PS Logger

ps_logger takes snapshots of your currently running processes.

Apple's BSM audit system is a fantastic audit system that can aid in the detection and forensic analysis of malicious activity on your system.

However, BSM has one glaring flaw. If a process existed before a BSM audit file is created (say /usr/local/fubar is running as process 392), there is no evidence in the audit file that the fubar program is running. The audit records in the audit file will only say "Process 392 did this" and "Process 392 did that". Looking at that file, you will never know what process 392 is.

ps_logger is designed to address this issue. At boot, and then every time a new audit trail file is created, ps_logger runs, captures the list of current processes (it actually just runs the "ps" command), and logs the information to the directory

/var/ps_audit

Then, if you ever need to know "What was process 392 running?", you will have the answer.
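The snapshot-and-lookup idea described above, as an added example that is not the ps_logger project's own code: one function writes a timestamped ps snapshot (the output directory and the optional label, such as "boot" or the name of the new audit trail file, are parameters assumed here; the real tool writes to /var/ps_audit), and a second function answers "what was process 392 running?" by scanning the snapshots. Wiring it to boot and to audit trail rotation is outside this example.

```shell
#!/bin/sh
# Added example (not ps_logger's own code). Assumes a POSIX sh, awk and a
# ps that accepts the POSIX "-e -o pid,ppid,user,args" keys (macOS, Linux).

# snapshot_ps DIR [LABEL]
# Writes one ps snapshot to DIR, named by UTC timestamp plus a label so it
# can be matched to the audit trail file it was taken for. Prints the path.
snapshot_ps() {
    dir=$1
    # Keep the label filesystem-safe; an audit trail name may contain
    # characters we do not want in a filename.
    label=$(printf '%s' "${2:-snapshot}" | tr -c 'A-Za-z0-9._-' '_')
    mkdir -p "$dir" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dir/ps_${stamp}_${label}.txt"
    ps -e -o pid,ppid,user,args > "$out" || return 1
    printf '%s\n' "$out"
}

# lookup_pid PID DIR
# Scans every snapshot in DIR in filename (timestamp) order and prints
# "<snapshot>: <ps line>" for each one in which PID appears, so the
# audit record "Process 392 did this" can be tied back to a command line.
# Returns 1 when the PID is in no snapshot.
lookup_pid() {
    pid=$1
    dir=$2
    found=1
    for f in "$dir"/ps_*.txt; do
        [ -f "$f" ] || continue
        # Field 1 is the PID column; NR > 1 skips the ps header row.
        m=$(awk -v want="$pid" 'NR > 1 && $1 == want' "$f")
        if [ -n "$m" ]; then
            printf '%s: %s\n' "$f" "$m"
            found=0
        fi
    done
    return $found
}
```

Take one snapshot with `snapshot_ps /tmp/ps_audit boot`, then `lookup_pid 392 /tmp/ps_audit` lists every snapshot that saw process 392 together with its owner and command line.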