We noticed that sometimes exec messages delivered by Endpoint Security contain unexpected data since Ventura:
When a script is executed by a shell, like zsh, the process data for the responsible and the target process are identical, including the pidversion - but only sporadically. At first, I thought that it might be the case that pidversions are not incremented when a process execs into the same image. But my tests showed that this is not the case, and the pidversion is incremented in any case.
I also tried to trigger this behavior with a program that basically recursively execs into itself, but that worked as expected. So far, I've only observed this behavior with shell scripts.
Here is an example:
(lldb) p *(msg->process)
(es_process_t) $7 = {
audit_token = {
val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 12196, [6] = 100873, [7] = 29277)
}
ppid = 10691
original_ppid = 10691
group_id = 10691
session_id = 10691
codesigning_flags = 570493697
is_platform_binary = true
is_es_client = false
cdhash = "\U00000017\x8e$Y\xd0Z\x90\x8f\x92S\xc3s\xff<\x9c\xd6\xe2a\U00000011V"
signing_id = (length = 13, data = "com.apple.zsh")
team_id = (length = 0, data = 0x0000000000000000)
executable = 0x00000001036bb1e8
tty = nullptr
start_time = (tv_sec = 1669896286, tv_usec = 191693)
responsible_audit_token = {
val = ([0] = 501, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10682, [6] = 100349, [7] = 24944)
}
parent_audit_token = {
val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10691, [6] = 100873, [7] = 24963)
}
}
(lldb) p *(msg->event.exec.target)
(es_process_t) $8 = {
audit_token = {
val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 12196, [6] = 100873, [7] = 29277)
}
ppid = 10691
original_ppid = 10691
group_id = 10691
session_id = 10691
codesigning_flags = 570493697
is_platform_binary = true
is_es_client = false
cdhash = "\U00000017\x8e$Y\xd0Z\x90\x8f\x92S\xc3s\xff<\x9c\xd6\xe2a\U00000011V"
signing_id = (length = 13, data = "com.apple.zsh")
team_id = (length = 0, data = 0x0000000000000000)
executable = 0x00000001036bba00
tty = nullptr
start_time = (tv_sec = 1669896286, tv_usec = 191693)
responsible_audit_token = {
val = ([0] = 501, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10682, [6] = 100349, [7] = 24944)
}
parent_audit_token = {
val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10691, [6] = 100873, [7] = 24963)
}
}
Is this an error in Endpoint Security, or am I missing something here?
Steps to reproduce
execute a script repeatedly to trigger the behavior, e.g.
for i in {1..200000}; do
./script1.sh > /dev/null;
# sleep 1; still happens, but you have to wait longer
done
in another terminal you can use eslogger like this
sudo eslogger exec | jq 'if .process.audit_token.pidversion == .event.exec.target.audit_token.pidversion then "\(input_line_number) pidversion did not change: \(.process.audit_token.pidversion == .event.exec.target.audit_token.pidversion) \(.process.executable.path) -> \(.event.exec.target.executable.path)" else empty end'
which could output something like this:
"3211638 pidversion did not change: true /bin/zsh -> /bin/zsh"
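For an ES client consuming these messages, the same comparison the jq filter makes, plus a small process cache keyed on (pid, pidversion) that shows why a repeated pidversion matters for lineage tracking. This is an added example, not code from the post; it assumes eslogger's audit_token JSON carries a pid key alongside the pidversion key used above, and the sample lines are constructed.

```python
import json
from typing import Iterable, Optional

def token_key(proc: dict) -> tuple:
    """ES identifies a process image by (pid, pidversion) from its audit token.
    The .pidversion key is the one the post's jq filter uses; .pid is assumed."""
    tok = proc["audit_token"]
    return (int(tok["pid"]), int(tok["pidversion"]))

def check_exec(msg: dict) -> Optional[dict]:
    """Flag an exec message whose instigating process and target share a key."""
    proc, target = msg["process"], msg["event"]["exec"]["target"]
    if token_key(proc) != token_key(target):
        return None
    pid, pidversion = token_key(proc)
    return {"pid": pid, "pidversion": pidversion, "from": proc["executable"]["path"], "to": target["executable"]["path"]}

class ProcessTable:
    """Process cache keyed on (pid, pidversion), as an ES client might keep one. A normal
    exec retires the old key and inserts the target's; equal keys overwrite the pre-exec record."""
    def __init__(self) -> None:
        self.images = {}
        self.collisions = 0
    def apply_exec(self, msg: dict) -> None:
        old, new = token_key(msg["process"]), token_key(msg["event"]["exec"]["target"])
        if old == new:
            self.collisions += 1
        else:
            self.images.pop(old, None)
        self.images[new] = msg["event"]["exec"]["target"]["executable"]["path"]

def scan(lines: Iterable[str], table: Optional[ProcessTable] = None) -> list:
    """Run the check over eslogger JSON lines; messages without an exec are skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        msg = json.loads(line)
        if "exec" not in msg.get("event", {}):
            continue
        if table is not None:
            table.apply_exec(msg)
        finding = check_exec(msg)
        if finding:
            findings.append({"line": n, **finding})
    return findings

# Constructed eslogger-style lines: a normal exec, then the post's zsh -> zsh case.
SAMPLE_LINES = [
    '{"process":{"audit_token":{"pid":12196,"pidversion":100872},"executable":{"path":"/bin/zsh"}},"event":{"exec":{"target":{"audit_token":{"pid":12196,"pidversion":100873},"executable":{"path":"/usr/bin/true"}}}}}',
    '{"process":{"audit_token":{"pid":12196,"pidversion":100873},"executable":{"path":"/bin/zsh"}},"event":{"exec":{"target":{"audit_token":{"pid":12196,"pidversion":100873},"executable":{"path":"/bin/zsh"}}}}}',
]
```

Pipe real output in with `sudo eslogger exec | python3 -c '...'` reading `sys.stdin` into `scan`; a non-zero `collisions` count means a (pid, pidversion)-keyed cache has already lost a pre-exec record.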