about free event tracking tools for Mac and their practical application.
Monitoring Methods
There are three ways to monitor events in macOS: a commercial EDR, osquery, and eslogger, which is built on the Endpoint Security Framework (ESF). We will talk about the latter and try to figure out how this tool works.
Previously, the OpenBSM auditing subsystem was used to monitor events in macOS. It was developed by McAfee Research in 2004 on a custom order from Apple, and the source code was later transferred to TrustedBSD for the needs of the community. This tool was removed from macOS in Big Sur and is no longer supported.
The Endpoint Security Framework (ESF) is a native component of macOS that serves to proactively observe events and respond to them. A client can subscribe to Notification events (the system reports that an operation has happened) and Authorization events (the client is asked to allow or deny an operation before it proceeds). Its principle of operation can be compared with Event Tracing for Windows (ETW). It exposes low-level events related to processes, files, some network and memory activity, and much more.
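As a worked example of the practical side, added here and not code from the article nor eslogger's own code, the following Python script reads the JSON that eslogger prints (one object per line, mirroring the es_message_t layout) and runs two defender-side triage rules over it. The capture command, the field names it relies on (event, process, executable.path, signing_id, is_platform_binary, event.open.file.path) and the sample lines are assumptions modelled on eslogger's output rather than taken from this page; the sample lines are constructed, and the last one is deliberately torn to show that a partial record is skipped instead of crashing the parser.

```python
"""Triage Notification events captured with eslogger, the ESF client shipped with macOS.

Assumed capture (macOS 13 or later, needs root):

    sudo eslogger exec open > es.ndjson

The key names used below (event, process, executable.path, signing_id,
is_platform_binary, event.open.file.path) are assumed from eslogger's JSON
output, not taken from the article.
"""
from __future__ import annotations

import fnmatch
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample lines, not captured from a real host. Real eslogger lines
# carry many more fields (audit_token, cdhash, tty, ...) which are ignored here.
# The final line is deliberately torn, as happens when eslogger is interrupted.
SAMPLE_NDJSON = """\
{"time": "2024-05-01T10:00:00Z", "event_type": 9, "process": {"pid": 501, "signing_id": "com.apple.Terminal", "is_platform_binary": true, "executable": {"path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}}, "event": {"exec": {"target": {"pid": 777, "signing_id": "", "is_platform_binary": false, "executable": {"path": "/private/tmp/.cache/updater"}}, "args": ["/private/tmp/.cache/updater", "-s"]}}}
{"time": "2024-05-01T10:00:01Z", "event_type": 9, "process": {"pid": 501, "signing_id": "com.apple.Terminal", "is_platform_binary": true, "executable": {"path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}}, "event": {"exec": {"target": {"pid": 778, "signing_id": "com.apple.ls", "is_platform_binary": true, "executable": {"path": "/bin/ls"}}, "args": ["ls", "-la"]}}}
{"time": "2024-05-01T10:00:02Z", "event_type": 10, "process": {"pid": 777, "signing_id": "", "is_platform_binary": false, "executable": {"path": "/private/tmp/.cache/updater"}}, "event": {"open": {"fflag": 0, "file": {"path": "/Users/alice/.ssh/id_ed25519"}}}}
{"time": "2024-05-01T10:00:03Z", "event_type": 10, "process": {"pid": 779, "signing_id": "com.apple.ssh", "is_platform_binary": true, "executable": {"path": "/usr/bin/ssh"}}, "event": {"open": {"fflag": 0, "file": {"path": "/Users/alice/.ssh/id_ed25519"}}}}
{"time": "2024-05-01T10:00:04Z", "event_type": 10, "process": {"pid": 7
"""

TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
SENSITIVE_GLOBS = ("/Users/*/.ssh/*", "/Users/*/Library/Keychains/*", "/etc/sudoers*")


@dataclass(frozen=True)
class Finding:
    rule: str
    time: str
    pid: int
    path: str


def parse_events(ndjson: str) -> list[dict]:
    """Return well-formed event objects; torn or partial lines are skipped."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # eslogger was interrupted mid-write; drop the fragment
        if isinstance(obj.get("event"), dict) and isinstance(obj.get("process"), dict):
            events.append(obj)
    return events


def _path(file_obj: Optional[dict]) -> str:
    return (file_obj or {}).get("path", "")


def unsigned_exec_from_temp(ev: dict) -> Optional[Finding]:
    """Flag an exec whose target is an unsigned, non-platform image in a temp directory."""
    exec_ev = ev["event"].get("exec")
    if exec_ev is None:
        return None
    target = exec_ev.get("target", {})
    path = _path(target.get("executable"))
    suspicious = (path.startswith(TEMP_PREFIXES)
                  and not target.get("signing_id")
                  and not target.get("is_platform_binary", False))
    if not suspicious:
        return None
    return Finding("unsigned_exec_from_temp", ev.get("time", ""), target.get("pid", -1), path)


def sensitive_file_open(ev: dict) -> Optional[Finding]:
    """Flag a non-platform binary opening credential material."""
    open_ev = ev["event"].get("open")
    if open_ev is None:
        return None
    path = _path(open_ev.get("file"))
    proc = ev["process"]
    if proc.get("is_platform_binary", False):
        return None
    if not any(fnmatch.fnmatch(path, pattern) for pattern in SENSITIVE_GLOBS):
        return None
    return Finding("sensitive_file_open", ev.get("time", ""), proc.get("pid", -1), path)


RULES: tuple[Callable[[dict], Optional[Finding]], ...] = (unsigned_exec_from_temp, sensitive_file_open)


def triage(events: list[dict]) -> list[Finding]:
    """Run every rule over every event and collect the hits in capture order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_NDJSON)):
        print(f"{f.time} {f.rule:<24} pid={f.pid} {f.path}")
```

The rules dispatch on the key under `event` (`exec`, `open`) rather than on the numeric `event_type`, so the same code works for whichever subscriptions are passed to eslogger; a new rule is just another function that returns a Finding or None, appended to RULES. On a real capture, the `sensitive_file_open` rule will need an allow-list for legitimate non-platform tools that read keys (package managers, IDEs), which is the usual tuning step before alerting on it.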
How it Works
Previously, a company that took on the development of an Endpoint Security solution had to write a so-called Kernel Extension (kernel module). Examples of such solutions are OpenBSM, the Kauth KPI, and the MAC Framework. Solutions based on Kernel Extensions were difficult to develop and maintain: minor bugs could lead to kernel panics, and imperfect code punched new holes in macOS security.
Apple was well aware of this, and so in 2019 (better late than never) it replaced Kernel Extensions, which ran in kernel space, with System Extensions, which run in user space. Developers now have a free hand, and everything has become much more convenient.
Although Kernel Extensions are now obsolete, they can still be used on modern macOS, with the caveat that the system will then not receive any updates.
Conclusion
In conclusion, the Endpoint Security Framework (ESF) is a great tool for monitoring events in macOS. It is easy to use and provides a lot of useful information. It is also free and built into the system, so it is worth considering whenever you need to monitor events in macOS.