filewatcher: auditing utility for macOS

filewatcher

a simple auditing utility for macOS

Filewatcher is an auditing and monitoring utility for macOS.

It can audit all events from the system auditpipe of macOS and filter them by process or by file.

If you want to read more about how it works, check my blog.

It can audit all events from the system auditpipe of macOS and filter them by process or by file You can use this utility to:

  • Monitor access to a file, or a group of files.
  • Monitor activity of a process, and which resources are accessed by that process.
  • Build a small Host-Based IDS by monitoring access or modifications to specific files.
  • Do a dynamic malware analysis by monitoring what the malware is using the filesystem.

Installation

git clone https://github.com/m3liot/filewatcher.git

make

 

To configure the auditpipe I used an example found here.
To parse the token’s structure I used the open source code from OpenBSM.
The code is still pretty messy but it works! The options are not so much at the moment, but my goal is to improve it to have a fully-working auditing tool. At the moment it is possible to specify which processor which file to monitor. By default, only some events are displayed, like open/read/write/close. Anyway, it’s possible to display all events thanks to an option. Check the help message!
It’s also possible, for now, to enable debug message logging into a file.

Just run make to compile it and then ./bin/filewatcher.

Usage

Usage: ./bin/filewatcher [OPTIONS]

-f, --file Set a file to filter
-p, --process Set a process name to filter
-a, --all Display all events (By default only basic events like open/read/write are displayed)
-d, --debug Enable debugging messages to be saved into a file
-h, --help Print this help and exit

Copyright (C) 2017 meliot

Source: https://github.com/m3liot/