
Marcus_D

macrumors newbie
Original poster
Jul 6, 2015
Does OS X store information in any log about when an administrator changes the user level of a certain user - by selecting “Allow user to administer this computer” under Users in System Preferences?

Background: We noticed that a certain user suddenly has admin privileges but would like to know who granted them and when.

Which log file do we have to check? syslog doesn't seem to be the right one (in El Capitan and Sierra).

Thank you.
 

KALLT

macrumors 603
Sep 23, 2008
(Lengthy reply incoming)

There are indeed logs for this, but they are a bit awkward to use. The system keeps audit trails in /var/audit and does log group changes (among many other things). One problem is that these logs have a particular format that requires a special program to read them. /usr/sbin/praudit is capable of doing this, but it is really not that great. Another problem is that the system splits logs into smaller files, named after their period. For instance: 20160728183231.20160729144515 (in reverse year-month-day-hour-minutes-seconds notation). Depending on how far back you want to go, you’d have to check each of them.

For more information about this audit system, you should check out the man page ‘audit’ (it leads to even more documentation). The system is quite complicated and I don’t recommend changing anything in the configuration, unless you know what you are doing.

With this command you can see a list of these files (read access is exclusive to root).
Code:
sudo ls /var/audit


To read a particular file, you can use this command:
Code:
sudo praudit /var/audit/insert_log_file_here


You will see a lot of noise there. You could limit the result with a regular expression to search for particular entries that concern membership change of the admin group:
Code:
sudo praudit /var/audit/insert_log_file_here | egrep -B2 "Groups membership username.+'admin'"


Then the result should look something like this (‘MyUserName’ is the user with which I am logged in):
Code:
header,159,11,AUE_remove_from_group,0,Sun Sep 18 10:36:00 2016, + 820 msec
subject,MyUserName,MyUserName,staff,MyUserName,staff,13138,100007,13139,0.0.0.0
text,Added Groups membership username from 'admin' node '/Local/Default', value = 'MyUserName'

The ‘header’ line tells you the date. ‘subject’ tells you which user was involved. You should pay attention only to the first two usernames. ‘text’ tells you what action was taken, in this case changing the group membership to/from admin for the specified user (after ‘value’). If the second username in the ‘subject’ line is root, then the account change probably happened with sudo.

One caveat is that the Users & Groups panel in System Preferences allows an administrator to ‘bless’ the currently logged-in user to perform these changes themselves. In my example, MyUserName is actually not an administrator, but the logs tell me that I promoted myself. You could find out who unlocked the Users & Groups panel by separately checking the logs with a different regular expression and then matching the dates yourself:
Code:
sudo praudit /var/audit/insert_log_file | egrep -B4 "authenticated as" | grep -B2 -A2 "system.preferences.accounts"


This is only an indication, however, as this entry only shows when a specific user unlocked the panel. Depending on how far apart the unlocking and the group change happened, it might not be a good measure. The result tells you the date and the admin who unlocked the panel (‘MyAdmin’):
Code:
header,147,11,AUE_ssauthint,0,Sun Sep 18 10:19:56 2016, + 735 msec
subject,MyUserName, MyUserName,staff, MyUserName,staff,13138,100007,13139,0.0.0.0
text,system.preferences.accounts
argument,1,0x1f5,known UID
argument,2,0x1f6,authenticated as MyAdmin


You can search through multiple logs at once and then print the results (this takes a while):
Code:
sudo find /var/audit -type f -exec praudit {} \; | egrep -B2 "Groups membership username.+'admin'"


If you only want to check for entries that are after a specific date, you can use this (replace the file name below with one that you want to use as a starting point for the search).
Code:
sudo find /var/audit -type f -newer /var/audit/20160728183231.20160729144515 -exec praudit {} \; | egrep -B2 "Groups membership username.+'admin'"
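
Added example (not part of the post above, and not Apple's or OpenBSM's code): a Python sketch that automates the date matching the post describes, pairing each admin-group change with the most recent Users & Groups unlock that preceded it. It assumes default praudit text output, that the seventh value on the ‘subject’ line is the audit session ID, and a hypothetical one-hour window; the sample is constructed from the two records quoted in the post.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the two records quoted in the post, in default praudit layout.
SAMPLE = """\
header,147,11,AUE_ssauthint,0,Sun Sep 18 10:19:56 2016, + 735 msec
subject,MyUserName,MyUserName,staff,MyUserName,staff,13138,100007,13139,0.0.0.0
text,system.preferences.accounts
argument,1,0x1f5,known UID
argument,2,0x1f6,authenticated as MyAdmin
header,159,11,AUE_remove_from_group,0,Sun Sep 18 10:36:00 2016, + 820 msec
subject,MyUserName,MyUserName,staff,MyUserName,staff,13138,100007,13139,0.0.0.0
text,Added Groups membership username from 'admin' node '/Local/Default', value = 'MyUserName'
"""

CHANGE = re.compile(r"Groups membership username.+'admin'.*value = '([^']*)'")
AUTH = re.compile(r"authenticated as (\S+)")

def parse(text):
    """Split praudit output into records; return (group_changes, panel_unlocks)."""
    changes, unlocks = [], []
    for block in re.split(r"(?m)^(?=header,)", text):  # every record starts at a header line
        lines = block.strip().splitlines()
        head = lines[0].split(",") if lines else []
        subj = next((l.split(",") for l in lines if l.startswith("subject,")), [])
        if len(head) < 6 or head[0] != "header" or len(subj) < 8:
            continue  # not a complete record with a subject token
        rec = {"when": datetime.strptime(head[5].strip(), "%a %b %d %H:%M:%S %Y"),
               "event": head[3], "actor": subj[1].strip(),
               "session": subj[7].strip()}  # assumption: 7th subject value is the session ID
        body = "\n".join(lines)
        m, a = CHANGE.search(body), AUTH.search(body)
        if m:
            changes.append({**rec, "target": m.group(1)})
        if a and "text,system.preferences.accounts" in body:
            unlocks.append({**rec, "admin": a.group(1)})
    return changes, unlocks

def correlate(changes, unlocks, window=timedelta(hours=1)):
    """Pair each change with the latest unlock before it in the same session."""
    out = []
    for c in changes:
        prior = [u for u in unlocks if u["session"] == c["session"]
                 and timedelta(0) <= c["when"] - u["when"] <= window]
        u = max(prior, key=lambda x: x["when"], default=None)
        out.append((c["when"], c["event"], c["target"], c["actor"], u["admin"] if u else None))
    return out

if __name__ == "__main__":
    print(correlate(*parse(SAMPLE)))
```

A change with no matching unlock in the window is reported with None as the admin, which covers changes made outside the panel (for example with sudo).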
 