Analysis & Correlation of Mac Logs - SANS

More documents

Recommendations

Info

User Logins / Logouts Local Terminal • May 28 14:48:04 byte login[693]: USER_PROCESS: 693 ttys000! • May 28 14:48:07 byte login[698]: USER_PROCESS: 698 ttys001! • May 28 15:07:29 byte login[812]: USER_PROCESS: 812 ttys002! • May 28 15:07:51 byte login[812]: DEAD_PROCESS: 812 ttys002! Login Window • May 28 12:42:23 byte loginwindow[66]: DEAD_PROCESS: 74 console! • May 28 14:28:04 byte loginwindow[66]: USER_PROCESS: 60 console! SSH • May 28 15:15:38 byte sshd[831]: USER_PROCESS: 842 ttys002! • May 28 15:15:52 byte sshd[831]: DEAD_PROCESS: 842 ttys002! Screen Sharing! • 5/28/12 3:31:33.675 PM screensharingd: Authentication: SUCCEEDED :: User Name: Sarah Edwards :: Viewer Address: 192.168.1.101 :: Type: DH! oompa@csh.rit.edu | @iamevltwin
Log Analysis monthly.out Account Audit Monthly Uses ac -p command to calculate account time on system. “Accumulated connected time in decimal hours” -- End of monthly output --! ! Wed Apr 4 09:15:54 EDT 2012! ! Rotating fax log files:! ! Doing login accounting:! !total 3678.85! !sledwards 3678.76! !root 0.09! ! -- End of monthly output --! ! Tue May 1 05:30:00 PDT 2012! ! Rotating fax log files:! ! Doing login accounting:! !total 4301.95! !sledwards 4301.77! !root 0.18! ! -- End of monthly output --! ! Fri Jun 1 06:46:13 PDT 2012! ! Rotating fax log files:! ! Doing login accounting:! !total 5047.22! !sledwards 5047.04! !root 0.18! ! -- End of monthly output --! oompa@csh.rit.edu | @iamevltwin
Page 1 and 2: Analysis & Correlation of Mac Logs
Page 3 and 4: Why? Volumes Network Location Backu
Page 5 and 6: General Location System Logs User L
Page 7 and 8: Console.app oompa@csh.rit.edu | @ia
Page 9 and 10: Log Friendly Software View the BZip
Page 11 and 12: Log Recovery Logs get “removed”
Page 13 and 14: Apple System Log Location: /private
Page 15 and 16: syslog Command Output Format (-F) b
Page 17 and 18: Audit Logs oompa@csh.rit.edu | @iam
Page 19 and 20: praudit -xn /var/audit/*! su Exampl
Page 21 and 22: Audit Log Record - Tokens Variable
Page 23 and 24: system.log & daily.log Search “/V
Page 25 and 26: USBMSC - kernel.log System Informat
Page 27 and 28: ~/Library/Preferences/ com.apple.Di
Page 29 and 30: com.apple.sidebarlists.plist Volume
Page 31 and 32: Volume Alias Data Dates & Mount Poi
Page 33 and 34: Network Changes system.log Jun 12 1
Page 35 and 36: Library/Preferences/SystemConfigura
Page 37 and 38: Determine “Home” Network com.ap
Page 39 and 40: Wireless Networks Determine general
Page 41 and 42: Detailed Timeline system.log- searc
Page 43 and 44: system.log Search Hostname” (10.6
Page 45: User Activity oompa@csh.rit.edu | @
Page 49 and 50: Account Creation Audit Logs • ! !
Page 51 and 52: Backups oompa@csh.rit.edu | @iamevl
Page 53 and 54: Backups - /Library/Preferences/ com
Page 55 and 56: Software oompa@csh.rit.edu | @iamev
Page 57 and 58: Library/Preferences/ com.apple.Soft
Page 59 and 60: Receipt Files /var/db/receipts/ oom
Page 61 and 62: System Version install.log - Search
Page 63 and 64: System Information & System State o
Page 65 and 66: System Boot kernel.log 10.7 10.6
Page 67 and 68: System Boot Kernel & Processor Coun
Page 69 and 70: System Boot Boot Device May 9 16:29
Page 71 and 72: System Boot MAC Addresses Three dif
Page 73 and 74: kernel.log Sleep Cause May 26 17:27
Page 75 and 76: Disk Usage History daily.log oompa@
Page 77 and 78: var/log/cups/page_log Printer Name
Page 79 and 80: Printer Control Files /private/var/
Page 81 and 82: Temporal Changes & Context oompa@cs
Page 83 and 84: Time Changes: Time Zone - /etc/loca
Page 85 and 86: Time Zone Changes daily.log - Searc
Page 87 and 88: Date & Time Search Epoch & Other Fo
Page 89 and 90: Bluetooth Devices system.log - Sear
Page 91 and 92: Determine Bluetooth Class of Device
Page 93: Analysis & Correlation of Mac Logs

Analysis & Correlation of Mac Logs - SANS

Create successful ePaper yourself

Delete template?

Save as template?