Gatekeeper & XProtect (System Security Policy)
Location
/var/db/SystemPolicyConfiguration/ (SystemPolicy database), /Library/Apple/System/Library/CoreServices/XProtect.bundle/, and /var/db/com.apple.xprotect/Common Names
Description
Gatekeeper enforces code signing and notarization requirements for launched applications, recording assessments in the SystemPolicy SQLite database. XProtect provides signature-based malware detection using YARA rules that are automatically updated by Apple. XProtect Remediator actively scans for and removes known malware families.
Forensic Value
The Gatekeeper SystemPolicy database records every code signing assessment performed when a user attempts to open an application, including the application path, code signing identity, assessment result (allowed/blocked), and timestamp. This provides a timeline of application launches with trust decisions. XProtect detection events captured in the Unified Log reveal known malware that was blocked or remediated. Gatekeeper bypass attempts visible in the database indicate deliberate circumvention of macOS security, often through right-click Open or xattr -d com.apple.quarantine techniques.
Tools Required
sqlite3, spctl, log, cp
Collection Commands
sqlite3 (dump the most recent authority rules):
  sqlite3 /var/db/SystemPolicyConfiguration/SystemPolicy "SELECT * FROM authority ORDER BY ROWID DESC LIMIT 100"
spctl (assess one bundle; spctl writes its verdict to stderr, so redirect stdout first and then stderr into it):
  spctl --assess --verbose /path/to/suspicious_app.app > /forensics/gatekeeper_assessment.txt 2>&1
log (XProtect events from the Unified Log):
  log show --last 7d --predicate "subsystem == 'com.apple.xprotect'" > /forensics/xprotect_events.txt
cp (preserve the database itself):
  sudo cp /var/db/SystemPolicyConfiguration/SystemPolicy /forensics/gatekeeper_db.sqlite
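As an added example (not from this page or from Apple's tooling), the script below turns rows shaped like the SystemPolicy authority table returned by the sqlite3 query above into a readable timeline: it converts the Julian-day ctime values SQLite stores and flags unlabelled allow rules pinned to a single cdhash, which is the footprint a right-click Open approval leaves. The column subset and JULIANDAY storage are assumptions drawn from the Security framework's policy database and should be verified against the target release; every row, cdhash and path is constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Julian day number of the Unix epoch; SQLite's JULIANDAY() stores times this way.
JD_UNIX_EPOCH = 2440587.5


def julian_to_iso(jd: float) -> str:
    """Convert a Julian-day float (as stored in ctime/mtime) to ISO-8601 UTC."""
    dt = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(days=jd - JD_UNIX_EPOCH)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def trust_timeline(conn: sqlite3.Connection) -> list:
    """Return authority rows newest-first with a readable verdict and timestamp."""
    rows = conn.execute(
        "SELECT id, requirement, allow, disabled, label, ctime, remarks "
        "FROM authority ORDER BY ctime DESC, id DESC").fetchall()
    out = []
    for rid, req, allow, disabled, label, ctime, remarks in rows:
        verdict = "blocked" if not allow else ("disabled" if disabled else "allowed")
        out.append({"id": rid, "requirement": req, "verdict": verdict,
                    "label": label, "created": julian_to_iso(ctime), "remarks": remarks})
    return out


def user_overrides(conn: sqlite3.Connection) -> list:
    """Unlabelled allow rules pinned to one cdhash: the per-app approvals a
    right-click Open leaves behind, worth reviewing against the remarks path."""
    return [e for e in trust_timeline(conn)
            if e["verdict"] == "allowed" and e["label"] is None
            and (e["requirement"] or "").startswith("cdhash ")]


def constructed_db() -> sqlite3.Connection:
    """In-memory stand-in for the SystemPolicy database (constructed sample rows,
    assumed column subset; the cdhash and path below are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE authority (id INTEGER PRIMARY KEY, type INTEGER, requirement TEXT,
            allow INTEGER, disabled INTEGER DEFAULT 0, label TEXT, ctime FLOAT, remarks TEXT);
        INSERT INTO authority VALUES (1, 1, 'anchor apple', 1, 1, 'Apple System', 2459580.5, NULL);
        INSERT INTO authority VALUES (2, 1,
            'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists',
            1, 0, 'Developer ID', 2459580.5, NULL);
        INSERT INTO authority VALUES (3, 1, 'cdhash H"0123456789abcdef0123456789abcdef01234567"',
            1, 0, NULL, 2460000.0, '/Users/analyst/Downloads/Suspicious.app');
    """)
    return conn
```

Point `sqlite3.connect` at the copied gatekeeper_db.sqlite instead of `constructed_db()` to run the same functions over a real collection.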
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.