
macOS telemetry vs. EDR telemetry, which is better?.pdf

Uploader: 可*** | ID: 991797 | 2025-12-07 | 42 pages | 3.57 MB

macOS telemetry vs. EDR telemetry, which is better?
Ayo Animashaun, Security Engineer (DART) | GIAC GREM
September 28, 2025

whoami
Previous employment: Detection & Response Analyst, Rapid7, 2021-2024

Agenda
1. What are Unified Logs?
2. Answering Investigative Questions
3. Private Data Logging
4. Log Retention
5. Unified Logs vs. EDR telemetry
6. Takeaways

What are Unified Logs?
- Apple's system-wide logging framework used across Apple platforms: iOS, macOS, tvOS, watchOS, etc.
- Introduced in iOS 10.0 and later, macOS 10.12 and later, tvOS 10.0 and later, and watchOS 3.0 and later.
- Centralizes log data in memory and on disk rather than in plain files.
- This talk primarily focuses on the Unified Logs on macOS.

Where are Unified Logs stored?
On disk:
- Undocumented, compressed .tracev3 files under /var/db/diagnostics/
- Supporting metadata in /var/db/uuidtext/
- Main tracev3 files for the log saved to disk in /var/db/diagnostics/Persist/
- Supplementary log content in /var/db/diagnostics/Special/
- Time-sync data in /var/db/diagnostics/timesync/
- .logarchive files are a compressed combination of the files located in the directories above and are the file format used to export these logs.
In memory:
- os_log shared pages
- logd: logd aggregates and compresses logs, retaining them in a local ring buffer or committing them to disk based on policy.
SOURCE: keith.github.io
IMPORTANT: THESE ARE NOT THE SAME AS /var/log

How do we access these logs?
- log stream
- log show
  Use … to convert from local time to UTC.
  Start/End time: YYYY-MM-DD HH:MM:SS

Example Log
Fields: Timestamp, Thread ID, Log Level, Activity ID, Process ID, Time-to-live, Process Name: (Sender), Subsystem:Category, Event Message

log stream & log show: Filtering with --predicate

Log Predicates (how do we filter logs)
Filter by startup items: log sh…
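The field layout on the Example Log slide and the UTC conversion and start/end time filtering mentioned for log show can be exercised with the Python below, which is an added example and not code from the talk: it parses constructed sample lines in the default text column layout of `log show` (an assumption about the format), normalises each timestamp to UTC, and filters by time window, subsystem or level the way a --predicate would.

```python
import re
from datetime import datetime, timezone

# One line of `log show` default text output, in the field order of the
# Example Log slide: timestamp, thread, level (Type), activity, PID, TTL,
# process: (sender), optional [subsystem:category], then the event message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})\s+"
    r"(?P<thread>0x[0-9a-f]+)\s+(?P<level>\w+)\s+(?P<activity>0x[0-9a-f]+)\s+"
    r"(?P<pid>\d+)\s+(?P<ttl>\d+)\s+(?P<process>[^:]+): \((?P<sender>[^)]+)\)\s+"
    r"(?:\[(?P<subsystem>[^:\]]*):(?P<category>[^\]]*)\]\s+)?(?P<message>.*)$"
)

# Constructed sample output (not captured from a real host); offsets are local -0700.
SAMPLE = """\
Timestamp                       Thread     Type        Activity             PID    TTL
2025-09-28 10:15:23.123456-0700 0x1a2b     Default     0x0                  1      0    launchd: (libxpc.dylib) [com.apple.xpc:connection] Accepted connection
2025-09-28 10:15:24.000001-0700 0x1a2c     Error       0x4f2                512    0    loginwindow: (LoginUIKit) [com.apple.loginwindow:default] Login Window Application Started
2025-09-28 10:15:25.500000-0700 0x2b3d     Info        0x0                  0      0    kernel: (AppleACPIPlatform) ACPI: sleep states S3 S4 S5
"""

def parse_line(line):
    """Return a dict of fields for one event line, or None for the header/unparseable text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # %z accepts the "-0700" suffix; normalise to UTC so timelines from several
    # hosts (or from an EDR console) can be compared directly.
    ev["utc"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f%z").astimezone(timezone.utc)
    ev["pid"] = int(ev["pid"])
    ev["ttl"] = int(ev["ttl"])
    return ev

def parse_log(text):
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]

def select(events, start=None, end=None, subsystem=None, level=None):
    """Filter like a --predicate; start/end are UTC 'YYYY-MM-DD HH:MM:SS' strings."""
    fmt = "%Y-%m-%d %H:%M:%S"
    lo = datetime.strptime(start, fmt).replace(tzinfo=timezone.utc) if start else None
    hi = datetime.strptime(end, fmt).replace(tzinfo=timezone.utc) if end else None
    return [e for e in events
            if (lo is None or e["utc"] >= lo) and (hi is None or e["utc"] < hi)
            and (subsystem is None or e["subsystem"] == subsystem)
            and (level is None or e["level"] == level)]

def utc_stamp(event):
    """Event time as a UTC 'YYYY-MM-DD HH:MM:SS' string, the form used for start/end."""
    return event["utc"].strftime("%Y-%m-%d %H:%M:%S")
```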

Based on the report's content, the document centres on macOS Unified Logs, compares the strengths and weaknesses of Unified Logs against EDR (Endpoint Detection and Response) telemetry, and offers best practices for investigating and analysing logs. Key points:
- Unified Logs are Apple's system-level logging framework, used on iOS, macOS and other platforms, introduced with iOS 10.0 and macOS 10.12.
- Unified Logs are stored both in memory and on disk and provide detailed log data.
- The logs can be accessed with the `log show` and `log stream` commands and filtered with `--predicate`.
- Private data logging allows sensitive information to be viewed, but the privacy risk must be kept in mind.
- Compared with EDR telemetry, Unified Logs offer broader coverage but lack dedicated detection capabilities.
- Best practices include using Unified Logs to validate events, exporting logs during incident response, and enabling private logging when analysing malware.
"The perfect complement to EDR?" "How do privacy and security balance?" "Unified Logs vs. EDR: which comes out ahead?"