macOS Endpoint Security (im_maces)
This module collects logs from Apple’s Endpoint Security auditing system on MacOS 10.15 and later. Endpoint Security is an audit subsystem for monitoring system events for potentially malicious activity.
To examine the supported platforms, see the list of installation packages. |
It is recommended that FlowControl be disabled for im_maces module instances. If the im_maces module instance is suspended, some events can be lost. |
macOS Security & Privacy settings
Due to the nature of security auditing, most auditing systems require special privileges to function properly.
To prepare macOS for use with this module, the nxlog
application requires Full Disk Access. If NXLog Agent is running, stop the nxlog
process.
sudo launchctl unload /Library/LaunchDaemons/com.nxlog.plist
Navigate to System Preferences > Security & Privacy and select Full Disk Access from the list on the left.
After unlocking the settings as an Administrator and checking nxlog
, the nxlog
process can be restarted:
sudo launchctl load /Library/LaunchDaemons/com.nxlog.plist
The module will then have sufficient privileges to capture events from Apple’s Endpoint Security auditing system.
Configuration
The im_maces module accepts the following directives in addition to the common module directives.
Optional directives
|
This optional directive specifies a path literal to mute. The client stops receiving events from the executable whose paths exactly matches this literal. |
||||
|
This optional directive specifies a prefix string to mute. The client stops receiving events from executables whose paths begin with this string. |
||||
This optional directive specifies a list of Apple Endpoint Security notify events to subscribe to.
You can use the value The complete list of supported notify events is listed in the supported event list section below. The Event name column contains the exact name you need to define in this directive.
|
Supported event list
The API versions of macOS ES determine which events you can collect with NXLog Agent. The tables below describe the required API versions for each event this module can collect.
File-system event types
Event name | macOS API version requirement | macOS API tag |
---|---|---|
|
10.15.1+ |
es_event_access_t |
|
10.15.1+ |
es_event_clone_t |
|
12.0+ |
es_event_copyfile_t |
|
10.15+ |
es_event_create_t |
|
10.15.1+ |
es_event_dup_t |
|
10.15.1+ |
es_event_fcntl_t |
|
10.15+ |
es_event_open_t |
|
10.15+ |
es_event_close_t |
|
10.15+ |
es_event_rename_t |
|
10.15+ |
es_event_truncate_t |
|
10.15+ |
es_event_exchangedata_t |
|
10.15+ |
es_event_write_t |
|
10.15+ |
es_event_lookup_t |
|
11.0+ |
es_event_searchfs_t |
File metadata event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15.1+ |
es_event_deleteextattr_t |
|
10.15.1+ |
es_event_fsgetpath_t |
|
10.15.1+ |
es_event_getattrlist_t |
|
10.15.1+ |
es_event_getextattr_t |
|
10.15.1+ |
es_event_listextattr_t |
|
10.15.1+ |
es_event_readdir_t |
|
10.15.1+ |
es_event_setacl_t |
|
10.15+ |
es_event_setattrlist_t |
|
10.15+ |
es_event_setextattr_t |
|
10.15+ |
es_event_setflags_t |
|
10.15+ |
es_event_setmode_t |
|
10.15+ |
es_event_setowner_t |
|
10.15.1+ |
es_event_stat_t |
|
10.15.1+ |
es_event_utimes_t |
File provider event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15+ |
es_event_file_provider_materialize_t |
|
10.15+ |
es_event_file_provider_update_t |
Link event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15+ |
es_event_link_t |
|
10.15+ |
es_event_readlink_t |
|
