Post

Replies

Boosts

Views

Activity

Success or failure of OPEN system calls
Is there a way to determine if a system call like open() succeeded or failed using the data from the endpoint security system? I tried a test where I created two files owned by another user. One was world readable and one was not. Back in my account I started eslogger and watched for open calls to those two files. % sudo eslogger open | egrep 'Secrets' I then did the 'cat' command on each file. One call succeeded, and one call got a permission denied (as expected). I've been combing through the JSON output from eslogger for both open() calls, but I cannot find any difference in the two system call outputs indicating success or failure. (I'm guessing we get the NOTIFY event before a determination is made by the kernel whether to allow the system call or not) Example output from the failed system call: { "schema_version": 1, "mach_time": 1355207989229, "event_type": 10, "thread": { "thread_id": 744065 }, "version": 7, "seq_num": 32, "event": { "open": { "fflag": 1, "file": { "path": "/Users/netsqllc/Secrets/UFOs", "stat": { "st_blocks": 8, "st_blksize": 4096, "st_rdev": 0, "st_dev": 16777234, "st_uid": 503, "st_gid": 20, "st_ino": 64075033, "st_birthtimespec": "2023-04-14T23:31:43.252266533Z", "st_flags": 0, "st_nlink": 1, "st_mtimespec": "2023-04-14T23:31:43.252436825Z", "st_ctimespec": "2023-04-14T23:32:26.842642260Z", "st_size": 27, "st_gen": 0, "st_mode": 33152, "st_atimespec": "2023-04-14T23:32:15.095239992Z" }, "path_truncated": false } } }, "time": "2023-04-14T23:37:55.000772617Z", "action": { "result": { "result": { "flags": 4294967295 }, "result_type": 1 } }, "process": { "signing_id": "com.apple.cat", "parent_audit_token": { "asid": 100869, "pidversion": 25015, "ruid": 501, "euid": 501, "rgid": 20, "auid": 501, "egid": 20, "pid": 9666 }, "codesigning_flags": 570506001, "executable": { "path": "/bin/cat", "stat": { "st_blocks": 32, "st_blksize": 4096, "st_rdev": 0, "st_dev": 16777234, "st_uid": 0, "st_gid": 0, "st_ino": 1152921500312435790, "st_birthtimespec": "2023-04-01T16:46:50.000000000Z", "st_flags": 524320, "st_nlink": 1, "st_mtimespec": "2023-04-01T16:46:50.000000000Z", "st_ctimespec": "2023-04-01T16:46:50.000000000Z", "st_size": 135408, "st_gen": 0, "st_mode": 33261, "st_atimespec": "2023-04-01T16:46:50.000000000Z" }, "path_truncated": false }, "ppid": 9666, "tty": { "path": "/dev/ttys002", "stat": { "st_blocks": 0, "st_blksize": 65536, "st_rdev": 268435458, "st_dev": 1683689770, "st_uid": 501, "st_gid": 4, "st_ino": 795, "st_birthtimespec": "1970-01-01T00:00:00.000000000Z", "st_flags": 0, "st_nlink": 1, "st_mtimespec": "2023-04-14T23:37:54.994777000Z", "st_ctimespec": "2023-04-14T23:37:54.994777000Z", "st_size": 0, "st_gen": 0, "st_mode": 8592, "st_atimespec": "2023-04-14T23:37:53.994681000Z" }, "path_truncated": false }, "start_time": "2023-04-14T23:37:54.994975Z", "is_platform_binary": true, "group_id": 9717, "audit_token": { "asid": 100869, "pidversion": 25112, "ruid": 501, "euid": 501, "rgid": 20, "auid": 501, "egid": 20, "pid": 9717 }, "is_es_client": false, "responsible_audit_token": { "asid": 100869, "pidversion": 24236, "ruid": 501, "euid": 501, "rgid": 20, "auid": 501, "egid": 20, "pid": 9371 }, "session_id": 9665, "original_ppid": 9666, "cdhash": "946128EF09844AABFF0A1E16D6D0C435D35AB098", "team_id": null }, "action_type": 1, "global_seq_num": 32 }
0
0
625
Apr ’23
trusting the team_id codesign naming scheme?
I have a question about the amount of trust I should have in the team_id for an executable. I've been looking at the signing_id and team_id values in Apple's endpoint es_process_t, and almost all code follows the reverse naming scheme for their team_id. They have names like: com.getdropbox.dropbox com.microsoft.teams.helper com.apple.mdworker_shared com.apple.spctl But Google (at least) violates this reverse DNS pattern when signing many of their binaries. They have team IDs such as ksfetch GoogleSoftwareUpdateDaemon crashpad_handler Should I not trust the TLD (e.g., com.apple or com.microsoft) for the team ID? For example, could Google (or a malicious organization) sign their binary com.microsoft.ksfetch making me think it came from Microsoft?
3
0
1.2k
Apr ’23
Codesign API?
Is there a Swift to C API that delivers the same functionality as the codesign command? I would like, given a path to an executable, determine if it has been signed, and if so, extract the TeamIdentifier and Identifier values.
1
0
882
Apr ’23
team_id is empty
In my own code I am seeing team_id (in es_process_t) is set to zero length. eslogger is also displaying this field as null. Is this expected going forward, or is this a bug? Environment: macOS Ventura: 13.0 Beta (22A5331f) CPU: Apple M1 Pro SIP disabled amfi_get_out_of_my_way=0x1
2
0
1.1k
Sep ’22
Communicating to endpoint security extension over XPC
I am having troubles communicating with my endpoint security system extension without setting com.apple.security.temporary-exception.mach-lookup.global-name The system is a MacBook Pro with M1 Pro running Ventura beta 22A5295i. The endpoint security is installed by a regular app, and it is running fine. Because we do not have the endpoint entitlement yet, SIP has been turned off and amfi_get_out_of_my_way set to 1. The endpoint security agent has NSEndpointSecurityMachServiceName set to the service name - (Team).bundle-ID.xpc All the apps are part of the same app group. I created a third app (with the same app group) to communicate with the endpoint agent over XPC, but it fails unless I do one of the following: Disable its sandbox Add com.apple.security.temporary-exception.mach-lookup.global-name Will this problem go away once we have the endpoint entitlement? Or am I doing something else wrong? Thanks
1
0
1.1k
Jul ’22
Endpoint code signature failure
I'm trying to build and run the Endpoint sample code from Apple's "Monitoring System Events with Endpoint Security", but the extension keeps crashing apparently because the code signature is invalid. Any help would be appreciated. Details: Because our endpoint entitlement isn't approved yet, I've disabled SIP. I am running on the latest macOS 13.0 beta (22A5295i). The extension is installed, and I grant it full disk access. systemextensionsctl shows it is installed, but launchctl shows its status is -9 Console shows a crash because Code Signature Invalid Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: CODESIGNING 1 Taskgated Invalid Signature I've set the Team ID to my organization. The signing certificate is my Apple Development certificate. Any other recommendations?
1
0
2.2k
Jul ’22