MSAA is a local-first macOS audit, monitoring, and investigation platform. It is designed for analysts who need transparent evidence collection, reviewable alerts, and local-only reports without sending telemetry off the machine.
This repository is intended to be understandable, auditable, and safe enough for public review, institutional evaluation, and responsible internal deployment.
- Runs read-only macOS security audits
- Surfaces findings with evidence, confidence, and rule provenance
- Tracks review state, notes, suppression decisions, and case history
- Correlates events into investigation patterns and flight-recorder timelines
- Provides Apple Security Forecast summaries with low-noise grouping
- Supports optional user LaunchAgent mode and optional root-owned system LaunchDaemon mode
- Exports HTML and JSON reports locally
- Preserves evidence snapshots before cleanup or remediation
- No telemetry
- No cloud dependency
- No browser history extraction
- No cookie, token, password, or keychain extraction
- No hidden persistence
- No stealth behavior
- No offensive exploitation
- No hack-back or retaliation
- No automatic destructive cleanup
- No remediation without user approval
The default mode is conservative.
Safe by default:
- no packet capture unless explicitly chosen
- no aggressive scans unless explicitly chosen
- no full localhost scan unless explicitly chosen
- no destructive cleanup by default
- no system daemon install by default
- no remediation execution by default
- no automatic uploads
- no automatic cloud enrichment using private data
Important features that can increase risk always require explicit user action and a warning.
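The opt-in policy above (risky features off by default, enabled only after an explicit warning and user decision) can be expressed as a small gate around the scan settings. The following is an added illustration written for this README, not MSAA's own code; the option names, warning texts, and the `confirm` callback are assumptions standing in for the project's real settings and UI.

```python
"""Safe-by-default scan profile: risky features stay off until the user confirms a warning."""
from dataclasses import dataclass, field, fields

# Features that widen the audit's footprint, with the warning shown before each is enabled.
# The option names and warning texts are constructed for this example.
RISKY_OPTIONS = {
    "packet_capture": "Captures network traffic on this Mac and may record other users' data.",
    "aggressive_scan": "Sends many more probes; more likely to disrupt services or trip alarms.",
    "full_localhost_scan": "Enumerates every local port; slow and noisy.",
    "destructive_cleanup": "Deletes artifacts; evidence may be lost if no snapshot exists.",
    "system_daemon_install": "Installs a root-owned LaunchDaemon that starts at boot.",
    "remediation_execution": "Changes system state instead of only reporting.",
    "cloud_enrichment": "Sends indicators derived from local data to an external service.",
}


@dataclass
class ScanProfile:
    """Every risky flag defaults to False; the read-only audit needs none of them."""
    packet_capture: bool = False
    aggressive_scan: bool = False
    full_localhost_scan: bool = False
    destructive_cleanup: bool = False
    system_daemon_install: bool = False
    remediation_execution: bool = False
    cloud_enrichment: bool = False
    # Record of every enable request and its outcome, kept with the case data.
    decisions: list = field(default_factory=list)

    def risky_enabled(self) -> list:
        """Names of the risky options currently switched on."""
        return [f.name for f in fields(self) if f.name in RISKY_OPTIONS and getattr(self, f.name)]


def enable_option(profile: ScanProfile, name: str, confirm) -> bool:
    """Enable a risky option only if confirm(warning) returns True.

    confirm is the UI callback (dialog or prompt, assumed here); it receives the
    warning text and returns the user's decision. Every request is logged,
    whether or not it was approved.
    """
    if name not in RISKY_OPTIONS:
        raise KeyError(f"{name} is not a gated option")
    approved = bool(confirm(RISKY_OPTIONS[name]))
    profile.decisions.append({"option": name, "approved": approved})
    if approved:
        setattr(profile, name, True)
    return approved


def load_profile(saved: dict, confirm) -> ScanProfile:
    """Rebuild a profile from saved settings.

    Risky flags found in the saved settings are not trusted on their own: each
    one is re-presented with its warning, so an old or tampered settings file
    cannot silently switch on packet capture or remediation.
    """
    profile = ScanProfile()
    for name, value in saved.items():
        if name in RISKY_OPTIONS and value:
            enable_option(profile, name, confirm)
    return profile
```

The design point is in `load_profile`: persisted settings are treated as a request to enable, not as a grant, so the warning is shown again on every load and the audit trail in `decisions` records who said yes.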
All data stays local on the Mac unless you explicitly export a report.
The app does not collect:
- browser history
- private browsing state
- cookies
- passwords
- keychain data
- tokens
- secrets
- ambient camera/microphone content
Redaction support is available for:
- usernames
- IP addresses
- MAC addresses
- hostnames
- filesystem paths
- URL secrets
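The six redaction categories listed above map naturally onto a small, pass-ordered redactor. The block below is an added example for this README, not MSAA's own redaction code; the regexes, the stable `<category-N>` token scheme, the list of secret query parameters, and the constructed sample log line are all assumptions. Tokens are stable within one run so an analyst can still correlate "the same IP" across a report, and the token-to-original mapping is returned separately so it can be kept local rather than exported.

```python
"""Stable, category-aware redaction for locally generated audit reports."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values are treated as secrets (assumed list).
SECRET_PARAMS = {"token", "access_token", "key", "api_key", "password", "secret", "sig", "signature"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
# Home-directory paths reveal the username as their second component.
HOME_RE = re.compile(r"""(?P<home>/Users/)(?P<name>[^\s/"']+)""")
# Absolute paths with at least two components, only where they start a token
# (after whitespace, a quote or '='), so the path part of a URL is left alone.
PATH_RE = re.compile(r"""(?:^|(?<=[\s"'=]))(?:/[^\s/"']+){2,}""")


def _alternation(names):
    """Case-insensitive whole-word regex for a list of known names, longest first."""
    names = sorted(set(names), key=len, reverse=True)
    if not names:
        return None
    return re.compile(r"\b(?:" + "|".join(re.escape(n) for n in names) + r")\b", re.IGNORECASE)


def _redact_url(url: str) -> str:
    """Drop user:pass@ credentials and blank secret query values, keeping the URL shape."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        netloc = "<credentials>@" + netloc.rsplit("@", 1)[1]
    query = [(k, "<redacted>" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query, safe="<>"), parts.fragment))


class Redactor:
    def __init__(self, usernames=(), hostnames=()):
        # Usernames are recognised in /Users/<name> paths and from this list;
        # hostnames only from this list (a generic hostname regex is too noisy).
        self._user_re = _alternation(usernames)
        self._host_re = _alternation(hostnames)
        self._maps = defaultdict(dict)  # category -> {lowercased original: (token, original)}

    def _token(self, category: str, value: str) -> str:
        table = self._maps[category]
        key = value.lower()
        if key not in table:
            table[key] = (f"<{category}-{len(table) + 1}>", value)
        return table[key][0]

    def mapping(self) -> dict:
        """Category -> {token: original}. Keep this local, beside the report; never export it."""
        return {c: {tok: orig for tok, orig in t.values()} for c, t in self._maps.items()}

    def redact(self, text: str) -> str:
        # Order matters: URLs first (secrets), then network identifiers, then
        # hostnames/usernames, and whole paths last so earlier tokens survive.
        text = URL_RE.sub(lambda m: _redact_url(m.group(0)), text)
        text = IPV4_RE.sub(lambda m: self._token("ip", m.group(0)), text)
        text = MAC_RE.sub(lambda m: self._token("mac", m.group(0)), text)
        if self._host_re:
            text = self._host_re.sub(lambda m: self._token("host", m.group(0)), text)
        text = HOME_RE.sub(lambda m: m.group("home") + self._token("user", m.group("name")), text)
        if self._user_re:
            text = self._user_re.sub(lambda m: self._token("user", m.group(0)), text)
        text = PATH_RE.sub(lambda m: self._token("path", m.group(0)), text)
        return text


# Constructed sample log line (not real data).
SAMPLE_LINE = ("2024-05-01 10:00:01 mac-studio-01 msaa[412]: user alice launched "
               "/Users/alice/Library/LaunchAgents/com.example.agent.plist from 192.168.1.23 "
               "(aa:bb:cc:dd:ee:ff) fetching https://api.example.com/v1/report?id=7&token=abc123")

if __name__ == "__main__":
    r = Redactor(usernames=["alice"], hostnames=["mac-studio-01", "api.example.com"])
    print(r.redact(SAMPLE_LINE))
    print(r.mapping())
```

Two caveats worth knowing before relying on this shape: the IPv4 pattern will also hit dotted version strings, and hostnames are only redacted when supplied, so the redactor should be fed the local hostname and any names the analyst has already identified.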
The project is developed for current Apple silicon and Intel Macs running modern macOS releases. The codebase is intended to be reviewed and tested on current supported macOS versions from Apple, not on hidden or unsupported system behavior.
- LaunchAgent under the logged-in user
  - Best for UI notifications and per-session alerts
  - Default install mode
- Root-owned LaunchDaemon under /Library/LaunchDaemons
  - Starts at boot
  - Writes to the shared system database
  - Does not show GUI alerts directly
  - Uses the user notifier companion for visible alerts after login
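The two launchd domains above (a per-user LaunchAgent versus a root-owned LaunchDaemon in /Library/LaunchDaemons) are also exactly what a read-only audit has to tell apart when it inventories persistence items. The following is an added example for this README, not MSAA's detection rules: it parses a launchd property list with the standard `plistlib`, classifies it by the directory it lives in, and applies a few illustrative checks. The plist contents, labels, and the `file_owner_uid` parameter (in practice `os.stat(path).st_uid`) are constructed assumptions.

```python
"""Classify a launchd plist by domain and apply a few illustrative read-only checks."""
import plistlib
from pathlib import PurePosixPath

SYSTEM_DAEMON_DIRS = ("/Library/LaunchDaemons", "/System/Library/LaunchDaemons")
GLOBAL_AGENT_DIRS = ("/Library/LaunchAgents", "/System/Library/LaunchAgents")
USER_AGENT_SUFFIX = "/Library/LaunchAgents"  # i.e. /Users/<name>/Library/LaunchAgents
# Locations any local user can write to; a launch item pointing here deserves a look.
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def launch_domain(path: str) -> str:
    """Return 'system-daemon', 'global-agent', 'user-agent' or 'unknown' from the plist location."""
    parent = str(PurePosixPath(path).parent)
    if parent in SYSTEM_DAEMON_DIRS:
        return "system-daemon"
    if parent in GLOBAL_AGENT_DIRS:
        return "global-agent"
    if parent.startswith("/Users/") and parent.endswith(USER_AGENT_SUFFIX):
        return "user-agent"
    return "unknown"


def audit_launch_item(path: str, data: bytes, file_owner_uid: int) -> dict:
    """Parse one plist (bytes already read from disk) and report what it does plus any findings.

    Nothing here modifies the system: it only reads and classifies.
    """
    info = plistlib.loads(data)
    program = info.get("Program") or (info.get("ProgramArguments") or [None])[0]
    domain = launch_domain(path)
    findings = []
    if domain == "system-daemon" and file_owner_uid != 0:
        findings.append("system daemon plist is not root-owned")
    if program is None:
        findings.append("no Program or ProgramArguments")
    elif program.startswith(WORLD_WRITABLE_PREFIXES):
        findings.append(f"program lives in a world-writable location: {program}")
    if info.get("RunAtLoad") and info.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: relaunches immediately if stopped")
    if domain == "unknown":
        findings.append("plist outside the standard launchd directories")
    return {
        "label": info.get("Label"),
        "domain": domain,
        "program": program,
        "run_at_load": bool(info.get("RunAtLoad")),
        "findings": findings,
    }


# Constructed plists for the example (labels and paths are made up).
AGENT_PLIST = plistlib.dumps({
    "Label": "com.example.msaa.agent",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/example-agent", "--monitor"],
    "RunAtLoad": True,
})
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.update.helper",
    "ProgramArguments": ["/Users/Shared/.helper/run.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    print(audit_launch_item("/Users/alice/Library/LaunchAgents/com.example.msaa.agent.plist", AGENT_PLIST, 501))
    print(audit_launch_item("/Library/LaunchDaemons/com.update.helper.plist", SUSPECT_PLIST, 501))
```

The checks are deliberately simple; the point is that domain classification comes from the file's location and ownership, not from anything the plist says about itself.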
The default scan mode is read-only and low impact.
Adds more evidence detail without changing system state.
Targets localhost-only port enumeration and related local checks. This is intentionally opt-in because it can be noisy.
The platform prefers evidence preservation over cleanup.
Before cleanup or remediation, the app can:
- warn about potential evidence loss
- create an evidence snapshot
- preserve logs, notes, reports, and case data
Do not delete logs automatically during an active investigation.
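The snapshot-before-cleanup rule above is straightforward to enforce in code: copy the case material, hash it, verify the copy, and only then allow deletion, and refuse outright while a case is active or without explicit approval. The block below is an added example written for this README, not MSAA's own snapshot or cleanup implementation; the directory layout, manifest format, `case_state` values, and the constructed files in `demo()` are assumptions.

```python
"""Evidence snapshot before cleanup: copy, hash, verify, then gate deletion."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


class CleanupRefused(Exception):
    """Raised whenever the preconditions for deleting case material are not met."""


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_snapshot(case_dir: Path, snapshot_root: Path, label: str) -> Path:
    """Copy every file under case_dir into a timestamped directory and write a hash manifest."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = snapshot_root / f"{stamp}-{label}"
    manifest = {}
    for src in sorted(p for p in case_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(case_dir)
        target = dest / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 keeps mtimes, which timelines depend on
        manifest[str(rel)] = {"sha256": sha256_file(target), "size": target.stat().st_size}
    (dest / "manifest.json").write_text(
        json.dumps({"label": label, "created": stamp, "files": manifest}, indent=2))
    return dest


def verify_snapshot(snapshot_dir: Path) -> list:
    """Re-hash the copied files; return the relative paths that are missing or no longer match."""
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    bad = []
    for rel, meta in manifest["files"].items():
        p = snapshot_dir / "files" / rel
        if not p.is_file() or sha256_file(p) != meta["sha256"]:
            bad.append(rel)
    return bad


def cleanup(case_dir: Path, targets, case_state: str, user_approved: bool, snapshot_root: Path):
    """Delete targets only when the case is not active, the user approved, and a verified snapshot exists."""
    if case_state == "active":
        raise CleanupRefused("case is under active investigation; cleanup blocked")
    if not user_approved:
        raise CleanupRefused("cleanup requires explicit user approval")
    snap = create_snapshot(case_dir, snapshot_root, "pre-cleanup")
    if verify_snapshot(snap):
        raise CleanupRefused("snapshot failed verification; nothing deleted")
    removed = []
    for rel in targets:
        p = case_dir / rel
        if p.is_file():
            p.unlink()
            removed.append(rel)
    return snap, removed


def demo() -> dict:
    """Run the workflow on constructed files in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "case"
        (case / "logs").mkdir(parents=True)
        (case / "logs" / "agent.log").write_text("2024-05-01 10:00:01 launchd started agent\n")
        (case / "notes.md").write_text("# Analyst notes\nSuspicious LaunchAgent reviewed.\n")
        snaps = Path(tmp) / "snapshots"
        result = {}
        try:
            cleanup(case, ["logs/agent.log"], "active", True, snaps)
            result["active_blocked"] = False
        except CleanupRefused:
            result["active_blocked"] = True
        try:
            cleanup(case, ["logs/agent.log"], "closed", False, snaps)
            result["unapproved_blocked"] = False
        except CleanupRefused:
            result["unapproved_blocked"] = True
        snap, removed = cleanup(case, ["logs/agent.log"], "closed", True, snaps)
        result["removed"] = removed
        result["log_gone"] = not (case / "logs" / "agent.log").exists()
        result["snapshot_ok"] = verify_snapshot(snap) == []
        result["snapshot_files"] = sorted(json.loads((snap / "manifest.json").read_text())["files"])
        # Tamper with the copy and confirm verification catches it.
        (snap / "files" / "notes.md").write_text("edited")
        result["tamper_detected"] = verify_snapshot(snap) == ["notes.md"]
        return result


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the snapshot evidence rather than just a backup: re-hashing later shows whether the preserved copy is still exactly what was captured before anything was removed.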
- Dashboard
- Intrusion Detection
- Investigation Priorities
- Flight Recorder
- Evidence Snapshots
- Apple Security Forecast
- Logs
- Settings
- Operational Health
- Skins
- Results
- Investigation Notes
- Command Preview
Placeholders for public release:
- Dashboard
- Intrusion Detection
- Investigation Priorities
- Flight Recorder
- Apple Security Forecast
- Operational Health
- Settings
Install the dependencies and start the launcher:

```shell
python3 -m pip install -r requirements.txt
python3 launcher.py
```

Build the bundled macOS app with the provided spec file:

```shell
pyinstaller "Mac Audit Agent.spec"
```

- Remove the LaunchAgent or LaunchDaemon from Launch Services
- Remove the runtime copy if you installed system mode
- Preserve reports, snapshots, notes, and evidence unless you intentionally choose to remove them
Use this software only on systems and networks you own or are explicitly authorized to assess.
If you are unsure whether you are authorized, stop and obtain written approval before running scans, monitors, or exports.
- Architecture
- Threat Model
- Privacy
- Deployment
- Operational Safety
- Government / Enterprise Evaluation
- Public Release Checklist
- Thank you
The repository includes unit tests, storage tests, UI smoke tests, and report export tests. The public release checklist requires that the test suite, compile checks, and diff checks pass before distribution.