Question

Auditing Admin Actions

  • September 24, 2019
  • 1 reply
  • 10 views

mykool

Does anyone know of a way to monitor admin actions? Like when an admin account is created, or when you have to authenticate as an admin to do something?

1 reply

PaulHazelden
  • Jamf Heroes
  • September 25, 2019

dscl . -read /Groups/admin GroupMembership | sed 's/^.*: //'

Will give you the members of the admin group on the Mac. You should be able to check it for changes. Then if a new admin account is created you can be informed of this change.

I use this to compare to a list of authorised admin accounts, and demote any not authorised back to a standard account. The script also emails me the relevant information, so that I can investigate.

I haven't investigated logging admin authentications.
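
One way to implement the comparison described in the reply above, as an added example that is not part of the original post and not the poster's own script. The allowlist names, the `AUTHORISED_ADMINS` and `DEMOTE` variables, and the use of `dseditgroup` for demotion are assumptions.

```shell
#!/bin/sh
# Added example: flag local admin accounts that are not on an approved list.
# AUTHORISED_ADMINS, DEMOTE and the account names are constructed placeholders.
AUTHORISED_ADMINS="${AUTHORISED_ADMINS:-root itadmin}"

# Direct members of the local admin group (command from the reply above).
current_admins() {
    dscl . -read /Groups/admin GroupMembership | sed 's/^.*: //'
}

# find_unauthorised_admins "<members>" "<allowlist>"
# Prints, one per line, each member that is not an exact match on the allowlist.
find_unauthorised_admins() {
    members=$1
    # Accept spaces, tabs or newlines between allowlist entries.
    allowed=$(printf '%s' "$2" | tr -s '[:space:]' ' ')
    for user in $members; do
        case " $allowed " in
            *" $user "*) ;;                  # whole-name match: authorised
            *) printf '%s\n' "$user" ;;      # e.g. "admin" must not match "itadmin"
        esac
    done
}

# Remove one account from the admin group, leaving it a standard account.
# Assumption: dseditgroup is the demotion method; the reply does not say.
demote_admin() {
    dseditgroup -o edit -d "$1" -t user admin
}

# Report only by default; set DEMOTE=1 to also demote. Skipped where dscl is absent.
if command -v dscl >/dev/null 2>&1; then
    find_unauthorised_admins "$(current_admins)" "$AUTHORISED_ADMINS" |
    while IFS= read -r name; do
        logger -t admin-audit "unauthorised admin account: $name"
        echo "unauthorised admin account: $name"
        if [ "${DEMOTE:-0}" = "1" ]; then demote_admin "$name"; fi
    done
fi
```

`GroupMembership` lists only direct members, so an account that gains admin rights through a nested group will not appear in this output.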