Endpoint Security client terminated by system

Hello,


Our prototype of the Endpoint Security client (currently as root with SIP disabled) running in a terminal environment performs very well and so far satisfies our needs of decision making on AUTH_EXEC and/or AUTH_OPEN events. Thanks Apple, great job so far.


but...


Once in a while (especially after sleep or just before sleep, I cannot pinpoint it) the Endpoint Security client gets terminated by the system. It just says "killed". We make sure we respond to all events by the deadline set in the event.


Q:

Is there any way to find out what the reason was for the system to terminate the client?

Is there any debug logging that can be activated for these system extensions?


Frank Fenn

Sophos Inc.

Replies

our prototype of the Endpoint Security client … running in a terminal environment performs very well

That’s good to hear.

once in a while … the Endpoint Security client gets terminated by the system

I do not, alas, have answers to your questions. My first step in investigating this would be to look at a sysdiagnose log, and specifically the system log archive within that. That’s beyond what I can do here on DevForums, so if you’d like some help with this I’m going to recommend that you open a DTS tech support incident.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

If you don't reply within the given deadline to an auth event, your client will be killed. At least that was the behaviour I observed. Unfortunately this behaviour is not documented, so I don't know if it is intended or not.

I have also run into the same issue. I've filed a bug under FB7456608. This seems to happen even with a simple test application that hooks into the ES framework, where there is a sleep(1) during the exec auth hook. I've been able to reproduce this more consistently when doing file and process execution heavy tasks. An example would be like compiling clang/llvm with a `make -j8`. This also seems to happen more consistently upon reboot and immediately firing up the ES client and then attempting to compile clang/llvm. Additionally I have also made sure to respond to the auth event BEFORE the deadline.