The relevant information is logged in a very technical, very verbose way in the file /var/log/secure.log
. Unfortunately, it does not log the exact action that was authorized, in most cases, it's just com.apple.familycontrols.override
.
I just created a user account child
(UID 503) that has parental controls enabled and it's still a "school night" as configured in System Preferences, so no permission to log in.
I then entered my Administrator user (named danielbeck
, UID 501) and password to allow it anyway, and this is what it looks like in the log file:
Dec 13 09:24:14 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'com.apple.familycontrols.loginwindow.override' by client '/System/Library/CoreServices/loginwindow.app' [6185] for authorization created by '/System/Library/CoreServices/loginwindow.app' [6185]
Dec 13 09:24:14 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'com.apple.familycontrols.loginwindow.override' by client '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/parentalcontrolsd' [6216] for authorization created by '/System/Library/CoreServices/loginwindow.app' [6185]
Dec 13 09:24:15 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'system.login.done' by client '/System/Library/CoreServices/loginwindow.app' [6185] for authorization created by '/System/Library/CoreServices/loginwindow.app' [6185]
Unfortunately, for the login itself, there doesn't seem to be a record of who authorized it. But the date and time of logins should be sufficient. A few lines above that, you will probably find the account name and UID of the user logging in though:
Dec 13 09:24:03 Servus10 authorizationhost[6209]: in pam_sm_setcred(): Establishing credentials
Dec 13 09:24:03 Servus10 authorizationhost[6209]: in pam_sm_setcred(): Got user: child
[...]
Dec 13 09:24:03 Servus10 authorizationhost[6209]: in ac_complete(): ac_complete returned: 0 for 503
Authorizing applications looks more informative though, with the authorizing user in the first quoted line:
Dec 13 09:36:33 Servus10 com.apple.SecurityServer[28]: UID 503 authenticated as user daniel beck (UID 501) for right 'com.apple.familycontrols.override'
Dec 13 09:36:33 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'com.apple.familycontrols.override' by client '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/ParentalControls.app' [6587] for authorization created by '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/ParentalControls.app' [6587]
Dec 13 09:36:33 Servus10 com.apple.SecurityServer[28]: Succeeded authorizing right 'com.apple.familycontrols.override' by client '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/parentalcontrolsd' [6449] for authorization created by '/System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/ParentalControls.app' [6587]
Coupled with the dated information in the program access logs, this should provide you some insight. Applications appear there even if not permanently authorized.
Web sites can only be visited when permanently authorized, so System Preferences should provide you some information about that. Again, coupled with the date and time of first access, look for the authorization in secure.log
If the restricted users are knowledgable and actually have administrative access, they can of course modify the contents of that log file, but it's probably obscure enough.
secure.log
is rotated, with older parts stored using bzip2 compression in /var/log/secure.log.N.bz2
, with N
starting at 0
.
Execute the following command in Terminal to make a copy of these files your home directory and unzip it:
cp /var/log/secure.*.bz2 ~ ; cd ; bunzip2 *.bz2
Afterwards, there'll be secure.log.N
files in your home directory.