Array of Values Preference Key Note
Some preference keys take an array of values. The following /usr/bin/defaults command can be used to add a single string element to a plist array without overwriting the existing entries:
defaults write /Library/Preferences/com.cmdsec.cmdReporter.plist AuditEventExcludedProcesses -array-add '/usr/sbin/syslogd'
Event Filter Preference Keys
Key | Value Type | Sample Value | Function
---|---|---|---
AuditEventExcludedProcesses | Array of Strings | /usr/local/jamf/bin/jamf, /usr/sbin/mDNSResponder | Exclude specific process paths based on the subject.process_name field in cmdReporter logs. Multiple values can be defined to filter third-party programs.
AuditEventLogVerboseMessages | bool | false | Log all terminal, script, and other verbose events not included in the default log output.
Excluded Processes Filter
The AuditEventExcludedProcesses preference is the primary way to remove noisy or unhelpful logs from cmdReporter's log output. Configuration is straightforward: define the paths to the processes that you wish to exclude from cmdReporter logs, and any process or child process started from those paths will be excluded from cmdReporter's logs.
There are two behaviors to note when defining processes to filter:
- No regex:
  - No wildcards or regular expressions are interpreted when matching defined path names; a path must match the subject.process_name field exactly.
- Includes child processes:
  - All processes forked or otherwise spawned from the filtered process will also be excluded from cmdReporter's logs.
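The two rules above, modeled in Python over a constructed process tree. This is an added illustration, not cmdReporter's own code; the pid/ppid/process_name event fields are assumed approximations of its log records, and the exclusion list is the one from the table.

```python
"""Model of the AuditEventExcludedProcesses filter as documented: literal path
matching (no wildcards or regex) and exclusion of every descendant of an
excluded process. Added illustration, not cmdReporter's code; the event
fields below are a constructed approximation of its log records."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    process_name: str  # stands in for subject.process_name


def is_excluded(event, excluded, by_pid):
    """True if the event's process, or any ancestor still in the table,
    has a path literally equal to an entry in `excluded`."""
    excluded = set(excluded)
    seen = set()
    cur = event
    while cur is not None and cur.pid not in seen:
        if cur.process_name in excluded:  # exact string compare, no globbing
            return True
        seen.add(cur.pid)  # guard against a malformed ppid cycle
        cur = by_pid.get(cur.ppid)
    return False


def filter_events(events, excluded):
    """Return the events cmdReporter would still log under `excluded`."""
    by_pid = {e.pid: e for e in events}
    return [e for e in events if not is_excluded(e, excluded, by_pid)]


# Constructed sample process tree (pid, ppid, path).
SAMPLE_EVENTS = [
    Event(1, 0, "/sbin/launchd"),
    Event(120, 1, "/usr/sbin/syslogd"),
    Event(130, 1, "/usr/local/jamf/bin/jamf"),
    Event(131, 130, "/bin/sh"),        # child of jamf: excluded
    Event(132, 131, "/usr/bin/curl"),  # grandchild of jamf: excluded
    Event(200, 1, "/usr/sbin/mDNSResponder"),
    Event(300, 1, "/usr/bin/sudo"),
    Event(301, 300, "/usr/bin/vim"),
]
EXCLUDED = ["/usr/local/jamf/bin/jamf", "/usr/sbin/syslogd"]

if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, EXCLUDED):
        print(e.pid, e.process_name)
```

Note that a wildcard entry such as "/usr/sbin/*" excludes nothing, while excluding the jamf binary also drops the shell and curl it spawned.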
Log Verbose Messages Detail
In order to support scientific and developer workflows, cmdReporter's default is not to log terminal or script activity that is run interactively without any user impersonation or privilege escalation. Any script, application, connection, or other action performed non-interactively (LaunchAgent|Daemon) or with elevated permissions is logged by cmdReporter.
To better explain this behavior, we will examine a single macOS computer with two users:
- Alice, a developer with administrative capabilities on the system.
- Bob, a developer who does not have administrative capabilities on the system.
Scenario 1:
Action: Alice is developing a Python script, run as herself, to scrape information from a website and display it in her own format.
Result: No actions are logged by cmdReporter.
Scenario 2:
Action: Alice attempts to edit her local /etc/hosts file via "sudo vim /etc/hosts" to try to break the company's security and MDM software.
Result: All actions attempting to escalate privileges or edit the /etc/hosts file are logged by cmdReporter.
Scenario 3:
Action: Alice opens Terminal, runs "sudo bash" to drop to a root shell, and runs the same script as in Scenario 1 to scrape the website's information.
Result: All actions Alice performs in the root shell, any scripts she runs, and any subprocess actions are logged by cmdReporter because she is running her entire session as the root user.
Scenario 4:
Action: Alice runs her website scraping script via "sudo -u bob website-script.py", which runs the script as the other example user, Bob.
Result: All actions from Alice's script or its subprocesses are logged by cmdReporter because she is impersonating another user.
Example Configuration Profile Section
```xml
<key>AuditEventLogVerboseMessages</key>
<false/>
<key>AuditEventExcludedProcesses</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>/usr/sbin/syslogd</string>
    <string>/Applications/splunk/bin/splunk-optimize</string>
</array>
```