SUpraudit - An actually useful praudit(1) for MacOS

What is this?

You may or may not be familiar with BSM auditing. A legacy of the dearly departed Solaris OS, which lives on in FreeBSD, Linux and - of course - MacOS. Auditing is detailed in my *OS Internals::Security & Insecurity's Chapter 2, and is one of the diamonds in the rough as far as system monitoring is concerned. Though not as powerful as the MAC Framework (and unable to proact, only react to operations), no other framework combines the ease of live monitoring with the advantages of pure user mode. The kernel is still very much involved - but you neither can nor should modify its auditing logic, which is enabled by default.

Apple took the set of default Solaris tools (namely, praudit(1), auditreduce and audit(8), and hasn't really invested in them. At all. Notably, praudit(1), which is used to print audit records from files in /var/audit and the /dev/auditpipe, is a pretty terrible tool that is not grep(1) friendly even when used with -l (single line output). And its XML output (-x) isn't that shabby either.

Enter: SUpraudit

After 25 or so years(?) it's time for a revamp. I've reversed praudit paltry ~220 lines of assembly back to source, and then decided to rebuild it - better than before:

root@Zephr (~) # supraudit -h
supraudit: illegal option -- -h
usage: supraudit [-lnpx] [-r | -s] [-d del] [file ...]
       supraudit [-S [-C] |-J] [-F filter] [-O output]
       -S: SuperAudit records (much more readable)
       -C: Color (because everything looks better in color)
       -J: JSON
       -L: Relay to local syslog
       -F: Filter by predefined rules - files, net, proc
       -O: Log to specified outputfile

This is J's supraudit, compiled on May 22 2018. 
Latest version always free @

The usage mode is nearly identical to praudit - that is, supraudit can be used as the receiving end of a pipe (|) from an audit file, or run over one - commonly the /dev/auditpipe, since this provides the real-time audit firehose. The switches that are new to supraudit are all uppercase, so as to not collide with those of its precursor. These switches allow for a variety of output formats or filters (as is shortly explained in "Usage Examples", below).

Unlike praudit(1), my tool - when operating on /dev/auditpipe - configures the pipe via ioctl(2) codes, which allow it to set custom filters (or none at all) without affecting the local audit policy!. In simple words, you don't need to configure anything - just run supraudit directly on the pipe and see every BSD level operation! (Note, that Mach level operations cannot be audited, as the kernel does not support that).

Usage examples

The immediate and most useful feature is -S, which uses my own record format, rather than the default of Apple's. The format is very much like Linux's strace (and my own jtrace), and is super grep-friendly. You can toggle color (which really helps) using -C or the usual JCOLOR=1:

You can filter using grep and cut -d'|'.

. Some useful filters for grep are 'INET' (all network connections), 'INET4' (IPv4) and 'INET6'.

As another example, consider the equivalent of my filemon (sans reactive capabilities):

As a quick alternative to grep, you can use -F files, net or proc for builtin filters. This is recommended, since you can always apply grep(1) later. Also, doing so will automatically save an unfiltered audit log to /tmp, so you can then see the full picture at any time.

syslog/os_log integration

Using -L together with -S will log to local syslog/os_log:

MacOS 14: Code signing support

Remote loghost

One of the audit mechanism's most glaring omissions is that, unlike syslogd, it doesn't do remote logging to a centralized server - which is imperative if you want to ensure log integrity, and vital if you have more than 5 machines, like in an enterprise. Well, that's been fixed. Using supraudit with -R will relay to a centralized server, but that requires...

Oh, yes.. There's Supraudit-PRO

A 'pro' version of Supraudit has even more features, including:

The PRO version is in development, and will get a much more official and snazzier page when the fine folks at will get to it.



  • For nice ideas as to what to do with supraudit, Splunk, and smart scripting - Check Alfredo Albarca's OSXMON project!
  • TG Annoucement - The upcoming MOXiI training in NYC (Dec 2nd, 2019) is open for registration! SUpraudit is only one of the many cool tracing/RE methods we demonstrate. You might want to follow @Technologeeks for announcements! You can drop i/n/f/o at TG an email if you want more details or to register.


  • 12/13/2018 - Added 10.14 support, code signing detection
  • 05/22/2018 - Bugfixes (for JSON output), -L now available in non-PRO version (requires -S as well)
  • 10/01/2017 - Finally made supraudit its own webpage
  • 02/28/2018 - Misc changes: pipe mode (... | supraudit) works, JSON output (-J) (with thanks to @bruienne)