Posts

Post not yet marked as solved
7 Replies
1k Views
We noticed that our daemon hangs while a user login occurs. This is awkward since we're subscribed as an EndpointSecurity client and feel this scenario betrays our cause quite a bit. I did one spindump that shows virtually zero activity over at least the default 10 seconds in our daemon. Is this expected or known behavior? Can this be mitigated or ideally avoided, maybe by some launchd configuration option we're unaware of? Our daemon also opens up a Unix domain socket connection to a user agent for every user session. These socket connections regularly exceed a 10 seconds timeout in select when a user logs in or out. I'm kinda okay with this if it happens for the same user session during logout but it also seems to occur for other session logins. Is this just a thing we have to live with when using sockets? Does XPC behave better in this regard? Thanks for any insights.
Posted by vlbenfed.
Post not yet marked as solved
2 Replies
901 Views
We'd like to retrieve the responsible PID and path for XPC Service processes programmatically. This information can be printed with launchctl procinfo. I know there's the private responsibility API that is used by Activity Monitor - https://lists.apple.com/archives/darwin-kernel/2015/Mar/msg00001.html. Is there any public API available? Also, EndpointSecurity provides NOTIFY and AUTH event types for UIPC, i.e. sockets, but there does not seem to exist an equivalent for XPC. Is there no way to track this kind of process relationship with officially supported API?
Posted by vlbenfed.
Post not yet marked as solved
2 Replies
1.6k Views
Is it possible to debug a launchd daemon during system start except by writing log messages to the console or to a file? My gut says no but I am curious if there might exist some exotic setup, like attaching LLDB remotely to a launch daemon in the VM while it is starting up or similar. For the curious, the question came up while struggling with running MDQueries in that scenario. It seems Metadata might not be quite ready at that particular point in the system lifecycle but being able to actually peek in there at runtime would be priceless, of course.
Posted by vlbenfed.
Post not yet marked as solved
4 Replies
484 Views
I am trying to make sense of the sessionIsRemote bit in SessionAttributeBits. In our tests this bit is false for local sessions, as expected, but also for remote sessions initiated via VNC. Note that we do not just share the screen of an already running session that was started locally. Instead, we start a new session for another user and therefore expect to fulfill the documented condition: A bit that indicates the session was initiated over the network. What's the supported way to find out if a session is remote or local or even a mixture of both, given the fact that macOS allows sharing a local session remotely? Another thing seems off in this context: When we query kCGSessionOnConsoleKey from the dictionary obtained via CGSessionCopyCurrentDictionary(), the value is true for the local session but false for the remote session. While this seems fair at first glance, I find it slightly confusing that who still reports a console session for both, local and remote users. How can we make sense of these results? Or is this a case of sharing a name but meaning different things?
Posted by vlbenfed.
Post not yet marked as solved
4 Replies
445 Views
We want to be immediately aware of user logins as they occur. Our interests are the security aspect (who/when) but also the performance (how long did it take). Basically, we aim for something equivalent to the NSWorkspace fast user switching notifications with will/did flavors. We did some digging but none of the available mechanisms seem like a good fit:

- user accounting database: must be actively polled
- launch agents: false positives can't be ruled out, also IPC
- authorization plug-in: seems a bit much, only covers logins
- login/logout script: to cite the documentation, "There are numerous reasons to avoid using login and logout scripts."
- EndpointSecurity: generally seems like a good fit but no support

What's a good way to do this on macOS?
Posted by vlbenfed.
Post marked as solved
3 Replies
1.3k Views
Our goal is to match process events from the EndpointSecurity framework with user sessions. Process UID on its own seems unreliable as it can easily change within the same session, think root. We came up with the idea to match ASIDs with security session IDs. We searched the fringes of the known documentation, but all we came up with was:

> A user-login domain is created when the user logs in at the GUI and is identified by the audit session identifier associated with that login. If a user domain has an associated login domain, the print subcommand will display the ASID of that login domain.

(launchctl man page)

> Each time a user is authenticated with the system, the Security layer of the system creates a unique ID to identify the user's login session. This ID is the security session ID, often referred to simply as the session ID. Applications can use the session ID to distinguish among resources allocated in different login sessions.

(https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPMultipleUsers/Concepts/SystemContexts.html)

ASIDs can be retrieved programmatically from ES message audit tokens or via launchctl procinfo. They look identical to the security session IDs that are returned by SessionGetInfo(). Are they the same and are they guaranteed to stay the same? Is there any documentation about their relationship?
Posted by vlbenfed.
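As an added example serving both the ASID post above and the earlier post about responsible PIDs (this is not the original poster's code and does not settle the question), here is a probe with two modes. Run with --self from inside a login session, it prints the process's own audit session ID from getaudit_addr() beside the SecuritySessionId from SessionGetInfo(), so the two values can be compared directly on the machine at hand. Run as root with the EndpointSecurity client entitlement, it logs pid, euid, auid and asid for every exec, all read from the audit token in the message rather than from a uid lookup; for message version 4 or later it also prints the pid from the responsible_audit_token field of es_process_t, which is the ES-native notion of the responsible process. The file name asid_probe.m, the build line and the version-4 threshold are assumptions on my part.

```objective-c
// Added example, not the original poster's code. Two modes in one file:
//   ./asid_probe --self   run from inside a login session: prints this
//                         process's audit session ID (getaudit_addr) beside the
//                         SecuritySessionId from SessionGetInfo for comparison.
//   sudo ./asid_probe     run as an EndpointSecurity client (needs root and the
//                         com.apple.developer.endpoint-security.client
//                         entitlement): prints pid/euid/auid/asid and the
//                         responsible pid for every exec, taken from audit tokens.
// Assumed build line:
//   clang -fobjc-arc -framework Foundation -framework Security \
//         -lEndpointSecurity -lbsm asid_probe.m -o asid_probe
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <Security/AuthSession.h>
#import <bsm/libbsm.h>
#import <bsm/audit.h>
#include <string.h>

static int probeSelf(void) {
    struct auditinfo_addr ai;
    memset(&ai, 0, sizeof ai);
    if (getaudit_addr(&ai, sizeof ai) != 0) { perror("getaudit_addr"); return 1; }

    SecuritySessionId sid = 0;
    SessionAttributeBits attrs = 0;
    OSStatus st = SessionGetInfo(callerSecuritySession, &sid, &attrs);
    if (st != errSessionSuccess) { fprintf(stderr, "SessionGetInfo: %d\n", (int)st); return 1; }

    printf("audit: asid=%u auid=%u | Security: sessionId=%u attrs=0x%x\n",
           (unsigned)ai.ai_asid, (unsigned)ai.ai_auid, (unsigned)sid, (unsigned)attrs);
    printf("%s\n", (SecuritySessionId)ai.ai_asid == sid
                   ? "asid matches SecuritySessionId"
                   : "asid differs from SecuritySessionId");
    return 0;
}

// Everything printed here comes from the audit tokens carried in es_process_t,
// not from a uid lookup: a sudo/setuid change inside the same session alters
// euid but leaves auid (set at login) and asid untouched.
static void handleMessage(const es_message_t *msg) {
    if (msg->event_type != ES_EVENT_TYPE_NOTIFY_EXEC) return;
    const es_process_t *p = msg->event.exec.target;   // the new image
    audit_token_t tok = p->audit_token;

    pid_t responsible = -1;
    if (msg->version >= 4) {   // assumption: responsible_audit_token is valid from version 4
        responsible = audit_token_to_pid(p->responsible_audit_token);
    }
    // es_string_token_t is not NUL-terminated; print with an explicit length.
    printf("exec pid=%d euid=%u auid=%u asid=%u responsible_pid=%d %.*s\n",
           (int)audit_token_to_pid(tok), (unsigned)audit_token_to_euid(tok),
           (unsigned)audit_token_to_auid(tok), (unsigned)audit_token_to_asid(tok),
           (int)responsible, (int)p->executable->path.length, p->executable->path.data);
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--self") == 0) return probeSelf();

    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        (void)c;
        handleMessage(msg);
    });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d (root + ES entitlement required)\n", (int)r);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_EXEC };
    if (es_subscribe(client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        return 1;
    }
    dispatch_main();   // never returns; messages arrive on the client's queue
}
```

Running the ES mode while a user logs in, runs sudo and logs out again shows whether the asid column stays constant across the uid change, which is the property the post is after; the --self mode answers the narrower question of whether the audit session ID and the SecuritySessionId agree for one concrete process, without relying on the two numbers merely looking alike.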