Receiving notifications for ES event ES_EVENT_TYPE_NOTIFY_UTIMES

Question

sa_i OP

Created Jan ’23

Replies 6

Boosts 0

Views 1.1k

Participants 2

Hi,

in my program, i would like to receive notifications via endpoint security for the event type ES_EVENT_TYPE_NOTIFY_UTIMES when a file's access or modification time changes. I registered for this event (along with some others) but do not receive any notifications, but for all others, I do.

So I tried to see if it works with eslogger. I ran "sudo eslogger utimes" and changed modification times of some text files via an editor, as well as touch (e.g. " touch -t 199212312158 test.txt").

But eslogger does not show any events happening, too, although the modification times are changed.

Maybe I misunderstand the documentation. Under what circumstances do I receive a notification for this event type? Is the file type relevant or the path?

Best regards

Saša Ilić

Boost

Answer 1

sa_i OP

Jan ’23

Small update. Suspecting that maybe path muting might be responsible, I tried unmuting a test directory and receiving the mentioned event for this directory with the following additional code:

es_invert_muting(client, ES_MUTE_INVERSION_TYPE_TARGET_PATH):
es_unmute_all_target_paths(client):
es_mute_path(client, "/Users/TestUser", ES_MUTE_PATH_TYPE_TARGET_PREFIX):

This did not work either. In the meantime, I also found out that I DO get notifications very seldomly for random apps like, e.g. "/System/Library/CoreServices/Applications/Screen Sharing.app/Contents/MacOS/Screen Sharing". My code should not be the problem, as I do get the same notifications as eslogger.

0

Answer 2

DTS Engineer OP

Apple

Jan ’23

This is working for me:

On macOS 13.1, I create a test.txt file:
```
% touch /Users/quinn/test.txt
```
I ran eslogger just like you:
```
% sudo eslogger utimes
```
In Xcode 14.2, I created a tiny test project that calls utimes on /Users/quinn/test.txt. The code is below.
I ran that directly from Xcode.
Back in Terminal, I saw this output from eslogger:

% sudo eslogger utimes       
{"schema_version":1,"mach_time":73743136883893,"event_type":59,"thread":{"thread_id":788321},"version":6,"seq_num":0,"event":{"utimes":{"target":{"path":"\/Users\/quinn\/test.txt","stat":{"st_blocks":0,"st_blksize":4096,"st_rdev":0,"st_dev":16777222,"st_uid":502,"st_gid":20,"st_ino":148323735,"st_birthtimespec":"2023-01-19T09:43:42.460731222Z","st_flags":0,"st_nlink":1,"st_mtimespec":"2023-01-19T09:43:46.467810000Z","st_ctimespec":"2023-01-19T09:43:46.467830846Z","st_size":0,"st_gen":0,"st_mode":33188,"st_atimespec":"2023-01-19T09:43:46.467810000Z"},"path_truncated":false},"atime":"2023-01-19T09:47:13.751173000Z","mtime":"2023-01-19T09:47:13.751173000Z"}},"time":"2023-01-19T09:47:13.751275909Z","action":{"result":{"result":{"auth":0},"result_type":0}},"process":{"signing_id":"xxst","parent_audit_token":{"asid":100006,"pidversion":54979,"ruid":502,"euid":502,"rgid":20,"auid":502,"egid":20,"pid":22626},"codesigning_flags":1912680500,"executable":{"path":"\/Users\/quinn\/Library\/Developer\/Xcode\/DerivedData\/xxst-gbdxgtdgxlnkwzaeesxwcecwxoqj\/Build\/Products\/Debug\/xxst","stat":{"st_blocks":352,"st_blksize":4096,"st_rdev":0,"st_dev":16777222,"st_uid":502,"st_gid":20,"st_ino":148324253,"st_birthtimespec":"2023-01-19T09:47:03.184631587Z","st_flags":0,"st_nlink":1,"st_mtimespec":"2023-01-19T09:47:03.524563320Z","st_ctimespec":"2023-01-19T09:47:03.524654654Z","st_size":176704,"st_gen":0,"st_mode":33261,"st_atimespec":"2023-01-19T09:47:13.750991749Z"},"path_truncated":false},"ppid":22626,"tty":null,"start_time":"2023-01-19T09:47:11.279286Z","is_platform_binary":false,"group_id":22623,"audit_token":{"asid":100006,"pidversion":54977,"ruid":502,"euid":502,"rgid":20,"auid":502,"egid":20,"pid":22623},"is_es_client":false,"responsible_audit_token":{"asid":100006,"pidversion":54977,"ruid":502,"euid":502,"rgid":20,"auid":502,"egid":20,"pid":22623},"session_id":3539,"original_ppid":3539,"cdhash":"00CBA2674B94C4CBA8AB0754F6199A3362DFF271","team_id":"SKMME9E2Y8"},"action_type":1,"global_seq_num":0}
^C

