7.4. SUMMARY

Auditing involves collecting information about a system while it is in operation, so that users, administrators, and forensics officers can discover what happened to the system while it was in use. While this may seem less useful than concentrating on protective or prohibitive countermeasures, which stop attacks before they begin, it may actually be more efficient to provide auditing facilities, since the law of diminishing returns says that progressive attempts to reduce the likelihood of penetration will yield progressively fewer results. There may also be regulatory, legal, or policy requirements mandating the generation of audit records.

Many components of Mac OS X generate logs of interesting events, often associated with changes in privilege level, which could indicate a privilege-escalation attack. The majority of these components record information using Apple System Log, a system-wide log API that is also available to any third-party application on the system. The Apple System Log records log entries in a central database, and both application authors and users can configure additional log files in which to record interesting messages. Environments with strong data-protection requirements may require use of the Basic Security Module audit facility, which was designed to implement U.S. government and international requirements for operating system auditing. You should always try to use available standards rather than bespoke implementation to reflect the standards an organization might already have implemented for auditing.