Collecting system wide provenance on macOS - ashish-gehani/SPADE GitHub Wiki
The OpenBSM reporter collects provenance from across the operating system using the Mac OS X kernel's auditing of system calls.
This reporter is built automatically when SPADE's top-level make command is issued.
Before this reporter can be used, the commands below must be executed from within the SPADE directory. They only need to be executed once after compiling SPADE. (Note: The commands make lib/spadeOpenBSM owned by root with the setuid and setgid bits set. This will let normal users access the OpenBSM audit stream.)
sudo chown root lib/spadeOpenBSM
sudo chmod ug+s lib/spadeOpenBSM
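A check of the state left by the two commands above, as an added example that is not part of SPADE or of the original page. The function name check_spade_openbsm and its return codes are assumptions made for illustration, and the test for group or world write permission goes beyond what the page states.

```shell
#!/bin/sh
# Added example, not SPADE code: verify the ownership and mode that
# "chown root" and "chmod ug+s" should leave on lib/spadeOpenBSM.
# check_spade_openbsm is a hypothetical helper name.
# Usage (from the SPADE directory): check_spade_openbsm lib/spadeOpenBSM
check_spade_openbsm() {
    bin="${1:-lib/spadeOpenBSM}"   # default path is relative to the SPADE directory

    if [ ! -f "$bin" ]; then
        echo "missing: $bin" >&2
        return 2
    fi

    # Owner must be root and both set-id bits must be present.
    # -H makes find examine the target if the path is a symlink.
    if [ -z "$(find -H "$bin" -prune -user root -perm -6000)" ]; then
        echo "not root-owned with setuid and setgid bits: $bin" >&2
        return 1
    fi

    # A set-id root binary that group or others can write to is a
    # privilege-escalation risk, so flag either write bit.
    if [ -n "$(find -H "$bin" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "group- or world-writable: $bin" >&2
        return 3
    fi

    echo "ok: $bin is root-owned, setuid+setgid, not group/world-writable"
    return 0
}
```

A return code of 0 means the binary is in the expected state; any other value names the first condition that failed on stderr.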
No argument is needed when starting this reporter in the SPADE controller:
-> add reporter OpenBSM
Adding reporter OpenBSM... done