From radmind wiki
The following listing of directories and files for Mac OS X 10.5 has been compiled from discussions on the Radmind-users mailing list. It is not meant to be a negative transcrtipt in and of itself, but instead it is intended as a reference for on-going development of negative transcripts for Mac OS X 10.5.
/.Spotlight-V100/ Spotlight database directory. Every writable mounted volume gets one.
/.Trashes/ Every volume has its own .Trashes folder
/.fseventsd/ For FSEvents, a running log of all modifications made to the file system. Used by Time Machine and other applications that want to know what files have changed.
/.hotfiles.btree database of frequently-accessed small files
/.vol/ Used by Carbon applications
/Library/Application Support/Apple/ParentalControls/Users/ Items created for all local users. Probably can be actively managed. Might not want to manage in a desktop deployment with user accounts created locally on the machine.
/Library/Caches/ Cached information. Note: Can get large on a multi-user machine since items are created per user. Can be purged at any time.
/Library/Logs/ Console logs, crash reports, etc.
/Library/Managed Preferences/ Preferences that come from Workgroup Manager (MCX). Can be managed since they are recreated automatically as needed.
/Library/Preferences/DirectoryService/ for local use, per system? override with site-specific positive transcripts for specific files? Possibly could be managed with Radmind. Could be harder to manage if binding to AD. If you are using LDAP or OD as your Directory Service you can probably (and probably should) manage the contents of this directory.
/Library/Preferences/DirectoryService/.DSIsRunning Zero-length file that gets touched on each reboot, causing fsdiff to notice it. This is possibly a flag file so that other processes that are started by launchd can wait around for this file to be created so they know DirectoryService is up and running. Could probably be added to a negative transcript without issues, though that will cause lapply to create it if it's missing, which is probably rare, but important if it happens.
/Library/Preferences/SystemConfiguration/ May want to put the entire directory in the negative transcript and then only add on the few files that do not change or are not machine specific in positive ones. com.apple.Boot.plist may be the only file that is not dynamic or machine specific.
/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist Rebuilt at boot, if missing. Lists available network interfaces (Ethernet, wireless, etc)
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist Recent Airport networks and other Airport settings. Could be managed on a desktop, but probably not on a mobile laptop.
/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist Stores network information unique for the local computer
/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist Info about local Kerberos realm and a NetBIOSName and Server Description based on the machine name.
/Library/Preferences/SystemConfiguration/preferences.plist Network Locations and config info about all network interfaces. Machine's Bonjour name, AppleTalk name, DHCP settings, etc. This is also where system proxy settings are kept.
/Library/Preferences/com.apple.SoftwareUpdate.plist Always changing, after every software update run
/Library/Preferences/com.apple.TimeMachine.plist Contains references to files in user accounts - probably items to exclude from Time Machine backups???
/Library/Preferences/com.apple.audio.DeviceSettings.plist Varies per computer, gets crazier if you're on a KVM?
/Library/Preferences/com.apple.audio.SystemSettings.plist New in Leopard?
/Library/Preferences/com.apple.loginwindow.plist Stores the username of the last logged-in user. Also contains settings for autologin, display of login window lists versus fields, login window text, etc. Probably best to manage with Radmind.
/Library/Preferences/com.apple.security.systemidentities.plist Could be machine specific?? Contains hex strings identifying KDC and "systemdefault". (May be appropriate to manage this in a lab.)
/Library/Preferences/com.apple.smb.server.plist Stores SMB/CIFS server info unique for that local computer and network
/Library/Preferences/edu.mit.Kerberos for local use, per system, with Identity Services?
/Network/ Network share browsing and access
/System/Library/Caches Cached information (kernel cache, fonts). Helps speed bootup and other functions. Can be purged at any time.
/System/Library/Extensions/Caches/ /System/Library/Extensions/Caches/com.apple.kext.info New location for Extensions cache in 10.5. Replaces /System/Library/Extensions/Extensions.kextcache. Probably best to put the directory in the negative, not the file.
/System/Library/Extensions.mkext Part of the Extensions caching process. Delete this file when new items are added to /System/Library/Extensions so that it gets properly recreated.
/Users/ User home directories.
/Users/Shared/ Share User space. Required by some applicaitons. Make sure that this exists if you are not managing /Users entirely.
/Volumes/ Mount point for other volumes (local disks, some network shares, etc)
/cores/ If coring is enabled, here's where cores go.
/dev/ Mac OS X uses a devfs and fdesc filesystem to handle /dev and /dev/fd
/home/ used by autofs for home directory mounting
/net/ used by autofs for host mounting
/private/etc/auto_home Settings for auto_fs
/private/etc/auto_master Settings for auto_fs. If you comment out the entries for /home and /net, then those directories go away and do not need to be in a negative transcript.
/private/etc/authorization This is the rights database used by the System Authorization frameworks. This must be managed (and therefore must be in a positive transcript), yet it gets touched on each reboot, causing fsdiff to notice it.
