Gatekeeper
Overview
Evidence: Gatekeeper
Description: Collect Gatekeeper details
Category: System
Platform: macos
Short Name: gatek
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Gatekeeper is the macOS security feature that controls which applications are allowed to launch on the system. Its configuration is essential for understanding the application security policy in force, detecting controls that have been bypassed or disabled, and investigating application-based incidents.
Data Collected
This collector gathers structured data about Gatekeeper.
Gatekeeper Data
| Field | Description | Example |
|---|---|---|
| AssessmentEnabled | Whether Gatekeeper assessment of launched applications is enabled | 123 |
| DevIDEnabled | Whether the Developer ID rule (allow Developer ID signed applications) is enabled | 123 |
| Version | Gatekeeper policy version | Example value |
| OpaqueVersion | Gatekeeper opaque whitelist version | Example value |
Collection Method
This collector queries the gatekeeper table via osquery and collects the related policy files under /var/db/SystemPolicyConfiguration/.
Forensic Value
This evidence is crucial for forensic investigations because it reveals the Gatekeeper configuration and state at collection time, helping identify weakened protections (for example, assessment switched off) or policy tampering.
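The following is an added example of how an analyst might triage the collected data; it is not part of the collector or the product described on this page. It assumes the collector stores the rows returned by osquery's gatekeeper table as JSON with osquery's column names (assessments_enabled, dev_id_enabled, version, opaque_version), maps them onto the field names from the Data Collected table, and applies the "weakened protections" checks the Forensic Value section calls for. The sample osquery output is constructed for this example.

```python
"""Triage of Gatekeeper collector output (added example, not the collector's code).

Assumption: the collected evidence is the JSON array that
`osqueryi --json "SELECT * FROM gatekeeper"` returns, using osquery's column
names. The sample rows below are constructed and do not come from a real host.
"""
import json
from typing import Any, Dict, List, Tuple

# osquery column name -> field name used by this collector (Data Collected table).
FIELD_MAP = {
    "assessments_enabled": "AssessmentEnabled",
    "dev_id_enabled": "DevIDEnabled",
    "version": "Version",
    "opaque_version": "OpaqueVersion",
}
INT_FIELDS = ("AssessmentEnabled", "DevIDEnabled")

# Constructed sample: a host where Gatekeeper assessment has been switched off.
SAMPLE_WEAKENED = """
[{"assessments_enabled":"0","dev_id_enabled":"1",
  "version":"181","opaque_version":"constructed-opaque-version"}]
"""

# Constructed sample: default, healthy configuration.
SAMPLE_HEALTHY = """
[{"assessments_enabled":"1","dev_id_enabled":"1",
  "version":"181","opaque_version":"constructed-opaque-version"}]
"""


def parse_gatekeeper_output(raw_json: str) -> List[Dict[str, Any]]:
    """Parse osquery JSON rows into records keyed by the collector's field names.

    osquery's JSON mode can emit integer columns as strings, so the two
    flag fields are coerced to int; version strings are kept verbatim.
    """
    records = []
    for row in json.loads(raw_json):
        rec: Dict[str, Any] = {}
        for col, field in FIELD_MAP.items():
            value = row.get(col)
            if field in INT_FIELDS and value is not None:
                value = int(value)
            rec[field] = value
        records.append(rec)
    return records


def assess_gatekeeper(record: Dict[str, Any]) -> List[str]:
    """Return findings describing weakened or unusual Gatekeeper state."""
    findings: List[str] = []
    if record.get("AssessmentEnabled") == 0:
        findings.append(
            "HIGH: Gatekeeper assessment disabled; applications launch "
            "without signature/notarization evaluation"
        )
    if record.get("AssessmentEnabled") == 1 and record.get("DevIDEnabled") == 0:
        # Developer ID rule off with assessment on is stricter than default
        # (App Store only), so it is informational rather than a weakening.
        findings.append("INFO: Developer ID rule disabled; policy is stricter than default")
    if not record.get("Version"):
        findings.append(
            "MEDIUM: policy version missing; confirm files under "
            "/var/db/SystemPolicyConfiguration/ were collected intact"
        )
    return findings


def triage(raw_json: str) -> List[Tuple[Dict[str, Any], List[str]]]:
    """Parse collector output and pair every record with its findings."""
    return [(rec, assess_gatekeeper(rec)) for rec in parse_gatekeeper_output(raw_json)]


if __name__ == "__main__":
    for label, sample in (("weakened", SAMPLE_WEAKENED), ("healthy", SAMPLE_HEALTHY)):
        for rec, findings in triage(sample):
            print(label, rec, findings or ["no findings"])
```

The severity labels and the choice to treat a disabled Developer ID rule as informational are this example's own conventions; an analyst would align them with the investigation's baseline for the host in question.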