I couldn't find an event type to subscribe to for identifying user logins (SSH, GUI). As an alternative approach I investigated the possibility of monitoring process events, e.g. for loginwindow.
However, I noticed that this doesn't seem to work either, because the user id and audit session id change from root 0/system session 100001 right after exec to the respective user's id (e.g. 501) and his GUI session id (e.g. 100005) after successful authentication. Since I couldn't find any evidence for a fork or exec event, I assume that something like setuid is used internally.
- Is there any way one could get notified for events which change the process' context (like setuid or a session id change)?
- Are there events for user logins/sessions I've overlooked?
Are there events for user logins/sessions I've overlooked?
No. This is one place where you must continue to use the (otherwise deprecated) audit subsystem (BSM).
Use an audit pipe to get interactive updates; see the auditpipe man page for the details.
Oh, and I’m pretty sure we have an enhancement request on file for ES support for user session events, but it wouldn’t hurt to file your own, discussing your specific requirements.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
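As an added example (not code from this thread or from Apple): a minimal C parser for one BSM record, of the kind a consumer of /dev/auditpipe has to handle, that pulls out the user id and audit session id the question asks about. The struct and function names are hypothetical, the sample bytes are constructed, and only the header32, subject32, text, return32 and trailer tokens are handled; any other token makes the parser give up.

```c
#include <stdint.h>
#include <stddef.h>
/* Token IDs from bsm/audit_record.h; only these 32-bit forms are handled. */
enum { AUT_TRAILER = 0x13, AUT_HEADER32 = 0x14, AUT_SUBJECT32 = 0x24,
       AUT_RETURN32 = 0x27, AUT_TEXT = 0x28 };

struct session_info {         /* hypothetical result type for this example */
    uint16_t event;           /* audit event number (header token) */
    uint32_t auid, ruid, sid; /* audit user id, real uid, audit session id */
    int status;               /* return token status, 0 = success, -1 = absent */
};

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Parse one complete BSM record; 0 on success, -1 if malformed or unhandled. */
int parse_record(const uint8_t *b, size_t n, struct session_info *out) {
    size_t i = 0, need;
    out->event = 0; out->auid = out->ruid = out->sid = 0; out->status = -1;
    if (n < 18 || b[0] != AUT_HEADER32 || be32(b + 1) != n) return -1;
    while (i < n) {
        const uint8_t *t = b + i;
        switch (t[0]) {                       /* token length by type */
        case AUT_HEADER32:  need = 18; break;
        case AUT_SUBJECT32: need = 37; break;
        case AUT_RETURN32:  need = 6;  break;
        case AUT_TRAILER:   need = 7;  break;
        case AUT_TEXT:      if (n - i < 3) return -1;
                            need = 3 + (size_t)be16(t + 1); break;
        default:            return -1;        /* other tokens: not handled here */
        }
        if (n - i < need) return -1;
        if (t[0] == AUT_HEADER32)  out->event = be16(t + 6);
        if (t[0] == AUT_SUBJECT32) { out->auid = be32(t + 1); out->ruid = be32(t + 13);
                                     out->sid = be32(t + 25); }
        if (t[0] == AUT_RETURN32)  out->status = t[1];
        if (t[0] == AUT_TRAILER)   return (i + need == n && be16(t + 1) == 0xb105) ? 0 : -1;
        i += need;
    }
    return -1;                                /* ran out of bytes before a trailer */
}
/* Constructed sample: header, subject (uid 501, session 100005), text, return, trailer. */
const uint8_t sample[74] = {
    0x14, 0,0,0,74, 11, 0x18,0x08, 0,0, 0x60,0,0,0, 0,0,0,0,
    0x24, 0,0,1,0xf5, 0,0,1,0xf5, 0,0,0,20, 0,0,1,0xf5, 0,0,0,20,
          0,0,0,123, 0,1,0x86,0xa5, 0,0,0,0, 0,0,0,0,
    0x28, 0,3, 'o','k',0,  0x27, 0, 0,0,0,0,  0x13, 0xb1,0x05, 0,0,0,74 };
```

The record length in the header token is what lets a reader split the pipe's byte stream into records before calling `parse_record`.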