sudo.log & Authorization Logs

Location

Description

macOS authorization and privilege escalation logs capturing sudo command usage, authorization plugin decisions, and authentication dialog events. sudo usage is logged to the Unified Log and optionally to /var/log/sudo.log. The authd subsystem records authorization rights evaluations for password prompts, installer authentication, and system preference changes.

Forensic Value

Sudo log entries record the exact commands executed with elevated privileges, the requesting user, the target user (typically root), and the timestamp, providing a complete privileged command execution audit trail. Failed sudo attempts indicate password guessing or unauthorized privilege escalation attempts. The authd logs reveal when users were prompted for authentication and whether they approved, which is relevant for detecting social engineering attacks that trick users into entering passwords. Correlating sudo timestamps with shell history and process execution artifacts builds a comprehensive privileged activity timeline.

Tools Required

Collection Commands

log show --last 7d --predicate "process == 'sudo'" > /forensics/sudo_log.txt

log show --last 7d --predicate "subsystem == 'com.apple.authd'" > /forensics/authd_log.txt

sudo cp /var/log/sudo.log /var/log/authd.log /forensics/auth_logs/ 2>/dev/null

python mac_apt.py -i /path/to/image -o /forensics/output SUDOLOGS

Collection Constraints

• •Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
• •Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

References