Find out if any files were exported from my MacBook

Solution 1:

You can't, retroactively.

However, you can turn this feature on to audit future events.

Important Note: This answer is to show that this type of auditing can be done and in no way is a guide or a HOWTO for setting up or administering OpenBSM* on macOS. Configuring and managing OpenBSM is considerably outside the scope of an answer here on Ask Different.


By default, the OpenBSM auditing tool is set for only authentication events like login and logout.

Looking at the config file /etc/security/audit/audit_control we see the following:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa                  <----------- What gets audited.
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

There are a number of configuration directives that can be found on the FreeBSD BSM Audit Config section of the FreeBSD Handbook.

Additionally, OpenBSM is not configured for every user. Looking at /etc/security/audit_user we find only root is configured:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
#
root:lo:no

To see if we can audit when a file gets read, modify audit_control so that it has the value flags:lo,aa,fr for "login/logout", "authentication/authorization", and "file read".

Then add a user to audit in the audit_user file with the events we want to see (login and file read):

allan:lo:fr

Restart the service:

sudo audit -i

On one Terminal session, to view the real-time audit log being created, issue the command

praudit -l /dev/auditpipe | grep test

to see if it will generate an event for when I read from a "test" file.

On a separate Terminal window:

$ touch test    #creates the file
$ cat test      #reads the file

Back on the first Terminal window we get a response:

sudo praudit -l /dev/auditpipe | grep test
Password:
header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,

There's the log entry.

Obviously watching a "pipe" would be counterproductive and is only good for tests and demos (such as this example). The log files are stored in the /var/audit directory and you can view them with the praudit command:

sudo praudit -l /var/audit/XXXXXXXXXXXXX.XXXXXXXXXXXXXX

*OpenBSM is an open source implementation of Sun's Basic Security Module (BSM) Audit API and file format. OpenBSM is derived from the BSM audit implementation found in Apple's open source Darwin operating system, which upon request, Apple relicensed under a BSD licence to allow for integration into FreeBSD and other systems. The Darwin BSM implementation was created by McAfee Research under contract to Apple, and has since been extensively extended by the volunteer TrustedBSD team. OpenBSM is included in FreeBSD as of version 6.2 and later, and has been announced as a Mac OS X Snow Leopard feature.
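The praudit -l record shown above is a flat, comma-separated stream of tokens (header, argument, path, attribute, subject, return, trailer), which lends itself to mechanical filtering rather than a grep for the file name. The parser and read-detector below is an added example, not code from this answer or from the OpenBSM project; the number of fields it expects after each token name is an assumption derived from the sample record, and of the three sample lines only the first is the record from the answer, the other two are constructed.

```python
"""Parse OpenBSM records as printed by `praudit -l` and flag file reads.

Added example for this answer, not part of it or of OpenBSM. The per-token
field counts below are assumptions derived from the sample record.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Fields that follow each token name in a praudit -l line (assumption based
# on the sample record; any other token type raises ValueError, since the
# stream cannot be resynchronised without knowing its width).
TOKEN_FIELDS: Dict[str, int] = {
    "header": 6,     # record length, version, event, modifier, date, msec
    "argument": 3,   # arg number, value, description
    "path": 1,       # path as given by the caller / fully resolved path
    "attribute": 6,  # mode, owner, group, fsid, nodeid, device
    "subject": 9,    # audit-uid, uid, gid, ruid, rgid, pid, sid, tid, addr
    "return": 2,     # status text, return value
    "trailer": 1,    # record length
}


@dataclass
class AuditRecord:
    event: str = ""
    when: str = ""
    paths: List[str] = field(default_factory=list)
    audit_user: Optional[str] = None   # audit-uid: who logged in, even under sudo
    pid: Optional[int] = None
    status: Optional[str] = None       # "success" / "failure"


def parse_record(line: str) -> AuditRecord:
    """Walk the flat token stream of one praudit -l line."""
    fields = line.rstrip("\n").split(",")
    rec = AuditRecord()
    i = 0
    while i < len(fields):
        name = fields[i]
        if name == "":                 # empty field left by the trailer's final comma
            i += 1
            continue
        if name not in TOKEN_FIELDS:
            raise ValueError(f"unknown token {name!r} at field {i}")
        n = TOKEN_FIELDS[name]
        body = fields[i + 1:i + 1 + n]
        if len(body) != n:
            raise ValueError(f"truncated {name} token")
        if name == "header":
            rec.event = body[2]
            rec.when = body[4] + "," + body[5]   # praudit splits date and msec on a comma
        elif name == "path":
            rec.paths.append(body[0])
        elif name == "subject":
            rec.audit_user = body[0]
            rec.pid = int(body[5])
        elif name == "return":
            rec.status = body[0]
        i += 1 + n
    return rec


def successful_reads(lines, under: str = "/") -> List[Tuple[str, str, str]]:
    """Return (audit user, resolved path, time) for successful read opens under `under`."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.status != "success" or not rec.event.startswith("open(2) - read"):
            continue
        # The last path token is the resolved absolute path; the first may be relative.
        full = rec.paths[-1] if rec.paths else ""
        if full.startswith(under):
            hits.append((rec.audit_user, full, rec.when))
    return hits


# Sample input: line 1 is the record from the answer; lines 2 and 3 are constructed
# (a read of /etc/hosts via sudo, and a write that must not be reported as a read).
SAMPLE = """\
header,140,11,open(2) - read,0,Tue Nov  7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,
header,146,11,open(2) - read,0,Tue Nov  7 19:45:02 2017, + 12 msec,argument,2,0x0,flags,path,/etc/hosts,path,/private/etc/hosts,attribute,100644,root,wheel,16777218,12345,0,subject,allan,root,wheel,root,wheel,1301,100007,50331650,0.0.0.0,return,success,3,trailer,146,
header,142,11,open(2) - write,0,Tue Nov  7 19:45:10 2017, + 90 msec,argument,2,0x601,flags,path,notes,path,/Users/allan/notes,attribute,100644,allan,staff,16777218,724900,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,4,trailer,142,
""".splitlines()

if __name__ == "__main__":
    for user, path, when in successful_reads(SAMPLE, under="/Users/allan"):
        print(f"{when}: {user} read {path}")
```

Feed it real data with something like `sudo praudit -l /var/audit/<file> | python3 -c ...` or by reading `/dev/auditpipe` the same way the answer does. Two caveats: some OpenBSM event names themselves contain a comma (for example the read-and-write open variant), which would shift the fixed-width fields, so for production use either split on praudit's `-d` delimiter option with a character that cannot occur in the data, or parse the XML form (`praudit -x`) instead; and the audit-uid (first subject field) is what identifies the person even when the effective uid is root after sudo, which is why the second sample line is attributed to allan rather than root.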