Please try these steps in your environment and let me know what you get.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

import Foundation

func main() {
    let u = URL(fileURLWithPath: "/Users/quinn/test.txt")
    print("will set times")
    let success = utimes(u.path, nil) >= 0
    guard success else {
        print("did not set times")
        return
    }
    print("did set times")
}

main()

0

Answer 3

sa_i OP

Jan ’23

Hi Quinn,

the code you posted works fine, the output I get is:

{"schema_version":1,"mach_time":567075211518,"event_type":59,"thread":{"thread_id":344982},"version":6,"seq_num":0,"event":{"utimes":{"target":{"path":"\/Users\/sasailic\/test.txt","stat":{"st_blocks":8,"st_blksize":4096,"st_rdev":0,"st_dev":16777232,"st_uid":501,"st_gid":20,"st_ino":14704426,"st_birthtimespec":"1991-12-21T20:12:00.000000000Z","st_flags":64,"st_nlink":1,"st_mtimespec":"2023-01-19T12:57:02.679729000Z","st_ctimespec":"2023-01-19T12:57:02.679759924Z","st_size":11,"st_gen":0,"st_mode":33188,"st_atimespec":"2023-01-19T12:57:03.507743494Z"},"path_truncated":false},"atime":"2023-01-19T12:57:32.692218000Z","mtime":"2023-01-19T12:57:32.692218000Z"}},"time":"2023-01-19T12:57:32.692264799Z","action":{"result":{"result":{"auth":0},"result_type":0}},"process":{"signing_id":"utimes_test","parent_audit_token":{"asid":100006,"pidversion":20612,"ruid":501,"euid":501,"rgid":20,"auid":501,"egid":20,"pid":8304},"codesigning_flags":1912680500,"executable":{"path":"\/Users\/sasailic\/Library\/Developer\/Xcode\/DerivedData\/utimes_test-dfdvixksrrdvdeffdzhdryzpkzlu\/Build\/Products\/Debug\/utimes_test","stat":{"st_blocks":152,"st_blksize":4096,"st_rdev":0,"st_dev":16777232,"st_uid":501,"st_gid":20,"st_ino":14780081,"st_birthtimespec":"2023-01-19T12:56:18.414093520Z","st_flags":0,"st_nlink":1,"st_mtimespec":"2023-01-19T12:56:18.582642868Z","st_ctimespec":"2023-01-19T12:56:18.582709826Z","st_size":77808,"st_gen":0,"st_mode":33261,"st_atimespec":"2023-01-19T12:57:32.687173868Z"},"path_truncated":false},"ppid":8304,"tty":null,"start_time":"2023-01-19T12:57:32.303492Z","is_platform_binary":false,"group_id":8303,"audit_token":{"asid":100006,"pidversion":20610,"ruid":501,"euid":501,"rgid":20,"auid":501,"egid":20,"pid":8303},"is_es_client":false,"responsible_audit_token":{"asid":100006,"pidversion":20610,"ruid":501,"euid":501,"rgid":20,"auid":501,"egid":20,"pid":8303},"session_id":6115,"original_ppid":6115,"cdhash":"E5984AF63EBBFCF8EB6546EDEE7A6F50BACE798C","team_id":"64N35HHH3F"},"action_type":1,"global_seq_num":0}

And now I understand where the problem is. I misread the documentation at https://developer.apple.com/documentation/endpointsecurity/es_event_type_t/es_event_type_notify_utimes as if I get a notification when a process changes the modification or access time of a file, not when a process does this using the utime function. That was not clear to me, sorry and thanks for taking the time.

0

Answer 4

sa_i OP

Jan ’23

On the other hand, doesn't touch use the utimes function internally? Because I do not get events with eslogger when changing the date via touch (as stated in the OP).

0

Answer 5

DTS Engineer OP

Apple

Jan ’23

On the other hand, doesn't touch use the utimes function internally?

Yeah, I was curious about that too. According to Darwin, touch uses utimensat [1]. I think you could reasonably argument that this should generate a ES_EVENT_TYPE_NOTIFY_UTIMES event, or generate some other event. The best place to make that argument is in a bug report.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] In the file exists case. In the file doesn’t exist case, it calls open with O_CREAT to create the file.

0

Answer 6

sa_i OP

Jan ’23

Ok, thanks. I filed a bug report with the number FB11958895.

0