Analysis & Correlation of Mac Logs - SANS

More documents

Recommendations

Info

Audit Log Records Each record is made up of “tokens”: Header Subject Text Return Trailer ! ! Verify password for record type Users 'root' node '/Local/Default'! ! ! oompa@csh.rit.edu | @iamevltwin
Audit Log Record - Tokens Variable number of tokens Each is described in the audit.log man page. Subject Token! The ``subject'' token contains information on the subject performing the operation described by an! audit record, and includes similar information to that found in the ``process'' and ``expanded! process'' tokens. However, those tokens are used where the process being described is the target of! the operation, not the authorizing party. A ``subject'' token can be created using au_to_subject32(3)! and au_to_subject64(3).! ! Field Bytes Description! Token ID 1 byte Token ID! Audit ID 4 bytes Audit user ID! Effective User ID 4 bytes Effective user ID! Effective Group ID 4 bytes Effective group ID! Real User ID 4 bytes Real user ID! Real Group ID 4 bytes Real group ID! Process ID 4 bytes Process ID! Session ID 4 bytes Audit session ID! Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)! Terminal Machine Address 4 bytes IP address of machine! oompa@csh.rit.edu | @iamevltwin
Page 1 and 2: Analysis & Correlation of Mac Logs
Page 3 and 4: Why? Volumes Network Location Backu
Page 5 and 6: General Location System Logs User L
Page 7 and 8: Console.app oompa@csh.rit.edu | @ia
Page 9 and 10: Log Friendly Software View the BZip
Page 11 and 12: Log Recovery Logs get “removed”
Page 13 and 14: Apple System Log Location: /private
Page 15 and 16: syslog Command Output Format (-F) b
Page 17 and 18: Audit Logs oompa@csh.rit.edu | @iam
Page 19: praudit -xn /var/audit/*! su Exampl
Page 23 and 24: system.log & daily.log Search “/V
Page 25 and 26: USBMSC - kernel.log System Informat
Page 27 and 28: ~/Library/Preferences/ com.apple.Di
Page 29 and 30: com.apple.sidebarlists.plist Volume
Page 31 and 32: Volume Alias Data Dates & Mount Poi
Page 33 and 34: Network Changes system.log Jun 12 1
Page 35 and 36: Library/Preferences/SystemConfigura
Page 37 and 38: Determine “Home” Network com.ap
Page 39 and 40: Wireless Networks Determine general
Page 41 and 42: Detailed Timeline system.log- searc
Page 43 and 44: system.log Search Hostname” (10.6
Page 45 and 46: User Activity oompa@csh.rit.edu | @
Page 47 and 48: Log Analysis monthly.out Account Au
Page 49 and 50: Account Creation Audit Logs • ! !
Page 51 and 52: Backups oompa@csh.rit.edu | @iamevl
Page 53 and 54: Backups - /Library/Preferences/ com
Page 55 and 56: Software oompa@csh.rit.edu | @iamev
Page 57 and 58: Library/Preferences/ com.apple.Soft
Page 59 and 60: Receipt Files /var/db/receipts/ oom
Page 61 and 62: System Version install.log - Search
Page 63 and 64: System Information & System State o
Page 65 and 66: System Boot kernel.log 10.7 10.6
Page 67 and 68: System Boot Kernel & Processor Coun
Page 69 and 70: System Boot Boot Device May 9 16:29
Page 71 and 72:
System Boot MAC Addresses Three dif
Page 73 and 74:
kernel.log Sleep Cause May 26 17:27
Page 75 and 76:
Disk Usage History daily.log oompa@
Page 77 and 78:
var/log/cups/page_log Printer Name
Page 79 and 80:
Printer Control Files /private/var/
Page 81 and 82:
Temporal Changes & Context oompa@cs
Page 83 and 84:
Time Changes: Time Zone - /etc/loca
Page 85 and 86:
Time Zone Changes daily.log - Searc
Page 87 and 88:
Date & Time Search Epoch & Other Fo
Page 89 and 90:
Bluetooth Devices system.log - Sear
Page 91 and 92:
Determine Bluetooth Class of Device
Page 93:
Analysis & Correlation of Mac Logs
show all

Analysis & Correlation of Mac Logs - SANS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?