Mac OS X OpenBSM Audit Log Parser

363968

OpenText OpenText Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

OpenText | OpenText Community

This EnScript parses Mac OS X OpenBSM audit-logs, which typically contain details of events relating to audit-control, user-logon and group/user creation/modification/deletion.

1,839 downloads

Product compatibility

EnCase App Central

Description

This script parses user-specified Mac OS X OpenBSM audit logs, which are usually found in the following folder -

The default audit configuration is such that events relating to audit-control, user-logon, and group/user creation/modification/deletion will be logged. That said, the audit-logging system is customizable and can be configured to log a wide range of other events.

Each audit-log will contain one or more records each one starting with a header token and ending with a trailer token. Stored between these tokens will be one or more additional tokens the number and content of which will depend on the nature of the record concerned.

The script determines the length of a record using information contained in the header token. This information is mirrored in the trailer token together with a magic number: this information allows the script to check that a record isn't corrupt.

When it comes to parsing additional tokens, the script has to parse each token in turn. If a token cannot be identified, or if it can't be parsed, then the script will have to skip to the next record. It will record the fact that it's done this in the bookmark created for the record; it will also write a warning to the console.

Some tokens contain a stream of binary data. These include those with the following token IDs -

AUT_OPAQUE - A sequence of one or more un-typed values each one having the same length.
AUT_DATA - A sequence of bytes.
AUT_IP - A 20-byte IP header.

The script will not make an effort to decode these bytes: it will simply report on their offset and length within the associated audit-log file.

The output of the script is in the form of bookmarks and XML files.

One XML file will be created per audit file. The script will assign GUIDs to certain XML entities including those that represent audit files, audit records and certain types of audit token. The GUID assigned to an audit file will be the GUID of the source entry.

The reason for assigning GUIDs is to facilitate import of the XML data into a database such as MS Access. Access will, on reading a given XML file, create tables for the file, the records it contains, and the different types of audit tokens contained therein. Using the GUIDs will allow the examiner to create queries that identify the tokens that belong to each record; also the records that belong to each file.

NOTE: The XML files created by the script will be larger than the binary source files due to the amount of text contained therein.

This script was developed for use in EnCase training. For more details, please click the following link:

OpenText EnCase Training

Releases

Release

Size

Date

Mac OS X OpenBSM Audit Log Parser 2.0.0

Aug 1, 2024

More info Less info

Product compatibility

Release notes

Tested with:
EnCase Forensic 7.09

Languages

English

Files

Marketplace

Marketplace

Mac OS X OpenBSM Audit Log Parser

Product compatibility

CATEGORY

Description

Releases

Sign in

Marketplace

Mac OS X OpenBSM Audit Log Parser

App Support Tiers

Product compatibility

CATEGORY

Description

Releases

Unsubscribe from notifications

Marketplace Terms of Service

Your download has begun