530 строки
17 KiB
JSON
530 строки
17 KiB
JSON
|
[
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_auth_user",
|
||
|
|
"EventName": "user authentication",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:20:50",
|
||
|
|
"SubjectAuditID": "ruser",
|
||
|
|
"SubjectUID": "ruser",
|
||
|
|
"SubjectGID": "staff",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "staff",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "Verify password for record type Users 'ruser' node '/Local/Default'",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.opendirectoryd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x4ab4c898fd4a994fd267ed1edeb21b9c9b5cb70f",
|
||
|
|
"TrailerCount": "198",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:20:50.761144-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthorize",
|
||
|
|
"EventName": "SecSrvr AuthEngine",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:33",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "begin evaluation",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "138",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:33.308356-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthorize",
|
||
|
|
"EventName": "SecSrvr AuthEngine",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:33",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "system.login.fus",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "158",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:33.309622-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:33",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism builtin:smartcard-sniffer,privileged",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "188",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:33.337214-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:38",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism loginwindow:login",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "169",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:38.641095-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:38",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism builtin:reset-password,privileged",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "185",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:38.646485-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:38",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism builtin:authenticate-nocred,privileged",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "190",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:38.892300-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:39",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism loginwindow:success",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "171",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:39.093626-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthorize",
|
||
|
|
"EventName": "SecSrvr AuthEngine",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:39",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "creator /System/Library/CoreServices/loginwindow.app",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "249",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:39.287141-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthorize",
|
||
|
|
"EventName": "SecSrvr AuthEngine",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:39",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "159",
|
||
|
|
"SubjectSID": "100006",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:316",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "end evaluation",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "136",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:39.290938-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthorize",
|
||
|
|
"EventName": "SecSrvr AuthEngine",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:39",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "1031",
|
||
|
|
"SubjectSID": "100061",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:2693",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "begin evaluation",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "138",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:39.702351-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:40",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "1031",
|
||
|
|
"SubjectSID": "100061",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:2693",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism loginwindow:FDESupport,privileged",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "189",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:40.520165-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:40",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "1031",
|
||
|
|
"SubjectSID": "100061",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:2693",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism builtin:forward-login,privileged",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "188",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:40.526217-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:40",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "1031",
|
||
|
|
"SubjectSID": "100061",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:2693",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism PKINITMechanism:auth,privileged",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "187",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:40.875058-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:41",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "1031",
|
||
|
|
"SubjectSID": "100061",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:2693",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism HomeDirMechanism:login,privileged",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "189",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:41.105265-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthmech",
|
||
|
|
"EventName": "SecSrvr AuthMechanism",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:41",
|
||
|
|
"SubjectAuditID": "4294967295",
|
||
|
|
"SubjectUID": "root",
|
||
|
|
"SubjectGID": "wheel",
|
||
|
|
"SubjectRealUID": "root",
|
||
|
|
"SubjectRealGID": "wheel",
|
||
|
|
"SubjectPID": "1031",
|
||
|
|
"SubjectSID": "100061",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:2693",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "mechanism CryptoTokenKit:login",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "176",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:41.467223-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"TokenVersion": "11",
|
||
|
|
"EventType": "AUE_ssauthorize",
|
||
|
|
"EventName": "SecSrvr AuthEngine",
|
||
|
|
"EventModifier": "",
|
||
|
|
"EventTime": "2021-01-06 21:23:43",
|
||
|
|
"SubjectAuditID": "ruser2",
|
||
|
|
"SubjectUID": "ruser2",
|
||
|
|
"SubjectGID": "staff",
|
||
|
|
"SubjectRealUID": "ruser2",
|
||
|
|
"SubjectRealGID": "staff",
|
||
|
|
"SubjectPID": "1045",
|
||
|
|
"SubjectSID": "100061",
|
||
|
|
"SubjectTerminal": "",
|
||
|
|
"SubjectTerminal.Port": "0:2740",
|
||
|
|
"SubjectTerminal.Host": "0.0.0.0",
|
||
|
|
"Text": "system.services.systemconfiguration.network",
|
||
|
|
"ReturnErrno": "success",
|
||
|
|
"ReturnRetval": "0",
|
||
|
|
"Identity": "",
|
||
|
|
"Identity.SignerType": "1",
|
||
|
|
"Identity.SignerId": "com.apple.authd",
|
||
|
|
"Identity.SignerIdTruncated": "0",
|
||
|
|
"Identity.TeamId": "",
|
||
|
|
"Identity.TeamIdTruncated": "0",
|
||
|
|
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
|
||
|
|
"TrailerCount": "212",
|
||
|
|
"EventReceivedTime": "2021-01-06T21:23:43.509730-08:00",
|
||
|
|
"SourceModuleName": "BSMmacOS",
|
||
|
|
"SourceModuleType": "im_bsm"
|
||
|
|
}
|
||
|
|
]
|