I left my laptop with my coworkers for about 30-40 minutes. Can I find out whether files were exported or opened from my laptop during that time?
11/5/17 3:12:09.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 3:13:10.325 PM Microsoft Word[1299]: open on /Users/rakanalami/Library/Group Containers/UBF8T346G9.Office/MicrosoftShipAssertLog_MSWD1299_Send.txt: File exists
11/5/17 3:15:16.302 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:16:00.429 PM BezelServices 255.10[98]: ASSERTION FAILED: result == 0 -[KeyboardALSAlgorithmLegacy setDriverSuppressed] line: 135
11/5/17 3:16:00.436 PM com.apple.usbmuxd[84]: notice failed to get the v3 runloopsource
11/5/17 3:16:00.438 PM AirPlayUIAgent[288]: 2017-11-05 03:16:00.437362 PM [AirPlayUIAgent] BecomingInactive: NSWorkspaceWillSleepNotification
11/5/17 3:16:00.444 PM CommCenter[236]: Telling CSI to go low power.
11/5/17 3:16:00.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
11/5/17 3:16:00.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:00.529 PM sharingd[250]: 15:16:00.529 : BTLE scanner Powered Off
11/5/17 3:16:00.531 PM sharingd[250]: 15:16:00.530 : BTLE scanner Powered Off
11/5/17 3:16:00.559 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: notification observer: com.apple.iChat notification: __CFNotification 0x7f83bae4e5f0 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.560 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: notification observer: com.apple.FaceTime notification: __CFNotification 0x7fed39716020 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.573 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: NC Disabled: NO
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.572 : Purged contact hashes
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : Discoverable mode changed to Off
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : BTLE scanning stopped
11/5/17 3:16:00.588 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: DND Enabled: YES
11/5/17 3:16:00.589 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: Updating enabled: NO (Topics: (
))
11/5/17 3:16:00.589 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: NC Disabled: NO
11/5/17 3:16:00.589 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: notification observer: com.apple.iChat notification: __CFNotification 0x7f83bac619c0 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.600 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: DND Enabled: YES
11/5/17 3:16:00.600 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: Updating enabled: NO (Topics: (
))
11/5/17 3:16:00.600 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: NC Disabled: NO
11/5/17 3:16:00.606 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: DND Enabled: YES
11/5/17 3:16:00.606 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: Updating enabled: NO (Topics: (
))
11/5/17 3:16:01.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:01.429 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_desktop_screenshot: authw 0x7fcd03b74800(2000), shield 0x7fcd031ae400(2001)
11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_lock_screen_screenshot: authw 0x7fcd03b74800(2000)[0, 0, 0, 0] shield 0x7fcd031ae400(2001), dev [1440,900]
11/5/17 3:16:01.785 PM WindowServer[177]: no sleep images for WillPowerOffWithImages
11/5/17 3:16:01.906 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
11/5/17 3:16:01.907 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
11/5/17 3:16:11.800 PM loginwindow[98]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
11/5/17 3:16:15.000 PM kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).
11/5/17 3:16:15.000 PM kernel[0]: en0: channel changed to 1
11/5/17 3:16:15.000 PM kernel[0]: en0::IO80211Interface::postMessage bssid changed
11/5/17 3:16:15.655 PM symptomsd[256]: -[NetworkAnalyticsEngine _writeJournalRecord:fromCellFingerprint:key:atLOI:ofKind:lqm:isFaulty:] Hashing of the primary key failed. Dropping the journal record.
11/5/17 3:16:15.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 3:16:18.000 PM kernel[0]: PM response took 3119 ms (56, powerd)
11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io(28)
11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io took 0 ms
11/5/17 3:16:18.000 PM kernel[0]: error 0xe00002db opening polled file
11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000280
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.048948: AirPort_Brcm43xx::powerChange: System Sleep
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049000: IOPMPowerSource Information: onSleep, SleepType: Deep Idle, 'ExternalConnected': No, 'TimeRemaining': 312,
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049020: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:49:54.000 PM kernel[0]: en0: channel changed to 1
11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1659 us
11/5/17 3:49:54.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.634907: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
11/5/17 3:49:54.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.650861: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
11/5/17 3:49:54.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:20.000 PM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
11/5/17 3:49:54.000 PM kernel[0]: Wake reason: EC.LidOpen (User)
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000320
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 3:49:54.000 PM kernel[0]: Previous sleep cause: 5
11/5/17 3:49:54.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
11/5/17 3:49:54.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 3:49:54.007 PM CommCenter[236]: Telling CSI to exit low power.
11/5/17 3:49:54.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
11/5/17 3:49:54.033 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:49:54.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
Hello, I have now found more logs. Can anyone tell me from these logs whether a USB drive was used to extract files?
11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.298447: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1670 us
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
11/5/17 1:02:24.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.316263: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 10:02:23.000 AM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
11/5/17 1:02:24.000 PM kernel[0]: Wake reason: EC.SleepTimer (SleepTimer)
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 1:02:24.000 PM kernel[0]: Previous sleep cause: 5
11/5/17 1:02:24.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
11/5/17 1:02:24.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 1:02:24.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 180137 us
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 1 milliseconds
11/5/17 1:02:24.248 PM hidd[102]: [HID] [MT] MTSimpleHIDManager::deviceDidBootload device bootloaded
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: TBT W (2): 0x0100 [x]
11/5/17 1:02:24.000 PM kernel[0]: en0: channel changed to 1
11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Up on awdl0
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490079: AirPort_Brcm43xx::powerChange: System Wake - Full Wake/ Dark Wake / Maintenance wake
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490134: IOPMPowerSource Information: onWake, SleepType: Deep Idle, 'ExternalConnected': No, 'TimeRemaining': 17276,
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490266: AirPort_Brcm43xx::platformWoWEnable: WWEN[disable]
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b093840b3 has no prefix
11/5/17 1:02:24.632 PM UserEventAgent[46]: Captive: CNPluginHandler en0: Inactive
11/5/17 1:02:24.637 PM configd[55]: network changed: v4(en0-:172.20.10.3) DNS- Proxy-
11/5/17 1:02:24.637 PM Dock[240]: -[UABestAppSuggestionManager notifyBestAppChanged:type:options:bundleIdentifier:activityType:dynamicIdentifier:when:confidence:deviceName:deviceIdentifier:deviceType:] (null) UASuggestedActionType=0 (null)/(null) opts=(null) when=2017-11-05 11:02:24 +0000 confidence=1 from=(null)/(null) (UABestAppSuggestionManager.m #319)
11/5/17 1:02:24.000 PM kernel[0]: PM response took 153 ms (56, powerd)
11/5/17 1:02:24.802 PM cdpd[539]: Saw change in network reachability (isReachable=0)
11/5/17 1:02:24.804 PM netbiosd[1945]: network_reachability_changed : network is not reachable, netbiosd is shutting down
11/5/17 1:02:24.809 PM symptomsd[256]: __73-[NetworkAnalyticsEngine observeValueForKeyPath:ofObject:change:context:]_block_invoke unexpected switch value 2
11/5/17 1:02:24.881 PM SubmitDiagInfo[2158]: Triggering diganostics messages cleanup
11/5/17 1:02:25.024 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.025 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.026 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.038 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.043 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.046 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.050 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.000 PM kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 3
11/5/17 1:02:26.000 PM kernel[0]: PM response took 1374 ms (56, powerd)
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096547: AirPort_Brcm43xx::powerChange: System Sleep
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096595: IOPMPowerSource Information: onSleep, SleepType: Standby, 'ExternalConnected': No, 'TimeRemaining': 17276,
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096612: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
11/5/17 1:02:26.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
However, you can turn this feature on to audit future events.
Important note: this answer is meant to show that this kind of auditing can be done; it is in no way a guide or HOW-TO for configuring or managing OpenBSM* on macOS. Configuring and administering OpenBSM is well beyond the scope of an answer here on Ask Different.
By default, the OpenBSM audit tool is configured only for authentication events such as login and logout.
Looking at the configuration file /etc/security/audit/audit_control
we see the following:
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa <----------- What gets audited.
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
There are a number of configuration directives, which can be found in the FreeBSD BSM Audit Config section of the FreeBSD Handbook.
Also, OpenBSM is not configured for all users. Looking at /etc/security/audit_user
we find that only root
is configured:
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
#
root:lo:no
To see whether we can audit when a file is read, modify audit_control
so that the flags line reads flags:lo,aa,fr
for "login/logout", "authentication/authorization" and "file read".
Then add a user to audit in the audit_user
file with the events we want to see (login and file read):
# username:alwaysaudit:neveraudit
allan:lo,fr:no
Restart the service:
sudo audit -i
In one Terminal session, to watch the audit trail being written in real time, issue the command
sudo praudit -l /dev/auditpipe | grep test
to see whether it generates an event when you read from a file called "test".
In a separate Terminal window:
$ touch test #creates the file
$ cat test #reads the file
Going back to the first Terminal window, we get a result:
sudo praudit -l /dev/auditpipe | grep test
Password:
header,140,11,open(2) - read,0,Tue Nov 7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,
There is the log entry.
Obviously, watching a "pipe" would be counterproductive and is only good for testing and demonstrations (like this example). The log files are stored in the /var/audit
directory, and you can view them with the praudit
command:
sudo praudit -l /var/audit/XXXXXXXXXXXXX.XXXXXXXXXXXXXX
* OpenBSM is an open-source implementation of Sun's Basic Security Module (BSM) audit API and file format. OpenBSM is derived from the BSM audit implementation found in Apple's open-source Darwin operating system, which Apple, on request, relicensed under a BSD license to permit integration into FreeBSD and other systems. The Darwin BSM implementation was created by McAfee Research under contract to Apple and has since been extensively extended by the volunteer TrustedBSD team. OpenBSM is included in FreeBSD as of version 6.2 and later, and has been announced as a feature of Mac OS X Snow Leopard.
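To turn raw praudit output into an answer to the question actually asked (which files were opened, by whom, during a given window), the following script parses `praudit -l` records and filters open(2) events by time and audit user. This is an added example, not code from the answer above or from OpenBSM. It assumes the default single-line praudit(1) token layout (field widths listed in the code); the first sample record is the one shown in the answer, every other sample record is constructed for the demo, including the exact wording of the failure return. One caveat a practitioner should know: the `-l` layout is ambiguous when a pathname itself contains a comma, so for bulk machine parsing prefer `praudit -x` (XML); the script does handle the one common ambiguity, an event name such as "open(2) - read,write", by anchoring the header on the date field.

```python
"""Parse `praudit -l` output (one BSM record per line) and list which files
were opened, by whom, inside a time window.

Added example for this answer, not code from the original post.  Field
widths follow the default praudit(1) single-line layout; every sample record
except the first (taken from the answer above) is constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Fields that follow each token name in `praudit -l` output.  Tokens not listed
# here (exec arg, socket, ...) have variable widths in the flat layout, so
# parsing stops at them; use `praudit -x` when those records matter.
TOKEN_WIDTHS = {
    "argument": 3,   # argument number, value, description
    "path": 1,       # open(2) records carry the path as passed, then as resolved
    "attribute": 6,  # mode, uid, gid, fsid, nodeid, device
    "subject": 9,    # auid, euid, egid, ruid, rgid, pid, sid, tid port, tid addr
    "return": 2,     # status, return value
    "text": 1,
    "trailer": 1,
}
SUBJECT_KEYS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")

# The header is matched with a regex instead of split on commas because the
# event name may itself contain one ("open(2) - read,write"); the date anchors it.
HEADER_RE = re.compile(
    r"^header,(?P<reclen>\d+),(?P<version>\d+),(?P<event>.+?),(?P<modifier>\d+),"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}),"
    r" \+ (?P<msec>\d+) msec,(?P<rest>.*)$"
)


@dataclass
class AuditRecord:
    event: str
    time: datetime
    paths: list[str] = field(default_factory=list)
    subject: dict[str, str] = field(default_factory=dict)
    status: str = ""  # "success", "failure : ...", or "truncated" if parsing stopped early


def parse_record(line: str) -> AuditRecord:
    """Parse one `praudit -l` line into an AuditRecord."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a praudit -l record: {line[:40]!r}")
    when = datetime.strptime(" ".join(m["date"].split()), "%a %b %d %H:%M:%S %Y")
    rec = AuditRecord(event=m["event"], time=when + timedelta(milliseconds=int(m["msec"])))
    fields = m["rest"].rstrip(",").split(",")
    i = 0
    while i < len(fields):
        name = fields[i]
        width = TOKEN_WIDTHS.get(name)
        vals = fields[i + 1 : i + 1 + width] if width else []
        if width is None or len(vals) < width:
            rec.status = rec.status or "truncated"
            break
        if name == "path":
            rec.paths.append(vals[0])
        elif name == "subject":
            rec.subject = dict(zip(SUBJECT_KEYS, vals))
        elif name == "return":
            rec.status = vals[0]
        i += 1 + width
    return rec


def file_opens(lines, start: datetime, end: datetime, user: str | None = None):
    """Return (time, auid, event, resolved path, status) for each open(2) record
    whose timestamp lies in [start, end], optionally restricted to one audit user."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if not rec.event.startswith("open(2)") or not rec.paths:
            continue
        if not start <= rec.time <= end:
            continue
        if user is not None and rec.subject.get("auid") != user:
            continue
        # The last path token is the fully resolved pathname.
        hits.append((rec.time, rec.subject.get("auid", "?"), rec.event, rec.paths[-1], rec.status))
    return hits


# Constructed sample trail: record 1 is the one from the answer, the rest are made up.
SAMPLE = """\
header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,
header,160,11,open(2) - read,write,0,Tue Nov  7 19:52:03 2017, + 12 msec,argument,2,0x2,flags,path,/Users/allan/Documents/salaries.xlsx,attribute,100644,allan,staff,16777218,731002,0,subject,allan,allan,staff,allan,staff,1312,100007,50331650,0.0.0.0,return,success,4,trailer,160,
header,150,11,open(2) - read,0,Tue Nov  7 19:55:10 2017, + 301 msec,argument,2,0x0,flags,path,/Users/allan/.ssh/id_rsa,subject,allan,allan,staff,allan,staff,1340,100007,50331650,0.0.0.0,return,failure : Permission denied,-1,trailer,150,
header,140,11,open(2) - read,0,Tue Nov  7 20:30:00 2017, + 5 msec,argument,2,0x0,flags,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1400,100007,50331650,0.0.0.0,return,success,3,trailer,140,
"""
SAMPLE_LINES = SAMPLE.strip().splitlines()


def demo():
    """Files opened between 19:40 and 20:00 on 7 Nov 2017 in the sample trail."""
    return file_opens(SAMPLE_LINES, datetime(2017, 11, 7, 19, 40), datetime(2017, 11, 7, 20, 0))


if __name__ == "__main__":
    for t, who, ev, path, status in demo():
        print(f"{t:%Y-%m-%d %H:%M:%S.%f} {who:<8} {ev:<24} {path} [{status}]")
```

For a real investigation, feed the lines of `sudo praudit -l /var/audit/<trail file>` to `file_opens` with the window in question (the 30-40 minutes the machine was unattended) and, if useful, the audit user; a failed open (a "failure" status) is as interesting as a successful one, since it shows what someone tried to reach. None of this helps retroactively: the trail only contains events recorded after `fr` was added to the audit flags.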