Mac OS X already logs and audits a variety of operating system operations, and examining these built-in defenses gives a clearer picture of what auditing contributes to an overall security approach.
You already saw in Chapter 6 that Authorization Services maintains a log at /var/log/secure.log, recording when processes attempt to gain authorization rights and the results of those attempts. The log may be written to only by root (who also owns the securityd process), and it sits in a folder that likewise only root can modify. To repudiate a claim of having misused a privileged task, an attacker would need super-user access to the filesystem to remove the evidence from the log, which one may hope is at least as hard as performing the initial misuse. Certainly, once an attacker has gained root privilege on a system, the security game is usually up.
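The argument above rests on a filesystem property: the log and its directory are modifiable only by root. The following script, an added example rather than code from the book, checks that property for a log path so a drift (a world-writable log directory, a log file handed to another owner) is caught before it undermines the audit trail. The path /var/log/secure.log comes from the text; the optional expected-owner argument is an assumption added so the check can be exercised against a test file.

```sh
#!/bin/sh
# Added example, not from the book: confirm that an audit log and the
# directory holding it can be changed only by root, so that erasing
# evidence requires the same privilege as the misuse being logged.

# Owner name and octal permission bits, trying GNU stat first and falling
# back to the BSD/macOS stat syntax.
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# check_log_integrity LOG [EXPECTED_OWNER]
# Returns 0 when LOG and its parent directory are owned by EXPECTED_OWNER
# (default root, as the text describes) and neither is writable by group
# or others. Otherwise prints each failing condition and returns 1.
check_log_integrity() {
  log=$1
  want=${2:-root}
  rc=0
  for path in "$log" "$(dirname "$log")"; do
    if [ ! -e "$path" ]; then
      echo "missing: $path"; rc=1; continue
    fi
    owner=$(owner_of "$path")
    mode=$(mode_of "$path")
    if [ "$owner" != "$want" ]; then
      echo "owner of $path is $owner, expected $want"; rc=1
    fi
    # The last two octal digits are the group and other permission bits;
    # a digit of 2, 3, 6 or 7 in either position means the write bit is set,
    # so a non-root account could append to, rewrite or truncate the log.
    case "$mode" in
      *[2367][0-7]|*[2367])
        echo "$path is group- or world-writable (mode $mode)"; rc=1 ;;
    esac
  done
  return "$rc"
}

# When run directly with a path, audit that log; with no arguments the
# function is only defined, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  check_log_integrity "$@"
fi
```

Run it as `sh check_secure_log.sh /var/log/secure.log` on the system being audited; a non-zero exit with a printed reason means the root-only guarantee the text relies on no longer holds.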