https://github.com/osquery/osquery logo
Powered by
#macos
Title
# macos
m

Mark

07/25/2019, 2:31 PM
Has anyone looked at EndpointSecurity in 10.15 yet?
m

Mike Myers

08/07/2019, 7:12 PM
not yet; is there documentation for this API yet? https://developer.apple.com/documentation/endpointsecurity
Ok I watched the WWDC presentation, looked at the Xcode beta 5 macOS SDK, and checked out the documentation that does exist. It looks like this API is tied to Entitlements, which the system will deny unless you are an app bundle (osquery is not built in an app bundle)
Beyond that there may be a need for an approval step from Apple.
m

Mark

08/09/2019, 2:41 AM
Ah right, interesting. Makes sense they’re pushing it through app store if that’s already got certain controls in place for approvals etc
m

Mike Myers

08/09/2019, 6:35 PM
Nice find! Maybe one of us with a 10.15 beta VM will test with it
s

sharvil

08/13/2019, 4:51 PM
@Mark @Mike Myers I managed to write my own demo in c++ yesterday and this works against the current ß5 — I have made some notes/thoughts, but will be brief here: • The functionality of this is really cool, and enables monitoring of all kinds of stuff from userspace! • On certain kind of events (
auth
), the client can decide whether to 
allow
or 
deny
those — example of 
deny
on 
mount
below • Lacking in documentation, but headers are commented and helpful • Buggy right now, I think there might be a few race conditions in 
endpointsecurityd
. In some instances there is a performance drag too. And an odd kernel panic too. • Will require codesigning and entitlements, production release will require a provisioning cert from Apple • There are a total of 44 events currently, but subscription is capped at 16. Subscribing to more than a handful of events seriously degrades the performance of the machine and the cpu is at 99% • Can be a firehose, the events are granular, and the challenge will be to collate these
m

Mike Myers

08/13/2019, 6:19 PM
Oh, that's really cool that you looked into that already. It sounds like it has the same challenges we've seen with other auditing frameworks: having to minimize collection
s

sharvil

08/14/2019, 3:20 AM
EndpointSecurity framework does have 
mute
APIs, which can mute by 
path
, 
path_prefix
or 
path_literal
. That might help a bit. Although I haven’t been able to use them — there is a known issue in beta 5 
Using APIs related to muting by paths and path prefixes might cause the kernel to panic. (53517643)
m

Mike Myers

08/14/2019, 4:28 PM
I guess this can wait until the APIs are stable 😆 . The bigger obstacle for osquery seems to be the need to be a SystemExtension in a notarized app bundle. We may want to take a baby step by notarizing the 
.pkg
during our releases, but that's a separate discussion
Powered by