Endpoint Security AUTH event for file deletion?

Hi,


I have created a command line app that uses the EP framework, events seem to work well.


I want to handle file deletions, but can't seem to find a proper event for that.


The Apple documentation says:

ES_EVENT_TYPE_AUTH_UNLINK

A type that represents events for authorizing the deletion of a file.

https://developer.apple.com/documentation/endpointsecurity/es_event_type_t/es_event_type_auth_unlink?language=objc


However, this does not seem to work. Also the name sounds like it refers to something else.


Is there another event that accomplishes this? It seems like there are events for all basic file operation except deletion.


Thanks!

Answered by mdolan in 422597022

I think that is an ES_EVENT_TYPE_AUTH_RENAME event. I don't have anything set up right now to verify this, but if you think about how you'd do it from a command line, you'd use a mv command to either rename the file or move it to another location, i.e., the trash.


E.g., my code has this in the rename event handler:

if (msg->event.rename.destination_type == ES_DESTINATION_TYPE_NEW_PATH)

We're checking to see if there's a new path. Just look to see if someone is moving the file you care about somewhere else.
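As an added example (not mdolan's code and not Apple's), here is the rename check described above written in C against the Endpoint Security C API: the handler only looks at renames whose destination_type is ES_DESTINATION_TYPE_NEW_PATH and denies the move when a protected file is headed into a Trash folder. The protected-file rule (path contains "dont_delete_me") and the ".Trash"/".Trashes" directory names are assumptions made for illustration; the handler itself only compiles against the macOS SDK and links with -framework EndpointSecurity, while the policy helpers are plain C and build anywhere.

```c
#include <stdbool.h>
#include <string.h>
/* es_string_token_t is not NUL-terminated, so helpers take (pointer, length). */
static bool token_contains(const char *s, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(s + i, needle, n) == 0) return true;
    return false;
}
/* True when any path component of dir is ".Trash" (a user's own Trash) or
 * ".Trashes" (per-volume Trash), i.e. the rename is Finder's "Move to Trash". */
bool dir_is_trash(const char *dir, size_t len)
{
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || dir[i] == '/') {          /* end of one component */
            size_t n = i - start;
            if ((n == 6 && memcmp(dir + start, ".Trash", 6) == 0) ||
                (n == 8 && memcmp(dir + start, ".Trashes", 8) == 0))
                return true;
            start = i + 1;
        }
    }
    return false;
}

/* Constructed policy for an AUTH_RENAME with destination_type == NEW_PATH:
 * deny moving a protected file (path contains "dont_delete_me", the name used
 * in the thread's rm test) into a Trash folder. Returns true to allow. */
bool allow_rename(const char *src, size_t src_len, const char *dst_dir, size_t dir_len)
{
    return !(token_contains(src, src_len, "dont_delete_me") && dir_is_trash(dst_dir, dir_len));
}

#ifdef __APPLE__ /* the handler itself only builds against the macOS SDK */
#include <EndpointSecurity/EndpointSecurity.h>
/* Call from the es_handler_block_t of a client subscribed to ES_EVENT_TYPE_AUTH_RENAME. */
void rename_auth_handler(es_client_t *client, const es_message_t *msg)
{
    const es_event_rename_t *ev = &msg->event.rename;
    bool allow = true;                            /* renames onto an existing file pass */
    if (ev->destination_type == ES_DESTINATION_TYPE_NEW_PATH) {
        const es_string_token_t *src = &ev->source->path;
        const es_string_token_t *dir = &ev->destination.new_path.dir->path;
        allow = allow_rename(src->data, src->length, dir->data, dir->length);
    }
    es_respond_auth_result(client, msg, allow ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY, false);
}
#endif
```

A move to a second volume's Trash lands in /Volumes/<name>/.Trashes/<uid>/, which is why the component walk matches ".Trashes" as well as ".Trash".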

However, this does not seem to work.

Can you be more specific about what you mean by “does not seem to work”?

Also, did you try the corresponding notification event, ES_EVENT_TYPE_NOTIFY_UNLINK?

Also the name sounds like it refers to something else.

You have misunderstood the context here. Traditional UNIX file system semantics represent files as standalone entities (inodes) which can then be referenced by multiple directory entries (links). When you delete a directory entry, it removes the link from that directory. The file isn’t deleted until you remove its last link. Thus, the UNIX system call to ‘delete a file’ is called unlink, and hence the name of this event.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I tried intercepting ES_EVENT_TYPE_AUTH_UNLINK events. It worked for me. One thing to note is that, if you use the Finder UI to delete files, you'll not get deletion events. What I mean is, if you right-click on the file and select "Move to Trash", the file doesn't get deleted. Instead, if you use the "rm" command for deletion, you'll see the ES_EVENT_TYPE_AUTH_UNLINK event being processed. "Move to Trash" is basically moving the file to the folder "~/.Trash/" so that it could be recovered in the future unless you delete the file ("Delete Immediately...") from Trash or "Empty Trash" (which is basically nothing but invoking "rm"). So, "/bin/rm" is actually the binary that would trigger the event ES_EVENT_TYPE_AUTH_UNLINK. And we could subscribe to this event type for authorizing the deletion of a file.
For instance, here's my code:

es_handler_block_t deletion_cbk = ^(es_client_t *client, const es_message_t *msg)
{
    log_events(msg); // logging events to console
    NSString *path = esstring_to_nsstring(&msg->event.unlink.target->path); // converting es_string_token_t to NSString
    // deny the deletion if the substring "dont_delete_me" is found in the target path
    es_auth_result_t flag = ([path rangeOfString:@"dont_delete_me"].location == NSNotFound) ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY;
    es_respond_result_t res = es_respond_auth_result(client, msg, flag, false);
    if (ES_RESPOND_RESULT_SUCCESS != res)
        LOG_ERROR("es_respond_auth_result: %d", res);
};

After subscribing to ES_EVENT_TYPE_AUTH_UNLINK with es_new_client(), I am intercepting the file deletion event messages inside this es_handler_block_t callback. The esstring_to_nsstring() function (to cast es_string_token_t to NSString) implementation is similar to: https://gist.github.com/Omar-Ikram/8e6721d8e83a3da69b31d4c2612a68ba#file-endpointsecuritydemo-m-L47-L56


OUTPUT

Uddalak:Desktop qwerty$ echo "this file should be deleted" > delete_me.txt
Uddalak:Desktop qwerty$ echo "this file should not be deleted" > dont_delete_me.txt
Uddalak:Desktop qwerty$ rm delete_me.txt
Uddalak:Desktop qwerty$ rm dont_delete_me.txt
rm: dont_delete_me.txt: Operation not permitted
Uddalak:Desktop qwerty$ ls -ltrh | grep "dont"
-rw-r--r--   1 qwerty  staff    32B May 28 15:01 dont_delete_me.txt
Uddalak:Desktop qwerty$

As you can see, the file "dont_delete_me.txt" doesn't get deleted, as I set ES_AUTH_RESULT_DENY for files containing the substring "dont_delete_me". Additionally, once I had selected "Move to Trash" and then deleted the file ("Delete Immediately..." from the Trash) or "Empty Trash", then I was able to intercept the deletion event (like I said, it is basically nothing but invoking "rm").

Thanks 🙂 I was moving to trash via the Finder UI thinking that should trigger the event.


In that case, is there a way to allow/deny moving a file? (so that deleting via Finder UI would be caught)

Couldn't find such an event.

I assume you're only interested in "Move to Trash" and not deletion. "ES_EVENT_TYPE_AUTH_UNLINK" would get triggered if you use the "rm" command or Delete/Empty a file from Trash after it was moved.
I don't know if I can be of any help here but following is the only answer I have off the top of my head:
If I want to intercept events for "Move to Trash" operation, then I would probably use "ES_EVENT_TYPE_AUTH_CREATE" (https://developer.apple.com/documentation/endpointsecurity/es_event_type_t/es_event_type_auth_create?language=objc).

After subscribing to "ES_EVENT_TYPE_AUTH_CREATE", I need to use "es_event_create_t" (https://developer.apple.com/documentation/endpointsecurity/es_event_create_t?language=objc) to parse the "destination" path. For each destination path received, I would check if my path contains the string "~/.Trash". If I find a path matching "~/.Trash", I would set "ES_AUTH_RESULT_DENY", else "ES_AUTH_RESULT_ALLOW". This is because a file can only be created in Trash if it was "Moved to Trash". In short, if you want to deny moving a specific file to Trash, you might want to deny that specific file being created in Trash.
However, I might be incorrect here, and you would probably need to have your own set of rules implemented using the ES AUTH events.

Thanks for the assistance, Uddalak; unfortunately this does not work. ES_EVENT_TYPE_AUTH_CREATE does not trigger when deleting a file via the Finder UI.


I have also tried many other events and did not manage to trigger it.


@Eskimo - is there any other way to achieve this?


Thank you!


Thank you friend, this works great 🙂

Glad I could help
