Hi! not sure if this is the best channel to ask…. ...
# macosj
Jean M
04/18/2020, 2:34 PMHi! not sure if this is the best channel to ask…. was it ever considered to use openbsm to do a process_file_events table on MacOS? From what I’m seeing openbsm can monitor file accesses and it provides the pid. Just want to know if it was thought before and possible problems I’m not seeing (same for socket_events I guess)
s
seph
04/18/2020, 5:22 PM
I don’t know the history, but I have sorta odd answers?
seph
04/18/2020, 5:26 PM
There is a file events table, I think it’s using some of the underlying inode based things. This are, AFAIK, pretty standard for file monitoring. They also don’t require any additional host setup. (unlike most audit frameworks, which usually require additional configuration)
seph
04/18/2020, 5:27 PM
I don’t have well developed thoughts about openbsm, but I could see the argument that it’s worth creating one. (Not sure how apple’s expected shift away from that works)
seph
04/18/2020, 5:29 PM
I guess I’m saying I don’t know whether it was considered, you could look in the PR/issue history. If there’s interest, you could also PR something. It feels a little duplicative with the file_events, but it would also expose additional data. Which makes me wonder if there’s space for an alternate implementation
z
zwass
04/18/2020, 6:09 PM
socket_events was merged in 4.3.0!
👏 1
a
alessandrogario
04/18/2020, 8:00 PM
process_file_events is rather heavy on cpu/memory, I think that is the only problem
alessandrogario
04/18/2020, 8:01 PM
then again, Audit is not the best syscall tracer in the world, and the fact that it contains so much text that you need to parse is extremely bad
alessandrogario
04/18/2020, 8:02 PM
I haven't looked at openbsm but if it supports all the required events then it can be implemented
alessandrogario
04/18/2020, 8:03 PM
it requires
1. syscalls that create file handles (open, mknod, create, ...)
2. syscalls that duplicate file handles (dup, dup2...)
3. write syscalls
4. mmap
5. fork and alternatives (to inherit fd from one process to the other)
6. execve (used to clear the fd map)
alessandrogario
04/18/2020, 8:04 PM
alternative: if it is able to pass the full file information (like EndpointSecurity), then there is no need to track the whole fd map for each process
alessandrogario
04/18/2020, 8:04 PM
EndpointSecurity is a good candidate, but good luck acquiring the entitlements from Apple 😞
j
Jean M
04/19/2020, 12:32 PMThanks all for the feedback. My idea was to try monitor file uploads / downloads from browsers and pontentially other applications. It wouldn’t never be 100% accurate but it would avoid sneaking into TLS connections. What you mean with EndpointSecurity @alessandrogario ? is this this other product ?
s
seph
04/19/2020, 12:36 PM
Endpoint security is apples new security framework. I expect it'll eventually replace openbsm
seph
04/19/2020, 12:36 PM
It's a bit different, but you can monitor all file changes in the Downloads folder
j
Jean M
04/19/2020, 2:05 PMI see, didn’t knew about it. This EndpointSecurity looks interesting, bad it is only supported 10.15+.
s
seph
04/19/2020, 5:08 PM
the existing file events will let you monitor all additions to the Downloads folder
j
Jean M
04/21/2020, 6:02 PMYes, but it doesn't give me the process that did the action, and I want to monitor uploads also
9 Views