Does macOS keep a log of all access to the keychain?

I want to see which applications accessed the keychain of my Mac, to know which apps have access and how often they do. Does macOS keep a log of that somewhere?


Yes, on macOS Sierra or newer you can monitor every access to the Keychain using the Unified Logging system, in two operation modes:

  1. Realtime

  2. Query the database log to get past access events


Use this command in a Terminal window for realtime monitoring:

log stream --predicate 'subsystem == "com.apple.securityd" AND message CONTAINS[cd] "Keychain Access"' --info --debug --signpost --style compact

Here is the output of the above command, in realtime, while some keychain items were being accessed:


You can also query past events by specifying a date range and changing stream to show, as in the example below:

log show --start "2019-08-11 14:21:45" --end "2019-08-11 14:22:00" --predicate 'subsystem == "com.apple.securityd" AND message CONTAINS[cd] "Keychain Access"' --info --debug --signpost --style compact

More detailed information can be obtained by modifying the command line and grouping other process interactions. See man log for more options, or just ask here :)
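To turn the `log show` query above into a "what and how often" summary, the following is an added example, not part of the original answer. It assumes the query is run with `--style ndjson` instead of `--style compact` and reads the `timestamp`, `eventMessage` and `processImagePath` fields of each record; the script name and the sample message wording are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Constructed sample shaped like `log show ... --style ndjson` output.
# Message wording is invented; real securityd messages will differ.
SAMPLE = """\
{"timestamp":"2019-08-11 14:21:46.102938+0200","processImagePath":"/usr/sbin/securityd","eventMessage":"Keychain Access: sample item A"}
{"timestamp":"2019-08-11 14:21:52.440012+0200","processImagePath":"/usr/sbin/securityd","eventMessage":"Keychain Access: sample item A"}
{"timestamp":"2019-08-11 15:03:10.000100+0200","processImagePath":"/usr/sbin/securityd","eventMessage":"Keychain Access: sample item B"}
{"timestamp":"2019-08-11 15:03:11.000200+0200","processImagePath":"/usr/sbin/securityd","eventMessage":"unrelated securityd message"}
not-json banner line
{"count":4,"finished":1}
"""

def summarize(lines):
    """Count Keychain Access events per logging process, per hour and per message."""
    by_process, by_hour, by_message = Counter(), Counter(), Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, banner or truncated line
        if not isinstance(event, dict):
            continue
        message = event.get("eventMessage")
        # Skips the trailing {"count": ..., "finished": 1} record and
        # anything the predicate did not already filter out.
        if not message or "keychain access" not in message.lower():
            continue
        by_process[event.get("processImagePath", "?")] += 1
        by_hour[event.get("timestamp", "")[:13]] += 1  # "YYYY-MM-DD HH"
        by_message[message] += 1
    return by_process, by_hour, by_message

if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   log show --last 1d --predicate '<predicate from above>' --info --debug \
    #       --style ndjson | python3 keychain_summary.py
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for title, counts in zip(("process", "hour", "message"), summarize(source)):
        print(f"== events by {title} ==")
        for key, n in counts.most_common(10):
            print(f"{n:6d}  {key}")
```

The per-message counts are grouped on the verbatim message text, so whatever client or item name securityd writes into the message is preserved without the script having to parse it.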