10.15+ |
es_event_unlink_t |
File system mounting event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15+ |
es_event_mount_t |
|
10.15+ |
es_event_unmount_t |
|
11.0+ |
es_event_remount_t |
Memory mapping event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15+ |
es_event_mmap_t |
|
10.15+ |
es_event_mprotect_t |
FProcess event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15.1+ |
es_event_chdir_t |
|
10.15.1+ |
es_event_chroot_t |
|
10.15+ |
es_event_exec_t |
|
10.15+ |
es_event_fork_t |
|
10.15.4+ |
es_event_proc_check_t |
|
10.15+ |
es_event__t |
|
10.15+ |
es_event_exit_t |
Interprocess events
Event name | macOS API version | macOS API tag |
---|---|---|
|
11.0+ |
es_event_proc_suspend_resume_t |
|
11.0+ |
es_event_trace_t |
|
11.0+ |
es_event_remote_thread_create_t |
Task port event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15+ |
es_event_get_task_t |
|
11.3+ |
es_event_get_task_read_t |
|
11.3+ |
es_event_get_task_inspect_t |
|
11.0+ |
es_event_get_task_name_t |
User and group ID types
Event name | macOS API version | macOS API tag |
---|---|---|
|
12.0+ |
es_event_setuid_t |
|
12.0+ |
es_event_setgid_t |
|
12.0+ |
es_event_seteuid_t |
|
12.0+ |
es_event_setegid_t |
|
12.0+ |
es_event_setreuid_t |
|
12.0+ |
es_event_setregid_t |
Code signing event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
11.0+ |
es_event_cs_invalidated_t |
Socket event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15.1+ |
es_event_uipc_bind_t |
|
10.15.1+ |
es_event_uipc_connect_t |
Clock event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15.1+ |
es_event_settime_t |
Kernel event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15+ |
es_event_iokit_open_t |
|
10.15+ |
es_event_kextload_t |
|
10.15+ |
es_event_kextunload_t |
Pseudoterminal event types
Event name | macOS API version | macOS API tag |
---|---|---|
|
10.15.4+ |
es_event_pty_close_t |
|
10.15.4+ |
es_event_pty_grant_t |
New endpoint security API
Event name | macOS API version | macOS API tag |
---|---|---|
|
13.0+ |
es_event_authentication_t |
|
13.0+ |
es_event_btm_launch_item_add_t |
|
13.0+ |
es_event_btm_launch_item_remove_t |
|
13.0+ |
es_event_login_login_t |
|
13.0+ |
es_event_login_logout_t |
|
13.0+ |
es_event_lw_session_lock_t |
|
13.0+ |
es_event_lw_session_login_t |
|
13.0+ |
es_event_lw_session_logout_t |
|
13.0+ |
es_event_lw_session_unlock_t |
|
13.0+ |
es_event_openssh_login_t |
|
13.0+ |
es_event_openssh_logout_t |
|
13.0+ |
es_event_screensharing_attach_t |
|
13.0+ |
es_event_screensharing_detach_t |
|
13.0+ |
es_event_xp_malware_detected_t |
|
13.0+ |
es_event_xp_malware_remediated_t |
|
14.0+ |
es_event_profile_add_t |
|
14.0+ |
es_event_profile_remove_t |
|
14.0+ |
es_event_su_t |
|
14.0+ |
es_event_sudo_t |
|
14.0+ |
es_event_authorization_petition_t |
|
14.0+ |
es_event_authorization_judgement_t |
|
14.0+ |
es_event_od_group_add_t |
|
14.0+ |
es_event_od_group_remove_t |
|
14.0+ |
es_event_od_group_set_t |
|
14.0+ |
es_event_od_modify_password_t |
|
14.0+ |
es_event_od_disable_user_t |
|
14.0+ |
es_event_od_enable_user_t |
|
14.0+ |
es_event_od_create_user_t |
|
14.0+ |
es_event_od_create_group_t |
|
14.0+ |
es_event_od_delete_user_t |
|
14.0+ |
es_event_od_delete_group_t |
|
14.0+ |
es_event_od_attribute_value_add_t |
|
14.0+ |
es_event_od_attribute_value_remove_t |
|
14.0+ |
es_event_od_attribute_set_t |
|
14.0+ |
es_event_xpc_connect_t |
|
15.0+ |
es_event_gatekeeper_user_override_t |
For detailed descriptions of each event, see Apple’s developer documentation page.
