@nikolay-n
Last active October 26, 2021 23:14
Gatekeeper events querying from unified logs
#!/usr/bin/env bash
# Query Gatekeeper-related events from the macOS unified log (syslog style, last 24 hours).
# The first three queries do not require unified-log private data to be enabled.
# taskgated: binaries rejected because they carry no valid system signature
log show --style syslog --predicate 'process == "taskgated" && eventMessage CONTAINS[c] "no system signature"' --info --debug --last 1d
# any process reporting a MalwareFileNameFullOrPart match
log show --style syslog --predicate 'eventMessage CONTAINS[c] "MalwareFileNameFullOrPart"' --info --debug --last 1d
# kernel: process execution blocked by system security policy
log show --style syslog --predicate 'process == "kernel" && eventMessage CONTAINS[c] "Security policy would not allow process"' --info --debug --last 1d
# The following queries require unified-log private data to be enabled (see the comment below).
# CoreServicesUIAgent messages that include a bundle= field
log show --style syslog --predicate 'process == "CoreServicesUIAgent" && eventMessage CONTAINS[c] "bundle="' --info --debug --last 1d
# LaunchServices code-evaluation category
log show --style syslog --predicate 'subsystem == "com.apple.launchservices" && category == "code-evaluation"' --info --debug --last 1d
# syspolicyd Gatekeeper assessment results
log show --style syslog --predicate 'process == "syspolicyd" && eventMessage CONTAINS[c] "Gatekeeper assessment"' --info --debug --last 1d
# Shows only the assessed paths, deduplicated: the perl captures the text after "assessment: " or "at: ",
# dropping any trailing " <-- ..." part of the message
log show --style syslog --predicate 'process == "syspolicyd" && eventMessage MATCHES "(GK process|Gatekeeper) assessment.*"' --info --debug --last 1d | perl -ne '/(?:ment|at): (.+?)(?: <--.*|$)/;$1 and print $1,"\n";' | sort | uniq
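As an added example (not part of the gist), the path-extraction pipeline from the last command rewritten in Python so the assessed paths are also counted, run over constructed sample lines; the exact layout of syspolicyd messages is an assumption here and should be checked against real `log show --style syslog` output before relying on the regexes.

```python
import re
import sys
from collections import Counter

# Same capture as the gist's perl one-liner: the text after "assessment: " or "at: ",
# cut off at an optional " <-- ..." suffix.
PATH_RE = re.compile(r"(?:ment|at): (.+?)(?: <--.*|$)")
# Keep only lines that would have passed the gist's predicate:
# process syspolicyd and a "GK process assessment"/"Gatekeeper assessment" message.
LINE_RE = re.compile(r"\bsyspolicyd\[\d+\].*?(?:GK process|Gatekeeper) assessment")


def extract_path(line: str):
    """Return the assessed path from one syslog-style `log show` line, or None."""
    if not LINE_RE.search(line):
        return None
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def summarize(lines):
    """Map each assessed path to the number of assessment messages naming it
    (the gist's `sort | uniq`, but with counts kept)."""
    counts = Counter()
    for line in lines:
        path = extract_path(line)
        if path:
            counts[path] += 1
    return dict(counts)


# Constructed sample lines in syslog style (assumed layout, not captured output).
SAMPLE = """\
2020-10-04 10:12:01.000001+0300 mac syspolicyd[312]: (Security) GK process assessment: /Applications/Foo.app <-- (/usr/bin/open, /Users/alice/Downloads/Foo.dmg)
2020-10-04 10:12:05.000002+0300 mac syspolicyd[312]: (Security) Gatekeeper assessment: /Users/alice/Downloads/tool
2020-10-04 10:12:09.000003+0300 mac syspolicyd[312]: (Security) GK process assessment: /Applications/Foo.app <-- (/usr/bin/open, /Users/alice/Downloads/Foo.dmg)
2020-10-04 10:13:00.000004+0300 mac kernel[0]: Security policy would not allow process: 4242, /Users/alice/Downloads/tool
""".splitlines()

if __name__ == "__main__":
    # Pipe `log show ...` output in, or run with no input to use the sample lines.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for path, n in sorted(summarize(source).items()):
        print(f"{n:4d}  {path}")
```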
nikolay-n commented Oct 4, 2020

Need to enable unified-log private data using the profile from here: https://georgegarside.com/blog/macos/sierra-console-private/