Collecting system-wide provenance on macOS
The OpenBSM reporter collects provenance from across the operating system using the macOS (Mac OS X) kernel's OpenBSM auditing of system calls.
This reporter is built automatically when SPADE's top-level make command is issued.
Before this reporter can be used, the commands below must be executed from within the SPADE directory. They only need to be executed once after compiling SPADE. (Note: They make lib/spadeOpenBSM a setuid-root binary, so normal users can run it with root privileges and thereby access the OpenBSM audit stream; chmod ug+s sets both the setuid and setgid bits. Keep the file writable only by its owner, since anyone who can overwrite a setuid-root binary can run their own code as root.)
sudo chown root lib/spadeOpenBSM
sudo chmod ug+s lib/spadeOpenBSM
No argument is needed when starting this reporter in the SPADE controller:
-> add reporter OpenBSM
Adding reporter OpenBSM... done
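The setup procedure above, as an added example that is not part of SPADE's own code: a POSIX shell script that applies the page's two commands and then verifies the result, checking that lib/spadeOpenBSM is owned by root, carries the setuid bit together with execute permission, and is not writable by group or others. It assumes it is run from the SPADE directory; the path lib/spadeOpenBSM is the one the page uses, and the function names are ours.

```shell
#!/bin/sh
# Added example, not part of SPADE: apply the two setup commands from this
# page and verify the result before starting the reporter. Run from the
# SPADE directory; lib/spadeOpenBSM is the path the page uses.

# Returns 0 when an ls(1)-style mode string has setuid together with user
# execute ("s" in position 4, e.g. "-rwsr-sr-x"). A capital "S" means the
# bit is set on a non-executable file, which is useless for a reporter binary.
mode_has_setuid() {
    case "$1" in
        ???s*) return 0 ;;
        ???S*) echo "setuid set but file is not executable: $1" >&2; return 1 ;;
        *)     echo "setuid bit not set: $1" >&2; return 1 ;;
    esac
}

# Returns 0 unless the mode string shows group write (position 6) or other
# write (position 9). A setuid-root binary that others can overwrite lets
# them run arbitrary code as root, so this is the check worth failing on.
mode_is_safe() {
    case "$1" in
        ?????w*|????????w*)
            echo "setuid binary is group- or world-writable: $1" >&2
            return 1 ;;
    esac
    return 0
}

# Returns 0 when FILE exists, is owned by root, has setuid+exec and is not
# writable by anyone but its owner. Uses ls -ld because its first and third
# fields (mode, owner) are the same on macOS and Linux, whereas stat(1)
# flags differ between the two. A trailing "@" or "+" that macOS appends
# to the mode for extended attributes or ACLs does not disturb the patterns.
check_setuid_root() {
    csr_file=$1
    [ -f "$csr_file" ] || { echo "missing: $csr_file" >&2; return 1; }
    set -- $(ls -ld "$csr_file")   # word splitting of ls output is intended
    csr_mode=$1
    csr_owner=$3
    [ "$csr_owner" = "root" ] || { echo "owner is $csr_owner, expected root" >&2; return 1; }
    mode_has_setuid "$csr_mode" && mode_is_safe "$csr_mode"
}

# The page's two commands, followed by the verification.
install_spade_openbsm() {
    target=${1:-lib/spadeOpenBSM}
    sudo chown root "$target" &&
    sudo chmod ug+s "$target" &&
    check_setuid_root "$target" &&
    echo "$target is ready; now run 'add reporter OpenBSM' in the SPADE controller"
}
```

Source the script and call install_spade_openbsm once after `make`; call check_setuid_root lib/spadeOpenBSM on its own whenever the binary is rebuilt, since a fresh build replaces the file and drops the ownership and mode set here.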
This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.