Procedures
The following procedures are exported by im_maces.
mute_path_literal(string path_literal);
-
Suppresses events from executables matching the given path literal.
mute_path_prefix(string path_prefix);
-
Suppresses events from executables matching the given path prefix.
subscribe(string event);
-
Subscribes to the specified event.
subscribe_all();
-
Subscribes to all supported events.
unmute_all_paths();
-
Unmutes all previously muted executable paths.
unsubscribe(string event);
-
Unsubscribes from the specified event.
unsubscribe_all();
-
Unsubscribes from all events.
Fields
The following fields are used by im_maces.
$raw_event
(type: string)-
A list of event fields in key-value pairs.
$AccessMode
(type: integer)-
The file-access flags that were used to acces the file (if applicable).
$AccessTime
(type: datetime)-
The time when the file was last accessed.
$ACL
(type: string)-
The ACL used for the file (if applicable). Field available only if
$MessageVersion
is greater than2
.
$ACLAction
(type: string)-
The operation that was performed on the file’s ACL (
set
orcear
).
$AvailableBlocks
(type: integer)-
Free blocks in filesystem that are available to non-superusers (if applicable).
$BlockSize
(type: integer)-
Fundamental filesystem block size (if applicable).
$ClientClass
(type: string)-
Meta class name of the user client instance for I/O Kit device events.
$ClientType
(type: string)-
User client type for I/O Kit device events.
$Command
(type: integer)-
The
cmd
argument given to fcntl(2).
$CommonAttributes
(type: integer)-
Common attributes (if applicable).
$CreateMode
(type: integer)-
The file-creation flags with which the file was created (if applicable).
$DeviceVersion
(type: integer)-
Major and minor version of the pseudoterminal device.
$Directory
(type: string)-
Target directory (if applicable).
$DirectoryAttributes
(type: integer)-
Directory attributes (if applicable).
$Domain
(type: integer)-
The communications domain of the socket (see
socket(2)
).
$EventTime
(type: datetime)-
The date and time of the event.
$EventType
(type: string)-
The type of Endpoint Security event.
$ExistingFile
(type: boolean)-
Field which set to
true
if the file was already present in the system (if applicable).
$ExitCode
(type: integer)-
The exit code that was passed to the
exit(2)
system call.
$ExtendedAttributes
(type: string)-
The extended attributes of the file (if applicable).
$ExtendedFlags
(type: integer)-
Extended flags for the
mount(2)
/unmount(2)
system calls.
$File
(type: string)-
Path to the main file that the event reffers to (if applicable).
$FileAttributes
(type: integer)-
File attributes (if applicable).
$FileFlags
(type: integer)-
The file flags that were applied to the file.
$FileMode
(type: integer)-
The new file mode of the file.
$Filename
(type: string)-
Target filename, relative to the
$Directory
path (if applicable).
$FilesystemID
(type: integer)-
The filesystem ID (if applicable).
$FilesystemSubType
(type: integer)-
The filesystem sub-type (flavor) (if applicable).
$FilesystemType
(type: integer)-
The filesystem type (if applicable).
$FilesystemTypeName
(type: string)-
The filesystem type name (if applicable).
$FirstFile
(type: string)-
The first file to be exchanged.
$ForkAttributes
(type: integer)-
Fork attributes (if applicable).
$FreeBlocks
(type: integer)-
Free blocks in filesystem (if applicable).
$FreeFileNodes
(type: integer)-
Free file nodes in filesystem (if applicable).
$GID
(type: integer)-
The new GID of the file.
$KernelExtension
(type: string)-
A string identifying the kernel extension.
$MachTimestamp
(type: string)-
The number of Mach system clock ticks, which is effectively elapsed nanoseconds.
$MemoryAddress
(type: integer)-
The base memory address.
$MemoryMapFilePosition
(type: integer)-
The file offset of the memory map.
$MemoryMapFlags
(type: integer)-
The type and attributes of the mapped file.
$MemoryMapMaxProtection
(type: integer)-
The maximum allowed protection value the operating system will respect.
$MemoryMapProtection
(type: integer)-
The protection (region accessibility) value.
$MemorySize
(type: integer)-
The size of the memory region.
