Login notifications

We want to be immediately aware of user logins as they occur. Our interests are the security aspect (who/when) but also the performance (how long did it take). Basically, we aim for something equivalent to the NSWorkspace fast user switching notifications with will/did flavors. We did some digging but none of the available mechanisms seem like a good fit:


  • user accounting database, must be actively polled
  • launch agents, false positives can't be ruled out, also IPC
  • authorization plug-in, seems a bit much, only covers logins
  • login/logout script, to cite the documentation: There are numerous reasons to avoid using login and logout scripts.
  • EndpointSecurity, generally seems like a good fit but no support


What's a good way to do this on macOS?

Replies

I’d use the audit subsystem for this, and specifically auditpipe for learning about it promptly; see the auditpipe man page for details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks, Quinn!


I'll admit we knew about auditpipe but ruled it out early with regard to FB6557481. However, your answer confirmed my belief that this feature should be a part of EndpointSecurity. I just filed the enhancement request FB7699856.

Thanks.

I still think auditpipe is your best option on current system software. While FB6557481 is a real thing if you’re dealing with high-frequency events, for login and logout notifications you can set up the preselection to reduce the chance of this problem occurring in practice.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
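Putting Quinn’s two replies together, here is an added example (my code, not from the thread and not Apple’s): a C program that opens /dev/auditpipe, switches the pipe to a local preselection mask covering only the lo (login_logout) class so that high-rate event classes never compete for the pipe’s queue, and decodes the BSM header, subject and text tokens of each record to report who logged in or out and when. Assumptions that are not from the thread: the event numbers 45021/45022 for AUE_lw_login/AUE_lw_logout and the class mask 0x00001000 for lo are taken from /etc/security/audit_event and /etc/security/audit_class on the Macs I have looked at; check your system’s copies. The sample record at the bottom is constructed by hand, not captured from a real machine, so the decoder can be exercised on any platform.

```c
/* Added example, not code from the thread or from Apple. Decodes BSM records from
 * /dev/auditpipe after narrowing the pipe to the lo class; see enum comments for assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { AUT_TRAILER = 0x13, AUT_HEADER32 = 0x14, AUT_SUBJECT32 = 0x24, AUT_RETURN32 = 0x27, AUT_TEXT = 0x28 };
enum { AUE_LW_LOGIN = 45021, AUE_LW_LOGOUT = 45022 }; /* loginwindow login/logout, class lo: assumption, check /etc/security/audit_event */

struct login_event {
    uint16_t event;                       /* BSM event number from the header */
    uint32_t sec, auid, euid, pid, sid;   /* header timestamp and subject32 fields */
    char text[64];                        /* first text token (the user name on a login record) */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3]; }

/* Decode one record (header32 ... trailer). Returns 1 if well formed, 0 on truncation or a bad/unknown token. */
int decode_record(const uint8_t *buf, size_t len, struct login_event *ev)
{
    memset(ev, 0, sizeof *ev);
    if (len < 18 || buf[0] != AUT_HEADER32) return 0;
    uint32_t reclen = be32(buf + 1);                 /* byte count claimed by the header */
    if (reclen < 18 || reclen > len) return 0;       /* truncated read or inconsistent length */
    ev->event = be16(buf + 6); ev->sec = be32(buf + 10);   /* buf[5] = version, buf+8 = modifier, buf+14 = msec */
    for (size_t off = 18; off < reclen; ) {
        uint8_t tok = buf[off++];
        if (tok == AUT_SUBJECT32) {                  /* 9 x u32: auid euid egid ruid rgid pid sid port machine */
            if (off + 36 > reclen) return 0;
            ev->auid = be32(buf + off);      ev->euid = be32(buf + off + 4);
            ev->pid  = be32(buf + off + 20); ev->sid  = be32(buf + off + 24);
            off += 36;
        } else if (tok == AUT_TEXT) {                /* u16 length (includes the NUL) + bytes */
            if (off + 2 > reclen) return 0;
            uint16_t n = be16(buf + off); off += 2;
            if (n == 0 || off + n > reclen || buf[off + n - 1] != '\0') return 0;
            if (!ev->text[0]) snprintf(ev->text, sizeof ev->text, "%s", (const char *)buf + off);
            off += n;
        } else if (tok == AUT_RETURN32) {            /* u8 errno + u32 return value */
            if (off + 5 > reclen) return 0; off += 5;
        } else if (tok == AUT_TRAILER) {             /* u16 magic 0xb105 + u32 count; must close the record */
            return off + 6 == reclen && be16(buf + off) == 0xb105 && be32(buf + off + 2) == reclen;
        } else return 0;                             /* token not modelled here; libbsm's au_fetch_tok covers the rest */
    }
    return 0;                                        /* ran out of bytes before the trailer */
}
const char *event_name(uint16_t event) { return event == AUE_LW_LOGIN ? "login" : event == AUE_LW_LOGOUT ? "logout" : "other"; }

/* Constructed sample (not captured from a real Mac): AUE_lw_login for uid 501, pid 345, text "alice", success. */
const uint8_t sample_record[] = {
    0x14, 0x00,0x00,0x00,0x4d, 0x0b, 0xaf,0xdd, 0x00,0x00,           /* header32: len 77, version 11, 45021, modifier 0 */
    0x5e,0xf0,0xa1,0xb2, 0x00,0x00,0x01,0xf4,                        /* seconds, milliseconds */
    0x24, 0x00,0x00,0x01,0xf5, 0x00,0x00,0x01,0xf5, 0x00,0x00,0x00,0x14, 0x00,0x00,0x01,0xf5, 0x00,0x00,0x00,0x14, /* subject32: auid euid egid ruid rgid */
    0x00,0x00,0x01,0x59, 0x00,0x00,0x01,0x59, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* pid sid tid(port, machine) */
    0x28, 0x00,0x06, 'a','l','i','c','e',0x00,                       /* text "alice" */
    0x27, 0x00, 0x00,0x00,0x00,0x00,                                 /* return32: errno 0, value 0 */
    0x13, 0xb1,0x05, 0x00,0x00,0x00,0x4d                             /* trailer: magic, len 77 */
};
const size_t sample_record_len = sizeof sample_record;

#ifdef __APPLE__
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <bsm/audit.h>                    /* au_mask_t */
#include <security/audit/audit_ioctl.h>   /* AUDITPIPE_* ioctls */
/* Preselect only class lo, success and failure, attributed and non-attributed. Needs root. */
static int open_login_pipe(void)
{
    int fd = open("/dev/auditpipe", O_RDONLY);
    if (fd < 0) return -1;
    int mode = AUDITPIPE_PRESELECT_MODE_LOCAL;                              /* our mask, not audit_control's global one */
    au_mask_t lo = { .am_success = 0x00001000, .am_failure = 0x00001000 }; /* lo per /etc/security/audit_class: assumption */
    if (ioctl(fd, AUDITPIPE_SET_PRESELECT_MODE, &mode) < 0 || ioctl(fd, AUDITPIPE_SET_PRESELECT_FLAGS, &lo) < 0 ||
        ioctl(fd, AUDITPIPE_SET_PRESELECT_NAFLAGS, &lo) < 0) { close(fd); return -1; }
    return fd;
}
#endif

static void report(const struct login_event *ev) {
    printf("%s at %u: auid=%u euid=%u pid=%u session=%u text=\"%s\"\n", event_name(ev->event), ev->sec, ev->auid, ev->euid, ev->pid, ev->sid, ev->text);
}

int main(void)
{
    struct login_event ev;
#ifdef __APPLE__
    static uint8_t buf[65536];                       /* auditpipe hands back one whole record per read(2) */
    int fd = open_login_pipe();
    if (fd < 0) { perror("auditpipe"); return 1; }
    for (ssize_t n; (n = read(fd, buf, sizeof buf)) > 0; )
        if (decode_record(buf, (size_t)n, &ev) && strcmp(event_name(ev.event), "other") != 0) report(&ev);
    perror("read"); return 1;
#else
    if (!decode_record(sample_record, sample_record_len, &ev)) return 1;
    report(&ev);                                     /* no audit pipe on this platform: show the constructed sample */
    return 0;
#endif
}
```

Build with `cc -o loginwatch loginwatch.c` and run as root on a Mac; on other platforms it just decodes the embedded sample. The decoder is deliberately minimal and rejects any token it does not model rather than guessing at its length, because a mis-sized token would silently desynchronise the rest of the record; a production reader should hand the bytes to libbsm’s au_read_rec/au_fetch_tok instead. Setting a local mask of only the lo class is what Quinn means by preselection: the kernel then never queues file, network or process events to this pipe, so the queue-overflow behaviour that FB6557481 is about cannot be triggered by an unrelated burst of activity. One caveat a practitioner would want: Apple has since deprecated the audit subsystem (auditpipe included) in favour of EndpointSecurity, which on macOS 13 and later carries its own loginwindow session login/logout events, so on current systems the ES path the original poster asked for is the one to prefer.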

> you can set up the preselection to reduce the chance of this problem occurring in practice.


Yes, you're absolutely right. While we did observe spurious failures unrelated to event frequency (also FB6557481), we will give auditpipe another thought. In the meantime, we hope for the addition to EndpointSecurity, which we much prefer over auditpipe for its reliability and configurability.