Find out whether files were exported from my MacBook

4

I left my laptop with colleagues for about 30-40 minutes. Can I find out whether any file was exported/opened from my laptop during that time?

11/5/17 3:12:09.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 3:13:10.325 PM Microsoft Word[1299]: open on /Users/rakanalami/Library/Group Containers/UBF8T346G9.Office/MicrosoftShipAssertLog_MSWD1299_Send.txt: File exists
11/5/17 3:15:16.302 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:16:00.429 PM BezelServices 255.10[98]: ASSERTION FAILED: result == 0 -[KeyboardALSAlgorithmLegacy setDriverSuppressed] line: 135
11/5/17 3:16:00.436 PM com.apple.usbmuxd[84]: notice    failed to get the v3 runloopsource
11/5/17 3:16:00.438 PM AirPlayUIAgent[288]: 2017-11-05 03:16:00.437362 PM [AirPlayUIAgent] BecomingInactive: NSWorkspaceWillSleepNotification
11/5/17 3:16:00.444 PM CommCenter[236]: Telling CSI to go low power.
11/5/17 3:16:00.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
11/5/17 3:16:00.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:00.529 PM sharingd[250]: 15:16:00.529 : BTLE scanner Powered Off
11/5/17 3:16:00.531 PM sharingd[250]: 15:16:00.530 : BTLE scanner Powered Off
11/5/17 3:16:00.559 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: notification observer: com.apple.iChat   notification: __CFNotification 0x7f83bae4e5f0 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.560 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: notification observer: com.apple.FaceTime   notification: __CFNotification 0x7fed39716020 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.573 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>:    NC Disabled: NO
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.572 : Purged contact hashes
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : Discoverable mode changed to Off
11/5/17 3:16:00.573 PM sharingd[250]: 15:16:00.573 : BTLE scanning stopped
11/5/17 3:16:00.588 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>:   DND Enabled: YES
11/5/17 3:16:00.589 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bac3ed60>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:00.589 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>:    NC Disabled: NO
11/5/17 3:16:00.589 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: notification observer: com.apple.iChat   notification: __CFNotification 0x7f83bac619c0 {name = _NSDoNotDisturbEnabledNotification}
11/5/17 3:16:00.600 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>:   DND Enabled: YES
11/5/17 3:16:00.600 PM imagent[289]: <IMMacNotificationCenterManager: 0x7fed3971bae0>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:00.600 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>:    NC Disabled: NO
11/5/17 3:16:00.606 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>:   DND Enabled: YES
11/5/17 3:16:00.606 PM identityservicesd[255]: <IMMacNotificationCenterManager: 0x7f83bae6eb70>: Updating enabled: NO   (Topics: (
))
11/5/17 3:16:01.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:01.429 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_desktop_screenshot: authw 0x7fcd03b74800(2000), shield 0x7fcd031ae400(2001)
11/5/17 3:16:01.595 PM WindowServer[177]: device_generate_lock_screen_screenshot: authw 0x7fcd03b74800(2000)[0, 0, 0, 0] shield 0x7fcd031ae400(2001), dev [1440,900]
11/5/17 3:16:01.785 PM WindowServer[177]: no sleep images for WillPowerOffWithImages
11/5/17 3:16:01.906 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
11/5/17 3:16:01.907 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.98" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
11/5/17 3:16:11.800 PM loginwindow[98]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
11/5/17 3:16:15.000 PM kernel[0]: AirPort: Link Down on en0. Reason 8 (Disassociated because station leaving).
11/5/17 3:16:15.000 PM kernel[0]: en0: channel changed to 1
11/5/17 3:16:15.000 PM kernel[0]: en0::IO80211Interface::postMessage bssid changed
11/5/17 3:16:15.655 PM symptomsd[256]: -[NetworkAnalyticsEngine _writeJournalRecord:fromCellFingerprint:key:atLOI:ofKind:lqm:isFaulty:] Hashing of the primary key failed. Dropping the journal record.
11/5/17 3:16:15.000 PM kernel[0]: Setting BTCoex Config: enable_2G:1, profile_2g:0, enable_5G:1, profile_5G:0
11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:16:16.743 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 3:16:18.000 PM kernel[0]: PM response took 3119 ms (56, powerd)
11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io(28)
11/5/17 3:16:18.000 PM kernel[0]: kern_open_file_for_direct_io took 0 ms
11/5/17 3:16:18.000 PM kernel[0]: error 0xe00002db opening polled file
11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000280
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.048948: AirPort_Brcm43xx::powerChange: System Sleep 
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049000: IOPMPowerSource Information: onSleep,  SleepType: Deep Idle,  'ExternalConnected': No, 'TimeRemaining': 312, 
11/5/17 3:16:18.000 PM kernel[0]: ARPT: 15988.049020: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
11/5/17 3:16:18.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:49:54.000 PM kernel[0]: en0: channel changed to 1
11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1659 us
11/5/17 3:49:54.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.634907: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
11/5/17 3:49:54.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
11/5/17 3:49:54.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
11/5/17 3:49:54.000 PM kernel[0]: ARPT: 15988.650861: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
11/5/17 3:49:54.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:16:20.000 PM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
11/5/17 3:49:54.000 PM kernel[0]: Wake reason: EC.LidOpen (User)
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000320
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 3:49:54.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 3:49:54.000 PM kernel[0]: Previous sleep cause: 5
11/5/17 3:49:54.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
11/5/17 3:49:54.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 3:49:54.007 PM CommCenter[236]: Telling CSI to exit low power.
11/5/17 3:49:54.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
11/5/17 3:49:54.033 PM WindowServer[177]: send_datagram_available_ping: pid 420 failed to act on a ping it dequeued before timing out.
11/5/17 3:49:54.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 3:49:54.046 PM ntpd[196]: sigio_handler: sigio_handler_active != 0

Hi, I have now found more logs. Can anyone tell me whether a USB was used to extract files in these logs?

11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Down on awdl0. Reason 1 (Unspecified).
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.298447: wl0: leaveModulePoweredForOffloads: Wi-Fi will turn off.
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 1670 us
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 0 milliseconds
11/5/17 1:02:24.000 PM kernel[0]: Bluetooth -- LE is supported - Disable LE meta event
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15118.316263: AirPort_Brcm43xx::syncPowerState: WWEN[disabled]
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 10:02:23.000 AM kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 2
11/5/17 1:02:24.000 PM kernel[0]: Wake reason: EC.SleepTimer (SleepTimer)
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 1:02:24.000 PM kernel[0]: Previous sleep cause: 5
11/5/17 1:02:24.000 PM kernel[0]: AppleIntelLpssSpiController1::_reset: fDmacService is NULL
11/5/17 1:02:24.000 PM syslogd[47]: ASL Sender Statistics
11/5/17 1:02:24.000 PM kernel[0]: AppleHSSPIController::HandleMessage Device Wake by Host
11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b09384893 has no prefix
11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 1
11/5/17 1:02:24.030 PM ntpd[196]: sigio_handler: sigio_handler_active != 0
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 180137 us
11/5/17 1:02:24.000 PM kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 1 milliseconds
11/5/17 1:02:24.248 PM hidd[102]: [HID] [MT] MTSimpleHIDManager::deviceDidBootload device bootloaded
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 11 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: IOThunderboltSwitch<0>(0x0)::listenerCallback - Thunderbolt HPD packet for route = 0x0 port = 12 unplug = 0
11/5/17 1:02:24.000 PM kernel[0]: TBT W (2): 0x0100 [x]
11/5/17 1:02:24.000 PM kernel[0]: en0: channel changed to 1
11/5/17 1:02:24.000 PM kernel[0]: AirPort: Link Up on awdl0
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490079: AirPort_Brcm43xx::powerChange: System Wake - Full Wake/ Dark Wake / Maintenance wake
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490134: IOPMPowerSource Information: onWake,  SleepType: Deep Idle,  'ExternalConnected': No, 'TimeRemaining': 17276, 
11/5/17 1:02:24.000 PM kernel[0]: ARPT: 15120.490266: AirPort_Brcm43xx::platformWoWEnable: WWEN[disable]
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
11/5/17 1:02:24.000 PM kernel[0]: AppleCamIn::wakeEventHandlerThread
11/5/17 1:02:24.000 PM kernel[0]: in6_unlink_ifa: IPv6 address 0xf0fcb63b093840b3 has no prefix
11/5/17 1:02:24.632 PM UserEventAgent[46]: Captive: CNPluginHandler en0: Inactive
11/5/17 1:02:24.637 PM configd[55]: network changed: v4(en0-:172.20.10.3) DNS- Proxy-
11/5/17 1:02:24.637 PM Dock[240]: -[UABestAppSuggestionManager notifyBestAppChanged:type:options:bundleIdentifier:activityType:dynamicIdentifier:when:confidence:deviceName:deviceIdentifier:deviceType:] (null) UASuggestedActionType=0 (null)/(null) opts=(null) when=2017-11-05 11:02:24 +0000 confidence=1 from=(null)/(null) (UABestAppSuggestionManager.m #319)
11/5/17 1:02:24.000 PM kernel[0]: PM response took 153 ms (56, powerd)
11/5/17 1:02:24.802 PM cdpd[539]: Saw change in network reachability (isReachable=0)
11/5/17 1:02:24.804 PM netbiosd[1945]: network_reachability_changed : network is not reachable, netbiosd is shutting down
11/5/17 1:02:24.809 PM symptomsd[256]: __73-[NetworkAnalyticsEngine observeValueForKeyPath:ofObject:change:context:]_block_invoke unexpected switch value 2
11/5/17 1:02:24.881 PM SubmitDiagInfo[2158]: Triggering diganostics messages cleanup
11/5/17 1:02:25.024 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.025 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.026 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.027 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.030 PM networkd[184]: nw_path_query_lqm Tried to query LQM on path with no interfaces
11/5/17 1:02:25.038 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.043 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.046 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.050 PM networkd[184]: -[NETClientConnection effectiveBundleID] using process name apsd as bundle ID (this is expected for daemons without bundle ID
11/5/17 1:02:25.000 PM kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 3
11/5/17 1:02:26.000 PM kernel[0]: PM response took 1374 ms (56, powerd)
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096547: AirPort_Brcm43xx::powerChange: System Sleep 
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096595: IOPMPowerSource Information: onSleep,  SleepType: Standby,  'ExternalConnected': No, 'TimeRemaining': 17276, 
11/5/17 1:02:26.000 PM kernel[0]: ARPT: 15122.096612: wl0: powerChange: *** BONJOUR/MDNS OFFLOADS ARE NOT RUNNING.
11/5/17 1:02:26.000 PM kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340
asked by Rakan Alami 07.11.2017 - 09:46

1 answer

2

Not retroactively, no.

However, you can enable this feature to audit future events.

Important note: this answer is to show that this type of auditing can be done and is in no way a guide or a HOWTO for configuring or managing OpenBSM* on macOS. Configuring and managing OpenBSM is outside the scope of an answer here on Ask Different.

By default, the OpenBSM audit tool is configured only for authentication events such as login and logout.

Looking at the configuration file /etc/security/audit/audit_control, we see the following:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa                  <----------- What gets audited.
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

There are a number of configuration directives, which can be found in the FreeBSD BSM Audit Config section of the FreeBSD Handbook.

In addition, OpenBSM is not configured for all users. Looking at /etc/security/audit_user we find that only root is configured:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
#
root:lo:no

To see whether we can audit when a file is read, modify audit_control so that it has the value flags:lo,aa,fr for "login/logout", "authentication/authorization" and "file read".

Then add a user to audit in the audit_user file, with the events we want to see (login and file read):

allan:lo:fr

Restart the service:

sudo audit -i

In a Terminal session, to watch the audit log being created in real time, run the command

praudit -l /dev/auditpipe | grep test 

to see whether it will generate an event when a "test" file is read.

In a separate Terminal window:

$ touch test    #creates the file
$ cat test      #reads the file

Back in the first Terminal window, we get a response:

sudo praudit -l /dev/auditpipe | grep test
Password:
header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,

There is a log entry.

Obviously, watching a "pipe" would be counterproductive and is only good for testing and demonstrations (like this example). The log files are stored in the /var/audit directory and you can view them with the praudit command

sudo praudit -l /var/audit/XXXXXXXXXXXXX.XXXXXXXXXXXXXX

* OpenBSM is an open source implementation of Sun's Basic Security Module (BSM) audit API and file format. OpenBSM is derived from the BSM audit implementation found in Apple's open source Darwin operating system, which, on request, Apple licensed under a BSD license to allow integration into FreeBSD and other systems. Darwin's BSM implementation was created by McAfee Research under contract to Apple, and has since been extensively extended by the volunteer TrustedBSD team. OpenBSM is included in FreeBSD from version 6.2 onward, and has been announced as a feature of Mac OS X Snow Leopard.

answered by Allan 08.11.2017 - 02:01
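A small parser for the flattened praudit -l records shown in the answer, added here as an illustration and not part of Allan's answer or of OpenBSM itself. It takes the record from the answer plus two constructed ones (a write, and a read that failed) and reports who successfully read a given file; the TOKEN_NAMES set and the constructed records are assumptions about the flat format, not taken from the page.

```python
"""Summarise file-read events from `praudit -l` output (added example, not
the answer's own code). SAMPLE_RECORDS holds the record shown in the answer
plus two constructed ones in the same comma-separated, name-prefixed layout."""
from datetime import datetime

# Names that open a new token. Caveat: a file literally called "subject"
# would fool this splitter; `praudit -x` (XML) is unambiguous for real tooling.
TOKEN_NAMES = {"header", "argument", "path", "attribute", "subject",
               "return", "trailer", "text", "exec arg", "exec env", "exit"}

SAMPLE_RECORDS = [
    # from the answer: allan successfully reads /Users/allan/test
    "header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,"
    "argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,"
    "allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,"
    "1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,",
    # constructed: a write, which the fr (file read) class does not cover
    "header,148,11,open(2) - write,0,Tue Nov  7 19:45:02 2017, + 12 msec,"
    "path,/Users/allan/notes.txt,subject,allan,allan,staff,allan,staff,1280,"
    "100007,50331650,0.0.0.0,return,success,3,trailer,148,",
    # constructed: a read that failed, so nothing was actually disclosed
    "header,150,11,open(2) - read,0,Tue Nov  7 19:46:10 2017, + 90 msec,"
    "path,/Users/allan/private.txt,subject,guest,guest,staff,guest,staff,1290,"
    "100008,50331651,0.0.0.0,return,failure : Permission denied,-1,trailer,150,",
]

def split_tokens(record):
    tokens = []                       # each entry: [name, field, field, ...]
    for field in record.rstrip(",").split(","):
        if field in TOKEN_NAMES:
            tokens.append([field])
        elif tokens:                  # field belongs to the current token
            tokens[-1].append(field)
    return tokens

def parse_read_event(record):
    """Summarise a file-read record; None for records that are not reads."""
    tokens = split_tokens(record)
    first = {t[0]: t for t in reversed(tokens)}   # first token of each name
    header = first.get("header")
    if header is None or len(header) < 6 or "read" not in header[3]:
        return None
    subject, ret = first.get("subject"), first.get("return")
    return {
        # header[5] is the ctime-style stamp; collapse the padded day "Nov  7"
        "time": datetime.strptime(" ".join(header[5].split()), "%a %b %d %H:%M:%S %Y"),
        "paths": [t[1] for t in tokens if t[0] == "path" and len(t) > 1],
        "audit_user": subject[1] if subject else None,
        "success": bool(ret) and len(ret) > 1 and ret[1] == "success",
    }

def reads_of(path_suffix, records):
    """Successful reads whose resolved path ends with path_suffix."""
    return [ev for ev in map(parse_read_event, records)
            if ev and ev["success"] and any(p.endswith(path_suffix) for p in ev["paths"])]
```

Feed it the lines of `sudo praudit -l /var/audit/<file>` (or the live auditpipe) to answer "who read this file, and when" once the fr class is enabled as the answer describes.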
