- AuditEventLogVerboseMessages to toggle whether verbose events are logged.
What events are considered verbose
- Terminal activity and scripting-language executions without elevated permissions
- If the subject.audit_id and subject.effective_user_id are the same
- Unix socket connection events
- Execution fork events
When are verbose events logged
- AuditEventLogVerboseMessages preference is set to true
- AuditLevel is configured for level 3
Log Verbose Messages Detail
In order to support scientific and developer workflows the default value for cmdReporter is not to log any terminal or script activity that are run interactively without any user impersonation or privilege escalations. Any script, application, connection, or other action performed non-interactively (LaunchAgent|Daemon) or with elevated permissions will be logged by cmdReporter.
To better explain this behavior we will examine a single macOS computer with two users:
- Alice, a developer with administrative capabilities on the system.
- Bob, a developer who does not have administrative capabilities on the system.
Action: Alice is developing a python script run as herself to scrape the information from a website and display that information in her own format.
Result: No actions logged via cmdReporter
Action: Alice is attempting to edit her local /etc/hosts file via "sudo vim /etc/hosts" to try and break the company's security and mdm software.
Result: All actions attempting to escalate privileges or edit the /etc/hosts file are logged by cmdReporter
Action: Alice opens terminal and runs "sudo bash" to drop to a root shell and runs her same script as scenario 1 to scrape the website's information.
Result: All actions Alice performs in either the root shell, any scripts run, and any subprocess actions are logged by cmdReporter because she is running her entire session as the root user.
Action: Alice runs her website scraping script via "sudo -u bob website-script.py" which will run the script as the other example user Bob.
Result: All actions from Alice's script or its subprocesses are logged by cmdReporter because she is impersonating another user.