/private/etc/cups/ppd/ Parsed PPD files being used by CUPS. Should be in negative if users can manage their own printers.
/private/etc/cups/printers.conf Printer configuration details for CUPS. Should be in negative if users can manage their own printers.
/private/etc/krb5.keytab Kerberos Keytab file. Most likely should be unique for each machine. AD can have problems in 10.5 if it's a 0 length file. Should be in exclude, not negative, as a result. DS will autocreate if it does not exist, but will not fix a 0 length file.
/private/etc/ssh_host_rsa_key.pub ssh authentication keys. For proper management, us sshd-key-gen.sh post-apply script
/private/tmp temporary files, managed by system
/private/var/agentx/ AgentX snmp protocol. Probably should be in positive.
/private/var/amavis/ anti-virus/antispam mail scanner for Mac OS X Server. Not on normally on clients. Probably should be in positive.
/private/var/at/ at jobs. Probably should be in positive.
/private/var/at/spool Spool location for at jobs. If using at, should probably be in negative.
/private/var/db/ May want to put the entire directory in the negative transcript and then only add on the few files that do not change or are not machine specific in positive ones.
/private/var/db/BootCache.playlist Cache used by Apple for ???
/private/var/db/CodeEquivalenceCandidates Used by Apple when installing updates to show that the old and new binaries are equivalent?? Seems to not change often.
/private/var/db/CodeEquivalenceDatabase Used by Apple when installing updates to show that the old and new binaries are equivalent?? Dynamically generated??
/private/var/db/DirectoryService/ Directory Services configuration.
/private/var/db/DirectoryService/flatfile.db Dynamically generated??
/private/var/db/PanicReporter Kernel panic reports??
/private/var/db/Spotlight-V100 More Spotlight data. Not always used - but seems to be used in environments using network home directories. If you see this on your machines, it should be in a negative transcript.
/private/var/db/SystemEntropyCache Cache used by Apple for ???
/private/var/db/SystemKey Could be unique per machine
/private/var/db/crls Certificate Revocation LIsts???
/private/var/db/dhcpclient/leases DHCP leases
/private/var/db/dslocal/indices/Default/index Local directory for user accounts, groups, etc. Replaces NetInfo.
/private/var/db/dslocal/nodes/Default/ Local directory for user accounts, groups, etc. Replaces NetInfo. May be OK to manage this since each item is a separate plist file.
/private/var/db/dyld/ Cache files that replace prebinding that occured in previous versions of Mac OS X. Managed automatically by the OS. This folder contains files that should not be ignored (the shared_region_roots folder).
/private/var/db/krb5kdc/ Data for the Local Kerberos Distribution Center (LKDC), which is presumably unique on each machine. But what about its non-unique contents, such as the .acl and .conf file?
/private/var/db/krb5dc/kdc.conf autogenerated by KDCSetup??
/private/var/db/locate.database Database used by locate(1). Rebuilt weekly by /private/etc/periodic/weekly/310.locate
/private/var/db/ntp.drift Contains the latest estimate of clock frequency error for ntpd
/private/var/db/shadow/hash/ MD5 hashes of user passwords
/private/var/db/statd.status managed by rpc.statd(8)
/private/var/db/sudo/ sudo timestamps
/private/var/db/volinfo.database used by vsdbutil(8) which controls ownership/permissions on removable volumes
/private/var/folders Appears to contain various caches for fonts and icons???
/private/var/log system log directory. If you do not have this in the negative, all Radmind will erase all log files. Here's a standard list the files in the log. The syslogd will not create these if they are missing, so you must prime it with empty files via items in a negative transcript, if you want logs kept.
/private/var/msgs/bounds Managed by msgs(1). Tracks which system messages have been viewed.
/private/var/radmind/client/ Radmind's client files - command files and transcripts. Managed by ktcheck.
/private/var/run/ where pid information is stored for running processes
/private/var/samba/shares/ contains data for samba shares, including per-user items. contents created with the user account?
/private/var/spool/ spool directories for fax, printing (cups), and mail (postfix, etc)
/private/var/spool/cups/cache/ spool for CUPS printing queues
/private/var/tmp Temporary items, managed by the system
/private/var/virusmails/ Associated with amavis or clamav??
/private/var/vm Virtual memory swap files
Directories used by cron - if you allow your users to create their own crontabs, you'll want to put /usr/lib/cron/tabs in a negative transcript at least.
/usr/share/servermanagerd/ Found on Mac OS X 10.5 client. This is the for the Server Manager Daemon for Mac OS X Server. No servermanagerd is on client. Could be removed entirely?
/usr/share/wikid/ Found on Mac OS X 10.5 client. This is the for the Wiki Server Daemon for Mac OS X Server. No wikid is on client. Could be removed entirely?
/usr/X11/man/whatis X11 man whatis database. Rebuilt weekly by /private/etc/periodic/weekly/320.whatis
/usr/X11/var/cache/ font caches and other cached data for X11
/usr/share/man/whatis man whatis database. Rebuilt weekly by /private/etc/periodic/weekly/320.whatis