General Information
Preference Documentation
Log Data Documentation
- Log Data Examples
- Interesting Types of Events
  - SSH Logins and Activity
Related Tech and Configurations
- macOS
Compliance
- cmdReporter and US Govt Standards Details
  - How cmdReporter Meets CMMC, DFARS, and NIST 800-171 Requirements
  - NIST 800-53r4 (high) controls met by using cmdReporter
- Security Baseline Reporting Preferences
  - Security Benchmark Reporting Logs

Defining Sensitive Data

Daniel Griggs

Modified on: Mon, 9 Nov, 2020 at 2:56 PM

SensitiveApplications

DLPExecutableNames

Array of strings with the executable names of applications. Any data created by an application with a matching process name will be considered sensitive.
example: /Applications/Xcode.app/Contents/MacOS/Xcode

DLPSigningIdentifiers

Array of strings with the app signing identifier of applications. Any data created by an application with a matching signing ID will be considered sensitive.
Example: com.microsoft.Word
Example command to obtain app ID for this preference:
- codesign -dv /Applications/Microsoft\ Word.app | grep Identifier

DLPTeamIdentifiers

Array of strings with the team signing identifier of applications. Any data created by an application with a matching team signing ID will be considered sensitive.
Example: UBF8T346G9
Example command to obtain team ID for this preference:
- codesign -dv /Applications/Microsoft\ Word.app | grep TeamIdentifier

SensitiveUTIs

Array of strings with the Uniform Type Identifier (UTI) of types of files to always consider sensitive irrespective of the application used to modify or create them.
Example: org.openxmlformats.wordprocessingml.document
Example command to obtain UTIs for a given file
- mdls -name kMDItemContentTypeTree /path/to/file
- Results are listed most to least specific when running this command.
  - "com.apple.quicktime-movie" could be used to track .mov files
  - "public.movie" could be used to track any video file
  - "public.audiovisual-content" could be used to track any audio or video file.
  - "public.data" could be used to track any file containing data on the system (not recommended)
Note: cmdReporter does not rely on spotlight indexing

SensitivePaths

Array of strings with the full path to folder(s) that should be considered sensitive. Any file contained in these folders will be considered sensitive.
Example /Volumes/Data/

Example Plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SensitivePaths</key>
    <array>
        <string>/Volumes/Data/SensitiveData/</string>
        <string>/Volumes/CompanyData/SensitiveData/</string>
    </array>
    <key>SensitiveApplications</key>
    <dict>
        <key>DLPExecutableNames</key>
        <array>
            <string>/System/Applications/Calculator.app/Contents/MacOS/Calculator</string>
            <string>/Applications/Xcode.app/Contents/MacOS/Xcode</string>
        </array>
        <key>DLPSigningIdentifiers</key>
        <array>
            <string>com.apple.TextEdit</string>
        </array>
        <key>DLPTeamIdentifiers</key>
        <array>
            <string>VEKTX9H2N7</string>
        </array>
    </dict>
    <key>SensitiveUTIs</key>
    <array>
        <string>org.openxmlformats.wordprocessingml.document</string>
    </array>
</dict>
</plist>