Ayo Animashaun
Security Engineer (DART) | GIAC GREM
September 28, 2025

macOS telemetry vs. EDR telemetry, which is better?

whoami
Previous employment: Detection & Response Analyst, Rapid7, 2021-2024

Agenda
1. What are Unified Logs?
2. Answering Investigative Questions
3. Private Data Logging
4. Log Retention
5. Unified Logs vs. EDR telemetry
6. Takeaways

1. What are Unified Logs?
Apple's system-wide logging framework used across Apple platforms: iOS, macOS, tvOS, watchOS, etc.
Introduced in iOS 10.0 and later, macOS 10.12 and later, tvOS 10.0 and later, and watchOS 3.0 and later.
Centralizes log data in memory and on disk rather than in plain files.
This talk primarily focuses on the Unified Logs on macOS.

On disk:
Undocumented compressed .tracev3 files under /var/db/diagnostics/
Supporting metadata in /var/db/uuidtext/
Main tracev3 files for the log saved to disk in /var/db/diagnostics/Persist/
Supplementary log content in /var/db/diagnostics/Special/
Time-sync data in /var/db/diagnostics/timesync/
.logarchive files are a compressed combination of the files located in the directories above and represent the file format utilised to export these logs.

In memory:
os_log - shared pages - logd
logd aggregates & compresses logs, retaining them in a local ring buffer or committing them to disk based on policy.

SOURCE - keith.github.io
IMPORTANT: THESE ARE NOT THE SAME AS /var/log

Where are Unified Logs stored?

How do we access these logs?
log stream

How do we access these logs?
log show
Use to convert from local time to UTC
Start/End time: YYYY-MM-DD HH:MM:SS

Example Log
Timestamp | Thread ID | Log Level | Activity ID | Process ID | Time-to-live | Process Name: (Sender) | Subsystem: Category | Event Message

log stream & show - Filtering With --predicate

Log Predicates (How do we filter logs)
Filter by startup items
log sh