#macos

Jean M

04/18/2020, 2:34 PM
Hi! Not sure if this is the best channel to ask… was it ever considered to use openbsm to do a process_file_events table on macOS? From what I’m seeing, openbsm can monitor file accesses and it provides the pid. Just want to know if it was thought of before, and possible problems I’m not seeing (same for socket_events, I guess).

seph

04/18/2020, 5:22 PM
I don’t know the history, but I have sorta odd answers?
5:26 PM
There is a file events table; I think it’s using some of the underlying inode-based things. These are, AFAIK, pretty standard for file monitoring. They also don’t require any additional host setup (unlike most audit frameworks, which usually require additional configuration).
5:27 PM
I don’t have well-developed thoughts about openbsm, but I could see the argument that it’s worth creating one. (Not sure how Apple’s expected shift away from that works.)
5:29 PM
I guess I’m saying I don’t know whether it was considered; you could look in the PR/issue history. If there’s interest, you could also PR something. It feels a little duplicative with the file_events, but it would also expose additional data. Which makes me wonder if there’s space for an alternate implementation.
zwass

04/18/2020, 6:09 PM
socket_events was merged in 4.3.0!

alessandrogario

04/18/2020, 8:00 PM
process_file_events is rather heavy on CPU/memory; I think that is the only problem.
8:01 PM
Then again, Audit is not the best syscall tracer in the world, and the fact that it contains so much text that you need to parse is extremely bad.
8:02 PM
I haven't looked at openbsm, but if it supports all the required events then it can be implemented.
8:03 PM
It requires:
1. syscalls that create file handles (open, mknod, create, ...)
2. syscalls that duplicate file handles (dup, dup2, ...)
3. write syscalls
4. mmap
5. fork and alternatives (to inherit fds from one process to the other)
6. execve (used to clear the fd map)
8:04 PM
Alternative: if it is able to pass the full file information (like EndpointSecurity), then there is no need to track the whole fd map for each process.
8:04 PM
EndpointSecurity is a good candidate, but good luck acquiring the entitlements from Apple 😞

Jean M

04/19/2020, 12:32 PM
Thanks all for the feedback. My idea was to try to monitor file uploads/downloads from browsers and potentially other applications. It would never be 100% accurate, but it would avoid sneaking into TLS connections. What do you mean by EndpointSecurity @alessandrogario? Is this another product?

seph

04/19/2020, 12:36 PM
Endpoint Security is Apple's new security framework. I expect it'll eventually replace openbsm.
12:36 PM
It's a bit different, but you can monitor all file changes in the Downloads folder.

Jean M

04/19/2020, 2:05 PM
I see, didn’t know about it. This EndpointSecurity looks interesting; too bad it is only supported on 10.15+.

seph

04/19/2020, 5:08 PM
The existing file events will let you monitor all additions to the Downloads folder.

Jean M

04/21/2020, 6:02 PM
Yes, but it doesn't give me the process that did the action, and I want to monitor uploads also.