BSM audit is deprecated

I noticed that BSM audit is deprecated with macOS 11 beta (Xcode 12 beta).

Is there any replacement? Or any suggestion?

Replies

Is there any replacement?

Yes, EndpointSecurity.

A good place to start here is WWDC 2020 Session 10159 Build an Endpoint Security app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,

Thank you for your nice reply!

But I want to confirm: is there a feature list comparison?

For example,
with Audit log, there are Authentication and authorization (aa) and Login/Logout (lo) events,
but there seem to be no such events with Endpoint Security now.

Is there any suggestion for such parts?

Thank you very much!

If you rely on things from BSM that aren’t present in EndpointSecurity, I encourage you to file a bug with the details (what’s missing and what you’re using them for). Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Hi @Jacy_Jiang,

Were you able to find out the replacement for Login/Logout events and Authentication/Authorization events from Endpoint Security? Because those are not mentioned in the event types present in EndpointSecurity.

Please let me know if you have found any replacement on how to capture login/logout events in system extensions.

Thank you very much!

EndpointSecurity does not currently support log{in,out} events, up to and including 11.0b9. I stand by my advice from my previous post: If you need this, file an enhancement request for it.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"


Thanks for your reply.

The case ID: FB8802252 (Open BSM being deprecated with Big Sur)

So is there any other way to capture the login/logout events using system extensions?

Thanks.

Is there any other way to capture the login/logout events using system
extensions?

No. For the moment you can monitor login and logout events using BSM, and specifically auditpipe (see its man page).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
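
The auditpipe approach suggested above, as an added example (not code from this thread or from Apple): a Python reader that takes BSM records from /dev/auditpipe and reports those whose event belongs to the `lo` or `aa` class according to /etc/security/audit_event. The sample event lines and records are constructed, and the code does not change the pipe's preselection, so it assumes the system audit configuration already selects these classes.

```python
import struct

# BSM header token IDs (32/64-bit, plain and extended). Each is followed by a
# 4-byte record length, a version byte and a 2-byte event number.
HEADER_TOKENS = {0x14, 0x15, 0x74, 0x79}

def load_events(text, classes=("lo", "aa")):
    """Map number -> name for audit_event(5) lines in the wanted classes."""
    wanted = {}
    for line in text.splitlines():
        parts = line.strip().split(":")  # number:name:description:classes
        if line.lstrip().startswith("#") or len(parts) < 4:
            continue
        if set(parts[-1].split(",")) & set(classes):
            wanted[int(parts[0])] = parts[1]
    return wanted

def read_records(stream):
    """Yield (event_number, raw_record) from a BSM byte stream."""
    while True:
        head = stream.read(5)
        if len(head) < 5:
            return
        token, length = struct.unpack(">BI", head)
        if token not in HEADER_TOKENS or length < 8:
            raise ValueError(f"not a record header: 0x{token:02x}")
        body = stream.read(length - 5)
        if len(body) < length - 5:
            return  # truncated record at end of stream
        (event,) = struct.unpack_from(">H", body, 1)  # skip version byte
        yield event, head + body

def session_events(stream, events):
    """Yield the names of records whose event number is in `events`."""
    return (events[e] for e, _ in read_records(stream) if e in events)

# Constructed sample data, not captured from a real system.
SAMPLE_EVENTS = ("6152:AUE_login:login - local:lo\n"
                 "6153:AUE_logout:logout - local:lo\n1:AUE_EXIT:exit(2):pc\n")

def sample_record(event):
    header = struct.pack(">BIBHHII", 0x14, 25, 11, event, 0, 1600000000, 0)
    return header + struct.pack(">BHI", 0x13, 0xB105, 25)  # trailer token

if __name__ == "__main__":  # on macOS, as root
    with open("/etc/security/audit_event") as f:
        events = load_events(f.read())
    with open("/dev/auditpipe", "rb") as pipe:
        for name in session_events(pipe, events):
            print(name, flush=True)
```
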

Is there any timeline when will login logout events be available in Endpoint security?

Is there any timeline when will login logout events be available in
Endpoint security?

Apple has not made any announcements about that.

Did you file your own bug enhancement request for that? If so, what was the bug number?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

@eskimo, here's my feedback for the same enhancement request FB8603023 which has had no response for the last 2 months.

Where does it state that BSM Audit is deprecated? I am on Xcode 12 Beta 6, and compiling code that uses libbsm audit API (ioctl preselect token, aureadtok, aufetchtok, etc) are not indicated as being deprecated.

According to these notes from the Security Lab, libbsm audit is indeed deprecated but what does this mean? Will it go away completely in future version of Big Sur or macOS? Is there a stated timeline on this deprecation?

We were clear about this in WWDC 2020 Session 10159 Build an Endpoint Security app. I’m not sure how much that’s reflected in the current SDK headers.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"