4 Replies
      Latest reply on May 14, 2020 2:49 AM by vlbenfed
      vlbenfed Level 1 (0 points)

        We want to be immediately aware of user logins as they occur. Our interests are the security aspect (who/when) but also the performance (how long did it take). Basically, we aim for something similar to the NSWorkspace fast user switching notifications with will/did flavors. We did some digging but none of the available mechanisms seem like a good fit:

        • user accounting database, must be actively polled
        • launch agents, false positives can't be ruled out, also IPC
        • authorization plug-in, seems a bit much, only covers logins
        • login/logout script, to cite the documentation: There are numerous reasons to avoid using login and logout scripts.
        • EndpointSecurity, generally seems like a good fit but no support

        What's a good way to do this on macOS?

        • Re: Login notifications
          eskimo Apple Staff (13,885 points)

          I’d use the audit subsystem for this, and specifically auditpipe for learning about it promptly; see the auditpipe man page for details.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Login notifications
              vlbenfed Level 1 (0 points)

              Thanks, Quinn!

              I'll admit we knew about auditpipe but ruled it out early with regard to FB6557481. However, your answer confirmed my belief that this feature should be a part of EndpointSecurity. I just filed the enhancement request FB7699856.

                • Re: Login notifications
                  eskimo Apple Staff (13,885 points)

                  > However, your answer confirmed my belief that this feature should be a part of EndpointSecurity. I just filed the enhancement request FB7699856.

                  Thanks.

                  I still think auditpipe is your best option on current system software.  While FB6557481 is a real thing if you’re dealing with high-frequency events, for login and logout notifications you can set up the preselection to reduce the chance of this problem occurring in practice.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: Login notifications
                      vlbenfed Level 1 (0 points)

                      > you can set up the preselection to reduce the chance of this problem occurring in practice.

                      Yes, you're absolutely right. While we did observe spurious failures unrelated to event frequency (also FB6557481), we will give auditpipe another thought. In the meantime, we hope for the addition to EndpointSecurity which we prefer a lot over the auditpipe for its reliability and configurability.
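
The auditpipe preselection suggested in the replies above, as an added example that is not code from anyone in this thread: it restricts one pipe to the login/logout audit class, raises the queue limit, prints each record, and reports the pipe's drop counter. Assumptions: the class name "lo" comes from the default audit_class file, the process runs as root, and configure_login_pipe is a hypothetical helper name.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__APPLE__) || defined(__FreeBSD__) /* platforms that ship auditpipe */
#include <bsm/libbsm.h>
#include <security/audit/audit_ioctl.h>
#include <sys/ioctl.h>
#define HAVE_AUDITPIPE 1
#endif

/* Limit this pipe to the "lo" (login_logout) class. Returns 0 on success. */
int configure_login_pipe(int fd) {
#ifdef HAVE_AUDITPIPE
    int mode = AUDITPIPE_PRESELECT_MODE_LOCAL; /* per-pipe selection, not the trail's */
    au_mask_t lo;
    u_int qmax;
    if (getauditflagsbin("lo", &lo) != 0) return -1; /* assumed default class name */
    if (ioctl(fd, AUDITPIPE_SET_PRESELECT_MODE, &mode) != 0 ||
        ioctl(fd, AUDITPIPE_SET_PRESELECT_FLAGS, &lo) != 0 ||   /* attributable events */
        ioctl(fd, AUDITPIPE_SET_PRESELECT_NAFLAGS, &lo) != 0 || /* non-attributable events */
        ioctl(fd, AUDITPIPE_GET_QLIMIT_MAX, &qmax) != 0 ||
        ioctl(fd, AUDITPIPE_SET_QLIMIT, &qmax) != 0) return -1; /* largest allowed queue */
    return 0;
#else
    (void)fd; errno = ENOTSUP; return -1; /* no auditpipe on this platform */
#endif
}

int main(void) {
    int fd = open("/dev/auditpipe", O_RDONLY); /* needs root */
    if (fd < 0 || configure_login_pipe(fd) != 0) { perror("auditpipe"); return 1; }
#ifdef HAVE_AUDITPIPE
    FILE *fp = fdopen(fd, "r");
    u_char *rec;
    u_int64_t drops = 0, reported = 0;
    int len;
    while (fp != NULL && (len = au_read_rec(fp, &rec)) > 0) { /* one BSM record */
        tokenstr_t tok;
        for (int off = 0; off < len && au_fetch_tok(&tok, rec + off, len - off) == 0; off += (int)tok.len) {
            au_print_tok(stdout, &tok, ",", 0, 0); putchar('\n');
        }
        free(rec);
        /* Report whenever the kernel's drop counter for this pipe has grown. */
        if (ioctl(fd, AUDITPIPE_GET_DROPS, &drops) == 0 && drops > reported) {
            fprintf(stderr, "auditpipe dropped %llu records\n", (unsigned long long)drops);
            reported = drops; }
    }
#endif
    return 0;
}
```

On macOS, link against libbsm (`-lbsm`) when building.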