EndpointSecurity and network events

Hello,

I know that EndpointSecurity doesn't support network events, save for some events related to Unix pipes.

In WWDC 2020 #10159 Apple says that:

Those of you who have already worked with the EndpointSecurity framework have likely noticed that we do not provide events related to networking operations. This is intentional as these are better covered by the NetworkExtension framework.

Could you please give me a short and high-level hint how I can use NetworkExtension to provide connect, disconnect events to a monitoring app, that tries to log those events in a database? I would like to receive the remote IP and remote port + local port.

From what I've researched, In NetworkExtension documentation it's stated that it's possible to create a "content filter", which would probably be a good source of information; the problem is that because of the privacy requirements, the "content filter" can't send back any information about user data, because it's separated in a restrictive sandbox. So I'm not sure the "content filter" would even be possible to be used as a source of network events. Other types of categories inside NetworkExtension doesn't seem to be a good match for my use case.

Is it possible to use NetworkExtension to get information about network events (connect/disconnect), like EndpointSecurity does for i.e. processes (process start/process end)?

Answered by DTS Engineer in 782834022

how I can use NetworkExtension to provide connect, disconnect events to a monitoring app, that tries to log those events in a database?

A content filter will work for that. You could also use a transparent proxy, but it’s probably overkill if you only care about connection metadata rather than the contents of the connection.

the problem is that because of the privacy requirements

Yeah, sadly, the docs need an update here. Those comments are aimed at iOS, where content filters were first introduced. On macOS there’s no split between data and control providers, and while the provider does run in a sandbox, it’s not particularly tight.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

how I can use NetworkExtension to provide connect, disconnect events to a monitoring app, that tries to log those events in a database?

A content filter will work for that. You could also use a transparent proxy, but it’s probably overkill if you only care about connection metadata rather than the contents of the connection.

the problem is that because of the privacy requirements

Yeah, sadly, the docs need an update here. Those comments are aimed at iOS, where content filters were first introduced. On macOS there’s no split between data and control providers, and while the provider does run in a sandbox, it’s not particularly tight.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the information, it's really useful.

Although, do you know if macOS data providers will be more restricted in the future? I mean, is it intentional that data providers on macOS are less restrictive than on iOS? Or is it a temporary state, and they will be more restricted in future versions of macOS, to make it more similar to their iOS versions?

In other words, is it safe to base our business logic on that? (Because if you choose to restrict data providers in future versions of macOS, then our whole product will fail.)

do you know if macOS data providers will be more restricted in the future?

I can’t predict the future, alas )-:

is it intentional that data providers on macOS are less restrictive than on iOS?

Yes.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

EndpointSecurity and network events
 
 
Q