With the EndpointSecurity framework we are able to receive a process's audit token for every event it generates.
However, we sometimes find ourselves needing to enumerate running processes, or to validate that an existing process matches the one in our memory. This can also happen after our daemon is installed and we want to query current system information.
In this case we need to be able to get a process's audit token on demand, and not via an event it generated. Is it possible to do such a query? Is there a plan to add something like that?
OK, then first I want to stress that this approach is fundamentally insecure because of the race condition between when you get the process ID and when you get the audit token from that process ID. An audit token protects you from process ID wrap attacks, but if you're starting with a process ID then you get no such protection.
Normally I’d recommend that you file a bug for a better solution but I happen to know that you’ve already done this (-:
As to how you do this, the best approach I’ve seen is to call task_info with the TASK_AUDIT_TOKEN selector.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
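The `task_info` / `TASK_AUDIT_TOKEN` call described in the answer, as an added example that is not part of the thread and not Apple's own code. It assumes the caller is privileged enough for `task_name_for_pid` on the target (a root daemon, or a process of the same uid); `TASK_AUDIT_TOKEN` only needs a task name port, not a full task port. It also shows the one check that narrows the race the answer warns about: if you already hold an audit token for the process (for example from an earlier ES event), compare the pid and pidversion fields of the freshly fetched token against it, since the kernel assigns a fresh pidversion to each new process image, so a reused pid will not match. With only a pid and no prior token there is no ground truth, and the race stands exactly as described.

```swift
import Darwin
import Foundation

// Added example, not code from the thread. Requires macOS; run with
// `swift audit_token.swift` as root (or against a process of your own uid).

// TASK_AUDIT_TOKEN_COUNT is a sizeof()-based C macro that Swift does not
// import, so it is recomputed here: an audit_token_t is eight natural_t words.
let taskAuditTokenCount = mach_msg_type_number_t(
    MemoryLayout<audit_token_t>.size / MemoryLayout<natural_t>.size)

/// Fetch the audit token of `pid` on demand via task_info(TASK_AUDIT_TOKEN).
/// Returns nil if the task name port cannot be obtained (no such process, or
/// insufficient privilege) or if task_info fails.
func auditToken(forPID pid: pid_t) -> audit_token_t? {
    var namePort: mach_port_name_t = 0
    guard task_name_for_pid(mach_task_self_, pid, &namePort) == KERN_SUCCESS else {
        return nil
    }
    defer { mach_port_deallocate(mach_task_self_, namePort) }

    var token = audit_token_t()
    var count = taskAuditTokenCount
    let kr = withUnsafeMutablePointer(to: &token) { tokenPtr -> kern_return_t in
        // task_info wants an integer_t buffer, so rebind the token's storage.
        tokenPtr.withMemoryRebound(to: integer_t.self, capacity: Int(count)) { buf in
            task_info(namePort, task_flavor_t(TASK_AUDIT_TOKEN), buf, &count)
        }
    }
    return kr == KERN_SUCCESS ? token : nil
}

/// pid and pidversion live at val[5] and val[7] of an audit token (the fields
/// audit_token_to_pid() and audit_token_to_pidversion() in libbsm return).
func pid(of token: audit_token_t) -> pid_t { pid_t(token.val.5) }
func pidVersion(of token: audit_token_t) -> Int32 { Int32(token.val.7) }

/// True only if `pid` still refers to the same process incarnation that
/// produced `expected`. Because the token is read through the task port, it
/// reflects whatever process that port really is; a pid that was recycled
/// between the two lookups shows up as a pidversion mismatch.
func pidStillMatches(_ pid: pid_t, expected: audit_token_t) -> Bool {
    guard let current = auditToken(forPID: pid) else { return false }
    return pid(of: current) == pid(of: expected)
        && pidVersion(of: current) == pidVersion(of: expected)
}

// Demonstration against our own process, which every caller may inspect.
// In a real ES client `saved` would be the token from an earlier es_message_t.
guard let saved = auditToken(forPID: getpid()) else {
    print("task_info(TASK_AUDIT_TOKEN) failed for our own pid")
    exit(1)
}
print("pid \(pid(of: saved)) pidversion \(pidVersion(of: saved))")
print("still the same process: \(pidStillMatches(getpid(), expected: saved))")
```

The point of the last function is the order of trust: the token returned by `task_info` is authoritative for whatever the port refers to, so it can confirm or refute a stored token; it cannot authenticate a bare pid, which is the race the answer calls fundamentally insecure.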