A macOS behavior audit / event monitoring system with scope of file, process and network events (based on Endpoint Security Framework).

ConradSun/NuwaStone

NuwaStone

A macOS behavior audit system with scope of file, process and network events.

It supports the following events:

  • File: create, delete, close with modified, rename
  • Process: create, exit (macOS 11.x+ only)
  • Network: connect, DNS query

Documentation

NuwaStone supports macOS 10.13+ with a Kernel Extension (for macOS 10.x) and a System Extension (for macOS 11.x+). The kernel extension (kext) uses Kauth and socket filters for event collection and behavior auditing. The system extension (sext) uses Endpoint Security and Network Extension for event collection and behavior auditing.

Installation

  1. Disable SIP by following the instructions here.
  2. Download the installation package here.
  3. Double-click NuwaStone-vxx.pkg and follow the installation guide.
  4. Close the installation guide.

Uninstallation

  1. Select 'Uninstall NuwaStone' from the status bar menu of the NuwaClient application.

Attention

NuwaStone won't let an unsigned app run without your authorization, but if you do not authorize within 30 seconds, the app is allowed to run that one time.

Preferences

Select 'Preferences' from the status bar menu of the NuwaClient application to check or update user preferences. You can add, remove and display the paths used for filtering file/network events or for allowing/denying execution.
