No EndpointSecurity symlink event?

I'm watching NOTIFY_LINK and NOTIFY_CREATE events and symlinks are oddly not reported as link events but as create events. The problem with this is that I cannot get the path linked from without doing a manual readlink. Am I missing something? Is this an intentional design decision in ES?

With BSM we'd watch AUE_SYMLINK (which has its own issues with not reporting paths).
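The "manual readlink" the question describes, as an added example that is not from this thread or from Apple's framework: given the path a NOTIFY_CREATE event reported, this portable C helper (lstat/readlink only, no EndpointSecurity dependency, so it builds outside macOS too) tells a symlink from an ordinary create, recovers the stored target, resolves a relative target against the link's directory, and reports the case where the file is already gone by the time the client looks. Calling it from an ES client and the scratch-directory self-check are assumptions of the example.

```c
#define _DEFAULT_SOURCE 1   /* glibc: declares lstat, readlink, symlink, mkdtemp */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Run on the path an ES_EVENT_TYPE_NOTIFY_CREATE event reported: lstat(2)
 * says whether the new file is a symlink, readlink(2) recovers the stored
 * target (it need not exist; a dangling link reads fine).  'raw' gets the
 * target as stored, 'resolved' the same joined lexically with the link's own
 * directory when relative (what a log line should show).  Returns 1 = symlink,
 * 0 = exists but not a symlink, -1 = error, errno set (ENOENT right after a
 * create means the file was removed or replaced before we looked). */
int resolve_symlink_target(const char *path, char *raw, size_t rawlen,
                           char *resolved, size_t reslen)
{
    struct stat st;
    if (lstat(path, &st) != 0)      /* lstat, not stat: stat would follow the link */
        return -1;
    if (!S_ISLNK(st.st_mode))
        return 0;
    ssize_t n = readlink(path, raw, rawlen - 1);
    if (n < 0)
        return -1;
    raw[n] = '\0';                  /* readlink does not NUL-terminate */
    const char *slash = strrchr(path, '/');
    if (raw[0] == '/' || slash == NULL)
        snprintf(resolved, reslen, "%s", raw);
    else                            /* keep the directory up to and including '/' */
        snprintf(resolved, reslen, "%.*s%s", (int)(slash - path + 1), path, raw);
    return 1;
}

/* Self-check on constructed data (no real ES event): makes <scratch>/lnk ->
 * "../../etc/hosts", resolves it, then removes it to exercise the "already
 * gone" case.  Returns 1 when every step reports what it should. */
int self_check(void)
{
    char dir[] = "/tmp/es-symlink-XXXXXX", lnk[256], raw[256], res[512], want[512];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);
    snprintf(want, sizeof want, "%s/../../etc/hosts", dir);
    int ok = symlink("../../etc/hosts", lnk) == 0
          && resolve_symlink_target(lnk, raw, sizeof raw, res, sizeof res) == 1
          && strcmp(raw, "../../etc/hosts") == 0 && strcmp(res, want) == 0
          && resolve_symlink_target(dir, raw, sizeof raw, res, sizeof res) == 0;
    unlink(lnk);
    ok = ok && resolve_symlink_target(lnk, raw, sizeof raw, res, sizeof res) == -1;
    rmdir(dir);
    return ok;
}
```

The join is lexical on purpose: a dangling or not-yet-populated target would make realpath(3) fail, and the point is to record what the link says, not what currently resolves.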

Is this an intentional design decision in ES?

Yes. To quote the documentation for ES_EVENT_TYPE_NOTIFY_LINK:

notifies endpoint security that it is creating a hard link.

On Unix-y systems symlinks are effectively a tiny text file that contains a path, making them a very different beast than hard links.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn, I understand symlinks are quite different and that there's no path validation on them but ES is a replacement for BSM and BSM reported symlink events. Seems like ES should too. Oh and ES should also support user login/logout events like BSM (FeedbackID:FB9103833).

The login/logout requirement is a popular one, so thanks for filing a bug about that. It didn’t make the macOS 13 beta train )-: but let’s hope it catches the next one (-:

With regard to symlinks, if you want better support there then you know what to do. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
