cmdReporter Wiki


3.4 + Announcements - July 2020

Announcements:

DLP Beta Officially Live!

  • Our free public beta is available today and included as part of cmdReporter v3.4
  • Details about cmdReporter +DLP and the beta in 3.4 can be found here: Data Loss Prevention (DLP)
  • To test DLP, simply install a configuration profile with the com.cmdsec.cmdreporter.dlp domain
    • An example cmdReporter +DLP Profile is available for reference.
    • If the DLP preference domain is not configured, all DLP features are completely disabled, so the same version of cmdReporter can be used in production environments.
  • Our invite-only closed beta with bi-weekly builds will begin next week

Product Announcements:

  • Host Intrusion Prevention: Coming in Fall 2020*
  • Data Loss Prevention (DLP): Coming in Fall 2020*

*Requires an additional license


v3.4 Release Notes:

Major Changes:

Prohibited Application Blocking

  • Prohibit execution of binaries based on executable name, team signing ID, or app signing ID.
  • When an application or executable is blocked, a prompt is shown to the user.
  • IMPORTANT: LaunchDaemons running as root are intentionally exempt from Prohibited Application Blocking; this is what allows administrative tools (such as fdesetup in the example values below) to be restricted without also blocking the root daemons that legitimately invoke them. The consequence is that a prohibited binary launched from a root LaunchDaemon is not blocked: the feature restricts interactive and user-level execution, not code that already runs as root. More detail available HERE

File Monitoring Events

  • After customer feedback, cmdReporter's file monitoring events have been enriched, extended, and redesigned for intrusion detection. As a result, Host Intrusion Detection (currently in beta) replaces File Event monitoring.
  • The following preferences have been removed:
    • FileEventInclusionPaths
    • FileEventExclusionPaths
    • FileEventUseFuzzyMatch
  • More details about cmdReporter's included intrusion detections available HERE

Verbose Messages

  • New behavior: verbose messages now additionally log only non-privileged terminal activity.

Minor Changes:

  • host_info.osversion format changed
    • Old: Version 10.15.5 (Build 19F96)
    • New: macOS 10.15.5 (Build 19F96)
  • Speed Improvements to core processing engine
  • Unified Log search performance improvements
  • Event Filtering now additionally filters on responsible_process_name to mute child processes of a muted application
  • Rate limiting summarization logic speed improvements

New Event Types:

PROHIBITED_APP_BLOCKED

DLP_PROTECTED_FILE_MOVEMENT


New Preferences:

cmdReporter

Key                         Value Type             Example Values
ProhibitedApplications      enclosing dictionary   n/a
    PAExecutableNames       Array of Strings       fdesetup, Calculator
    PASigningIdentifiers    Array of Strings       com.apple.TextEdit
    PATeamIdentifiers       Array of Strings       BD3YL53XT4


cmdReporter +DLP

Key                         Value Type             Example Value
SensitiveUTIs               Array of Strings       org.openxmlformats.*
SensitivePaths              Array of Strings       /Users/.*/Documents/
SensitiveApplications       enclosing dictionary   n/a
    DLPExecutableNames      Array of Strings       fdesetup, Calculator
    DLPSigningIdentifiers   Array of Strings       com.apple.TextEdit
    DLPTeamIdentifiers      Array of Strings       BD3YL53XT4
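A worked example that turns the two preference tables above into a configuration profile and checks the values before they reach a fleet. This is an added example, not cmdSecurity's own code or the sample profile linked in the announcements. It assumes that the base preference domain is com.cmdsec.cmdreporter (the page names only the DLP domain, com.cmdsec.cmdreporter.dlp), that the MDM accepts a custom-settings payload whose PayloadType is the preference domain with the keys placed directly in it, and that SensitivePaths and SensitiveUTIs are matched as regular expressions, which the `.*` in the example values suggests. The helper signing_ids_from_codesign shows how to obtain values for the *SigningIdentifiers and *TeamIdentifiers keys from `codesign -dv --verbose=4 /Applications/Foo.app` (its output goes to stderr) instead of guessing them; Apple platform apps such as TextEdit report no team identifier, so they have to be matched by signing identifier or executable name.

```python
"""Build and sanity-check a cmdReporter / cmdReporter +DLP configuration profile.
Added example, not cmdSecurity's code. See the assumptions in the lead-in."""
import plistlib
import re
import uuid

CMDREPORTER_DOMAIN = "com.cmdsec.cmdreporter"   # assumed; the page names only the DLP domain
DLP_DOMAIN = "com.cmdsec.cmdreporter.dlp"        # named in the release notes

# Key names and example values copied from the "New Preferences" tables.
PROHIBITED_PREFS = {
    "ProhibitedApplications": {
        "PAExecutableNames": ["fdesetup", "Calculator"],
        "PASigningIdentifiers": ["com.apple.TextEdit"],
        "PATeamIdentifiers": ["BD3YL53XT4"],
    }
}
DLP_PREFS = {
    "SensitiveUTIs": ["org.openxmlformats.*"],        # assumed to be regexes
    "SensitivePaths": ["/Users/.*/Documents/"],
    "SensitiveApplications": {
        "DLPExecutableNames": ["fdesetup", "Calculator"],
        "DLPSigningIdentifiers": ["com.apple.TextEdit"],
        "DLPTeamIdentifiers": ["BD3YL53XT4"],
    },
}
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")   # Apple team IDs are 10 alphanumerics


def validate_prefs(prefs):
    """Return problems found in a preference dict ([] when clean). A mistyped
    team ID matches nothing, and a bad pattern may be ignored at load time,
    so catch both before the profile is pushed to hosts."""
    problems = []
    for key, value in prefs.items():
        if isinstance(value, dict):
            problems.extend(validate_prefs(value))
        elif key.endswith("TeamIdentifiers"):
            problems += [f"{key}: {v!r} is not a 10-character team ID"
                         for v in value if not TEAM_ID_RE.match(v)]
        elif key in ("SensitivePaths", "SensitiveUTIs"):
            for v in value:
                try:
                    re.compile(v)
                except re.error as exc:
                    problems.append(f"{key}: {v!r} is not a valid regex ({exc})")
    return problems


def signing_ids_from_codesign(output):
    """Parse `codesign -dv --verbose=4 <app>` output into (Identifier,
    TeamIdentifier) for the *SigningIdentifiers / *TeamIdentifiers keys.
    Apple platform binaries report 'TeamIdentifier=not set'; that is
    returned as None so it never ends up in a profile as a literal."""
    fields = dict(line.split("=", 1) for line in output.splitlines() if "=" in line)
    team = fields.get("TeamIdentifier")
    return fields.get("Identifier"), None if team in (None, "not set") else team


def custom_settings_payload(domain, prefs):
    """One payload in the PayloadType-equals-preference-domain style."""
    return {
        "PayloadType": domain,
        "PayloadIdentifier": f"{domain}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": domain,
        **prefs,
    }


def build_profile(include_dlp=True):
    """Return the profile as a plist-ready dict. With include_dlp=False the DLP
    domain stays unconfigured, which per the release notes disables every DLP
    feature, so the same cmdReporter 3.4 build can run in production."""
    for prefs in (PROHIBITED_PREFS, DLP_PREFS):
        problems = validate_prefs(prefs)
        if problems:
            raise ValueError("; ".join(problems))
    payloads = [custom_settings_payload(CMDREPORTER_DOMAIN, PROHIBITED_PREFS)]
    if include_dlp:
        payloads.append(custom_settings_payload(DLP_DOMAIN, DLP_PREFS))
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.cmdreporter.prefs",   # placeholder org ID
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "cmdReporter preferences",
        "PayloadContent": payloads,
    }


if __name__ == "__main__":
    with open("cmdreporter.mobileconfig", "wb") as fh:
        fh.write(plistlib.dumps(build_profile(include_dlp=True)))
```

Building with include_dlp=False gives the production variant described in the announcements: the DLP domain is absent, so DLP stays off while Prohibited Application Blocking remains active. When testing a ProhibitedApplications entry, launch the binary from a user session; a root LaunchDaemon is exempt and will not produce a PROHIBITED_APP_BLOCKED event.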
