RIP BSM, and the coming showdown

BSM (Basic Security Module), the audit system that has been around since at least 1992, is dead, or at least it is in hospice care and on life support.

A 32-year run makes BSM unusually long-lived for a piece of security technology.

Originally developed by Sun Microsystems, BSM satisfied the C2-level audit requirements of the US Department of Defense's Trusted Computer System Evaluation Criteria (the Orange Book). Apple adopted BSM as the audit system for Mac OS X 10.3 (Panther) around 2003. With macOS 11 (Big Sur) in 2020, Apple deprecated the audit subsystem. In 2023, macOS 14 (Sonoma) shipped with it disabled by default, although a user or organization can still re-enable it. The auditd man page, however, states that it will be removed in a future macOS version.

Apple’s man page for auditd

I am pretty sure BSM will be truly dead by the end of 2024.

When an Unstoppable Force Meets an Immovable Object

A showdown between Apple and the bodies that write audit-logging standards, the Defense Information Systems Agency (DISA) and the National Institute of Standards and Technology (NIST) among them, is now in view.

The figure and text below illustrate the problem.

Apple’s new endpoint system extension approach vs. the old BSM approach

An application performs operations such as opening a file through system calls: the application issues the request (1), the kernel services it (3), and the kernel returns the outcome, success or an error, to the application (4).

BSM's 32-year-old design hooks in after the system call completes (5), so its record carries the outcome: the event succeeded, or it failed and with what error. That matters because DISA and NIST audit requirements place particular weight on failed events (a failed attempt to open a file, a failed attempt to execute a program), and a failed event can only be recorded by something that observes the outcome.

Apple's replacement, the Endpoint Security framework delivered through system extensions, intercepts the request before the kernel acts on it: a security extension examines the call and can allow or deny it (2). The design goal is prevention, where BSM's was after-the-fact recording.

An extension at (2) sees the request, not the result the kernel returns at (4), so a call the extension allowed but the kernel then rejected (the file exists, say, but the caller lacks permission) produces no failed-event record. On that point the new architecture falls short of DISA's and NIST's logging criteria, which emphasize the recording of failed events.
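To make the "failed events" requirement concrete, here is a model of how BSM preselection decides what the hook at step (5) writes, driven by the flags line of /etc/security/audit_control. This is an added example, not code from the original post or from Apple: the +, - and ^ prefix semantics follow audit_control(5), the class names are a subset of audit_class(5), the mapping of each sample call to a class is assumed, and the flags line and the sample events are constructed. Its input is exactly what only a post-completion hook has and an extension at step (2) lacks: the outcome of each call.

```python
"""Model of BSM audit preselection from the flags: line of audit_control.

Added example, not code from the original post or from Apple. Prefix
semantics follow audit_control(5); class names are a subset of
audit_class(5); the class assigned to each sample call is assumed; the
flags line and the sample events are constructed for illustration.
"""

from dataclasses import dataclass

# Subset of the audit event classes defined in audit_class(5).
# "all" in a flags line expands to every class in this table.
AUDIT_CLASSES = {
    "fr": "file read", "fw": "file write", "fa": "file attribute access",
    "fm": "file attribute modify", "fc": "file create", "fd": "file delete",
    "cl": "file close", "pc": "process", "nt": "network", "ad": "administrative",
    "lo": "login/logout", "aa": "authentication and authorization", "ex": "exec",
}


def parse_flags(flags: str) -> dict[str, set[str]]:
    """Return the preselection mask as {class: subset of {"success", "failure"}}.

    Per audit_control(5): no prefix selects both outcomes, '+' selects
    successful events only, '-' failed events only, and '^' removes an
    earlier selection ('^+' and '^-' remove just one outcome). Terms apply
    left to right, so "-all,^-fa" is "every failed event except failed
    attribute reads".
    """
    mask: dict[str, set[str]] = {c: set() for c in AUDIT_CLASSES}
    for term in (t.strip() for t in flags.split(",") if t.strip()):
        remove = term.startswith("^")
        term = term[1:] if remove else term
        if term.startswith("+"):
            outcomes, name = {"success"}, term[1:]
        elif term.startswith("-"):
            outcomes, name = {"failure"}, term[1:]
        else:
            outcomes, name = {"success", "failure"}, term
        classes = list(AUDIT_CLASSES) if name == "all" else [name]
        for cls in classes:
            if cls not in mask:
                raise ValueError(f"unknown audit class {cls!r}")
            if remove:
                mask[cls] -= outcomes
            else:
                mask[cls] |= outcomes
    return mask


@dataclass(frozen=True)
class AuditEvent:
    """What step (5) sees: the call, its (assumed) class, and its outcome."""
    description: str
    audit_class: str
    succeeded: bool


def is_recorded(mask: dict[str, set[str]], event: AuditEvent) -> bool:
    outcome = "success" if event.succeeded else "failure"
    return outcome in mask.get(event.audit_class, set())


def select(flags: str, events: list[AuditEvent]) -> list[str]:
    """Descriptions of the events a given flags line would write to the trail."""
    mask = parse_flags(flags)
    return [e.description for e in events if is_recorded(mask, e)]


# Constructed sample events; each carries the outcome returned at step (4).
SAMPLE_EVENTS = [
    AuditEvent("open(2) /etc/passwd for read, success", "fr", True),
    AuditEvent("open(2) /etc/master.passwd for read, EACCES", "fr", False),
    AuditEvent("execve(2) /usr/bin/sudo, success", "ex", True),
    AuditEvent("execve(2) /tmp/payload, EACCES", "ex", False),
    AuditEvent("stat(2) /private/var/db/missing, ENOENT", "fa", False),
    AuditEvent("unlink(2) /var/log/system.log, EPERM", "fd", False),
    AuditEvent("login via loginwindow, success", "lo", True),
]

# A constructed flags line of the shape seen in hardening baselines: logins,
# authn/authz and admin events in full, deletes and attribute changes in full,
# then every other failed event minus noisy failed attribute reads, creates
# and closes.
BASELINE_FLAGS = "lo,aa,ad,fd,fm,-all,^-fa,^-fc,^-cl"

if __name__ == "__main__":
    for flags in ("-all", BASELINE_FLAGS):
        print(f"flags:{flags}")
        for line in select(flags, SAMPLE_EVENTS):
            print("  recorded:", line)
```

Under "-all" the trail holds only the four failures; under the baseline line it holds the failed open and exec, the failed delete and the login, and drops the successful open and exec entirely. Every decision keys on the succeeded field, which is the field an extension answering an authorization request at step (2) does not have. On a real macOS system where auditing is still enabled, the equivalent is editing the flags line in /etc/security/audit_control, reloading with `audit -s`, and reading the resulting records with `praudit`.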

Three potential outcomes loom:

  1. Apple extends its Endpoint Security architecture to also report system call outcomes, taking over BSM's role at (5).

  2. DISA, NIST, and similar bodies revise their logging standards to accommodate the new preventive approach.

  3. These compliance entities deem macOS non-compliant with their security standards, potentially barring its use in regulated environments.

Clarity on Apple’s compliance trajectory is likely at WWDC 2024, with the announcement of the next macOS version.