# macos
l
I did an admittedly quick search through the history for this and didn't find an answer. With the deprecation of OpenBSM, is there a new prescribed way to collect network socket event data on Mac? According to the docs it appears that socket_events are collected by OpenBSM, with no callout to a secondary table to pull these events from after deprecation.
s
Not yet really, from what I know and found (and @sharvil might know better). Through the Endpoint Security framework there are basically only events for Unix sockets, but not the rest. A table should come soon™ for Unix sockets, but that's it. Network Extensions have deeper access, but I'm not sure they are necessarily the best layer to detect things like bind/listen/connect; I haven't checked all the available data, just that from the description it seems more limited in some ways. We also have to explore how osquery packaging and deployment might need to change if a Network Extension is needed (and probably a new entitlement is necessary). So for now OpenBSM it is, which might also be the reason why it's not yet being fully removed.
l
Thank you
Any plans to write tables for any of the other notify events in the ESF?
b
Apple's prescribed way is Network Extensions, but they have limitations: 1) they must run as a SYSEXT (unlike ES), 2) there can only be 4 of the same filter type active at once, a limit that will be hit easily if every vendor is forced to use them, and 3) you are hooked into the network auth stack. There is no "notify" only.
I’ve opened Feedback with Apple to add socket notify events to ES. Suggest everyone file duplicates to hopefully nudge Apple to fix this oversight
l
Where did you share this feedback? Happy to add my vote.
Thank you for the info
b
Apple has a “Feedback Assistant” app
s
@lvferdi No concrete plans/timelines, but there is some exploratory PoC that I am working on. What other notify events are you looking forward to? (Heads up, I am OOO today, so my replies might be slow.)
l
Being greedy I’d say any data that can’t be collected by other tables in osquery. But I can get a list based on our hunt team needs
s
And yeah, adopting Network Extensions means repackaging osquery to deploy as a SYSEXT, among other things. That will be on a much bigger timeline.
@lvferdi Sounds good, I can share exactly what I have when I am back at the computer tomorrow. There are some that are macOS Ventura only, and others that are macOS Sonoma only. My current focus is for login/logout and profile events.
b
We’ve added 3 new tables to expose all (relevant) ES events in our agent fork, but we use a custom SYSEXT that houses ES and Network Extensions.