Reply to BSM audit can't work in macOS 14 Sonoma beta
Hi eskimo,

Thank you very much! I find the description:

DEPRECATION NOTICE

The audit(4) subsystem has been deprecated since macOS 11.0, disabled since macOS 14.0, and WILL BE REMOVED in a future version of macOS. Applications that require a security event stream should use the EndpointSecurity(7) API instead.

On this version of macOS, you can re-enable audit(4) by renaming or copying /etc/security/audit_control.example to /etc/security/audit_control, re-enabling the system/com.apple.auditd service by running launchctl enable system/com.apple.auditd as root, and rebooting.

But I want to confirm: with Audit Log, I can get the AUE_LISTEN/AUE_BIND event. I think these events should not be covered by EndpointSecurity, is it right? Will Network Extension cover these events?

Thank you!
Topic: Privacy & Security SubTopic: General Tags:
Jun ’23
Reply to VM: Accounts framework use lots of memory
Hi eskimo,

Thank you for your response. I do these steps:

1. Use leaks command to get the memory graph
2. Use footprint command to get info:

```
 Dirty      Clean  Reclaimable    Regions    Category
   ---        ---          ---        ---    ---
925 MB        0 B          0 B      14012    Accounts framework
```

3. Use vmmap command to list the vm info, then vm info show addresses

```
Accounts framework          130e45000-130e56000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e56000-130e67000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e67000-130e78000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e78000-130e89000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e89000-130e9a000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e9a000-130eab000    [   68K     0K     0K    68K] r--/r-- SM=SHM
```

4. Then get above traceTrees with the address
Topic: Privacy & Security SubTopic: General Tags:
Aug ’22
Reply to VM: Accounts framework use lots of memory
Like this?

```
   3 Region Accounts framework region + 0 0x121ff0000
    2 0x7fcc3d023a00 [1536] +1341: 0x7fcc3d023f3d --> offset 65536
    + 1 Region __DATA_DIRTY /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation __DATA_DIRTY __data: '__CFRuntimeClassTable' + 2224 0x7fff80292090
    + 1 Region __DATA_DIRTY /System/Library/Frameworks/Security.framework/Versions/A/Security __DATA_DIRTY __bss: 'Security::KeychainCore::gTypes()::nexus' 0x7fff803182a0
    1 0x7fcc3be10650 [784] +477: 0x7fcc3be1082d --> offset 65663
     1 <icu::SharedDateFormatSymbols 0x7fcc3d02c000> [1536] +128: 0x7fcc3d02c080 --> offset 8
      1 0x7fcc3c813200 [3072] +2480: 0x7fcc3c813bb0
       1 0x7fcc3bf056a0 [80]  +0: 0x7fcc3bf056a0
        1 <icu::UnifiedCache 0x7fcc3bf05660> [64]  +8: 0x7fcc3bf05668
         1 Region __DATA_DIRTY /usr/lib/libicucore.A.dylib __DATA_DIRTY __bss + 3552 0x7fff8081cf30
  2 VM: Accounts framework 0x112bb2000-0x112bc3000 [V=68K] r--/r--
    2 Region Accounts framework region + 0 0x110ff0000
    2 0x7fcc3be06ea0 [432] +197: 0x7fcc3be06f65 --> offset 65663
     1 Region __DATA_DIRTY /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation __DATA_DIRTY __data: '__CFRuntimeClassTable' + 2176 0x7fff80292060
     1 Region __DATA_DIRTY /System/Library/Frameworks/Security.framework/Versions/A/Security __DATA_DIRTY __bss: 'Security::CodeSigning::gCFObjects' 0x7fff803180d8
```
Topic: Privacy & Security SubTopic: General Tags:
Aug ’22