sudo.log & Authorization Logs
Location
/var/log/sudo.log (if configured), /var/log/authd.log, and Unified Log (subsystem: com.apple.authd)
Description
macOS authorization and privilege escalation logs capturing sudo command usage, authorization plugin decisions, and authentication dialog events. sudo writes its entries through syslog, so on modern macOS they land in the Unified Log (process sudo); it also writes to /var/log/sudo.log when sudoers enables a log file with a Defaults logfile setting. The authd subsystem records authorization rights evaluations behind password prompts, installer authentication, and System Settings (System Preferences) changes.
Forensic Value
Sudo log entries record the invoking user, the TTY, the working directory (PWD), the target user (USER=, typically root), the exact command executed, and a timestamp, giving an audit trail of commands launched through sudo. Failed attempts are logged with a reason, such as "N incorrect password attempts" (password guessing) or "user NOT in sudoers" (an account trying to escalate without authorization). One caveat: sudo logs only the command it launched, so a root shell obtained with sudo -i or sudo -s appears as a single COMMAND=/bin/zsh (or similar) entry and everything typed into that shell is invisible here, which makes shell-spawning sudo entries high-value pivots into shell history and process execution artifacts. The authd logs reveal when users were prompted for authentication and whether they approved, which is relevant for detecting social engineering attacks that trick users into entering passwords. Correlating sudo timestamps with shell history and process execution artifacts builds a comprehensive privileged activity timeline.
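The following parser is an added example, not code from the original page or from any tool it describes. It turns sudo entries into a privileged-command timeline and separates successful runs from failures, flagging password-guessing counts, accounts not in sudoers, and entries that hand out an interactive root shell. It relies on the message format sudo writes being the same in /var/log/sudo.log and in the Unified Log; the sample lines are constructed, and the one Unified Log line is assumed to be in the shape of `log show --style syslog` output. The function and field names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# sudo's message body is "user : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# whether it lands in /var/log/sudo.log ("Mon DD HH:MM:SS : user : ...") or in the
# Unified Log ("... sudo[pid]: user : ..." when shown with --style syslog), so one
# pattern serves both. Whatever precedes "user : " is kept verbatim as the stamp.
SUDO_RE = re.compile(
    r'(?:^|: )(?P<user>[\w.\-]+) : '        # invoking user
    r'(?:(?P<reason>[^;]+?) ; )?'           # failure reason, absent when the command ran
    r'TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; '
    r'USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$'
)
BAD_PW_RE = re.compile(r'(\d+) incorrect password attempts?')
# COMMAND basenames that give the caller an interactive root shell (sudo -i / -s / su);
# sudo logs nothing further for what is typed into that shell.
SHELLS = {'sh', 'bash', 'zsh', 'su'}


@dataclass
class SudoEvent:
    stamp: str
    user: str
    target: str
    tty: str
    pwd: str
    command: str
    reason: Optional[str] = None   # None means the command actually ran

    @property
    def failed(self) -> bool:
        return self.reason is not None

    @property
    def spawns_shell(self) -> bool:
        first = (self.command.split() or [''])[0]
        return first.rsplit('/', 1)[-1] in SHELLS


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo log line, or None for anything else."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return SudoEvent(stamp=line[:m.start()].strip(), user=m['user'],
                     target=m['target'], tty=m['tty'], pwd=m['pwd'],
                     command=m['command'], reason=m['reason'])


def parse_sudo_log(text: str) -> List[SudoEvent]:
    return [e for e in (parse_sudo_line(l) for l in text.splitlines()) if e]


def triage(events: List[SudoEvent]) -> Dict[str, object]:
    """Split events into a success timeline and the failure/shell signals an analyst pivots on."""
    bad_passwords: Counter = Counter()
    not_in_sudoers, shell_spawns, timeline = [], [], []
    for e in events:
        if e.failed:
            n = BAD_PW_RE.search(e.reason)
            if n:
                bad_passwords[e.user] += int(n.group(1))
            elif 'NOT in sudoers' in e.reason:
                not_in_sudoers.append((e.stamp, e.user, e.command))
            continue
        timeline.append((e.stamp, e.user, e.target, e.command))
        if e.spawns_shell:
            shell_spawns.append((e.stamp, e.user, e.tty, e.command))
    return {'bad_passwords': dict(bad_passwords), 'not_in_sudoers': not_in_sudoers,
            'shell_spawns': shell_spawns, 'timeline': timeline}


# Constructed sample: four /var/log/sudo.log lines, one Unified Log line, one unrelated line.
SAMPLE_LOG = """\
Jan 12 10:15:32 : alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id
Jan 12 10:15:40 : alice : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id
Jan 12 10:16:02 : bob : user NOT in sudoers ; TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
Jan 12 10:17:11 : alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/zsh
2024-01-12 10:18:05.442190-0500  mac-host sudo[1337]: alice : TTY=ttys001 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/dscl . -append /Groups/admin GroupMembership mallory
Jan 12 10:19:00 alice : unrelated noise line
"""

if __name__ == '__main__':
    report = triage(parse_sudo_log(SAMPLE_LOG))
    for key, value in report.items():
        print(key, value)
```

The shell_spawns list is where the timeline goes dark: the /bin/zsh entry tells you alice had a root shell from 10:17:11 on, so the next stop is root's shell history and process execution artifacts for that window rather than further sudo entries.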