MacOS – Correlation between Mac OS X GUI actions and Logs

command line, logs, mac, macos

I am not sure if it is possible, but I was trying to discover/view/analyze whether there is any correlation between the actions that a regular user performs on the GUI side and some logs inside the system (logs, var, or console).

I would like to know if I am able to see all the command lines that are executed when the user interacts with the Graphical Interface.

Let me give you an example.

In Mac OS X, if you want to add a new user to the system, you use the System Preferences > Users and Groups > + add user > etc.

And more or less the same can be achieved with the usage of a command line:

sudo dscl . -create /Users/username
sudo dscl . -create /Users/username UserShell /bin/bash
sudo dscl . -create /Users/username RealName "John Smith"
sudo dscl . -create /Users/username UniqueID 1001
etc. etc.

My question is, is there any way for me to find the above code somewhere? The above is just an example.

Another example.

The user creates a new folder on his/her by using the regular GUI: right-click on his/her Desktop and create a new folder.

Can I see somewhere in the system something like:

mkdir /Users/username/Desktop/directory_name

I hope I was clear.

Thank you so much in advance for your help.

Best Answer

There isn't a general way to do this.

Most of the things you do in the GUI don't run command-line tools; they use things like system calls to do things directly. For example, when you run mkdir from the command line, it uses the mkdir() function to actually create the directory. Finder doesn't bother using the mkdir command, it simply calls mkdir() (or something equivalent) itself.

This causes two problems for what you want. First, system calls aren't generally logged; and second, there isn't always an easy way to figure out what command would do the equivalent thing (if there even is such a command -- there isn't always).

There are ways to get some info about what's going on behind the scenes of GUI programs, but they're not particularly easy to use (or interpret the output from).

  • The fs_usage command will list file system events (including things like directory creation) as they happen... but a lot of file system events happen all the time, most of them completely irrelevant to what you're interested in. Filtering out what you care about tends to be tricky. And of course it's only useful if it's a file system event you care about.

  • DTrace can be used to trace things like system calls in detail, if you know what calls you're interested in tracing. Recent versions of macOS restrict the ability to trace most Apple programs (Finder, System Preferences, ...), so you'll need to at-least-partly disable System Integrity Protection to use it effectively.
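
The filtering problem from the fs_usage point above, as an added example that is not part of the original answer: a Python filter that keeps only file-system mutations made by one process, including failed calls. The sample lines are constructed, and the column layout the regex expects is an assumption modelled on `fs_usage -w -f filesys` output.

```python
import re
import sys

# Constructed sample modelled on `fs_usage -w -f filesys` output (assumption:
# the exact column layout varies between macOS releases).
SAMPLE = """\
14:22:31.101200  stat64            /Users/username/Desktop                      0.000011   Finder.48213
14:22:31.104518  mkdir             /Users/username/Desktop/untitled folder      0.000102   Finder.48213
14:22:31.104903  getattrlist       /Users/username/Desktop/untitled folder      0.000009   Finder.48213
14:22:31.220771  open              /Users/username/Library/Caches/x.db          0.000031   mds.2210
14:22:40.556120  rename            /Users/username/Desktop/untitled folder      0.000087   Finder.48213
14:22:41.000312  mkdir       [ 17] /Users/username/Desktop/reports              0.000020   Finder.48213
"""

# time, call, optional [errno], path (may contain spaces), elapsed, process.thread
LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<call>\S+)\s+"
    r"(?:\[\s*(?P<errno>\d+)\]\s+)?"
    r"(?P<path>/.*?)\s+"
    r"(?P<elapsed>\d+\.\d+)\s+(?:W\s+)?"
    r"(?P<proc>.+)\.(?P<tid>\d+)\s*$"
)

# Calls that change the directory tree; everything else is treated as noise.
MUTATIONS = {"mkdir", "rmdir", "rename", "unlink"}

def gui_fs_events(lines, process="Finder", calls=MUTATIONS):
    """Yield one dict per mutation made by `process`, skipping unparsable lines."""
    for line in lines:
        m = LINE.match(line.rstrip())
        if not m or m["proc"] != process or m["call"] not in calls:
            continue
        yield {
            "time": m["time"],
            "call": m["call"],
            "path": m["path"],
            # A bracketed number after the call name is the errno of a failed call.
            "errno": int(m["errno"]) if m["errno"] else None,
        }

if __name__ == "__main__":
    # Live use on macOS (needs root): sudo fs_usage -w -f filesys Finder | python3 filter.py
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for e in gui_fs_events(source):
        failed = f"  (failed, errno {e['errno']})" if e["errno"] is not None else ""
        print(f"{e['time']}  {e['call']:<7} {e['path']}{failed}")
```

The output shows what Finder did to the file system, not a command it ran, which matches the answer's point that no `mkdir` command line exists to be logged.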