Gatekeeper_approved_apps_macos
osquery
Retrieves all the gatekeeper exceptions on a macOS host
Description
ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.
Query
-- Retrieves all the gatekeeper exceptions on a macOS host
--
-- tags: postmortem
-- platform: darwin
SELECT
  gap.ctime,
  gap.mtime,
  gap.path,
  file.mtime,
  file.uid,
  file.ctime,
  file.gid,
  hash.sha256,
  signature.identifier,
  signature.authority
FROM
  gatekeeper_approved_apps AS gap
  LEFT JOIN file ON gap.path = file.path
  LEFT JOIN hash ON gap.path = hash.path
  LEFT JOIN signature ON gap.path = signature.path
GROUP BY
  gap.requirement
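Because this query is tagged postmortem it returns every Gatekeeper exception rather than the zero rows a detection query aims for, so any alerting has to happen on the consumer side. The following is an added example, not ODK's own code, showing one way to run the query through osqueryi and triage its rows: it flags approved paths that no longer exist on disk, binaries with no signing authority, and hashes that are not on a caller-supplied allowlist. It assumes osqueryi is on PATH for the live path and uses constructed sample rows for the offline path. The file.mtime and file.ctime columns are aliased (file_mtime, file_ctime) because osquery emits each row as a JSON object keyed by column name, so unaliased they would collide with gap.mtime and gap.ctime.

```python
"""Triage helper for the ODK gatekeeper_approved_apps_macos query output.

Added example (not ODK's code). Assumes osquery is installed and that the
query is executed through ``osqueryi --json``; SAMPLE_ROWS below are
constructed, not captured from a real host.
"""
import json
import shutil
import subprocess

# The page's query with the file.* time columns aliased so that every key in
# the JSON output is unique (gap.mtime vs file.mtime would otherwise collide).
GATEKEEPER_EXCEPTIONS_QUERY = """
SELECT
  gap.ctime, gap.mtime, gap.path,
  file.mtime AS file_mtime, file.uid, file.ctime AS file_ctime, file.gid,
  hash.sha256, signature.identifier, signature.authority
FROM gatekeeper_approved_apps AS gap
  LEFT JOIN file ON gap.path = file.path
  LEFT JOIN hash ON gap.path = hash.path
  LEFT JOIN signature ON gap.path = signature.path
GROUP BY gap.requirement
"""


def run_osquery(query=GATEKEEPER_EXCEPTIONS_QUERY):
    """Run the query on this host via osqueryi and return a list of row dicts."""
    if shutil.which("osqueryi") is None:
        raise RuntimeError("osqueryi not found on PATH")
    completed = subprocess.run(
        ["osqueryi", "--json", query],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


def triage(rows, known_good_sha256=frozenset()):
    """Return only the Gatekeeper exceptions that deserve a human look.

    A row is flagged when the approved binary is missing from disk (LEFT JOIN
    on file produced no mtime), when it has no code-signing authority
    (unsigned or ad-hoc signed), or when its sha256 is absent from the
    caller's allowlist.  Each finding carries the list of reasons.
    """
    findings = []
    for row in rows:
        reasons = []
        # osquery renders NULL from a failed LEFT JOIN as an empty string.
        if not row.get("file_mtime"):
            reasons.append("approved path no longer exists on disk")
        if not row.get("authority"):
            reasons.append("no signing authority (unsigned or ad-hoc signed)")
        sha = row.get("sha256") or ""
        if sha and known_good_sha256 and sha not in known_good_sha256:
            reasons.append("sha256 not in allowlist")
        if reasons:
            findings.append({
                "path": row.get("path"),
                "identifier": row.get("identifier"),
                "sha256": sha,
                "reasons": reasons,
            })
    return findings


# Constructed sample output in the shape osqueryi --json produces for the
# aliased query above; paths, hashes and the team id are made up.
SAMPLE_ROWS = [
    {"path": "/Applications/Good.app", "file_mtime": "1700000000",
     "sha256": "aa" * 32, "identifier": "com.example.good",
     "authority": "Developer ID Application: Example Corp (TEAMID0000)"},
    {"path": "/Users/alice/Downloads/tool", "file_mtime": "",
     "sha256": "", "identifier": "", "authority": ""},
    {"path": "/usr/local/bin/helper", "file_mtime": "1700000500",
     "sha256": "bb" * 32, "identifier": "helper", "authority": ""},
]


if __name__ == "__main__":
    try:
        rows = run_osquery()
    except RuntimeError:
        rows = SAMPLE_ROWS  # fall back to the constructed rows when offline
    for finding in triage(rows, known_good_sha256=frozenset({"aa" * 32})):
        print(json.dumps(finding))
```

One caveat when reading the output: the query's GROUP BY gap.requirement collapses every approved app that shares the same requirement string into a single row, and SQLite fills the non-aggregated columns from an arbitrary member of that group, so two distinct paths with one requirement surface as one finding. Drop the GROUP BY in the triage copy of the query if you need one row per path.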