[Q] What type of profiles are officially reported by the ES_EVENT_TYPE_NOTIFY_PROFILE_ADD and ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE events?
It looks to be only Configuration Profiles, which would make sense, as the properties of es_profile_t closely match the payload keys of a configuration profile file.
Also, only the addition and removal of configuration profiles are reported when playing with configuration profiles and provisioning profiles.
Endpoint Security
Posts under Endpoint Security tag
79 Posts
I am going through the list of ways to check whether my app has been given Full Disk Access (FDA) or not, of which only one method is supported by Apple:
@note The only supported way to check if an application is properly TCC authorized for Full Disk Access
is to call es_new_client and handling ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED in a way appropriate
to your application.
I have implemented this method using EndpointSecurity, calling it from a root process as required. But when I disable System Integrity Protection (SIP) and call it, it succeeds without FDA; no error is thrown. I then tested our app, and both the EndpointSecurity and protected-folder access (e.g. the Documents folder) functionality work fine even without FDA when SIP is disabled. Now my questions are:
When SIP is disabled, does every app have FDA by default?
Is there any use case that still needs FDA when SIP is off?
Is there any way to check whether FDA has been granted when SIP is off, since the above method won't work in that case?
Hello!
I'm trying to capture socket state changes for an endpoint security product and have tried the Endpoint Security APIs as well as a Network Extension, but there doesn't seem to be a way to detect listening sockets in real time. So far I've been able to capture all process, file and network flow/packet information in real time, but I'm also interested in getting an event when a server socket is opened to listen for incoming connections. Is there a way to do this? If so, can someone please point me to the documentation or any other information on how to go about it? Thanks!
In Endpoint Security events related to user login/logout activity (as well as lock/unlock and remote session attach/detach) there is a graphical session identifier, which is a 32-bit integer:
typedef struct {
    es_string_token_t username;
    es_graphical_session_id_t graphical_session_id;
} es_event_lw_session_login_t;
The documentation describes it as an opaque number:
/**
 * @brief es_graphical_session_id_t is a session identifier identifying a on-console or off-console graphical session.
 * A graphical session exists and can potentially be attached to via Screen Sharing before a user is logged in.
 * EndpointSecurity clients should treat the graphical_session_id as an opaque identifier and not assign
 * special meaning to it beyond correlating events pertaining to the same graphical session. Not to be confused with the audit session ID.
 */
typedef uint32_t es_graphical_session_id_t;
Question: is there a way to get this graphical session identifier outside of the Endpoint Security framework, for example from a process ID or audit token?
Is there an API for that?
When you use the eslogger command line tool to dump 'profile add' and 'profile remove' notify events, the instigator process always seems to be reported as the mdmclient process, whatever the "real" instigator is:
the Profiles pane in System Settings.app
an MDM solution
the profiles command line tool
[Q] Is this expected?
Because for another family of notify events where there is also an instigator field, the instigator points to the "real" instigator.
I'm trying to sign a macOS application which includes an Endpoint Security system extension. The profile for the extension has the capability added and the app profile has the System Extension capability added. Both targets also have the correct entitlements, but when validating the app after archiving I get the following error: "Profile doesn't support Endpoint Security." Looking in the logs, I can see that Xcode is fetching a provisioning profile for the extension without the needed capability. If I download the profile from the developer portal, the correct capability is present. Could something be "out of sync" between the provisioning profiles Xcode fetches and what I see on the developer portal?
If I try to archive using xcodebuild I get the following: "APP requires a provisioning profile with the System Extension feature." and ""BUNDLE_ID.systemextension" requires a provisioning profile with the Endpoint Security feature."
I have tried both automatic and manual signing, but nothing seems to work.
The description says this event will be raised for "An identifier for a process that notifies endpoint security that it is updating a file." What does this mean?
Similarly, when will the ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE event be raised?
Do these events get raised by a cloud provider sync app like Google Drive/Dropbox/OneDrive that uses the FileProvider framework to sync data?
In my Endpoint Security app I have registered for these events, but I didn't receive any.
I do receive other Endpoint Security events like ES_EVENT_TYPE_NOTIFY_CLONE, etc.
I mounted a third-party file system on macOS and want to monitor copy events made by Finder on it, so I use an Endpoint Security client.
I know that ES_EVENT_TYPE_NOTIFY_CLONE will only be triggered by an Apple File System clone operation, and ES_EVENT_TYPE_NOTIFY_COPYFILE is triggered by the SYS_copyfile system call.
If I want to monitor copy/paste operations by Finder (the copy can happen within the third-party file system or between it and Apple File System), which ES event should I register for?
I have submitted an application for the Endpoint Security entitlement; however, I have yet to receive any feedback regarding its progress.
Could someone kindly advise on the proper procedure to track the current status of my permission request?
I'm looking for a way to hook vnode operations; the following is a snippet of the code:
IOReturn
FltIOKitKAuthVnodeGate::RegisterVnodeScopeCallback(void)
{
    //
    // register our listener for the vnode scope; the callback receives every
    // vnode authorization request together with the vnode it concerns
    //
    this->VnodeListener = kauth_listen_scope( KAUTH_SCOPE_VNODE,                              // for the vnode scope
                                              FltIOKitKAuthVnodeGate::VnodeAuthorizeCallback,  // using this callback
                                              this );                                          // give a cookie to callback
    if( NULL == this->VnodeListener ){
        DBG_PRINT_ERROR( ( "kauth_listen_scope failed\n" ) );
        return kIOReturnInternalError;
    }
    return kIOReturnSuccess;
}
Here kauth_listen_scope is used to get the newly created vnode object, which is then hooked.
But kauth_listen_scope is now deprecated, and there is no way to get the vnode using EndpointSecurity.
So is there any other way to get the newly created vnode object?
We have a huge project.
Until today we didn't use an .app, but now we must in order to use Endpoint Security and other things.
Until today our binary sat in /opt/XYZ/binary.bin
Now, because of the .app, it looks like it will have to be /opt/XYZ/Cool.app/Contents/MacOS/binary.bin
This change really breaks our code and will require a massive code change.
If I extract the binary from the app, place it in /opt/XYZ/binary.bin and run it, the process is killed.
Is there a way to extract it from the app and run it from /opt/XYZ?
Any tool, command, resource, etc. would be great.
As an enterprise endpoint security/data loss prevention application, we need to detect data being transferred out of the enterprise context from the macOS filesystem through applications like cloud sync or email. Depending on the file content, type and size, we require some time to scan the content being sent. This can range from milliseconds to a few minutes for very large content. But the Endpoint Security message has to be responded to within the provided message deadline, or the application is killed. This deadline has been reduced with every macOS release and is now only 15 seconds on macOS Sonoma, which blocks our use case of completing the scan before responding. We could scan beforehand, but that poses the challenge of the data being modified before it is actually sent. So we have to scan on the fly and can't rely solely on previous scans.
Is there any way an enterprise can customize this deadline value depending on the ES message and the scanning application, perhaps through an MDM setting?
Is there an API to query SIP-protected paths, or some way this information can be deciphered?
The intent is to mute those paths, or a subset of them, for an ES client.
I have an app that uses Endpoint Security.
I have one client that has registered many AUTH and NOTIFY event types.
When I receive an Endpoint Security message (event) and my handler is called, which thread does it use?
If I have one client, will it always use the same single thread?
If not, can it ever happen that I register one client and it handles more than one event at the same time, regardless of event type or anything else?
I am developing an app that uses the Endpoint Security API.
I need to mute a few processes, like my own process, Xcode, etc.
However, if the muted processes create child processes, I want those processes to be muted as well; the full process tree under the muted processes should be muted.
How can that be done?
I can't see it in the docs and can't find an example.
If it can't be done, what's the closest thing to it that I can implement?
Thanks!
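There is no tree-mute call in the framework, but the effect can be approximated on top of es_mute_process(), which mutes exactly one audit token. The code below is an added example, not code from the post and not an Apple-provided mechanism. It assumes the client is created elsewhere and subscribed at least to ES_EVENT_TYPE_NOTIFY_FORK and ES_EVENT_TYPE_NOTIFY_EXEC, that the root set is "ourselves plus anything under /Applications/Xcode.app/" (a placeholder list), and that muting is keyed on the full audit token, so a process whose token changed at exec has to be muted again.

```objective-c
#import <EndpointSecurity/EndpointSecurity.h>
#import <Foundation/Foundation.h>
#import <bsm/libbsm.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

// Assumed root list for this example: our own process plus anything running
// out of Xcode.app. Replace with whatever your product needs to ignore.
static const char *const kMutedRootPrefixes[] = { "/Applications/Xcode.app/", NULL };

static BOOL IsMuteRoot(const es_process_t *proc) {
    if (audit_token_to_pid(proc->audit_token) == getpid()) return YES;
    es_string_token_t path = proc->executable->path;   // compare by length: not guaranteed NUL-terminated
    for (size_t i = 0; kMutedRootPrefixes[i] != NULL; i++) {
        size_t n = strlen(kMutedRootPrefixes[i]);
        if (path.length >= n && strncmp(path.data, kMutedRootPrefixes[i], n) == 0) return YES;
    }
    return NO;
}

@interface ProcessTreeMuter : NSObject
- (BOOL)absorbMessage:(const es_message_t *)msg client:(es_client_t *)client;
- (void)pruneExited;
@end

@implementation ProcessTreeMuter {
    NSMutableSet<NSNumber *> *_mutedPids;   // pids we have passed to es_mute_process()
}

- (instancetype)init {
    if ((self = [super init])) _mutedPids = [NSMutableSet set];
    return self;
}

- (BOOL)isMutedPid:(pid_t)pid {
    @synchronized (self) { return [_mutedPids containsObject:@(pid)]; }
}

- (void)mute:(const es_process_t *)proc client:(es_client_t *)client {
    if (es_mute_process(client, &proc->audit_token) != ES_RETURN_SUCCESS) return;
    @synchronized (self) { [_mutedPids addObject:@(audit_token_to_pid(proc->audit_token))]; }
}

// Returns YES when the message comes from the muted tree. Run this first in the
// es_new_client() handler; the caller must still answer AUTH messages (e.g. allow)
// before ignoring them, or the client is killed at the deadline.
- (BOOL)absorbMessage:(const es_message_t *)msg client:(es_client_t *)client {
    const es_process_t *proc = msg->process;
    pid_t pid = audit_token_to_pid(proc->audit_token);

    // es_mute_process() mutes one audit token, and a muted process's fork/exit
    // events are never delivered, so a descendant is recognised by its parent pid
    // on its first visible event, and a process whose token changed (exec) by its pid.
    if (!(IsMuteRoot(proc) || [self isMutedPid:pid] || [self isMutedPid:proc->ppid])) return NO;

    [self mute:proc client:client];
    switch (msg->event_type) {
        case ES_EVENT_TYPE_NOTIFY_FORK:   // the child has a fresh pid and token: mute it now
            [self mute:msg->event.fork.child client:client];
            break;
        case ES_EVENT_TYPE_NOTIFY_EXEC:   // same pid, new token for the post-exec image
            [self mute:msg->event.exec.target client:client];
            break;
        default:
            break;
    }
    return YES;
}

// Muted processes report no ES_EVENT_TYPE_NOTIFY_EXIT, so drop dead pids from a
// timer to bound how long a recycled pid is mistaken for a muted one.
- (void)pruneExited {
    @synchronized (self) {
        NSMutableSet<NSNumber *> *dead = [NSMutableSet set];
        for (NSNumber *n in _mutedPids)
            if (kill((pid_t)n.intValue, 0) != 0 && errno == ESRCH) [dead addObject:n];
        [_mutedPids minusSet:dead];
    }
}
@end
```

The ppid check is the load-bearing part: because a muted parent's own fork events are suppressed, the first thing you see from a child is usually its exec, and that message still carries the parent pid. The pid set is only a cache of what the kernel already mutes; the kernel-side entries for dead processes are harmless (a recycled pid gets a new pidversion, so the stale token no longer matches) but can be removed with es_unmute_process() if you also keep the tokens.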
I used the sample code from https://developer.apple.com/documentation/endpointsecurity/client?language=objc
but replaced ES_EVENT_TYPE_AUTH_EXEC with ES_EVENT_TYPE_AUTH_OPEN; this is the full code:
#import <EndpointSecurity/EndpointSecurity.h>
#import <Foundation/Foundation.h>
#include <stdio.h>
#include <stdlib.h>

// Apple's sample leaves panic() undefined; a minimal fatal-error helper so the file builds.
#define panic(...) do { fprintf(stderr, __VA_ARGS__); fputc('\n', stderr); abort(); } while (0)

int main(int argc, const char** argv) {
    @autoreleasepool {
        es_client_t *client = NULL;
        es_new_client_result_t newClientResult =
        es_new_client(&client,
                      ^(es_client_t * client, const es_message_t * message) {
            switch (message->event_type) {
                case ES_EVENT_TYPE_AUTH_OPEN:
                    printf("auth open\n");
                    // AUTH_OPEN is a "flags" event: es_respond_auth_result() is refused for it
                    // (ES_RESPOND_RESULT_ERR_EVENT_TYPE) and the message stays unanswered;
                    // es_respond_flags_result() is the call this event type expects.
                    es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true);
                    break;
                default:
                    panic("Found unexpected event type: %i", message->event_type);
                    break;
            }
        });
        // Handle any errors encountered while creating the client.
        switch (newClientResult) {
            case ES_NEW_CLIENT_RESULT_SUCCESS:
                // Client created successfully; continue.
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
                panic("Extension is missing entitlement.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
                panic("Extension is not running as root.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
                // Prompt user to perform Transparency, Consent,
                // and Control (TCC) approval.
                // This error is recoverable; the user can try again after
                // approving the TCC prompt.
                // return YOUR_NEW_CLIENT_ERROR_CODE_PROMPT_TCC;
                break;
            case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT:
                panic("Invalid argument to es_new_client(); client or handler was null.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS:
                panic("Exceeded maximum number of simultaneously-connected ES clients.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:
                panic("Failed to connect to the Endpoint Security subsystem.");
                break;
        }
        // Subscribe the client to the ES_EVENT_TYPE_AUTH_OPEN event.
        // When the client receives a message with this event type, it must authorize
        // (allow or deny) the event.
        es_event_type_t eventTypes[1] = { ES_EVENT_TYPE_AUTH_OPEN };
        // es_subscribe() takes the number of events, not the byte size of the array.
        es_return_t subscribeResult = es_subscribe(client, eventTypes, sizeof(eventTypes) / sizeof(eventTypes[0]));
        if (subscribeResult != ES_RETURN_SUCCESS) {
            panic("Client failed to subscribe to event.");
        }
        NSRunLoop *runLoop = [NSRunLoop currentRunLoop];
        [runLoop run];
    }
    return 0;
}
I run this code in Xcode; the mouse cursor then becomes a colourful rotating circle (the spinning wait cursor), and the application exits after about 10 seconds. Xcode prints:
Message from debugger: Terminated due to signal 9
Program ended with exit code: 9
If I subscribe to ES_EVENT_TYPE_NOTIFY_OPEN and ES_EVENT_TYPE_NOTIFY_CLOSE instead, it works.
What can I do to fix this?
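Both this post and the earlier one about the shrinking message deadline come down to answering an AUTH event correctly and in time, so one added example (my code, not the poster's or Apple's sample) covers both: an ES_EVENT_TYPE_AUTH_OPEN handler that replies with es_respond_flags_result(), reads the deadline from the message instead of assuming a number, and runs a slow scan off the callback thread while guaranteeing a reply before the deadline. ScanFileIsClean() is a hypothetical stand-in for the content scan, the two dispatch queues are assumed to be concurrent queues created by the caller, and the 500 ms safety margin is a chosen value.

```objective-c
#import <EndpointSecurity/EndpointSecurity.h>
#import <Foundation/Foundation.h>
#import <mach/mach_time.h>

// Leave this much of the deadline unused so the reply lands before it expires (chosen value).
static const int64_t kSafetyMarginNs = 500 * NSEC_PER_MSEC;

// es_message_t.deadline is an absolute mach_absolute_time() value; convert the
// remainder into nanoseconds (0 if it has already passed).
static int64_t NanosecondsUntilDeadline(const es_message_t *msg) {
    static mach_timebase_info_data_t tb;
    if (tb.denom == 0) mach_timebase_info(&tb);
    uint64_t now = mach_absolute_time();
    if (msg->deadline <= now) return 0;
    return (int64_t)((msg->deadline - now) * tb.numer / tb.denom);
}

// Hypothetical content scan standing in for the DLP check; YES means clean.
static BOOL ScanFileIsClean(NSData *path) {
    (void)path;
    return YES;
}

// es_subscribe() wants the element count, not sizeof(array).
static es_return_t SubscribeAuthOpen(es_client_t *client) {
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN };
    return es_subscribe(client, events, sizeof(events) / sizeof(events[0]));
}

// Call from the es_new_client() handler for ES_EVENT_TYPE_AUTH_OPEN messages.
static void HandleAuthOpen(es_client_t *client, const es_message_t *msg,
                           dispatch_queue_t scanQueue, dispatch_queue_t replyQueue) {
    // AUTH_OPEN is a flags event: the answer is the subset of the requested open flags
    // we allow, sent with es_respond_flags_result(). es_respond_auth_result() is
    // refused for this event type (ES_RESPOND_RESULT_ERR_EVENT_TYPE), the message then
    // stays unanswered, and the client is killed when its deadline passes.
    uint32_t requested = (uint32_t)msg->event.open.fflag;
    int64_t budget = NanosecondsUntilDeadline(msg) - kSafetyMarginNs;
    if (budget <= 0) {                                  // no time to scan: fail closed
        es_respond_flags_result(client, msg, 0, false);
        return;
    }

    // Copy what the scan needs so it never touches the message, then keep the message
    // alive for the reply (es_retain_message is macOS 11+; es_copy_message on 10.15).
    NSData *path = [NSData dataWithBytes:msg->event.open.file->path.data
                                  length:msg->event.open.file->path.length];
    es_retain_message(msg);
    dispatch_semaphore_t done = dispatch_semaphore_create(0);
    __block BOOL clean = NO;

    dispatch_async(scanQueue, ^{                          // slow work off the ES callback thread
        clean = ScanFileIsClean(path);
        dispatch_semaphore_signal(done);
    });

    dispatch_async(replyQueue, ^{                         // race the scan against the budget
        BOOL finished = dispatch_semaphore_wait(done, dispatch_time(DISPATCH_TIME_NOW, budget)) == 0;
        uint32_t allowed = (finished && clean) ? requested : 0;   // slow or dirty: deny
        es_respond_result_t rr = es_respond_flags_result(client, msg, allowed, false); // cache=false: rescan next open
        if (rr != ES_RESPOND_RESULT_SUCCESS) NSLog(@"es_respond_flags_result failed: %d", (int)rr);
        es_release_message(msg);
    });
}
```

Two details matter in practice: the reply block is the only place the message is released, so a scan that finishes after the timeout cannot touch freed memory, and cache=false keeps the kernel from reusing this verdict for later opens of the same file, which is what you want when the content can change between scans. Whatever the platform's deadline is, the handler never hard-codes it; it only shortens its own budget.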
Hello,
I know that EndpointSecurity doesn't support network events, save for some events related to Unix pipes.
In WWDC 2020 session 10159 Apple says that:
Those of you who have already worked with the EndpointSecurity framework have likely noticed that we do not provide events related to networking operations. This is intentional as these are better covered by the NetworkExtension framework.
Could you please give me a short, high-level hint on how I can use NetworkExtension to provide connect/disconnect events to a monitoring app that tries to log those events in a database? I would like to receive the remote IP and remote port, plus the local port.
From what I've researched, the NetworkExtension documentation states that it's possible to create a "content filter", which would probably be a good source of information; the problem is that, because of the privacy requirements, the "content filter" can't send back any information about user data, since it is separated in a restrictive sandbox. So I'm not sure the "content filter" could even be used as a source of network events. The other categories inside NetworkExtension don't seem to be a good match for my use case.
Is it possible to use NetworkExtension to get information about network events (connect/disconnect), like EndpointSecurity does for, e.g., processes (process start/process end)?
I have an Endpoint Security system extension that, in theory, receives XProtect alerts.
I regularly see XProtectPluginService starting programs like XProtectRemediatorSheepSwap on my Mac.
I would love to be able to put one or more files/bundles on my Mac that trigger the detectors, so I can see the alerts go from the Endpoint Security system extension through to the UI.
Does Apple have or recommend a way (short of being infected) to trigger the XProtect detectors for testing?
New to Apple, macOS and system extensions.
I don't see anything about my topic in the system extensions documentation.
Should I use XPC?
Or is there a better way here?
Hello,
Three questions regarding the Endpoint Security Framework:
Does ESF support tracing the dup2(2) function? There is the ES_EVENT_TYPE_NOTIFY_DUP event, but it seems that it only reports dup(2), not dup2(2).
Does ESF support tracing the dup(2) and close(2) calls if the file descriptor passed to these functions refers to a pipe rather than a file? If not, do you have any plans to extend support to pipes as well?
Could the es_event_dup_t structure support reporting which file descriptor has been duplicated into which value (source and target file descriptor values)? Currently this structure only carries the "target" file object, without any information about which file descriptor was cloned into which, which is not helpful at all. For example, if we open file A and get fd1, then open the same file A and get fd2, then perform dup(fd1), with ESF it seems impossible to tell whether fd1 or fd2 was duplicated. Also, this model doesn't support dup2(2) usage at all.