$MessageSequence
(type: integer)-
Per-client, per-event-type sequence number that can be inspected to detect whether the kernel had to drop events for this client. Field available only if
$MessageVersion
is greater than2
.
$MessageVersion
(type: integer)-
The event message version.
$Modified
(type: boolean)-
true
if the file was modified before theclose(2)
system call.
$ModifiedTime
(type: datetime)-
The time when the file was last modified.
$MountedFrom
(type: string)-
Mounted filesystem for the
mount(2)
/unmount(2)
system calls.
$MountedOn
(type: string)-
Directory on which the filesystem is mounted (if applicable).
$MountFlags
(type: integer)-
The filesystem mount flags (if applicable).
$OpenFlags
(type: integer)-
The file-open kernel flags that were used to open the file (if applicable).
$OwnerUID
(type: integer)-
The UID of the user that mounted the filesystem (if applicable).
$ProcessCheckFlavor
(type: string)-
A representation of the process information that was requested, based on the
$ProcessCheckType
(if applicable).
$ProcessCheckType
(type: string)-
The type of call number used to check the access on the target process (if applicable).
$ProcessCodeDirectoryHash
(type: string)-
The code directory hash value of the source process.
$ProcessCodesigningFlags
(type: string)-
Formatted string containing the hexadecimal representation of the codesigning flags of the source process, as well as the logical expression used to obtain these flags.
$ProcessEffectiveGID
(type: integer)-
The effective GID of the source process.
$ProcessEffectiveUID
(type: integer)-
The effective UID of the source process.
$ProcessESClient
(type: boolean)-
Set to
true
if the source process is an Endpoint Security client.
$ProcessExecutable
(type: string)-
The path to the executable of the source process.
$ProcessOriginalParentPID
(type: integer)-
The PID of the source process' original parent. This field remains constant even when the process is reparented.
$ProcessParentPID
(type: integer)-
The PID of the source process' parent.
$ProcessPID
(type: integer)-
The PID of the source process.
$ProcessPIDVersion
(type: integer)-
The PID version of the source process.
$ProcessPlatformBinary
(type: boolean)-
Set to
true
if the source process is a platform binary (signed with Apple certificates).
$ProcessRealGID
(type: integer)-
The real GID of the source process.
$ProcessRealUID
(type: integer)-
The real UID of the source process.
$ProcessSessionID
(type: integer)-
The session ID of the source process.
$ProcessSigningID
(type: string)-
The identifier used to sign the source process.
$ProcessTeamID
(type: string)-
The team identifier used to sign the source process.
$ProcessTty
(type: string)-
The tty from which the source process was invoked. Note: this field is only available if
$MessageVersion
is greater than2
.
$ProcessUID
(type: integer)-
The audit UID of the source process.
$Protection
(type: integer)-
The new memory protection flags.
$Protocol
(type: integer)-
The protocol of the socket (see
socket(2)
).
$SecondFile
(type: string)-
The second file to be exchanged.
$Signal
(type: string)-
Signal name and number, as passed to the
kill(2)
system call.
$SocketMode
(type: integer)-
The mode of the socket file.
$SocketType
(type: integer)-
The type of the socket.
$TargetFile
(type: string)-
Full path to the target file (if applicable).
$TargetProcessArgs
(type: string)-
Formatted list of command-line arguments that were passed to the target process via the
exec(2)
system call.
$TargetProcessCodeDirectoryHash
(type: string)-
The code directory hash value of the target process.
$TargetProcessCodesigningFlags
(type: string)-
Formatted string containing the hexadecimal representation of the codesigning flags of the target process, as well as the logical expression used to obtain these flags.
$TargetProcessEffectiveGID
(type: integer)-
The effective GID of the target process.
$TargetProcessEffectiveUID
(type: integer)-
The effective UID of the target process.
$TargetProcessESClient
(type: boolean)-
Set to
true
if the target process is an Endpoint Security client.
$TargetProcessExecutable
(type: string)-
The path to the executable of the target process.
$TargetProcessOriginalParentPID
(type: integer)-
The PID of the target process' original parent. This field remains constant even when the process is reparented.
