In the fall of 2012 I started working on Yet Another Log Aggregator (YALA) called the Free Audit Aggregation System (FAAS) (see concept paper). I didn't feel there was a good solution for efficiently collecting large (multi-gigabyte) log files that Apple's BSM system could generate.
Collecting detailed audit data like BSM data is important because it can reveal activity that is invisible to many other security sensors. Not only can BSM data be used for novel detection approaches, it can also provide context to alerts generated by other sensors. For example, if a network sensor detects a suspicious network connection, the audit data can tell you what process created that connection, how that process got started, what program image it was running, how the program executable got onto your system, and what files the process read from or wrote to.
By chaining these steps together, you can build control flows (e.g., detect and watch intruders penetrate a network and then move laterally; see DIDS slides) and data flows (e.g., how did that file leave my system; see Windows audit video).
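The chaining described above, as an added example that is not part of the original post or of FAAS/Data Fence: starting from a suspicious connection (destination address and port), the code finds the connect(2) record, the process that made it, the image it was running, its ancestry via fork(2) records, who wrote that executable to disk, and what the process read and wrote. The records are constructed, heavily simplified XML loosely modeled on `praudit -x` element names (`record`, `subject`, `path`, `socket-inet`, `return`); real BSM records carry many more tokens and attributes, and the assumption that a successful fork(2) record reports the child pid as its return value is stated in the code.

```python
"""Chain BSM-style audit records around a network alert.

Added example, not code from the original post or from FAAS/Data Fence.
The trail below is constructed and simplified; element names loosely
follow `praudit -x`, but real records have more tokens and attributes.
"""
import xml.etree.ElementTree as ET

# Constructed sample trail: a shell (200) forks a child (400) that execs a
# binary written earlier by curl (300); the child connects out, reads a
# document and writes a file. `time` is an integer here only for ordering.
SAMPLE_TRAIL = """<audit>
<record event="execve(2)" time="0"><path>/bin/bash</path>
  <subject pid="200"/><return errval="success" retval="0"/></record>
<record event="execve(2)" time="1"><path>/usr/bin/curl</path>
  <subject pid="300"/><return errval="success" retval="0"/></record>
<record event="open(2) - write" time="2"><path>/tmp/updater</path>
  <subject pid="300"/><return errval="success" retval="3"/></record>
<record event="fork(2)" time="3">
  <subject pid="200"/><return errval="success" retval="400"/></record>
<record event="execve(2)" time="4"><path>/tmp/updater</path>
  <subject pid="400"/><return errval="success" retval="0"/></record>
<record event="connect(2)" time="5">
  <socket-inet type="2" port="443" addr="203.0.113.7"/>
  <subject pid="400"/><return errval="success" retval="0"/></record>
<record event="open(2) - read" time="6">
  <path>/Users/alice/Documents/secret.txt</path>
  <subject pid="400"/><return errval="success" retval="4"/></record>
<record event="open(2) - write" time="7"><path>/tmp/out.bin</path>
  <subject pid="400"/><return errval="success" retval="5"/></record>
</audit>"""


def parse_trail(xml_text):
    """Flatten each <record> into a dict; sort by time."""
    recs = []
    for r in ET.fromstring(xml_text).findall("record"):
        subj, ret = r.find("subject"), r.find("return")
        path, sock = r.find("path"), r.find("socket-inet")
        recs.append({
            "event": r.get("event"),
            "time": int(r.get("time")),
            "pid": int(subj.get("pid")),
            "path": path.text if path is not None else None,
            "addr": sock.get("addr") if sock is not None else None,
            "port": int(sock.get("port")) if sock is not None else None,
            "ok": ret is not None and ret.get("errval") == "success",
            "retval": int(ret.get("retval")) if ret is not None else None,
        })
    return sorted(recs, key=lambda x: x["time"])


def image_of(recs, pid, before):
    """Program image pid was running at `before`: its last successful execve."""
    ex = [r for r in recs if r["pid"] == pid and r["event"] == "execve(2)"
          and r["ok"] and r["time"] <= before]
    return ex[-1]["path"] if ex else None


def parent_of(recs, pid, before):
    """Parent pid via the fork(2) record that returned this pid.
    Assumption: a successful fork record carries the child pid in retval."""
    fk = [r for r in recs if r["event"] == "fork(2)" and r["ok"]
          and r["retval"] == pid and r["time"] <= before]
    return fk[-1]["pid"] if fk else None


def file_events(recs, pid, mode):
    """Paths a pid opened for `mode` ("read" or "write"); note that a real
    analysis must also key on process start time because pids are reused."""
    return [r["path"] for r in recs if r["pid"] == pid and r["ok"]
            and r["event"].startswith("open(2)") and mode in r["event"]]


def writers_of(recs, path, before):
    """Who wrote `path` before `before`: how did this executable get here?"""
    return [(r["pid"], image_of(recs, r["pid"], r["time"])) for r in recs
            if r["event"].startswith("open(2)") and "write" in r["event"]
            and r["ok"] and r["path"] == path and r["time"] < before]


def explain_connection(recs, addr, port):
    """Context for a network alert on addr:port, or None if no connect matches."""
    conns = [r for r in recs if r["event"] == "connect(2)" and r["ok"]
             and r["addr"] == addr and r["port"] == port]
    if not conns:
        return None
    pid, t = conns[0]["pid"], conns[0]["time"]
    image = image_of(recs, pid, t)
    ancestry, cur, seen = [], pid, set()
    while cur is not None and cur not in seen:      # walk fork records upward
        seen.add(cur)
        ancestry.append((cur, image_of(recs, cur, t)))
        cur = parent_of(recs, cur, t)
    return {"pid": pid, "image": image, "ancestry": ancestry,
            "image_written_by": writers_of(recs, image, t) if image else [],
            "files_read": file_events(recs, pid, "read"),
            "files_written": file_events(recs, pid, "write")}


if __name__ == "__main__":
    print(explain_connection(parse_trail(SAMPLE_TRAIL), "203.0.113.7", 443))
```

On the sample trail this reports pid 400 running `/tmp/updater`, forked by the bash process 200, with `/tmp/updater` written by curl (pid 300), one document read and `/tmp/out.bin` written, which is the control-flow and data-flow picture the paragraph describes.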
Unfortunately, FAAS got sidelined when Mavericks broke a few pieces of it, and I spent time developing Data Fence (currently in review), an update to Audit Viewer (approved (yay!) and to be released this week), and PS Logger (originally part of FAAS).
Data Fence has a few advantages over FAAS: distributed analysis, live analysis, and use of your existing SIEM infrastructure (assuming your SIEM reads syslog data and can parse XML). However, collecting the detailed audit data via something like FAAS and doing deeper back-end analysis is still extremely valuable, so I hope to thaw it out and start working on it again.
In the meantime, I thought I'd resurrect a few old videos to give you an idea of the FAAS vision. If you have some suggestions (like "Use Amazon Web Services instead of Apple Server."), contact me (a tweet works well, at least to start). The three videos cover
- Introduction to FAAS
- Using Log Browser to find a log of interest
- Applying server-side analysis to the logs