A macOS behavior audit / event monitoring system with scope of file, process and network events (based on Endpoint Security Framework).


ConradSun/NuwaStone

NuwaStone

A macOS behavior audit system with scope of file, process and network events.

It supports the following events:

  • File: create, delete, close (with modification), rename
  • Process: create, exit (exit only on macOS 11.x+)
  • Network: connect, DNS query

Recommendation

If you want to monitor more event types, you can use X-Monitor. That project supports all events provided by the Endpoint Security framework and will add network/DNS events in the future.

Documentation

NuwaStone supports macOS 10.13+, using a Kernel Extension (kext) on macOS 10.x and a System Extension (sext) on macOS 11.x+. The kext uses Kauth and a socket filter for event collection and behavior auditing; the sext uses Endpoint Security and Network Extension for the same purpose.

Installation

  1. Disable SIP by following the instructions here.
  2. Download the installation package here.
  3. Double-click NuwaStone-vxx.pkg and follow the installer's guide.
  4. Close the installation guide.

Uninstallation

  1. Select 'Uninstall NuwaStone' from the status bar menu of the NuwaClient application.

Attention

NuwaStone won't let an unsigned app run without your authorization, but if you do not respond within 30 seconds the app is allowed to run just this once.

Preferences

Select 'Preferences' or 'Settings' from the status bar menu of the NuwaClient application to view or update user preferences. It provides 'Basic Settings', 'Event Muting' and 'System Info' sub-views.

The 'Event Muting' sub-view supports filtering events as follows:

  • Mute file events by file paths or process paths
  • Mute network events by process paths or remote IP addresses
  • Mute process events by allowing or denying binary paths
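As an added example (not NuwaStone's own code), here is a minimal Swift Endpoint Security client that shows the sext side described in the Documentation section together with the kinds of rule the 'Event Muting' view offers: it subscribes to the file and process events listed in the README, mutes by process path in the kernel with es_mute_path_literal, mutes file events by file-path prefix in user space, and answers AUTH_EXEC against a deny list of binary paths. Network/DNS events come from Network Extension rather than Endpoint Security, so they are not covered, and the 30-second interactive prompt is not implemented: unsigned binaries that are not on the deny list are allowed. The mute lists, the deny-list path and the `describe`/`handle` function names are constructed for this example; the process must run as root with the com.apple.developer.endpoint-security.client entitlement.

```swift
import EndpointSecurity
import Foundation

// Constructed mute/deny policy standing in for the 'Event Muting' preferences (assumed values).
let mutedProcessPaths = ["/usr/libexec/xpcproxy", "/usr/sbin/cfprefsd"]   // mute by process path (in kernel)
let mutedFilePrefixes = ["/private/var/folders/", "/Library/Caches/"]     // mute file events by file path
let deniedBinaryPaths: Set<String> = ["/tmp/untrusted-example"]           // deny these binary paths on exec

/// Converts an ES string token (length + pointer, not guaranteed NUL-terminated) to a Swift String.
func string(_ token: es_string_token_t) -> String {
    guard let data = token.data else { return "" }
    return String(decoding: UnsafeRawBufferPointer(start: data, count: token.length), as: UTF8.self)
}

func path(of file: UnsafeMutablePointer<es_file_t>) -> String { string(file.pointee.path) }

/// One-line audit record for the event kinds the README lists, or nil when the event is muted.
func describe(_ msg: UnsafePointer<es_message_t>) -> String? {
    let m = msg.pointee
    let procPath = path(of: m.process.pointee.executable)
    let pid = Int32(m.process.pointee.audit_token.val.5)   // val[5] of an audit token is the pid
    var filePath = ""
    var summary: String
    switch m.event_type {
    case ES_EVENT_TYPE_NOTIFY_CREATE:
        let c = m.event.create   // destination is either an existing file or a new dir + filename
        filePath = c.destination_type == ES_DESTINATION_TYPE_EXISTING_FILE
            ? path(of: c.destination.existing_file)
            : path(of: c.destination.new_path.dir) + "/" + string(c.destination.new_path.filename)
        summary = "file create \(filePath)"
    case ES_EVENT_TYPE_NOTIFY_UNLINK:
        filePath = path(of: m.event.unlink.target)
        summary = "file delete \(filePath)"
    case ES_EVENT_TYPE_NOTIFY_CLOSE:
        guard m.event.close.modified else { return nil }   // only closes that wrote data, as the README lists
        filePath = path(of: m.event.close.target)
        summary = "file close(modified) \(filePath)"
    case ES_EVENT_TYPE_NOTIFY_RENAME:
        let r = m.event.rename
        filePath = path(of: r.source)
        let dest = r.destination_type == ES_DESTINATION_TYPE_EXISTING_FILE
            ? path(of: r.destination.existing_file)
            : path(of: r.destination.new_path.dir) + "/" + string(r.destination.new_path.filename)
        summary = "file rename \(filePath) -> \(dest)"
    case ES_EVENT_TYPE_NOTIFY_EXEC:
        summary = "process create \(path(of: m.event.exec.target.pointee.executable))"
    case ES_EVENT_TYPE_NOTIFY_EXIT:
        summary = "process exit status=\(m.event.exit.stat)"
    default:
        return nil
    }
    // User-space file-path muting: ES path muting applies to the acting process, not to the file.
    if mutedFilePrefixes.contains(where: { filePath.hasPrefix($0) }) { return nil }
    return "[pid \(pid)] \(procPath): \(summary)"
}

/// ES handler: answers AUTH_EXEC against the deny list and logs everything else that is not muted.
func handle(_ client: OpaquePointer, _ msg: UnsafePointer<es_message_t>) {
    guard msg.pointee.event_type == ES_EVENT_TYPE_AUTH_EXEC else {
        if let line = describe(msg) { print(line) }
        return
    }
    let target = msg.pointee.event.exec.target.pointee
    let exe = path(of: target.executable)
    let unsigned = target.signing_id.length == 0          // no code-signing identifier at all
    let verdict = deniedBinaryPaths.contains(exe) ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW
    if unsigned { print("unsigned binary exec: \(exe) -> \(verdict == ES_AUTH_RESULT_DENY ? "deny" : "allow")") }
    // AUTH events must be answered before msg.pointee.deadline or the system kills the client; answer now.
    _ = es_respond_auth_result(client, msg, verdict, false)
}

var client: OpaquePointer?
let created = es_new_client(&client) { c, msg in handle(c, msg) }
guard created == ES_NEW_CLIENT_RESULT_SUCCESS, let es = client else {
    fputs("es_new_client failed: \(created.rawValue) (needs root + endpoint-security.client entitlement)\n", stderr)
    exit(1)
}
for p in mutedProcessPaths { _ = es_mute_path_literal(es, p) }   // events from muted processes never arrive
let subscriptions: [es_event_type_t] = [
    ES_EVENT_TYPE_NOTIFY_CREATE, ES_EVENT_TYPE_NOTIFY_UNLINK, ES_EVENT_TYPE_NOTIFY_CLOSE,
    ES_EVENT_TYPE_NOTIFY_RENAME, ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_EXIT,
    ES_EVENT_TYPE_AUTH_EXEC,
]
guard es_subscribe(es, subscriptions, UInt32(subscriptions.count)) == ES_RETURN_SUCCESS else {
    fputs("es_subscribe failed\n", stderr); exit(1)
}
dispatchMain()   // ES delivers messages on its own queue; keep the process alive
```

Compile it as a single main.swift with swiftc, codesign the binary with an entitlements file that grants com.apple.developer.endpoint-security.client, and run it with sudo; without the entitlement es_new_client returns ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED. The close handler keeps only closes with the modified flag set, which is why the README lists that event as "close with modified", and process-path muting is done in the kernel while file-path muting is done in the handler, because es_mute_path_literal filters on the process that performs the action, not on the file it touches.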