Querying Gatekeeper-related events from the macOS unified log
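#!/usr/bin/env bash
#
# Query Gatekeeper-related events from the macOS unified log.
#
# Usage: gatekeeper-events.sh [WINDOW]
#   WINDOW  time span in the form accepted by `log show --last` (default: 1d)
#
# The first group of queries works on a stock system. The second group is
# only useful once unified-log private data is enabled; without it the
# fields of interest (paths, bundle identifiers) are redacted. Enabling
# private data also exposes those values to anyone who can read the log,
# so turn it back off when the investigation is done.
#
# For offline/IR work, `log show --archive <file.logarchive>` accepts the
# same predicates against a collected archive instead of the live log.

# -e is deliberately not set: one failing query should not hide the others.
set -uo pipefail

window="${1:-1d}"

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v log >/dev/null || die "the 'log' command is only available on macOS"

# Run one `log show` query over the configured window at info+debug level.
# Arguments: $1 - NSPredicate string
# Outputs:   matching entries in syslog style on stdout
query() {
  log show --style syslog --predicate "$1" --info --debug --last "$window"
}

# --- does not require private data ----------------------------------------
# taskgated entries reporting a missing system signature
query 'process == "taskgated" && eventMessage CONTAINS[c] "no system signature"'
# messages carrying the MalwareFileNameFullOrPart field (presumably XProtect
# signature hits; confirm against the entries on your system)
query 'eventMessage CONTAINS[c] "MalwareFileNameFullOrPart"'
# kernel policy refusals
query 'process == "kernel" && eventMessage CONTAINS[c] "Security policy would not allow process"'

# --- requires private data ------------------------------------------------
# Gatekeeper UI prompts; the bundle= value is the part that is redacted
query 'process == "CoreServicesUIAgent" && eventMessage CONTAINS[c] "bundle="'
# LaunchServices code-evaluation category
query 'subsystem == "com.apple.launchservices" && category == "code-evaluation"'
# syspolicyd assessment verdicts
query 'process == "syspolicyd" && eventMessage CONTAINS[c] "Gatekeeper assessment"'

# Assessed paths only, de-duplicated. The path is whatever follows
# "assessment: " or "at: " up to an optional " <--" annotation.
# `print ... if` prints only on a successful match; the original
# `/re/; $1 and print` would re-print a stale $1 from an earlier line.
query 'process == "syspolicyd" && eventMessage MATCHES "(GK process|Gatekeeper) assessment.*"' \
  | perl -ne 'print "$1\n" if /(?:ment|at): (.+?)(?: <--.*|$)/;' \
  | sort -u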
The queries marked "requires private data" only return useful output after unified-log private data has been enabled, e.g. with the configuration profile described at https://georgegarside.com/blog/macos/sierra-console-private/. Note that the mechanism for enabling private data has changed across macOS releases, so confirm the profile still applies to your version. Enabling it also exposes sensitive values (file paths, user names) in the log to anyone able to read it; remove the profile once the investigation is complete.