Find out whether any file was exported from my MacBook

I left my laptop with colleagues for about 30-40 minutes. Can I tell whether any file was exported / opened from my laptop during that time?

 11/5/17 3:12:09.000 PM syslogd[47]: ASL Sender Statistics
 11/5/17 3:13:10.325 PM Microsoft Word[1299]: open on /Users/rakanalami/Library/Group Containers/UBF8T346G9.Office/MicrosoftShipAssertLog_MSWD1299_Send.txt: File exists
 11/5/17 3:15:16.302 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
 11/5/17 3:16:00.429 PM BezelServices 255.10[98]: ASSERTION FAILED: result == 0 -[KeyboardALSAlgorithmLegacy setDriverSuppressed] line: 135
 11/5/17 3:16:00.436 PM com.apple.usbmuxd[84]: notice failed to get the v3 runloopsource
 11/5/17 3:16:00.438 PM AirPlayUIAgent[288]: 2017-11-05 03:16:00.437362 PM [AirPlayUIAgent] BecomingInactive: NSWorkspaceWillSleepNotification
 11/5/17 3:16:00.444 PM CommCenter[236]: Telling CSI to go low power.
 11/5/17 3:16:00.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
 11/5/17 3:16:00.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
 11/5/17 3:16:00.529 PM sharingd[250]: 15:16:00.529 : BTLE scanner Powered Off
 11/5/17 3:16:00.531 PM sharingd[250]: 15:16:00.530 : BTLE scanner Powered Off
 11/5/17 3:16:00.559 PM identityservicesd[255]: : notification observer: com.apple.iChat notification: __CFNotification 0x7f83bae4e5f0 {name = _NSDoNotDisturbEnabledNotification}
 11/5/17 3:16:00.560 PM imagent[289]: : notification observer: com.apple.FaceTime notification: __CFNotification 0x7fed39716020 {name = _NSDoNotDisturbEnabledNotification}
 11/5/17 3:16:00.573 PM identityservicesd[255]: : NC Disabled: NO
 11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.572 : Purged contact hashes
 11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : Discoverable mode changed to Off
 11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : BTLE scanning stopped
 11/5/17 3:16:00.588 PM identityservicesd[255]: : DND Enabled: YES
 11/5/17 3:16:00.589 PM identityservicesd[255]: : Updating enabled: NO (Topics: ( ))
 11/5/17 3:16:00.589 PM imagent[289]: : NC Disabled: NO
 11/5/17 3:16:00.589 PM identityservicesd[255]: : notification observer: com.apple.iChat notification: __CFNotification 0x7f83bac619c0 {name = _NSDoNotDisturbEnabledNotification}
 11/5/17 3:16:00.600 PM imagent[289]: : DND Enabled: YES
 11/5/17 3:16:00.600 PM imagent[289]: : Updating enabled: NO (Topics: ( ))
 11/5/17 3:16:00.600 PM identityservicesd[255]: : NC Disabled: NO
 11/5/17 3:16:00.606 PM identityservicesd[255]: : DND Enabled: YES
 11/5/17 3:16:00.606 PM identityservicesd[255]: : Updating enabled: NO (Topics: ( ))
 11/5/17 3:16:01.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
 11/5/17 3:16:01.429 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
 11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_desktop_screenshot: authw 0x7fcd03b74800(2000), shield 0x7fcd031ae400(2001)
 11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_lock_screen_screenshot: authw 0x7fcd03b74800(2000)[0, 0, 0, 0] shield 0x7fcd031ae400(2001), dev [1440,900]
 11/5/17 3:16:01.785 PM WindowServer[177]: no sleep images for WillPowerOffWithImages
 11/5/17 3:16:01.906 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
 11/5/17 3:16:01.907 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
 11/5/17 3:16:11.800 PM loginwindow[98]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
 11/5/17 3:16:15.000 PM kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).
 11/5/17 3:16:15.000 PM kernel[0]: en0: channel changed to 1
 11/5/17 3:16:15.000 PM kernel[0]: en0::IO80211Interface::postMessage bssid changed
 11/5/17 3:16:15.655 PM symptomsd[256]: -[NetworkAnalyticsEngine _writeJournalRecord:fromCellFingerprint:key:atLOI:ofKind:lqm:isFaulty:] Hashing of the primary key failed. Dropping the journal record.
 11/5/17 3:16:15.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
 11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
 11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
 11/5/17 3:16:18.000 PM kernel[0]: PM response took 3119 ms (56, powerd)
 11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io(28)
 11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io took 0 ms
 11/5/17 3:16:18.000 PM kernel[0]: error 0xe00002db opening polled file
 11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000280
 11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.048948: AirPort_Brcm43xx::powerChange: System Sleep
 11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049000: IOPMPowerSource Information: onSleep, SleepType: Deep Idle, 'ExternalConnected': No, 'TimeRemaining': 312,
 11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049020: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
 11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
 11/5/17 3:49:54.000 PM kernel[0]: en0: channel changed to 1
 11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1659 us
 11/5/17 3:49:54.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
 11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.634907: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
 11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
 11/5/17 3:49:54.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
 11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.650861: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
 11/5/17 3:49:54.000 PM kernel[0]: IOThunderboltSwitch(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
 11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
 11/5/17 3:16:20.000 PM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
 11/5/17 3:49:54.000 PM kernel[0]: Wake reason: EC.LidOpen (User)
 11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000320
 11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
 11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
 11/5/17 3:49:54.000 PM kernel[0]: Previous sleep cause: 5
 11/5/17 3:49:54.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
 11/5/17 3:49:54.000 PM syslogd[47]: ASL Sender Statistics
 11/5/17 3:49:54.007 PM CommCenter[236]: Telling CSI to exit low power.
 11/5/17 3:49:54.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
 11/5/17 3:49:54.033 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
 11/5/17 3:49:54.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
 11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
 11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
 11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
 11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0

Hi, I have now found more logs. Can anyone tell me whether a USB drive was used to extract files in these logs?

 11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
 11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.298447: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
 11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1670 us
 11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
 11/5/17 1:02:24.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
 11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.316263: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
 11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
 11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
 11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
 11/5/17 10:02:23.000 AM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
 11/5/17 1:02:24.000 PM kernel[0]: Wake reason: EC.SleepTimer (SleepTimer)
 11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
 11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
 11/5/17 1:02:24.000 PM kernel[0]: Previous sleep cause: 5
 11/5/17 1:02:24.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
 11/5/17 1:02:24.000 PM syslogd[47]: ASL Sender Statistics
 11/5/17 1:02:24.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
 11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
 11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
 11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
 11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 180137 us
 11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 1 milliseconds
 11/5/17 1:02:24.248 PM hidd[102]: [HID] [MT] MTSimpleHIDManager::deviceDidBootload device bootloaded
 11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
 11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
 11/5/17 1:02:24.000 PM kernel[0]: TBT W (2): 0x0100 [x]
 11/5/17 1:02:24.000 PM kernel[0]: en0: channel changed to 1
 11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Up on awdl0
 11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490079: AirPort_Brcm43xx::powerChange: System Wake - Full Wake/ Dark Wake / Maintenance wake
 11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490134: IOPMPowerSource Information: onWake, SleepType: Deep Idle, 'ExternalConnected': No, 'TimeRemaining': 17276,
 11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490266: AirPort_Brcm43xx::platformWoWEnable: WWEN[disable]
 11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
 11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
 11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b093840b3 has no prefix
 11/5/17 1:02:24.632 PM UserEventAgent[46]: Captive: CNPluginHandler en0: Inactive
 11/5/17 1:02:24.637 PM configd[55]: network changed: v4(en0-:172.20.10.3) DNS- Proxy-
 11/5/17 1:02:24.637 PM Dock[240]: -[UABestAppSuggestionManager notifyBestAppChanged:type:options:bundleIdentifier:activityType:dynamicIdentifier:when:confidence:deviceName:deviceIdentifier:deviceType:] (null) UASuggestedActionType=0 (null)/(null) opts=(null) when=2017-11-05 11:02:24 +0000 confidence=1 from=(null)/(null) (UABestAppSuggestionManager.m #319)
 11/5/17 1:02:24.000 PM kernel[0]: PM response took 153 ms (56, powerd)
 11/5/17 1:02:24.802 PM cdpd[539]: Saw change in network reachability (isReachable=0)
 11/5/17 1:02:24.804 PM netbiosd[1945]: network_reachability_changed : network is not reachable, netbiosd is shutting down
 11/5/17 1:02:24.809 PM symptomsd[256]: __73-[NetworkAnalyticsEngine observeValueForKeyPath:ofObject:change:context:]_block_invoke unexpected switch value 2
 11/5/17 1:02:24.881 PM SubmitDiagInfo[2158]: Triggering diganostics messages cleanup
 11/5/17 1:02:25.024 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
 11/5/17 1:02:25.025 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
 11/5/17 1:02:25.026 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
 11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
 11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
 11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
 11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
 11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
 11/5/17 1:02:25.038 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
 11/5/17 1:02:25.043 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
 11/5/17 1:02:25.046 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
 11/5/17 1:02:25.050 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
 11/5/17 1:02:25.000 PM kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 3
 11/5/17 1:02:26.000 PM kernel[0]: PM response took 1374 ms (56, powerd)
 11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096547: AirPort_Brcm43xx::powerChange: System Sleep
 11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096595: IOPMPowerSource Information: onSleep, SleepType: Standby, 'ExternalConnected': No, 'TimeRemaining': 17276,
 11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096612: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
 11/5/17 1:02:26.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340

You can't, retroactively.

You can, however, turn this feature on to audit future events.

Important note: this answer is meant to show that this kind of auditing can be done and is in no way a guide or HOWTO for configuring or managing OpenBSM* on macOS. Configuring and administering OpenBSM is well outside the scope of an answer here on Ask Different.


By default, the OpenBSM audit facility is configured only for authentication events such as login and logout.

Looking at the configuration file /etc/security/audit/audit_control we see the following:

 #
 # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
 #
 dir:/var/audit
 flags:lo,aa          <----------- What gets audited.
 minfree:5
 naflags:lo,aa
 policy:cnt,argv
 filesz:2M
 expire-after:10M
 superuser-set-sflags-mask:has_authenticated,has_console_access
 superuser-clear-sflags-mask:has_authenticated,has_console_access
 member-set-sflags-mask:
 member-clear-sflags-mask:has_authenticated

There are a number of configuration directives, which can be found in the FreeBSD BSM Audit Configuration section of the FreeBSD Handbook.

Also, OpenBSM is not configured for all users. Looking at /etc/security/audit_user we find that only root is configured:

 #
 # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
 #
 root:lo:no

To see whether we can audit when a file is read, modify audit_control so that the flags line has the value flags:lo,aa,fr, for "login/logout", "authentication/authorization" and "file read".

Then add a user to audit in the audit_user file with the events we want to see (login and file read):

 allan:lo:fr 

Restart the service:

 sudo audit -i 

In a Terminal session, to watch the audit log being generated in real time, run the command

 sudo praudit -l /dev/auditpipe | grep test

to see whether it generates an event when the "test" file is read.

In a separate Terminal window:

 $ touch test   # creates the file
 $ cat test     # reads the file

Back in the first Terminal window we get a response:

 sudo praudit -l /dev/auditpipe | grep test
 Password:
 header,140,11,open(2) - read,0,Tue Nov 7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,

There's the log entry.

Obviously, watching a "pipe" would be counterproductive and is only good for testing and demonstrations (like this example). The log files are stored in the /var/audit directory and you can view them with the praudit command

 sudo praudit -l /var/audit/XXXXXXXXXXXXX.XXXXXXXXXXXXXX 

* OpenBSM is an open-source implementation of Sun's Basic Security Module (BSM) audit API and file format. OpenBSM is derived from the BSM audit implementation found in Apple's open-source Darwin operating system, which, on request, Apple licensed under a BSD license to allow integration into FreeBSD and other systems. Darwin's BSM implementation was created by McAfee Research under contract with Apple, and has since been extensively extended by the volunteer TrustedBSD team. OpenBSM is included in FreeBSD from version 6.2 onward, and has been announced as a feature of Mac OS X Snow Leopard.
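Once the trail in /var/audit exists, the practical question behind this thread ("was anything of mine opened while I was away?") becomes a filter over praudit output: records of a given user, of the open(2) family, that succeeded, inside a time window. The following script is an added example and is not part of the answer above or of OpenBSM. It parses the comma-delimited `praudit -l` record format shown in the answer (one record per line, each token introduced by its name and followed by a fixed number of fields; the field counts are taken from that record) and applies exactly that filter. The sample records are constructed: the first is the record from the answer, the other three are made up in the same shape so the filter has something to reject. `praudit -x` (XML output) is the safer choice if pathnames may contain commas.

```python
"""Sift `praudit -l` output for successful file opens by one user in a time window.

Added example for this answer; it is not part of the original post or of
OpenBSM. `praudit -l` prints one record per line as comma-separated tokens,
each starting with its token name (header, argument, path, attribute, subject,
return, trailer, ...) followed by a fixed number of fields. The field counts
below match the record shown in the answer; a record with a token this table
does not know is skipped rather than guessed at.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Fields that follow each token name in `praudit -l` output.
TOKEN_FIELDS = {
    "header": 6,     # record length, version, event name, modifier, time, "+ N msec"
    "argument": 3,   # argument number, value, description
    "path": 1,       # pathname (as passed to the call, then the resolved absolute path)
    "attribute": 6,  # mode, owner, group, fsid, node id, device
    "subject": 9,    # audit uid, uid, gid, ruid, rgid, pid, session id, port, address
    "return": 2,     # status text, return value
    "exit": 2,       # status, return value
    "text": 1,       # free text
    "trailer": 1,    # record length
}


@dataclass
class AuditEvent:
    event: str = ""
    when: datetime = None
    user: str = ""
    pid: int = 0
    status: str = ""
    paths: list = field(default_factory=list)


def parse_record(line: str):
    """Turn one `praudit -l` line into an AuditEvent, or None if it cannot be parsed.

    Caveat: a pathname containing a comma derails this tokeniser; use
    `praudit -x` (XML output) when that is a concern.
    """
    fields = line.strip().rstrip(",").split(",")
    ev = AuditEvent()
    i = 0
    while i < len(fields):
        name = fields[i]
        n = TOKEN_FIELDS.get(name)
        if n is None or i + n >= len(fields):
            return None
        args = fields[i + 1:i + 1 + n]
        if name == "header":
            ev.event = args[2]
            # e.g. "Tue Nov  7 19:44:45 2017"; collapse the padding before the day
            ev.when = datetime.strptime(" ".join(args[4].split()), "%a %b %d %H:%M:%S %Y")
        elif name == "path":
            ev.paths.append(args[0])
        elif name == "subject":
            ev.user = args[0]   # audit uid: fixed at login and kept across su/sudo
            ev.pid = int(args[5])
        elif name == "return":
            ev.status = args[0]
        i += 1 + n
    return ev if ev.event and ev.when else None


def file_opens(text: str, user: str, start: datetime, end: datetime):
    """Successful open(2) records for `user` with start <= time < end, oldest first."""
    hits = []
    for line in text.splitlines():
        ev = parse_record(line)
        if ev is None or ev.user != user or ev.status != "success":
            continue
        if not ev.event.startswith("open(2)") or not (start <= ev.when < end):
            continue
        hits.append(ev)
    hits.sort(key=lambda e: e.when)
    return hits


# Constructed sample: the first record is the one from the answer above; the
# other three are made up in the same shape (one outside the window, one
# failed open) so the filter has something to reject.
SAMPLE = """\
header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,
header,166,11,open(2) - read,0,Tue Nov  7 19:50:12 2017, + 41 msec,argument,2,0x0,flags,path,Documents/budget.xlsx,path,/Users/allan/Documents/budget.xlsx,attribute,100644,allan,staff,16777218,730011,0,subject,allan,allan,staff,allan,staff,1310,100007,50331650,0.0.0.0,return,success,4,trailer,166,
header,146,11,open(2) - read,0,Tue Nov  7 20:30:00 2017, + 5 msec,argument,2,0x0,flags,path,notes.txt,path,/Users/allan/notes.txt,attribute,100644,allan,staff,16777218,740100,0,subject,allan,allan,staff,allan,staff,1402,100007,50331650,0.0.0.0,return,success,3,trailer,146,
header,120,11,open(2) - read,0,Tue Nov  7 19:52:03 2017, + 9 msec,argument,2,0x0,flags,path,/etc/master.passwd,subject,allan,allan,staff,allan,staff,1311,100007,50331650,0.0.0.0,return,failure : Permission denied,-1,trailer,120,
"""


def demo():
    """Opens by allan between 19:40 and 20:00 on the day of the sample records."""
    return file_opens(SAMPLE, "allan",
                      datetime(2017, 11, 7, 19, 40), datetime(2017, 11, 7, 20, 0))


if __name__ == "__main__":
    for ev in demo():
        print(ev.when.isoformat(), ev.pid, ev.event, ev.paths[-1])
```

In real use the `text` argument would be the output of `sudo praudit -l /var/audit/<trail file>` for the trail covering the absence, with `user` set to the account that was logged in and the window set to the time the machine was out of your hands. The filter keys on the audit uid rather than the effective uid so that an opener who switched identity with su or sudo is still attributed to the session that did it, and it drops failed opens, since those say what was attempted but not what was read.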