Find out if any files were exported from my MacBook
Solution 1:
You can't, retroactively.
However, you can turn this feature on to audit future events.
Important Note: This answer is to show that this type of auditing can be done and in no way is a guide or a HOWTO for setting up or administering OpenBSM* on macOS. Configuring and managing OpenBSM is considerably outside the scope of an answer here on Ask Different.
By default, the OpenBSM auditing tool is set for only authentication events like login and logout.
Looking at the config file /etc/security/audit/audit_control
we see the following:
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa <----------- What gets audited.
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
There are a number of configuration directives that can be found on the FreeBSD BSM Audit Config section of the FreeBSD Handbook.
Additionally, OpenBSM is not configured for every user. Looking at /etc/security/audit_user
we find only root
is configured:
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
#
root:lo:no
To see if we can audit when a file gets read, modify audit_control
so that it has the value flags:lo,aa,fr
for "login/logout", "authentication/authorization", and "file read"
Then add a user to audit in the audit_user
file with the events we want to see (login and file read):
allan:lo:fr
Restart the service:
sudo audit -i
On one Terminal session, to view the real-time audit log being created, issue command
praudit -l /dev/auditpipe | grep test
to see if it will generate an event for when I read from a "test" file.
On a separate Terminal window:
$ touch test #creates the file
$ cat test #reads the file
Back on the first Terminal window we get a response:
sudo praudit -l /dev/auditpipe | grep test
Password:
header,140,11,open(2) - read,0,Tue Nov 7 19:44:45 2017, + 678 msec,argument,2,0x0,flags,path,test,path,/Users/allan/test,attribute,100644,allan,staff,16777218,724870,0,subject,allan,allan,staff,allan,staff,1277,100007,50331650,0.0.0.0,return,success,3,trailer,140,
There's the log entry.
Obviously watching a "pipe" would be counter productive and is only good for test and demos (such as this example). The log files are stored in the /var/audit
directory and you can view them with the praudit
command
sudo praudit -l /var/audit/XXXXXXXXXXXXX.XXXXXXXXXXXXXX
*OpenBSM is an open source implementation of Sun's Basic Security Module (BSM) Audit API and file format. OpenBSM is derived from the BSM audit implementation found in Apple's open source Darwin operating system, which upon request, Apple relicensed under a BSD licence to allow for integration into FreeBSD and other systems. The Darwin BSM implementation was created by McAfee Research under contract to Apple, and has since been extensively extended by the volunteer TrustedBSD team. OpenBSM is included in FreeBSD as of version 6.2 and later, and has been announced as a Mac OS X Snow Leopard feature.