MacOS – Activity & Hardware Audit

macos, security

I have an iMac running OS X 10.7 that stands in a public space. Recently, someone stole a Mighty Mouse that was connected to it. I know the time period when it happened, so I was wondering if I can find out what sort of activity was going on back then. For example, which users were logging in, what apps they were running, and when this USB mouse was last connected. I already went through the system and kernel logs and they provide just a bit of useful info. What are the best practices for auditing Mac usage?

Thanks!

Best Answer

If you didn't install system accounting on this Mac, there isn't any way for you to get the processes back at the time of this bad event.

You can find when this mouse was connected for the last time by searching in /var/log/kernel.log. On more recent versions of OSX (Yosemite, El Capitan, Sierra) /var/log/kernel.log is merged into /var/log/system.log. Within a terminal or xterm just type:

grep -i usb /var/log/kernel.log

or on more recent versions of OSX:

grep -i usb /var/log/system.log

If you need to search back further, just use the compressed and saved previous versions with:

bzgrep -i usb /var/log/kernel.log.[3210].bz2

or on more recent versions of OSX:

zgrep -i usb /var/log/system.log.[3210].gz

To check who was connected on your system, just use the last command.

If you want to have a basic auditing function on your system, you may easily start by turning the system accounting on. Here is how to turn it on. All these commands have to be typed with the root account. (Be careful: every typed letter counts, even a space.)

/usr/bin/sudo -s
[...]
mkdir /var/account
touch /var/account/acct
accton /var/account/acct
exit

You can immediately check that from now on and forever the kernel is registering any program launched:

lastcomm

As a simple example of use, the following command will show you which commands were used since the startup of the kernel accounting:

lastcomm root
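As an added example (not part of the answer above), the following shell script narrows the answer's `grep -i usb /var/log/kernel.log` to the time window in which the device went missing, which is what you want when you know roughly when the theft happened. The function names `usb_events_in_window` and `count_usb_events_in_window` are assumptions for this example, and the log lines are constructed to look like syslog-style kernel.log entries; they are not real macOS output.

```shell
#!/bin/sh
# Added example (not from the original answer): filter USB-related kernel.log
# lines to one day and a start/end time, instead of grepping the whole file.

# Print USB-related lines on one day ("MMM DD") within [start, end] (HH:MM:SS).
# Assumes syslog-style lines: "MMM DD HH:MM:SS host kernel[0]: message".
# awk splits on whitespace, so a space-padded day ("Mar  2") still compares
# correctly against a day argument written as "Mar 2".
usb_events_in_window() {
    logfile=$1; day=$2; start=$3; end=$4
    awk -v day="$day" -v start="$start" -v end="$end" '
        ($1 " " $2) == day && $3 >= start && $3 <= end && tolower($0) ~ /usb/
    ' "$logfile"
}

# Same filter, but return only the number of matching lines.
count_usb_events_in_window() {
    usb_events_in_window "$@" | wc -l | tr -d ' '
}

# Constructed sample log (not real macOS output) so the example runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 12 13:58:10 imac-public kernel[0]: USB: device 0x05ac attached (constructed)
Mar 12 14:01:22 imac-public kernel[0]: USB: HID mouse enumerated (constructed)
Mar 12 14:07:45 imac-public kernel[0]: USB: HID mouse disconnected (constructed)
Mar 12 14:20:03 imac-public kernel[0]: unrelated message (constructed)
Mar 13 09:00:00 imac-public kernel[0]: USB: hub attached (constructed)
EOF

# Usage: show USB events in the window when the mouse disappeared.
usb_events_in_window "$SAMPLE_LOG" "Mar 12" "14:00:00" "14:15:00"
```

On a real machine, replace `$SAMPLE_LOG` with /var/log/kernel.log (or /var/log/system.log on newer releases, or a rotated `.bz2`/`.gz` copy decompressed first). The time comparison is a plain string comparison, which is correct for zero-padded HH:MM:SS within a single day; span several days by calling the function once per day.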