Notable Events
The Notable Events window shows a summary of the audit trail and highlights a number of events that might be of interest.
Basic Statistics
Basic Statistics displays standard information about the audit trail that was processed. The fields include:
File
This field identifies the audit file that was processed. Currently Audit Explorer only analyzes a single audit trail file at a time.
Start, End
These fields identify the timestamps of the first and last audit records in the audit file.
Records
This field identifies the total number of audit records processed.
Sessions
This field identifies the total number of processes (we use the term "sessions") observed in the audit trail file.
System Modifications
This section identifies processes that modified system files. Modification of certain operating system files by rogue programs or users can compromise the security and integrity of your computer.
Protected system files are those whose paths begin with the following prefixes:
/usr/
/etc/
/private/etc/
/bin/
/sbin/
/System/
/Applications/
/mach_kernel
There are several exceptions. Writing to files with paths that begin with the following will not be reported here:
/System/Library/Caches/
/private/var/folders/
/Applications/.DS_Store
Security Accesses
This section identifies processes that read certain security files. Some processes need to read these files. For example, processes like sshd need to read audit configuration files to (presumably) set which actions of that process should generate audit records. This section lists both the programs that need to do this and any other programs accessing these files; the latter may indicate something suspicious.
A process is listed here if it merely reads any protected security file, that is, any file whose path begins with one of the following prefixes:
/etc/security/
/private/etc/security/
/var/audit/
/private/var/audit/
Non-standard Programs
This section identifies processes that run programs outside a standard set of directories (path prefixes, actually). These standard directories are where programs generally belong, and a program outside one of these directories might be a rogue program (e.g., an Advanced Persistent Threat).
Standard application paths begin with the following prefixes:
/bin/
/sbin/
/usr/bin/
/usr/sbin/
/usr/libexec/
/Applications/
/System/Library/
/Library/Application Support/
/Developer/
If you are a programmer, you will see your programs, as well as some interesting programs Xcode seems to create, in this list. Also, software updates include downloading installation scripts that must be run, and they will show up here. If you have Google Chrome installed, it has a little program that shows up here; there are serious security issues with this little program, but we will touch on those in a later article.
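The three rules above (writes to protected system files minus the exceptions, reads of protected security files, and executions outside the standard application paths) are all prefix matches over the file path in a record, so they can be applied to a processed trail in a few lines. The following is an added illustration written for this page, not Audit Explorer's own code: the AuditRecord structure, the event names and the sample records are constructed simplifications of a processed audit trail, not the BSM record format, and the prefix lists are copied from the sections above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Prefix lists exactly as given in the sections above.
SYSTEM_FILE_PREFIXES = (
    "/usr/", "/etc/", "/private/etc/", "/bin/", "/sbin/",
    "/System/", "/Applications/", "/mach_kernel",
)
SYSTEM_FILE_EXCEPTIONS = (
    "/System/Library/Caches/", "/private/var/folders/", "/Applications/.DS_Store",
)
SECURITY_FILE_PREFIXES = (
    "/etc/security/", "/private/etc/security/", "/var/audit/", "/private/var/audit/",
)
STANDARD_PROGRAM_PREFIXES = (
    "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
    "/Applications/", "/System/Library/", "/Library/Application Support/", "/Developer/",
)


@dataclass(frozen=True)
class AuditRecord:
    """Constructed, simplified view of one processed audit record (assumption:
    real BSM records carry more fields and use different event names)."""
    session: int   # process identifier ("session" in Audit Explorer's terms)
    program: str   # path of the executable that performed the action
    event: str     # "exec", "open_r" (open for reading) or "open_w" (open for writing)
    path: str      # file path the event refers to; for "exec", the program executed


def is_system_modification(rec: AuditRecord) -> bool:
    """Write to a protected system file, unless the path falls under an exception."""
    return (rec.event == "open_w"
            and rec.path.startswith(SYSTEM_FILE_PREFIXES)
            and not rec.path.startswith(SYSTEM_FILE_EXCEPTIONS))


def is_security_access(rec: AuditRecord) -> bool:
    """Any open of a protected security file; reading alone is enough."""
    return rec.event in ("open_r", "open_w") and rec.path.startswith(SECURITY_FILE_PREFIXES)


def is_nonstandard_program(rec: AuditRecord) -> bool:
    """Execution of a program outside the standard application paths."""
    return rec.event == "exec" and not rec.path.startswith(STANDARD_PROGRAM_PREFIXES)


Entry = Tuple[int, str, str]  # (session, program, path)


def notable_events(records: List[AuditRecord]) -> Dict[str, List[Entry]]:
    """Classify records into the three categories; one entry per matching record."""
    result: Dict[str, List[Entry]] = {
        "system_modifications": [],
        "security_accesses": [],
        "nonstandard_programs": [],
    }
    for rec in records:
        entry = (rec.session, rec.program, rec.path)
        if is_system_modification(rec):
            result["system_modifications"].append(entry)
        if is_security_access(rec):
            result["security_accesses"].append(entry)
        if is_nonstandard_program(rec):
            result["nonstandard_programs"].append(entry)
    return result


def basic_statistics(records: List[AuditRecord]) -> Dict[str, int]:
    """Record count and distinct process ("session") count, as in Basic Statistics."""
    return {"records": len(records), "sessions": len({r.session for r in records})}


# Constructed sample trail: the paths are illustrative, not taken from a real system.
SAMPLE_RECORDS = [
    AuditRecord(101, "/usr/bin/vim", "open_w", "/etc/hosts"),                    # system modification
    AuditRecord(102, "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
                "open_w", "/Applications/.DS_Store"),                             # excepted
    AuditRecord(103, "/usr/sbin/sshd", "open_r", "/etc/security/audit_control"),  # security access
    AuditRecord(104, "/Users/alice/Downloads/updater", "exec",
                "/Users/alice/Downloads/updater"),                                # non-standard program
    AuditRecord(105, "/bin/ls", "exec", "/bin/ls"),                               # standard path, not listed
    AuditRecord(106, "/usr/bin/touch", "open_w",
                "/System/Library/Caches/com.example.cache"),                      # excepted
    AuditRecord(104, "/Users/alice/Downloads/updater", "open_w",
                "/Library/Application Support/Example/state.db"),                 # not a protected prefix
]


if __name__ == "__main__":
    print(basic_statistics(SAMPLE_RECORDS))
    for category, entries in notable_events(SAMPLE_RECORDS).items():
        print(category)
        for session, program, path in entries:
            print(f"  session {session}: {program} -> {path}")
```

Note that the last sample record shows why the prefix lists matter: a program outside the standard paths writing under /Library/Application Support/ is flagged as a non-standard program when it runs, but the write itself is not a system modification, because that directory is not on the protected list. Run the file directly to see the per-category listing for the constructed trail.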
Authentications
Almost every time you need to enter a password on the Mac — to log in at the console, to log in over ssh or sftp, to mount a file system, to escalate privileges, and so on — that fact is recorded here.
In addition to the session ID, this section indicates whether the password was successfully entered or not (SUCC or FAIL), the user that was being authenticated, and the program that was requesting the user's password.

@NetSquared_USA  copyright Net Squared, Inc., 2008-2013