While troubleshooting something on my Mac the other day via the built-in Consle.app, I ran across a lot of redacted entries that simply showed <private> rather than showing the actual data. This is because of security enhancements Apple has made over the past few years to help protect MacOS from vulnerabilities.
Background
It used to be on MacOS Sierra and up that you could simply run sudo log config --mode "private_data:on" inside of Terminal and it would allow you to see the content of protected log entries. Well, with Catalina that all changed.
Now the process is much more difficult. Thankfully, Saagar Jha did some fantastic research on this after Catalina’s release which can be found over on their blog, and George Garside did us the favor of compiling Saagar’s code into a simple binary that we can run to enable PrivateLogs on MacOS Catalina.
Unfortunately, Apple was not done yet.
Around the time that I began trying this, MacOS Catalina 10.15.3 had just been released. I attempted to run George’s compilation of Saagar’s code, yet I always received the response System mode = Info when I run the sudo log config --status command. I ran this by Saagar, and he looked into it and responded that Apple had placed the Private logs behind additional entitlement checks, so the method that George Garside had compiled would no longer work.
Enabling Private Logs on 10.15.3 and Up
To work around Apple’s new entitlement checks on 10.15.3, download the PrivateOn.dylib file below and copy it to your home folder ~/
Open Terminal and run the following command and enter your password when prompted:
sudo su
After you arrive at the sh-3.2# prompt, type:
sudo bash
which should take you to the bash-3.2# prompt. Now copy the code below and replace the file path with your user home folder path and press enter:
DYLD_INSERT_LIBRARIES="/Users/admin/PrivateOn.dylib" log config --mode private_data:on
If it doesn’t give you any errors and returns you to the bash-3.2# prompt, you were successful. Verify by running the command below:
sudo log config --status
which should display System mode = INFO PRIVATE_DATA
If for some reason it doesn’t work any step of the way, it may be that you need to partially disable System Integrity Protection in order for this to work. All of my machines have SIP partially disabled so that I can run TotalSpaces2, so that may be affecting my results.
To partially disable SIP, reboot to MacOS Recovery and enter the terminal and run the command below:
csrutil enable --without debug --without fs
More information on partially disabling SIP can be found here.
Manually Compiling PrivateOn.dylib
For the security conscious out there that want to manually compile the PrivateOn.dylib file linked above, you can do so by following the instructions below:
1. Open your favorite text editor and paste the code below and save it as PrivateOn.c and save it to ~/
int _os_trace_is_development_build();
int overriden__os_trace_is_development_build() {
return 1; // Look at me, I'm the development build now
}
__attribute__((used, section("__DATA,__interpose"))) static struct {
int (*overridden__os_trace_is_development_build)();
int (*_os_trace_is_development_build)();
} _os_trace_is_development_build_interpose = {overriden__os_trace_is_development_build, _os_trace_is_development_build};
Then open your terminal and change directory to ~/ and run the command below to create the PrivateOn.dylib file:
clang PrivateOn.c -shared -o PrivateOn.dylib
Comments