Data Collected by cmdReporter
Audit Level 1
Account Changes
- User account
  - Creation
  - Modification
  - Deletion
- Group creation
  - Creation
  - Modification
  - Deletion
Audio / Visual Device Activity
- Addition / Removal of any video or audio devices
- Video Device
  - Activations (live preview)
  - Recording
- Audio Device
  - Activations (live preview)
  - Recording
Authentication and Authorization
- Login events regardless of user, method, or protocol
- All non-login authentication events such as installing software
- Authorization and capability checks
Process Executions
- Applications and scripts run by the user
File Events
- All file modifications in monitored directories
Gatekeeper
- Version Information
- Manual Gatekeeper Bypasses (opt + open)
- Log of quarantined files
Hardware Changes
- Addition / Removal of any hardware devices
Network Events
- Incoming external connections
Network Listening Ports Events
- New processes listening on network ports
- Both BSD (inter-process) and IP listening ports are logged
Printing
- All print activity
Sessions
- Creation or modification of any login session
- Sessions created for background processes are also logged
Unified Logs
- Any custom predicates defined in the preference file
XProtect
- Definition version information on cmdReporter start and XProtect version change
- XProtect evaluation results
Audit Level 2 adds
Process Executions
- Applications and scripts run by background processes
Network Events
- Outgoing network connections
Audit Level 3
Inter-process communications
- BSD port activity
- XPC activity
Note: Exclusion filters are ignored at audit level 3
Ignored Filters:
- AuditEventExcludedProcesses
- AuditEventLogVerboseMessages
- AuditEventExcludedUsers