4 votes

Find out whether any file was exported from my MacBook

I left my laptop with my coworkers for about 30-40 minutes. Can I find out whether any file was exported/opened from my laptop during that time?

11/5/17 3:12:09.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 3:13:10.325 PM Microsoft Word[1299]: open on /Users/rakanalami/Library/Group Containers/UBF8T346G9.Office/MicrosoftShipAssertLog_MSWD1299_Send.txt: File exists
11/5/17 3:15:16.302 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:16:00.429 PM BezelServices 255.10[98]: ASSERTION FAILED: result == 0 -[KeyboardALSAlgorithmLegacy setDriverSuppressed] line: 135
11/5/17 3:16:00.436 PM com.apple.usbmuxd[84]: notice    failed to get the v3 runloopsource
11/5/17 3:16:00.438 PM AirPlayUIAgent[288]: 2017-11-05 03:16:00.437362 PM [AirPlayUIAgent] BecomingInactive: NSWorkspaceWillSleepNotification
11/5/17 3:16:00.444 PM CommCenter[236]: Telling CSI to go low power.
11/5/17 3:16:00.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
11/5/17 3:16:00.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:00.529 PM sharingd[250]: 15:16:00.529 : BTLE scanner Powered Off
11/5/17 3:16:00.531 PM sharingd[250]: 15:16:00.530 : BTLE scanner Powered Off
11/5/17 3:16:00.559 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: notification observer: com.apple.iChat   notification: __CFNotification 0x7f83bae4e5f0 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.560 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: notification observer: com.apple.FaceTime   notification: __CFNotification 0x7fed39716020 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.573 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>:    NC Disabled: NO
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.572 : Purged contact hashes
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : Discoverable mode changed to Off
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : BTLE scanning stopped
11/5/17 3:16:00.588 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>:   DND Enabled: YES
11/5/17 3:16:00.589 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:00.589 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>:    NC Disabled: NO
11/5/17 3:16:00.589 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: notification observer: com.apple.iChat   notification: __CFNotification 0x7f83bac619c0 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.600 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>:   DND Enabled: YES
11/5/17 3:16:00.600 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:00.600 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>:    NC Disabled: NO
11/5/17 3:16:00.606 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>:   DND Enabled: YES
11/5/17 3:16:00.606 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:01.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:01.429 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_desktop_screenshot: authw 0x7fcd03b74800(2000), shield 0x7fcd031ae400(2001)
11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_lock_screen_screenshot: authw 0x7fcd03b74800(2000)[0, 0, 0, 0] shield 0x7fcd031ae400(2001), dev [1440,900]
11/5/17 3:16:01.785 PM WindowServer[177]: no sleep images for WillPowerOffWithImages
11/5/17 3:16:01.906 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
11/5/17 3:16:01.907 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
11/5/17 3:16:11.800 PM loginwindow[98]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
11/5/17 3:16:15.000 PM kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).
11/5/17 3:16:15.000 PM kernel[0]: en0: channel changed to 1
11/5/17 3:16:15.000 PM kernel[0]: en0::IO80211Interface::postMessage bssid changed
11/5/17 3:16:15.655 PM symptomsd[256]: -[NetworkAnalyticsEngine _writeJournalRecord:fromCellFingerprint:key:atLOI:ofKind:lqm:isFaulty:] Hashing of the primary key failed. Dropping the journal record.
11/5/17 3:16:15.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 3:16:18.000 PM kernel[0]: PM response took 3119 ms (56, powerd)
11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io(28)
11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io took 0 ms
11/5/17 3:16:18.000 PM kernel[0]: error 0xe00002db opening polled file
11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000280
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.048948: AirPort_Brcm43xx::powerChange: System Sleep 
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049000: IOPMPowerSource Information: onSleep,  SleepType: Deep Idle,  'ExternalConnected': No, 'TimeRemaining': 312, 
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049020: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:49:54.000 PM kernel[0]: en0: channel changed to 1
11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1659 us
11/5/17 3:49:54.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.634907: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
11/5/17 3:49:54.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.650861: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
11/5/17 3:49:54.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:20.000 PM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
11/5/17 3:49:54.000 PM kernel[0]: Wake reason: EC.LidOpen (User)
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000320
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 3:49:54.000 PM kernel[0]: Previous sleep cause: 5
11/5/17 3:49:54.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
11/5/17 3:49:54.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 3:49:54.007 PM CommCenter[236]: Telling CSI to exit low power.
11/5/17 3:49:54.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
11/5/17 3:49:54.033 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:49:54.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0

Hi, I have now found more logs. Can anyone tell me whether a USB drive was used to extract files in these logs?

11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.298447: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1670 us
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
11/5/17 1:02:24.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.316263: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 10:02:23.000 AM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
11/5/17 1:02:24.000 PM kernel[0]: Wake reason: EC.SleepTimer (SleepTimer)
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 1:02:24.000 PM kernel[0]: Previous sleep cause: 5
11/5/17 1:02:24.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
11/5/17 1:02:24.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 1:02:24.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 180137 us
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 1 milliseconds
11/5/17 1:02:24.248 PM hidd[102]: [HID] [MT] MTSimpleHIDManager::deviceDidBootload device bootloaded
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: TBT W (2): 0x0100 [x]
11/5/17 1:02:24.000 PM kernel[0]: en0: channel changed to 1
11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Up on awdl0
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490079: AirPort_Brcm43xx::powerChange: System Wake - Full Wake/ Dark Wake / Maintenance wake
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490134: IOPMPowerSource Information: onWake,  SleepType: Deep Idle,  'ExternalConnected': No, 'TimeRemaining': 17276, 
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490266: AirPort_Brcm43xx::platformWoWEnable: WWEN[disable]
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b093840b3 has no prefix
11/5/17 1:02:24.632 PM UserEventAgent[46]: Captive: CNPluginHandler en0: Inactive
11/5/17 1:02:24.637 PM configd[55]: network changed: v4(en0-:172.20.10.3) DNS- Proxy-
11/5/17 1:02:24.637 PM Dock[240]: -[UABestAppSuggestionManager notifyBestAppChanged:type:options:bundleIdentifier:activityType:dynamicIdentifier:when:confidence:deviceName:deviceIdentifier:deviceType:] (null) UASuggestedActionType=0 (null)/(null) opts=(null) when=2017-11-05 11:02:24 +0000 confidence=1 from=(null)/(null) (UABestAppSuggestionManager.m #319)
11/5/17 1:02:24.000 PM kernel[0]: PM response took 153 ms (56, powerd)
11/5/17 1:02:24.802 PM cdpd[539]: Saw change in network reachability (isReachable=0)
11/5/17 1:02:24.804 PM netbiosd[1945]: network_reachability_changed : network is not reachable, netbiosd is shutting down
11/5/17 1:02:24.809 PM symptomsd[256]: __73-[NetworkAnalyticsEngine observeValueForKeyPath:ofObject:change:context:]_block_invoke unexpected switch value 2
11/5/17 1:02:24.881 PM SubmitDiagInfo[2158]: Triggering diganostics messages cleanup
11/5/17 1:02:25.024 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.025 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.026 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.038 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.043 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.046 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.050 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.000 PM kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 3
11/5/17 1:02:26.000 PM kernel[0]: PM response took 1374 ms (56, powerd)
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096547: AirPort_Brcm43xx::powerChange: System Sleep 
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096595: IOPMPowerSource Information: onSleep,  SleepType: Standby,  'ExternalConnected': No, 'TimeRemaining': 17276, 
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096612: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
11/5/17 1:02:26.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340

3 votes

Douglas, 10417 points

You can't, retroactively.

However, you can enable this feature to audit future events.

Important note: This answer is to show that this kind of auditing can be done and is in no way a guide or HOWTO for configuring or managing OpenBSM* on macOS. Configuring and managing OpenBSM is considerably outside the scope of an answer here on Ask Different.

By default, the OpenBSM audit tool is configured only for authentication events such as login and logout.

Looking at the configuration file /etc/security/audit/audit_control we see the following:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa                  <----------- What gets audited.
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

There are a number of configuration directives, which can be found in the FreeBSD BSM Audit Configuration section of the FreeBSD Handbook.

Also, OpenBSM is not configured for all users. Looking at /etc/security/audit_user we find only root is configured:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
#
root:lo:no

To see whether we can audit when a file is read, modify audit_control so it has the value flags:lo,aa,fr for "login/logout", "authentication/authorization" and "file read".

Next, add a user to audit in audit_user with the events we want to see (login and file read):

allan:lo:fr

Restart the service:

sudo audit -i

In a Terminal session, to watch the audit log being created in real time, issue the command

praudit -l /dev/auditpipe | grep test 

to see if it generates an event for when you read from a "test" file.

In a separate Terminal window:

$ touch test    #creates the file
$ cat test      #reads the file

Back in the first Terminal window we get a response:

sudo praudit -l /dev/auditpipe | grep test
Password:
header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,

There's the log entry.

Obviously, watching a "pipe" would be counterproductive and is only good for testing and demonstrations (like this example). The log files are stored in /var/audit and you can view them with the praudit command

sudo praudit -l /var/audit/XXXXXXXXXXXXX.XXXXXXXXXXXXXX

* OpenBSM is an open-source implementation of Sun's Basic Security Module (BSM) audit API and file format. OpenBSM is derived from the BSM audit implementation found in Apple's open-source Darwin operating system, which, on request, Apple relicensed under a BSD license to allow integration into FreeBSD and other systems. The BSM implementation in Darwin was created by McAfee Research under contract to Apple, and has since been extensively extended by the volunteer TrustedBSD team. OpenBSM is included in FreeBSD as of version 6.2, and has been announced as a feature of Mac OS X Snow Leopard.
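As an added example that is not part of the answer above, the following Python pass takes praudit -l records like the one shown, splits them into their tokens, and reports which files were successfully opened for reading, by which user, inside a given time window, which is what the original question is asking. The first sample record is the one from the answer; the other two records and the keyword-based token splitting are constructions/assumptions made here, not OpenBSM's own parser.

```python
"""Detection pass over praudit -l records: successful read-opens by user in a time window."""
from datetime import datetime

# Keywords that start a token in praudit -l output. Assumption: a subset of the OpenBSM
# token names; a path literally named e.g. "return" would confuse this keyword-based
# splitter, so treat it as a demonstration parser rather than a full BSM decoder.
TOKEN_KEYWORDS = {"header", "argument", "path", "attribute", "subject", "return", "trailer", "text"}

# First record is the one shown in the answer; the other two are constructed for illustration.
SAMPLE_RECORDS = """\
header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,
header,152,11,open(2) - read,0,Tue Nov  7 19:50:02 2017, + 12 msec,argument,2,0x0,flags,path,secrets.xlsx,path,/Users/allan/Documents/secrets.xlsx,attribute,100644,allan,staff,16777218,724999,0,subject,allan,allan,staff,allan,staff,1301,100007,50331650,0.0.0.0,return,success,4,trailer,152,
header,152,11,open(2) - read,0,Tue Nov  7 19:51:10 2017, + 3 msec,argument,2,0x0,flags,path,secrets.xlsx,path,/Users/allan/Documents/secrets.xlsx,attribute,100600,allan,staff,16777218,724999,0,subject,guest,guest,staff,guest,staff,1310,100008,50331651,0.0.0.0,return,failure : Permission denied,-1,trailer,152,
"""

def parse_record(line):
    """Split one praudit -l line into {token: [fields]}; every path token is kept in order."""
    rec, current = {"paths": []}, None
    for field in line.rstrip("\n").split(","):
        if field in TOKEN_KEYWORDS:
            current = []
            if field == "path":
                rec["paths"].append(current)
            else:
                rec.setdefault(field, current)  # first occurrence of a token wins
        elif current is not None:
            current.append(field)
    rec["paths"] = [p[0] for p in rec["paths"] if p]
    return rec

def summarize(rec):
    """Pull the fields a reviewer cares about out of a parsed record."""
    hdr = rec["header"]            # [len, version, event, modifier, date, " + N msec"]
    subj = rec.get("subject", [])  # [audit-uid, uid, gid, ruid, rgid, pid, sid, tid, addr]
    return {
        "time": datetime.strptime(hdr[4].strip(), "%a %b %d %H:%M:%S %Y"),
        "event": hdr[2],
        "user": subj[1] if len(subj) > 1 else None,
        "pid": int(subj[5]) if len(subj) > 5 else None,
        "path": rec["paths"][-1] if rec["paths"] else None,  # last path token is the absolute one
        "success": rec.get("return", [""])[0].startswith("success"),
    }

def successful_reads(text, start_iso, end_iso, prefix="/"):
    """Return [(iso_time, user, path)] for successful read-opens under prefix within [start, end]."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = []
    for line in text.splitlines():
        if not line.startswith("header,"):
            continue  # not an audit record (e.g. the "Password:" prompt in the session above)
        s = summarize(parse_record(line))
        if (s["event"].startswith("open(2) - read") and s["success"]
                and s["path"] and s["path"].startswith(prefix)
                and start <= s["time"] <= end):
            hits.append((s["time"].isoformat(), s["user"], s["path"]))
    return hits
```

The same function can be pointed at `praudit -l /var/audit/<file>` output saved to a text file, with the time window set to the period the laptop was unattended.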
