Retrieve random process audit token

With EndpointSecurity framework we are able to receive a process audit token for every event that was made by it.

However, we sometimes find ourselves needing to enumerate running processes, or to validate that an existing process matches the one in our memory. This can also happen after our daemon is installed, and we want to query current system information.

In this case we need to be able to get a process audit token on demand, and not by an event that it had made. Is it possible to do such a query? Is there a plan to add something like that?

Accepted Reply

OK, then first I want to stress that this approach is fundamentally insecure because of the race condition between when you get the process ID and when you get the audit token from that process ID. An audit token protects you from process ID wrap attacks, but if you’re starting with a process ID then you get no such protection.

Normally I’d recommend that you file a bug for a better solution but I happen to know that you’ve already done this (-:

As to how you do this, the best approach I’ve seen is to call task_info with the TASK_AUDIT_TOKEN selector.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Let’s see if I understand this properly. You want to get the audit token for an arbitrary process. You don’t need this for the standard operation of your ES client, but rather you need it to establish a baseline when your ES client starts up.

Is that right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

(FB6995261, r. 54181176)

Exactly.

Won't that just allow me to get the audit_token for my own process? As I'm not able to call task_info for any other process (as I can't get its task port).

Use task_name_for_pid to get a task name for an arbitrary pid.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
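As an added example (not code from the thread, from Quinn or from Apple), here are the two calls named above put together in Swift for macOS: task_name_for_pid to obtain a task name port for a pid, then task_info with the TASK_AUDIT_TOKEN selector. The names auditToken(forPid:), isSameProcess and AuditTokenError are mine; task_name_for_pid applies its own policy checks, so a non-root caller can only look up processes running as the same user.

```swift
import Foundation

/// Failure modes of the lookup (hypothetical type, part of this added example).
enum AuditTokenError: Error {
    case taskNameForPid(kern_return_t)
    case taskInfo(kern_return_t)
}

/// Fetch the audit token of an arbitrary running process from its pid, using
/// task_name_for_pid (a task *name* port, which grants no control over the task)
/// followed by task_info with the TASK_AUDIT_TOKEN selector.
func auditToken(forPid pid: pid_t) throws -> audit_token_t {
    var namePort: mach_port_name_t = 0
    var kr = task_name_for_pid(mach_task_self_, pid, &namePort)
    guard kr == KERN_SUCCESS else { throw AuditTokenError.taskNameForPid(kr) }
    // task_name_for_pid hands us a send right; release it when we are done.
    defer { _ = mach_port_deallocate(mach_task_self_, namePort) }

    var token = audit_token_t()
    // audit_token_t is eight natural_t words (what TASK_AUDIT_TOKEN_COUNT expands to).
    var count = mach_msg_type_number_t(MemoryLayout<audit_token_t>.size / MemoryLayout<natural_t>.size)
    kr = withUnsafeMutablePointer(to: &token) { tokenPtr in
        tokenPtr.withMemoryRebound(to: integer_t.self, capacity: Int(count)) { infoPtr in
            task_info(namePort, task_flavor_t(TASK_AUDIT_TOKEN), infoPtr, &count)
        }
    }
    guard kr == KERN_SUCCESS else { throw AuditTokenError.taskInfo(kr) }
    return token
}

/// The race Quinn describes cannot be closed from a pid alone: whichever process
/// owns the pid at lookup time is the one whose token you get. What a baseline
/// token *can* do is let you confirm later that an ES event's token refers to the
/// same process incarnation: both pid (val.5) and pidversion (val.7) must match.
/// pidversion changes on every fork and exec, so a recycled pid or a re-exec'd
/// image yields a different value.
func isSameProcess(_ a: audit_token_t, _ b: audit_token_t) -> Bool {
    return a.val.5 == b.val.5 && a.val.7 == b.val.7
}

// Usage: our own process is guaranteed to exist, so it makes a safe demo target.
do {
    let token = try auditToken(forPid: getpid())
    print("auid \(token.val.0) pid \(token.val.5) pidversion \(token.val.7)")
    assert(isSameProcess(token, token))
} catch {
    print("lookup failed: \(error)")
}
```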