Ventura 13.4 makes network diagnostic logging harder

If you’ve ever looked in the macOS Unified log for information about network traffic, you’ll be aware that, while the log entries are there, their contents are usually of little help. Even removing log privacy to strip all the <private> entries doesn’t help much. The best solution is to enable network diagnostic logging, but as of macOS Ventura 13.4 that has become less accessible, as it now requires SIP to be disabled.

Enabling CFNetwork diagnostic logging for your own code should remain available as before, and as explained by Apple.

However, enabling this globally, so that you can read decrypted TLS data and other content for third-party apps or macOS itself, requires a command in Terminal, as described by Jeff Johnson. Prior to macOS 13.4, the command
sudo launchctl setenv CFNETWORK_DIAGNOSTICS 3
should do the trick for all processes launched thereafter. However, in macOS 13.4 that is only allowed when SIP is disabled. The impact of this is greatest on Apple silicon Macs, where disabling SIP requires downgrading the Startup Security policy to Permissive Security. This in turn alters many behaviours, and will affect some network connections as a result.
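As an added example (not part of the original post), the following shell script shows how an administrator can check, before touching anything, whether system-wide CFNetwork diagnostic logging is even possible on a given Mac, and how to read what it produces afterwards. It parses the output of csrutil status and launchctl getenv, and builds a log show predicate; the subsystem name com.apple.CFNetwork and the use of Safari as the process name are assumptions for illustration, not taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper functions to check
# whether CFNetwork diagnostic logging can be enabled system-wide on a macOS
# host and to read what it writes. The parsing functions take text as an
# argument so they can be exercised with constructed output off-box.

# Return 0 if the given `csrutil status` output reports SIP enabled.
sip_enabled_from_output() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Print the numeric level found in `launchctl getenv CFNETWORK_DIAGNOSTICS`
# output (0-3). Empty output means the variable is unset, reported as 0;
# anything else is reported as "invalid" with a non-zero status.
diag_level_from_output() {
    level=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$level" in
        [0-3]) printf '%s\n' "$level" ;;
        '')    printf '0\n' ;;
        *)     printf 'invalid\n'; return 1 ;;
    esac
}

# Build the `log show` predicate that selects CFNetwork entries for one
# process. The subsystem name is an assumption for this example.
cfnetwork_log_predicate() {
    printf 'process == "%s" AND subsystem == "com.apple.CFNetwork"' "$1"
}

# Live check, only on a host that actually has csrutil and launchctl.
if command -v csrutil >/dev/null 2>&1 && command -v launchctl >/dev/null 2>&1; then
    if sip_enabled_from_output "$(csrutil status 2>/dev/null)"; then
        echo "SIP is enabled: on macOS 13.4 and later, launchctl setenv CFNETWORK_DIAGNOSTICS will not take effect system-wide."
    else
        echo "SIP is disabled: sudo launchctl setenv CFNETWORK_DIAGNOSTICS 3 should apply to processes launched from now on."
    fi
    echo "Current launchd CFNETWORK_DIAGNOSTICS level: $(diag_level_from_output "$(launchctl getenv CFNETWORK_DIAGNOSTICS)")"
    echo "Read recent entries with: log show --last 5m --predicate '$(cfnetwork_log_predicate Safari)'"
fi
```

Run it as a plain sh script on the Mac in question; on any other system the live section is skipped and only the functions are defined, which is what makes them testable with constructed output.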

The reason for this change appears to lie in one or more of the security fixes that come in macOS 13.4. Several of them refer to improving privacy in the log, as well as CVE-2023-27940:
Kernel
Impact: A sandboxed app may be able to observe system-wide network connections
Description: The issue was addressed with additional permissions checks.

Some of those changes may also be implemented in the fixes in macOS 12.6.6 and 11.7.7, so don’t be surprised if they now also require SIP to be disabled before you can enable network diagnostic logging there.

These don’t affect the general removal of privacy from the log, for which the profile I have provided still works as expected, and eliminates all those <private> entries.