BSM audit can't work in macOS 14 Sonoma beta

Hi guys

Following this topic: https://developer.apple.com/forums/thread/654443

I tested this in macOS 14 beta, and audit doesn't work now. Is it expected or a bug?

If it is expected, is there any announcement? Thank you!

The command returns an error:

    sudo audit -i
    Error sending trigger: (ipc/send) invalid destination port

My understanding is that this is expected. The audit subsystem isn’t gone completely, but you now have to explicitly enable it. See the audit man page for details (on macOS 14 beta, not the macOS 13 one!).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi eskimo,

Thank you very much!

I found the description:

DEPRECATION NOTICE
     The audit(4) subsystem has been deprecated since macOS 11.0, disabled since macOS 14.0, and WILL BE REMOVED in a future version of macOS.
     Applications that require a security event stream should use the EndpointSecurity(7) API instead.

     On this version of macOS, you can re-enable audit(4) by renaming or copying /etc/security/audit_control.example to /etc/security/audit_control,
     re-enabling the system/com.apple.auditd service by running launchctl enable system/com.apple.auditd as root, and rebooting.

But I want to confirm: with the audit log, I can get the AUE_LISTEN/AUE_BIND events. I think these events should not be covered by EndpointSecurity, is that right? Will Network Extension cover these events?

Thank you!
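
A read-only check for the two configuration steps in the deprecation notice quoted above, as an added example that is not part of the original posts or of Apple's documentation. The function names and result tokens are hypothetical, and the `launchctl print-disabled system` line format it parses (`"label" => enabled|disabled`, with `false|true` on older releases) is an assumption to confirm on the target macOS version.

```shell
#!/bin/sh
# Added example: read-only check of the two re-enable steps named in the
# deprecation notice. It changes nothing on the host.

AUDIT_CONTROL="${AUDIT_CONTROL:-/etc/security/audit_control}"
AUDITD_LABEL="com.apple.auditd"

# auditd_override TEXT
# TEXT is the output of `launchctl print-disabled system`.
# Prints enabled, disabled, or unset (no override line for the label).
# Assumed line format: "label" => enabled|disabled (older: => false|true).
auditd_override() {
    line=$(printf '%s\n' "$1" | grep -F "\"$AUDITD_LABEL\"" | head -n 1)
    case "$line" in
        *"=> enabled"*|*"=> false"*) echo enabled ;;
        *"=> disabled"*|*"=> true"*) echo disabled ;;
        *) echo unset ;;
    esac
}

# audit_readiness CONTROL_FILE OVERRIDE_TEXT
# Prints one token describing which step, if any, is still outstanding.
audit_readiness() {
    if [ ! -f "$1" ]; then
        echo missing-audit_control
    elif [ "$(auditd_override "$2")" != enabled ]; then
        echo auditd-not-enabled
    else
        echo ready
    fi
}

# On a Mac, evaluate the live host; elsewhere this part is skipped.
if command -v launchctl >/dev/null 2>&1; then
    audit_readiness "$AUDIT_CONTROL" "$(launchctl print-disabled system 2>/dev/null)"
fi
```

A result of `ready` means both configuration steps are in place; the notice still calls for a reboot before the audit subsystem is active.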

Will Network Extension cover these events?

Yes. Most folks implement that sort of thing using an NE transparent proxy.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
