Audit logs on modern macOS?

Meet Logga

available soon in the App Store

Privacy first
Logga values your privacy: it doesn't collect/store user-related data or tap into any network traffic.
macOS native
Logga is a System Extension that runs in userspace. System Extensions are "drivers" or extensions to kernel functionality, replacing the legacy Kernel Extensions. By running in userspace, Logga promises not to compromise the security or stability of your macOS.
Endpoint Security
Logga produces process execution logs; permission, kext and file-descriptor related events are not in scope. To achieve this, Logga uses Endpoint Security to hook process executions.
Configurable
Logga lets you have granular control over log format & rotation rules.
Templatable
Logga has a templating engine that lets you customize log lines to your fancy.
Resourceful
JSON and auditd log formats out of the box.
{ "log": { "args": ["ls","-G","-la"], "command": "\/bin\/ls", "env": ["..."], "group": "staff", "guid": 20, "pid": 80918, "ppid": [80882,1541,1476,1], "ruid": 501, "exit": 0, "username": "timcook" }, "timestamp": "1364481363" }
{ "log": { "args": ["date"], "command": "\/bin\/date", "env": ["..."], "group": "staff", "guid": 20, "pid": 80920, "ppid": [80890,1542,1480,1], "ruid": 501, "exit": 0, "username": "timcook" }, "timestamp": "1364481383" }
{ "log": { "args": ["go","build","./cmd/$*"], "command": "\/usr\/local\/Cellar\/go\/1.18\/libexec\/bin\/go", "env": ["..."], "group": "staff", "guid": 20, "pid": 80919, "ppid": [80872,1541,1499,1], "ruid": 501, "exit": 0, "username": "timcook" }, "timestamp": "1364481363" }

type=EXECVE msg=audit(1648591393): exit=0 argc=3 a0=ls a1=G a2=la ppid=80882 pid=80928 uid=501 gid=20 euid=501 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1648591394): exit=1 argc=1 a0=cat ppid=80888 pid=80928 uid=501 gid=20 euid=501 comm="cat" exe="/bin/cat"
type=EXECVE msg=audit(1648591395): exit=0 argc=1 ppid=8078 pid=80928 uid=501 gid=20 euid=501 comm="date" exe="/bin/date"

// ${username} ${ruid} ${guid} arbitrary text ${command} ${args}
1648591395 timcook 501 20 arbitrary text /bin/ls ["ls","-G","-la"]
1648591396 timcook 501 20 arbitrary text /bin/rm ["rm","-rf","/Users/timcook/.oh-my-zsh/log/update.lock"]
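As an added example (not Logga's own code), here is how the JSON log format above can be consumed downstream and rendered with a `${field}` template like the one shown: the sample lines are constructed after the page's output, and the `review_candidates` triage rule is an assumption about what a reviewer might want to pull out first.

```python
import json
from string import Template

# Constructed sample lines in the JSON format shown above (modeled on the page, not captured from a host).
SAMPLE_LOG = """\
{ "log": { "args": ["ls","-G","-la"], "command": "/bin/ls", "env": ["..."], "group": "staff", "guid": 20, "pid": 80918, "ppid": [80882,1541,1476,1], "ruid": 501, "exit": 0, "username": "timcook" }, "timestamp": "1364481363" }
{ "log": { "args": ["cat","/etc/hosts"], "command": "/bin/cat", "env": ["..."], "group": "staff", "guid": 20, "pid": 80920, "ppid": [80890,1542,1480,1], "ruid": 501, "exit": 1, "username": "timcook" }, "timestamp": "1364481383" }
{ "log": { "args": ["launchctl","list"], "command": "/bin/launchctl", "env": ["..."], "group": "wheel", "guid": 0, "pid": 80931, "ppid": [80900,1], "ruid": 0, "exit": 0, "username": "root" }, "timestamp": "1364481390" }
"""

# The page's template line, prefixed with the timestamp that its sample output shows.
LINE_TEMPLATE = Template("${timestamp} ${username} ${ruid} ${guid} arbitrary text ${command} ${args}")


def parse_events(text):
    """Parse one JSON object per line into flat dicts: the "log" fields plus "timestamp"."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        event = dict(record["log"])
        event["timestamp"] = record["timestamp"]
        events.append(event)
    return events


def render(event, template=LINE_TEMPLATE):
    """Substitute ${field} placeholders; args are JSON-encoded as in the sample output."""
    fields = dict(event)
    fields["args"] = json.dumps(event["args"], separators=(",", ":"))
    return template.safe_substitute(fields)


def review_candidates(events):
    """Hypothetical triage rule: executions that failed (non-zero exit) or ran as root (ruid 0)."""
    return [e for e in events if e["exit"] != 0 or e["ruid"] == 0]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for event in events:
        print(render(event))
    print("review:", [e["pid"] for e in review_candidates(events)])
```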

Audit logging is a bit of a mess right now on macOS. OpenBSM is slowly being deprecated since Big Sur, to pave the way for Endpoint Security. Endpoint Security is far from being feature complete but already provides enough functionality to be able to watch & record running processes. If for some reason[1] you or your company needs to collect logs about who/what runs processes on your Mac, you might find Logga useful.

[1] for example SOC2 compliance

Logga is a System Extension that runs in the background as a userspace daemon. For this application type, Apple requires an accompanying macOS GUI application that enables the user to load, unload & remove the System Extension intuitively(?). The GUI application also makes it easier to package, sign[1] and distribute the application via the App Store.
Logga hooks on Endpoint Security "exec" events, then writes the event & meta information to log files. Logga takes care of log rotation as well.

[1] and extend it with the special privileges needed to access process information

Currently no. I know what needs to be done to support this use case, but it requires (a lot) more work, and Apple doesn't make things easier. I needed to keep the scope relatively small for the launch. If you are interested in this use case, please open an issue on GitHub.

(Please note that for this to work at scale, your organization will probably need MDM)

Good question. I have a strong desire to sell Logga as a "buy once, use forever" application instead of a subscription service. How will I earn millions, you might ask? Probably I won't, so let's say $5. Do you think this is too much? Or too little? Please don't hesitate to drop me an email!

Although, if there is ever an Enterprise[1] version of Logga, it will probably be a subscription service. The use case would require custom distribution, billing + maintenance, which has recurring costs. Regardless, I intend to keep the price low.

[1] Lets you install it on hundreds or thousands of Macs without the App Store

Yes, on GitHub! Feel free to suggest additional features or report bugs.

Not right now, but that might change with time.