Is there a way to determine if a system call like open() succeeded or failed using the data from the endpoint security system?
I tried a test where I created two files owned by another user. One was world-readable and one was not.
Back in my account I started eslogger and watched for open calls to those two files.
% sudo eslogger open | egrep 'Secrets'
I then ran the 'cat' command on each file. One call succeeded, and the other failed with a permission denied error (as expected).
I've been combing through the JSON output from eslogger for both open() calls, but I cannot find any difference between the two records that indicates whether the system call succeeded or failed.
(I'm guessing the NOTIFY event is delivered before the kernel has determined whether to allow the system call or not.)
Example output from the failed system call:
{
"schema_version": 1,
"mach_time": 1355207989229,
"event_type": 10,
"thread": {
"thread_id": 744065
},
"version": 7,
"seq_num": 32,
"event": {
"open": {
"fflag": 1,
"file": {
"path": "/Users/netsqllc/Secrets/UFOs",
"stat": {
"st_blocks": 8,
"st_blksize": 4096,
"st_rdev": 0,
"st_dev": 16777234,
"st_uid": 503,
"st_gid": 20,
"st_ino": 64075033,
"st_birthtimespec": "2023-04-14T23:31:43.252266533Z",
"st_flags": 0,
"st_nlink": 1,
"st_mtimespec": "2023-04-14T23:31:43.252436825Z",
"st_ctimespec": "2023-04-14T23:32:26.842642260Z",
"st_size": 27,
"st_gen": 0,
"st_mode": 33152,
"st_atimespec": "2023-04-14T23:32:15.095239992Z"
},
"path_truncated": false
}
}
},
"time": "2023-04-14T23:37:55.000772617Z",
"action": {
"result": {
"result": {
"flags": 4294967295
},
"result_type": 1
}
},
"process": {
"signing_id": "com.apple.cat",
"parent_audit_token": {
"asid": 100869,
"pidversion": 25015,
"ruid": 501,
"euid": 501,
"rgid": 20,
"auid": 501,
"egid": 20,
"pid": 9666
},
"codesigning_flags": 570506001,
"executable": {
"path": "/bin/cat",
"stat": {
"st_blocks": 32,
"st_blksize": 4096,
"st_rdev": 0,
"st_dev": 16777234,
"st_uid": 0,
"st_gid": 0,
"st_ino": 1152921500312435790,
"st_birthtimespec": "2023-04-01T16:46:50.000000000Z",
"st_flags": 524320,
"st_nlink": 1,
"st_mtimespec": "2023-04-01T16:46:50.000000000Z",
"st_ctimespec": "2023-04-01T16:46:50.000000000Z",
"st_size": 135408,
"st_gen": 0,
"st_mode": 33261,
"st_atimespec": "2023-04-01T16:46:50.000000000Z"
},
"path_truncated": false
},
"ppid": 9666,
"tty": {
"path": "/dev/ttys002",
"stat": {
"st_blocks": 0,
"st_blksize": 65536,
"st_rdev": 268435458,
"st_dev": 1683689770,
"st_uid": 501,
"st_gid": 4,
"st_ino": 795,
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_flags": 0,
"st_nlink": 1,
"st_mtimespec": "2023-04-14T23:37:54.994777000Z",
"st_ctimespec": "2023-04-14T23:37:54.994777000Z",
"st_size": 0,
"st_gen": 0,
"st_mode": 8592,
"st_atimespec": "2023-04-14T23:37:53.994681000Z"
},
"path_truncated": false
},
"start_time": "2023-04-14T23:37:54.994975Z",
"is_platform_binary": true,
"group_id": 9717,
"audit_token": {
"asid": 100869,
"pidversion": 25112,
"ruid": 501,
"euid": 501,
"rgid": 20,
"auid": 501,
"egid": 20,
"pid": 9717
},
"is_es_client": false,
"responsible_audit_token": {
"asid": 100869,
"pidversion": 24236,
"ruid": 501,
"euid": 501,
"rgid": 20,
"auid": 501,
"egid": 20,
"pid": 9371
},
"session_id": 9665,
"original_ppid": 9666,
"cdhash": "946128EF09844AABFF0A1E16D6D0C435D35AB098",
"team_id": null
},
"action_type": 1,
"global_seq_num": 32
}