Audit Log Levels

You can determine the audit log verbosity by configuring the Compliance Reporter audit log level that meets the needs of your organization. The following table describes what information is collected and reported in the Compliance Reporter audit logs depending on the configured log level.

  • Level 0
    Suitable for when you only want to monitor authentication events and administrative change events, such as when a low-level kernel setting, firewall status, or user object is changed on a computer.
    Important:

    Level 0 does not meet auditing requirements for security benchmarks.

  • Level 1Suitable for most computers.
  • Level 2Suitable for computers handling sensitive information regularly.
  • Level 3Suitable for short-term use on computers that are traveling to high-risk security environments or to confirm a compromise of a system remotely.
SettingLevel 0Level 1Level 2Level 3

Log in events

  • Login window and screensaver
  • SSH, screen sharing, and Apple Remote Desktop
  • File sharing, and any other service that requires a local account

Authorizations

Includes all system events determining if an authenticated user or process has the permission to perform an action

User and group creation or modification
Hardware change events

Other system operation events

Includes mounting external or network drives and reboot, shutdown, and macOS updates

External drive and volume events
Compliance Reporter tamper events
Network and firewall changes
System configuration file changes

Application process executions

Includes app execution and any security actions an app performs.

Terminal and shell script actions

Includes commands executed by the following: root, administrator, impersonated user, and root or administrator shell script commands.

1

Processes listening for network connections

Includes all connections from outside computers.

2
Gatekeeper evaluations and overrides
XProtect evaluations and updates
Incoming network connections
Outgoing user network connections
System-level outgoing network connections

File events on external drives

Includes the following file events by default, but is overridden by the FileEventInclusionPaths preference key:

  • /etc/pam.d/
  • /Library/Extensions/
  • /var/db/ConfigurationProfiles/
  • /Library/Preferences/
  • /Library/LaunchAgents/
  • /Library/LaunchDaemons/
All network traffic
File event monitoring custom paths
Application Exclusions
User Exclusions3
1 Includes all commands and shell script history, no matter the user or permission level.
2 localhost is ignored.
3 All configured user and process drop filters are ignored and all events are logged.