Find out whether files were exported from my MacBook

4

I left my laptop around colleagues for about 30-40 minutes. Can I find out whether any files were exported / opened from my laptop during that time?

11/5/17 3:12:09.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 3:13:10.325 PM Microsoft Word[1299]: open on /Users/rakanalami/Library/Group Containers/UBF8T346G9.Office/MicrosoftShipAssertLog_MSWD1299_Send.txt: File exists
11/5/17 3:15:16.302 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:16:00.429 PM BezelServices 255.10[98]: ASSERTION FAILED: result == 0 -[KeyboardALSAlgorithmLegacy setDriverSuppressed] line: 135
11/5/17 3:16:00.436 PM com.apple.usbmuxd[84]: notice    failed to get the v3 runloopsource
11/5/17 3:16:00.438 PM AirPlayUIAgent[288]: 2017-11-05 03:16:00.437362 PM [AirPlayUIAgent] BecomingInactive: NSWorkspaceWillSleepNotification
11/5/17 3:16:00.444 PM CommCenter[236]: Telling CSI to go low power.
11/5/17 3:16:00.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
11/5/17 3:16:00.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:00.529 PM sharingd[250]: 15:16:00.529 : BTLE scanner Powered Off
11/5/17 3:16:00.531 PM sharingd[250]: 15:16:00.530 : BTLE scanner Powered Off
11/5/17 3:16:00.559 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: notification observer: com.apple.iChat   notification: __CFNotification 0x7f83bae4e5f0 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.560 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: notification observer: com.apple.FaceTime   notification: __CFNotification 0x7fed39716020 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.573 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>:    NC Disabled: NO
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.572 : Purged contact hashes
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : Discoverable mode changed to Off
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : BTLE scanning stopped
11/5/17 3:16:00.588 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>:   DND Enabled: YES
11/5/17 3:16:00.589 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:00.589 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>:    NC Disabled: NO
11/5/17 3:16:00.589 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: notification observer: com.apple.iChat   notification: __CFNotification 0x7f83bac619c0 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.600 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>:   DND Enabled: YES
11/5/17 3:16:00.600 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:00.600 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>:    NC Disabled: NO
11/5/17 3:16:00.606 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>:   DND Enabled: YES
11/5/17 3:16:00.606 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:01.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:01.429 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_desktop_screenshot: authw 0x7fcd03b74800(2000), shield 0x7fcd031ae400(2001)
11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_lock_screen_screenshot: authw 0x7fcd03b74800(2000)[0, 0, 0, 0] shield 0x7fcd031ae400(2001), dev [1440,900]
11/5/17 3:16:01.785 PM WindowServer[177]: no sleep images for WillPowerOffWithImages
11/5/17 3:16:01.906 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
11/5/17 3:16:01.907 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
11/5/17 3:16:11.800 PM loginwindow[98]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
11/5/17 3:16:15.000 PM kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).
11/5/17 3:16:15.000 PM kernel[0]: en0: channel changed to 1
11/5/17 3:16:15.000 PM kernel[0]: en0::IO80211Interface::postMessage bssid changed
11/5/17 3:16:15.655 PM symptomsd[256]: -[NetworkAnalyticsEngine _writeJournalRecord:fromCellFingerprint:key:atLOI:ofKind:lqm:isFaulty:] Hashing of the primary key failed. Dropping the journal record.
11/5/17 3:16:15.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 3:16:18.000 PM kernel[0]: PM response took 3119 ms (56, powerd)
11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io(28)
11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io took 0 ms
11/5/17 3:16:18.000 PM kernel[0]: error 0xe00002db opening polled file
11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000280
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.048948: AirPort_Brcm43xx::powerChange: System Sleep 
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049000: IOPMPowerSource Information: onSleep,  SleepType: Deep Idle,  'ExternalConnected': No, 'TimeRemaining': 312, 
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049020: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:49:54.000 PM kernel[0]: en0: channel changed to 1
11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1659 us
11/5/17 3:49:54.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.634907: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
11/5/17 3:49:54.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.650861: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
11/5/17 3:49:54.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:20.000 PM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
11/5/17 3:49:54.000 PM kernel[0]: Wake reason: EC.LidOpen (User)
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000320
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 3:49:54.000 PM kernel[0]: Previous sleep cause: 5
11/5/17 3:49:54.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
11/5/17 3:49:54.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 3:49:54.007 PM CommCenter[236]: Telling CSI to exit low power.
11/5/17 3:49:54.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
11/5/17 3:49:54.033 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:49:54.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0

Hi, I have now found more logs; can someone tell me whether a USB device was used to extract files in these logs?

11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.298447: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1670 us
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
11/5/17 1:02:24.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.316263: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 10:02:23.000 AM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
11/5/17 1:02:24.000 PM kernel[0]: Wake reason: EC.SleepTimer (SleepTimer)
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 1:02:24.000 PM kernel[0]: Previous sleep cause: 5
11/5/17 1:02:24.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
11/5/17 1:02:24.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 1:02:24.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 180137 us
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 1 milliseconds
11/5/17 1:02:24.248 PM hidd[102]: [HID] [MT] MTSimpleHIDManager::deviceDidBootload device bootloaded
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: TBT W (2): 0x0100 [x]
11/5/17 1:02:24.000 PM kernel[0]: en0: channel changed to 1
11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Up on awdl0
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490079: AirPort_Brcm43xx::powerChange: System Wake - Full Wake/ Dark Wake / Maintenance wake
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490134: IOPMPowerSource Information: onWake,  SleepType: Deep Idle,  'ExternalConnected': No, 'TimeRemaining': 17276, 
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490266: AirPort_Brcm43xx::platformWoWEnable: WWEN[disable]
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b093840b3 has no prefix
11/5/17 1:02:24.632 PM UserEventAgent[46]: Captive: CNPluginHandler en0: Inactive
11/5/17 1:02:24.637 PM configd[55]: network changed: v4(en0-:172.20.10.3) DNS- Proxy-
11/5/17 1:02:24.637 PM Dock[240]: -[UABestAppSuggestionManager notifyBestAppChanged:type:options:bundleIdentifier:activityType:dynamicIdentifier:when:confidence:deviceName:deviceIdentifier:deviceType:] (null) UASuggestedActionType=0 (null)/(null) opts=(null) when=2017-11-05 11:02:24 +0000 confidence=1 from=(null)/(null) (UABestAppSuggestionManager.m #319)
11/5/17 1:02:24.000 PM kernel[0]: PM response took 153 ms (56, powerd)
11/5/17 1:02:24.802 PM cdpd[539]: Saw change in network reachability (isReachable=0)
11/5/17 1:02:24.804 PM netbiosd[1945]: network_reachability_changed : network is not reachable, netbiosd is shutting down
11/5/17 1:02:24.809 PM symptomsd[256]: __73-[NetworkAnalyticsEngine observeValueForKeyPath:ofObject:change:context:]_block_invoke unexpected switch value 2
11/5/17 1:02:24.881 PM SubmitDiagInfo[2158]: Triggering diganostics messages cleanup
11/5/17 1:02:25.024 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.025 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.026 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.038 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.043 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.046 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.050 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.000 PM kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 3
11/5/17 1:02:26.000 PM kernel[0]: PM response took 1374 ms (56, powerd)
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096547: AirPort_Brcm43xx::powerChange: System Sleep 
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096595: IOPMPowerSource Information: onSleep,  SleepType: Standby,  'ExternalConnected': No, 'TimeRemaining': 17276, 
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096612: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
11/5/17 1:02:26.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340

posted by Rakan Alami 07.11.2017 - 09:46
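The system.log extract pasted above mixes hundreds of routine daemon lines with a handful that describe what the machine was doing: the "System Sleep" and "Wake reason" lines bracket the time the lid was closed and reopened, and the kernel logs a "USBMSC Identifier" line when a USB mass-storage device enumerates. The script below is an added example, not part of the original question or of any answer: it filters those lines out of a log on stdin, counts them by kind, and pairs each sleep with the next wake to report how long the machine was asleep. The function names are my own, and SAMPLE_LOG is a constructed extract modelled on the lines quoted in the question (it assumes lines in chronological order that do not cross midnight).

```shell
#!/bin/sh
# Added example, not code from the question or an answer: triage a macOS
# system.log extract for sleep, wake and USB mass-storage events, and
# report how long each sleep lasted. SAMPLE_LOG is constructed, modelled on
# the lines quoted in the question.

SAMPLE_LOG='11/5/17 3:13:10.325 PM Microsoft Word[1299]: open on /Users/example/Library/Group Containers/UBF8T346G9.Office/MicrosoftShipAssertLog_MSWD1299_Send.txt: File exists
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.048948: AirPort_Brcm43xx::powerChange: System Sleep
11/5/17 3:49:54.000 PM kernel[0]: Wake reason: EC.LidOpen (User)
11/5/17 1:02:25.000 PM kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 3'

# Read system.log lines on stdin; print "timestamp|kind|detail" for the
# events of interest. The timestamp is the first three fields (date, time, AM/PM).
power_events() {
    awk '
        { ts = $1 " " $2 " " $3 }
        /powerChange: System Sleep/ { print ts "|sleep|System Sleep"; next }
        /Wake reason:/ { sub(/.*Wake reason: /, ""); print ts "|wake|" $0; next }
        /USBMSC Identifier/ { sub(/.*USBMSC Identifier/, "USBMSC Identifier"); print ts "|usb-storage|" $0; next }
    '
}

# Count events of one kind (sleep, wake, usb-storage) in the log on stdin.
count_events() {
    power_events | awk -F'|' -v kind="$1" '$2 == kind { n++ } END { print n + 0 }'
}

# Pair each sleep with the following wake and print the gap in seconds.
# Assumes chronological order and no midnight crossing (constructed sample).
sleep_gaps() {
    power_events | awk -F'|' '
        function secs(t, ap,   a, h) {
            split(t, a, ":"); h = a[1] + 0
            if (ap == "PM" && h < 12) h += 12
            if (ap == "AM" && h == 12) h = 0
            return h * 3600 + a[2] * 60 + a[3]
        }
        { split($1, p, " "); t = secs(p[2], p[3]) }
        $2 == "sleep" { st = t; sts = $1 }
        $2 == "wake" && sts != "" { printf "sleep %s -> wake %s [%s]: %d s\n", sts, $1, $3, t - st; sts = "" }
    '
}

# Stand-alone run: timeline of the sample, then the sleep gaps.
printf '%s\n' "$SAMPLE_LOG" | power_events
printf '%s\n' "$SAMPLE_LOG" | sleep_gaps
```

On a real machine the same functions take the log from a file, for example `power_events < /var/log/system.log`; on the sample, `sleep_gaps` reports a 2016 s (33 min 36 s) sleep ending with the lid-open wake.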

1 answer

2

You can't, retroactively.

However, you can enable this feature to audit future events.

Important note: this answer is to show that this kind of auditing can be done and is in no way a guide or HOWTO for setting up or managing OpenBSM* on macOS. Configuring and managing OpenBSM is well outside the scope of an answer here on Ask Different.

By default, the OpenBSM auditing tool is set up only for authentication events such as login and logout.

Looking at the configuration file /etc/security/audit/audit_control we see the following:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa                  <----------- What gets audited.
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

There are many configuration directives, which can be found in the Audit Config section of the FreeBSD BSM chapter of the FreeBSD Handbook.

Also, OpenBSM is not configured per user. Looking at /etc/security/audit_user we find only root configured:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
#
root:lo:no

To see whether we can audit when a file is read, edit audit_control so that it has the value flags:lo,aa,fr for "login / logout", "authentication / authorization" and "file read".

Then add a user to auditing in the audit_user file with the events we want to see (login and file read):

allan:lo:fr

Restart the service:

sudo audit -i

In a Terminal session, to view the audit log in real time as it is created, issue the command

praudit -l /dev/auditpipe | grep test 

to see whether it will generate an event when I read from a file "test".

In a separate Terminal window:

$ touch test    #creates the file
$ cat test      #reads the file

Back in the first Terminal window we get a response:

sudo praudit -l /dev/auditpipe | grep test
Password:
header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,

There is the log entry.

Obviously watching a "pipe" would be counterproductive and is only good for tests and demos (like this example). The log files are stored in the /var/audit directory and you can view them with the praudit command

sudo praudit -l /var/audit/XXXXXXXXXXXXX.XXXXXXXXXXXXXX

* OpenBSM is an open source implementation of Sun's Basic Security Module (BSM) audit API and file format. OpenBSM is derived from the BSM audit implementation found in Apple's open source Darwin operating system, which, on request, Apple relicensed under a BSD license to allow integration into FreeBSD and other systems. The Darwin BSM implementation was created by McAfee Research under contract to Apple, and has since been extensively extended by the TrustedBSD volunteer team. OpenBSM is included in FreeBSD 6.2 and later and was announced as a feature of Mac OS X Snow Leopard.


answered 08.11.2017 - 02:01
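The answer pipes `praudit -l` through `grep test`, which matches the word anywhere in the record, including a user name or an unrelated path. The script below is an added example, not part of the answer or of OpenBSM: it parses the comma-separated tokens that `praudit -l` prints (header, path, subject, return, as laid out in the record quoted in the answer) into one summary line per record, and then keeps only successful open-for-read records whose resolved path lies under a given directory. The function names are my own; SAMPLE_RECORD is the record quoted in the answer, and the token field counts assumed here are taken from that record.

```shell
#!/bin/sh
# Added example, not code from the answer: parse `praudit -l` records and
# filter file-read events on the path token rather than on the whole line.
# SAMPLE_RECORD is the record quoted in the answer above.

SAMPLE_RECORD='header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,'

# Read praudit -l records on stdin; print one line per record:
#   <event>|<time>|<audit user>|<last path token>|<return status>
# The last path token is the resolved absolute path (the first is the
# argument as passed to open(2)). Token widths follow the sample record.
summarize_records() {
    awk -F',' '
        {
            event = ""; when = ""; who = ""; path = ""; ret = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "header")         { event = $(i+3); when = $(i+5); i += 6 }
                else if ($i == "argument")  { i += 3 }
                else if ($i == "path")      { path = $(i+1); i += 1 }
                else if ($i == "attribute") { i += 6 }
                else if ($i == "subject")   { who = $(i+1); i += 9 }
                else if ($i == "return")    { ret = $(i+1); i += 2 }
            }
            if (event != "") print event "|" when "|" who "|" path "|" ret
        }
    '
}

# Keep only successful open-for-read records whose resolved path starts
# with the directory prefix in $1, e.g. reads_under /Users/allan
reads_under() {
    summarize_records | awk -F'|' -v pre="$1" \
        '$1 == "open(2) - read" && $5 == "success" && index($4, pre) == 1'
}

# Stand-alone run on the sample record.
printf '%s\n' "$SAMPLE_RECORD" | reads_under /Users/allan
```

In the answer's own setup this replaces the grep: `sudo praudit -l /dev/auditpipe | reads_under /Users/allan` for the live pipe, or `sudo praudit -l /var/audit/<trail file> | reads_under /Users/allan` for a stored trail.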
