General Information
Preference Documentation
Log Data Documentation
- Log Data Examples
- Interesting Types of Events
  - SSH Logins and Activity
Related Tech and Configurations
- macOS
Compliance
- cmdReporter and US Govt Standards Details
  - How cmdReporter Meets CMMC, DFARS, and NIST 800-171 Requirements
  - NIST 800-53r4 (high) controls met by using cmdReporter
- Security Baseline Reporting Preferences
  - Security Benchmark Reporting Logs

Process Event Verbose Message Filtering

Daniel Griggs

Modified on: Wed, 16 Oct, 2019 at 9:05 PM

User-configurable preferences

AuditEventLogVerboseMessages to toggle whether verbose events are logged.

What events are considered verbose

Terminal activity and scripting-language executions without elevated permissions
If the subject.audit_id and subject.effective_user_id are the same
Unix socket connection events
Execution fork events

When are verbose events logged

AuditEventLogVerboseMessages preference is set to true
AuditLevel is configured for level 3

Log Verbose Messages Detail

In order to support scientific and developer workflows the default value for cmdReporter is not to log any terminal or script activity that are run interactively without any user impersonation or privilege escalations. Any script, application, connection, or other action performed non-interactively (LaunchAgent|Daemon) or with elevated permissions will be logged by cmdReporter.

To better explain this behavior we will examine a single macOS computer with two users:

Alice, a developer with administrative capabilities on the system.
Bob, a developer who does not have administrative capabilities on the system.

Scenario 1:

Action: Alice is developing a python script run as herself to scrape the information from a website and display that information in her own format.

Result: No actions logged via cmdReporter

Scenario 2:

Action: Alice is attempting to edit her local /etc/hosts file via "sudo vim /etc/hosts" to try and break the company's security and mdm software.

Result: All actions attempting to escalate privileges or edit the /etc/hosts file are logged by cmdReporter

Scenario 3:

Action: Alice opens terminal and runs "sudo bash" to drop to a root shell and runs her same script as scenario 1 to scrape the website's information.

Result: All actions Alice performs in either the root shell, any scripts run, and any subprocess actions are logged by cmdReporter because she is running her entire session as the root user.

Scenario 4:

Action: Alice runs her website scraping script via "sudo -u bob website-script.py" which will run the script as the other example user Bob.

Result: All actions from Alice's script or its subprocesses are logged by cmdReporter because she is impersonating another user.