Gatekeeper

Overview

Evidence: Gatekeeper
Description: Collect Gatekeeper details
Category: System
Platform: macos
Short Name: gatek
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Gatekeeper is macOS's security feature that controls which applications can run on the system. This data is essential for understanding application security policies, detecting bypassed controls, and investigating application-based incidents.

Data Collected

This collector gathers structured data about Gatekeeper.

Gatekeeper Data

Field               Description          Example
AssessmentEnabled   Assessment Enabled   123
DevIDEnabled        Dev ID Enabled       123
Version             Version              Example value
OpaqueVersion       Opaque Version       Example value

Collection Method

This collector queries the gatekeeper table via osquery and collects related policy files under /var/db/SystemPolicyConfiguration/.

Forensic Value

This evidence is crucial for forensic investigations as it reveals Gatekeeper configuration and state, helping identify weakened protections or policy tampering.
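The following is an added example, not the collector's own code, showing how an analyst could evaluate the gatekeeper rows this collector gathers (the osquery query under Collection Method) to spot the weakened protections mentioned above. It assumes the osquery `gatekeeper` table schema (columns assessments_enabled, dev_id_enabled, version, opaque_version) and the JSON shape produced by `osqueryi --json`, in which every column value is a string; the host names, version strings and the `assess_gatekeeper` / `fleet_summary` helper names are constructed for the example. It does not inspect the policy files under /var/db/SystemPolicyConfiguration/.

```python
import json

# Query in the form the collector is described as running (osquery schema names).
GATEKEEPER_QUERY = (
    "SELECT assessments_enabled, dev_id_enabled, version, opaque_version "
    "FROM gatekeeper;"
)

# Constructed sample output, one entry per host, in `osqueryi --json` shape.
# host-a is healthy, host-b has assessments switched off, host-c returned nothing.
SAMPLE_OUTPUT = {
    "host-a": '[{"assessments_enabled":"1","dev_id_enabled":"1",'
              '"version":"v-constructed","opaque_version":"ov-constructed"}]',
    "host-b": '[{"assessments_enabled":"0","dev_id_enabled":"1",'
              '"version":"v-constructed","opaque_version":"ov-constructed"}]',
    "host-c": "[]",
}


def _as_int(value):
    """osquery JSON carries integers as strings; accept either form."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def assess_gatekeeper(json_text):
    """Evaluate one host's gatekeeper JSON output (hypothetical helper).

    Only assessments_enabled != 1 is treated as a weakening: with assessments
    off Gatekeeper is not evaluating applications at all. dev_id_enabled is
    reported as context only, because 0 is the stricter "App Store only"
    setting rather than a weakened one.
    """
    rows = json.loads(json_text)
    if not rows:
        # No row at all usually means the collector failed or the table was
        # unreadable; treat that as a gap to follow up, not as a clean host.
        return {"status": "no_data", "findings": ["no gatekeeper row returned"]}
    row = rows[0]
    findings = []
    if _as_int(row.get("assessments_enabled")) != 1:
        findings.append("assessments disabled: Gatekeeper is not evaluating apps")
    return {
        "status": "weakened" if findings else "ok",
        "findings": findings,
        "dev_id_allowed": _as_int(row.get("dev_id_enabled")) == 1,
        "version": row.get("version"),
        "opaque_version": row.get("opaque_version"),
    }


def fleet_summary(outputs):
    """Group hosts by Gatekeeper status and index them by reported version.

    A host whose version differs from the rest of the fleet is worth a look
    alongside the weakened ones (stale or tampered Gatekeeper data).
    """
    summary = {"ok": [], "weakened": [], "no_data": [], "versions": {}}
    for host, json_text in sorted(outputs.items()):
        result = assess_gatekeeper(json_text)
        summary[result["status"]].append(host)
        if result["status"] != "no_data":
            summary["versions"].setdefault(result["version"], []).append(host)
    return summary


if __name__ == "__main__":
    print("query:", GATEKEEPER_QUERY)
    for host, text in SAMPLE_OUTPUT.items():
        print(host, assess_gatekeeper(text))
    print(fleet_summary(SAMPLE_OUTPUT))
```

Run against real data, the `SAMPLE_OUTPUT` dict would be replaced by the per-host JSON this collector ships to the Investigation Hub; the status grouping is what lets an analyst triage hosts with disabled assessments first.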