$TargetProcessParentPID
(type: integer)-
The PID of the target process' parent.
$TargetProcessPID
(type: integer)-
The PID of the target process.
$TargetProcessPIDVersion
(type: integer)-
The PID version of the target process.
$TargetProcessPlatformBinary
(type: boolean)-
Set to
true
if the target process is a platform binary (signed with Apple certificates).
$TargetProcessRealGID
(type: integer)-
The real GID of the target process.
$TargetProcessRealUID
(type: integer)-
The real UID of the target process.
$TargetProcessSessionID
(type: integer)-
The session ID of the target process.
$TargetProcessSigningID
(type: string)-
The identifier used to sign the target process.
$TargetProcessTeamID
(type: string)-
The team identifier used to sign the target process.
$TargetProcessTty
(type: string)-
The tty from which the target process was invoked. Note: this field is only available if
$MessageVersion
is greater than2
.
$TargetProcessUID
(type: integer)-
The audit UID of the target process.
$TotalDataBlocks
(type: integer)-
Total data blocks in filesystem (if applicable).
$TotalFileNodes
(type: integer)-
Total file nodes in filesystem (if applicable).
$TransferBlockSize
(type: integer)-
Optimal transfer block size (if applicable).
$UID
(type: integer)-
The new UID of the file.
$VolumeAttributes
(type: integer)-
Volume attributes (if applicable).
Examples
With this configuration, NXLog Agent will collect the events listed in the Events directive.
<Input in>
Module im_maces
NotifyEvents get_task, proc_check, write
</Input>
With this configuration, NXLog Agent will only collect up to MAX_WRITE_EVENTS
write
events.
define MAX_WRITE_EVENTS 100
<Input in>
Module im_maces
<Exec>
create_stat("nwrites", "COUNT");
if ( get_stat("nwrites") == 0 )
{
subscribe("write");
}
if ( get_stat("nwrites") == %MAX_WRITE_EVENTS% )
{
unsubscribe("write");
}
if ( $EventType == "write" )
{
add_stat("nwrites", 1);
}
</Exec>
</Input>
With this configuration, NXLog Agent will collect write
events from all processes, except for events generated by /usr/bin/tail
, /usr/bin/less
and all executables under /usr/local/bin/
.
<Input in>
Module im_maces
NotifyEvents write
MutedPathLiteral '/usr/bin/tail'
MutedPathLiteral '/usr/bin/less'
MutedPathPrefix '/usr/local/bin'
</Input>
With this configuration, NXLog Agent will collect write
events generated by /usr/bin/tail
, /usr/bin/less
and all executables under /usr/local/bin/
.
When more than MAX_TAIL_EVENTS
, MAX_LESS_EVENTS
or MAX_LOCAL_EVENTS
events have been generated for each process respectively, the corresponding executable path(s) are muted, meaning that no further events will be generated for any processes located under these paths.
define MAX_TAIL_EVENTS 50
define MAX_LESS_EVENTS 100
define MAX_LOCAL_EVENTS 1000
<Input in>
Module im_maces
NotifyEvents write
<Exec>
create_stat("ntail", "COUNT");
create_stat("nless", "COUNT");
create_stat("nlocal", "COUNT");
if ( $Executable == "/usr/bin/tail" )
{
add_stat("ntail", 1);
}
if ( $Executable == "/usr/bin/less" )
{
add_stat("nless", 1);
}
if ( $Executable =~ /^(\/usr\/local\/bin\/)(.*)$/ )
{
add_stat("nlocal", 1);
}
if ( get_stat("ntail") == %MAX_TAIL_EVENTS% )
{
mute_path_literal("/usr/bin/tail");
}
if ( get_stat("nless") == %MAX_LESS_EVENTS% )
{
mute_path_literal("/usr/bin/less");
}
if ( get_stat("nlocal") == %MAX_LOCAL_EVENTS% )
{
# Mute all processes from /usr/local/bin
mute_path_prefix("/usr/local/bin");
}
</Exec>
</Input>