How do I review MacOS Parental Control overrides?

3

I use Parental Controls in MacOS 10.6.1 to limit the amount of time my kids use the computer. Sometimes, my kids seem to be getting more time than they're supposed to get, or at times of day when they should not. It is possible that the system is incorrectly letting them in (or stay in). Or, it is possible that they've found a way to authorize more time, e.g., by using an administrator's password.

How do I review a list of events in which an administrator password was used to override a parental control, eg, to allow them to log in, to give them more time, to authorize an application or website, ... ?

I've seen the (very useful) post about how to read the .data files kept by Parental Controls, but that file doesn't tell me the above sorts of things.

David

Posted 2011-11-21T11:35:12.760

Reputation: 31

Answers

1

The relevant information is logged in a very technical, very verbose way in the file /var/log/secure.log. Unfortunately, it does not log the exact action that was authorized, in most cases, it's just com.apple.familycontrols.override.

I just created a user account child (UID 503) that has parental controls enabled and it's still a "school night" as configured in System Preferences, so no permission to log in. I then entered my Administrator user (named danielbeck, UID 501) and password to allow it anyway, and this is what it looks like in the log file:

Dec 13 09:24:14 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'com.apple.familycontrols.loginwindow.override' by client '/System/Library/CoreServices/loginwindow.app' [6185] for authorization created by '/System/Library/CoreServices/loginwindow.app' [6185]

Dec 13 09:24:14 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'com.apple.familycontrols.loginwindow.override' by client '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/parentalcontrolsd' [6216] for authorization created by '/System/Library/CoreServices/loginwindow.app' [6185]

Dec 13 09:24:15 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'system.login.done' by client '/System/Library/CoreServices/loginwindow.app' [6185] for authorization created by '/System/Library/CoreServices/loginwindow.app' [6185]

Unfortunately, for the login itself, there doesn't seem to be a record of who authorized it. But the date and time of logins should be sufficient. A few lines above that, you will probably find the account name and UID of the user logging in though:

Dec 13 09:24:03 Servus10 authorizationhost[6209]: in pam_sm_setcred(): Establishing credentials

Dec 13 09:24:03 Servus10 authorizationhost[6209]: in pam_sm_setcred(): Got user: child

[...]

Dec 13 09:24:03 Servus10 authorizationhost[6209]: in ac_complete(): ac_complete returned: 0 for 503

Authorizing applications looks more informative though, with the authorizing user in the first quoted line:

Dec 13 09:36:33 Servus10 com.apple.SecurityServer[28]: UID 503 authenticated as user daniel beck (UID 501) for right 'com.apple.familycontrols.override'

Dec 13 09:36:33 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'com.apple.familycontrols.override' by client '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/ParentalControls.app' [6587] for authorization created by '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/ParentalControls.app' [6587]

Dec 13 09:36:33 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'com.apple.familycontrols.override' by client '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/parentalcontrolsd' [6449] for authorization created by '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/ParentalControls.app' [6587]

Coupled with the dated information in the program access logs, this should provide you some insight. Applications appear there even if not permanently authorized.

Web sites can only be visited when permanently authorized, so System Preferences should provide you some information about that. Again, coupled with the date and time of first access, look for the authorization in secure.log

If the restricted users are knowledgable and actually have administrative access, they can of course modify the contents of that log file, but it's probably obscure enough.

secure.log is rotated, with older parts stored using bzip2 compression in /var/log/secure.log.N.bz2, with N starting at 0.

Execute the following command in Terminal to make a copy of these files your home directory and unzip it:

cp /var/log/secure.*.bz2 ~ ; cd ; bunzip2 *.bz2

Afterwards, there'll be secure.log.N files in your home directory.

Daniel Beck

Posted 2011-11-21T11:35:12.760

Reputation: 98 421

Asked: 2011-11-21T11:35:12.760

Viewed: 1 097 times

Active: 2013-04-09T18:12:21.663