Collecting system wide provenance on Mac OS X

Ashish Gehani edited this page Aug 11, 2015 · 7 revisions

The OpenBSM reporter collects provenance from across the operating system using the Mac OS X kernel's auditing of system calls.

This reporter is built automatically when SPADE's top-level make command is issued.

Before this reporter can be used, the following commands must be executed from within the SPADE directory. They only need to be executed once after compiling SPADE. (Note: these commands make lib/spadeOpenBSM a root-owned binary with the setuid and setgid bits set, which lets normal users access the OpenBSM audit stream.)

sudo chown root lib/spadeOpenBSM
sudo chmod ug+s lib/spadeOpenBSM
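
A check that can be run after the two commands above to confirm the helper ended up as intended: root-owned, setuid and setgid set, and not writable by group or others (a setuid-root file that other users can modify gives them root). This is an added example, not part of SPADE; the function names `file_matches` and `check_setuid_helper` are hypothetical.

```shell
#!/bin/sh
# Added example (not SPADE code): audit the helper set up by the chown/chmod step.
# Assumption: run from the SPADE directory; the default path is the one on this page.
# Usage: check_setuid_helper lib/spadeOpenBSM

# True when find(1) matches the file against the given test.
# find's -user/-perm tests behave the same on Mac OS X and Linux, unlike stat(1) flags.
file_matches() {
    f="$1"; shift
    [ -n "$(find "$f" -prune "$@" 2>/dev/null)" ]
}

# Prints one line per problem; returns 0 only when the helper looks as intended.
check_setuid_helper() {
    helper="${1:-lib/spadeOpenBSM}"
    problems=0

    # Refuse symlinks: the checks below must describe the file that is executed.
    if [ -L "$helper" ] || [ ! -f "$helper" ]; then
        echo "FAIL: $helper is missing, a symlink, or not a regular file"
        return 1
    fi

    file_matches "$helper" -user root  || { echo "FAIL: owner is not root"; problems=1; }
    file_matches "$helper" -perm -4000 || { echo "FAIL: setuid bit not set"; problems=1; }
    file_matches "$helper" -perm -2000 || { echo "FAIL: setgid bit not set"; problems=1; }

    # Anyone who can write to a setuid-root file can run their own code as root.
    if file_matches "$helper" -perm -0020 || file_matches "$helper" -perm -0002; then
        echo "FAIL: writable by group or others"
        problems=1
    fi

    [ "$problems" -eq 0 ] && echo "OK: $helper is root-owned, setuid/setgid, not group/world-writable"
    return "$problems"
}
```

Because the binary runs with root privileges for every local user, rerun the check after each rebuild of SPADE.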

No argument is needed when starting this reporter in the SPADE controller:

-> add reporter OpenBSM
Adding reporter OpenBSM... done