I couldn't find an event type to subscribe to for identifying user logins (SSH, GUI). As an alternative approach I investigated the possibility of monitoring process events e.g. for loginwindow. However, I noticed that this doesn't seem to work either, because the user id and audit session id changes from root 0/system session 100001 right after exec to the respective user's id (e.g. 501) and his gui session id (e.g.100005) after successful authentication. Since I couldn't find any evidence for a fork or exec event, I assume that something like setuid is used internally. Is there any way one could get notified for events which change the process' context (like setuid or a session id change)? Are there events for user logins/sessions I've overlooked?

I'm working on an enterprise product and we need to be able to provide a meaningful mapping between processes and the session context they're running in. I know that we can get the asid of a process based on an exec event subscription via ES, but the asid is too detailed. Ultimately we want to be able to say process A is running in the system/console of user {a,b,c}/ssh session. One problem is that for what we would consider a system session (non interactive) there exist multiple asids. So we need to group all non user sessions a be able to distinguish them from user gui/ssh sessions. Is there a way to get more information about a process' session, maybe but querying its asid? Maybe based on bsm and the audit token? I was thinking along the lines of what launchctl procinfo provides under the section audit flags. There are flags like has_console_access,has_authenticated. But I haven't been able to find out where this information is coming from. There are related flags in the Security framework (SessionAttributeBits) but especially the two I mentioned are missing.

The man pages sysctl(3) state that sysctlbyname and the other mentioned functions return either 0 in case of success or -1 and set errno. But the Apple Documentation (for objective C) for sysctlbyname says the following about the the return values: Return value 0 on success, or an error code that indicates a problem occurred. Possible error codes include EFAULT, EINVAL, ENOMEM, ENOTDIR, EISDIR, ENOENT, and EPERM. So which is it? Or does it return something different in objective C than the C function mentioned in the man pages? But even the provided example in Apple's documentation only checks for return value -1 and then uses errno to log the error. Seems to me that the documentation is wrong.

When I want to add libcurl as a dependency I add libcurl.4.tbd under Link Binary with Libraries and it works. As I understand it these tbd files are stub libraries to enable the linking process for dynamic libraries while keeping the Xcode SDK download small (by replacing the actual dylib with a kind of placeholder). When I open the libcurl.4.tbd in Xcode, it lists under install-name /usr/lib/libcurl.4.dylib and I expected to find this file. But I can't find the actual libcurl.4.dylib at this dir nor anywhere else on my system. otool -L gives me same filepath. How is the linking handled in this case and where is the actual dylib located? I've learned that libcurl.4.dylib actually resides within a shared cache file unter /System/Library/dyld. I'm running macOS 11.1 What's the benefit instead of just placing the dylib under the specified path like /usr/lib/?