Endpoint Security Message Analysis Tool - esmat

esmat is a command line tool for macOS that allows you to explore the behavior of Apple's Endpoint Security framework. By default esmat works like a stopwatch: pressing ctrl + t prints statistics for the current interval in which you perform your experiments and starts a new interval (the -C option switches to cumulative statistics that are never reset).

Possible use cases:

  • perform (stress) tests or experiments and use esmat to see whether the recorded events match your expectation or whether message drops occurred
  • investigate process behavior:
    • what child processes are created and how (fork,exec)?
    • which ES messages are created during your experiments?

Usage

Use ./esmat.app/Contents/MacOS/esmat -h to get all available options and flags with examples:

➜ ./esmat.app/Contents/MacOS/esmat -h
Endpoint Security Message Analysis Tool - esmat by ∞ vast limits GmbH

Prints statistics for Endpoint Security messages between two SIGINFO signals (ctrl + t).
Must be run as root to be able to subscribe to Endpoint Security events.

Examples:
sudo ./esmat.app/Contents/MacOS/esmat -a ls git

sudo ./esmat.app/Contents/MacOS/esmat -e NOTIFY_PTY_GRANT NOTIFY_PTY_CLOSE -a sshd

sudo ./esmat.app/Contents/MacOS/esmat -a xpcproxy -pc


Usage: ./esmat.app/Contents/MacOS/esmat [OPTIONS]

Options:
  -h,--help                   Print this help message and exit
  -a,--apps TEXT ...          Add executable names to watch events for.
                              If one or more executable names are specified as arguments,
                              the event types NOTIFY_EXEC, NOTIFY_FORK and NOTIFY_EXIT are automatically enabled.

  -e,--events TEXT ...        Define which ES event types you want to see statistics for.
                              NOTIFY_EXEC, NOTIFY_FORK and NOTIFY_EXIT are automatically enabled
                              if arguments are provided via the -a option.
                              Note: AUTH events are currently not supported.

  -E,--events-available       Prints a list of available Endpoint Security event types.
                              Note: Not all listed events are available on every version of macOS.
                              Only the newest macOS version typically supports all events.

  -p,--parent                 Shows which parent processes have exec'ed into the processes specified via -a.

  -c,--child                  Include child processes which the via -a specified processes exec into.

  -C,--cumulative             If set statistics are never reset between intervals.

Columns of Process Lifecycle Events

column                description
#exec_source_events   number of messages in which the executable was found as the source of an exec
#exec_target_events   number of messages in which the executable was found as the target of an exec
#fork_events          number of messages for fork events for that executable
#exit_events          number of messages for exit events for that executable
delta                 0 if the number of "creation events" matches the expected number of exit events. Calculated as #exec_target + #fork - #exec_source - #exit
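The bookkeeping behind the two tables esmat prints (the per-executable delta above and the #messages_received / #messages_missing table in the examples) is small enough to show in full. The following is an added example written for this page, not code from esmat or from vast limits: it feeds constructed exec/fork/exit records through the delta formula and counts dropped messages from gaps in the per-event-type sequence number that the Endpoint Security framework carries in each message (es_message_t.seq_num, which advances by one per delivered message of a type). That esmat derives its missing count from seq_num is an assumption; the Event, Accounting and runSample names are this example's own.

```cpp
// Added example, not code from esmat: reproduces the bookkeeping behind the
// README's two tables (per-executable lifecycle delta, per-event-type missing
// messages) on constructed records instead of real Endpoint Security messages.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

enum class EventType { NotifyExec, NotifyFork, NotifyExit };

// Stand-in for the few es_message_t fields used here. seq_num models the
// framework's per-client, per-event-type sequence number, which increases by
// one for every delivered message of that type; counting the gaps in it is the
// assumed basis for the #messages_missing column.
struct Event {
    EventType type;
    std::uint64_t seq_num;
    std::string process;  // executable of the process the message describes
    std::string target;   // exec only: the image the process exec'ed into
};

struct LifecycleStats {
    int exec_source = 0, exec_target = 0, fork = 0, exit = 0;
    // Same formula as the delta column in the README.
    int delta() const { return exec_target + fork - exec_source - exit; }
};

struct DropStats { std::uint64_t received = 0, missing = 0; };

class Accounting {
public:
    void consume(const Event& e) {
        trackSequence(e);
        switch (e.type) {
        case EventType::NotifyExec:
            ++lifecycle_[e.process].exec_source;  // old image
            ++lifecycle_[e.target].exec_target;   // new image
            break;
        case EventType::NotifyFork: ++lifecycle_[e.process].fork; break;
        case EventType::NotifyExit: ++lifecycle_[e.process].exit; break;
        }
    }
    // Stopwatch mode: counters start over, but the last seen sequence numbers
    // must survive, otherwise a drop across the interval boundary is invisible.
    void resetInterval() { lifecycle_.clear(); drops_.clear(); }

    const LifecycleStats& lifecycle(const std::string& exe) const { return lifecycle_.at(exe); }
    const DropStats& drops(EventType t) const { return drops_.at(t); }
    std::uint64_t totalReceived() const { std::uint64_t n = 0; for (const auto& kv : drops_) n += kv.second.received; return n; }
    std::uint64_t totalMissing() const { std::uint64_t n = 0; for (const auto& kv : drops_) n += kv.second.missing; return n; }
    const std::map<std::string, LifecycleStats>& allLifecycle() const { return lifecycle_; }
    const std::map<EventType, DropStats>& allDrops() const { return drops_; }

private:
    void trackSequence(const Event& e) {
        DropStats& d = drops_[e.type];
        auto it = lastSeq_.find(e.type);
        if (it != lastSeq_.end() && e.seq_num > it->second + 1)
            d.missing += e.seq_num - it->second - 1;  // size of the gap = dropped messages
        lastSeq_[e.type] = e.seq_num;
        ++d.received;
    }
    std::map<std::string, LifecycleStats> lifecycle_;
    std::map<EventType, DropStats> drops_;
    std::map<EventType, std::uint64_t> lastSeq_;
};

// Constructed interval: a shell runs `ls` and `git`, git re-execs itself once,
// and the kernel drops git's first exit message (NOTIFY_EXIT seq 2 never arrives).
Accounting runSample() {
    const std::vector<Event> events = {
        {EventType::NotifyFork, 1, "zsh", ""},
        {EventType::NotifyExec, 1, "zsh", "ls"},
        {EventType::NotifyExit, 1, "ls", ""},
        {EventType::NotifyFork, 2, "zsh", ""},
        {EventType::NotifyExec, 2, "zsh", "git"},
        {EventType::NotifyFork, 3, "git", ""},
        {EventType::NotifyExec, 3, "git", "git"},
        {EventType::NotifyExit, 3, "git", ""},
    };
    Accounting acc;
    for (const Event& e : events) acc.consume(e);
    return acc;
}

static const char* eventName(EventType t) {
    switch (t) {
    case EventType::NotifyExec: return "NOTIFY_EXEC";
    case EventType::NotifyFork: return "NOTIFY_FORK";
    case EventType::NotifyExit: return "NOTIFY_EXIT";
    }
    return "?";
}

int main() {
    Accounting acc = runSample();
    std::printf("%-10s %6s %6s %5s %5s %5s\n", "executable", "src", "tgt", "fork", "exit", "delta");
    for (const auto& kv : acc.allLifecycle()) {
        const LifecycleStats& s = kv.second;
        std::printf("%-10s %6d %6d %5d %5d %5d %s\n", kv.first.c_str(), s.exec_source,
                    s.exec_target, s.fork, s.exit, s.delta(), s.delta() == 0 ? "ok" : "MISMATCH");
    }
    for (const auto& kv : acc.allDrops())
        std::printf("%-12s received=%llu missing=%llu\n", eventName(kv.first),
                    (unsigned long long)kv.second.received, (unsigned long long)kv.second.missing);
    return 0;
}
```

In the constructed run, zsh and ls come out with delta 0, while git shows delta 1 because its first exit was dropped, and the same drop surfaces as missing=1 for NOTIFY_EXIT. The sequence baseline is kept across resetInterval so that a message lost right at an interval boundary is still counted in the next interval.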

Prerequisites

There is no need to install anything. However, before you can run the app you need to grant the bundle Full Disk Access by dragging it into the list of allowed apps under Security & Privacy -> Privacy -> Full Disk Access. This is a requirement from Apple for every Endpoint Security client. The app won't be able to run without this permission.

Examples

  • Investigate process lifecycle events or perform stress tests and evaluate message drops
sudo ./esmat.app/Contents/MacOS/esmat -a ls git exa

🚀 ES client statistics #3:
+------------+---------------------+---------------------+--------------+--------------+---------+
| executable | #exec_source_events | #exec_target_events | #fork_events | #exit_events |  delta  |
+------------+---------------------+---------------------+--------------+--------------+---------+
| git        |                  18 |                  36 |            0 |           18 |       0 | ✅
+------------+---------------------+---------------------+--------------+--------------+---------+
| exa        |                   0 |                   1 |            0 |            1 |       0 | ✅
+------------+---------------------+---------------------+--------------+--------------+---------+
| ls         |                   0 |                   3 |            0 |            3 |       0 | ✅
+------------+---------------------+---------------------+--------------+--------------+---------+

+---------------+--------------------+-------------------+
| ES_event_type | #messages_received | #messages_missing |
+---------------+--------------------+-------------------+
| NOTIFY_EXIT   |                248 |                 0 | ✅
+---------------+--------------------+-------------------+
| NOTIFY_FORK   |                255 |                 0 | ✅
+---------------+--------------------+-------------------+
| NOTIFY_EXEC   |                135 |                 0 | ✅
+---------------+--------------------+-------------------+
|        total: |                638 |                 0 | ✅
+---------------+--------------------+-------------------+
⏱ interval duration: 16 seconds
  • Investigate ES messages and processes for events such as ssh logins
sudo ./esmat.app/Contents/MacOS/esmat  -a  sshd -e NOTIFY_PTY_GRANT NOTIFY_PTY_CLOSE -pc

🚀 ES client statistics #2:
+-----------------------+---------------------+---------------------+--------------+--------------+---------+
| executable            | #exec_source_events | #exec_target_events | #fork_events | #exit_events |  delta  |
+-----------------------+---------------------+---------------------+--------------+--------------+---------+
| sshd                  |                   1 |                   1 |            3 |            3 |       0 | ✅
+-----------------------+---------------------+---------------------+--------------+--------------+---------+
| --zsh                 |                   - |                   1 |            - |            - |       - | 🐣
+-----------------------+---------------------+---------------------+--------------+--------------+---------+
| --sshd-keygen-wrapper |                   1 |                   - |            - |            - |       - | 👨‍👩‍👦
+-----------------------+---------------------+---------------------+--------------+--------------+---------+

+------------------+--------------------+-------------------+
| ES_event_type    | #messages_received | #messages_missing |
+------------------+--------------------+-------------------+
| NOTIFY_PTY_CLOSE |                  1 |                 0 | ✅
+------------------+--------------------+-------------------+
| NOTIFY_EXIT      |                115 |                 0 | ✅
+------------------+--------------------+-------------------+
| NOTIFY_PTY_GRANT |                  1 |                 0 | ✅
+------------------+--------------------+-------------------+
| NOTIFY_FORK      |                116 |                 0 | ✅
+------------------+--------------------+-------------------+
| NOTIFY_EXEC      |                 63 |                 0 | ✅
+------------------+--------------------+-------------------+
|           total: |                296 |                 0 | ✅
+------------------+--------------------+-------------------+
⏱ interval duration: 9 seconds

Build

Building requires Xcode 13 or later (C++20) and an Apple developer account. You also need to request the Endpoint Security entitlement from Apple. Once you have received the ES entitlement you can create your provisioning profiles for development and distribution.

To avoid issues with signing and provisioning, some configuration options have been offloaded into configuration files. Once you've cloned the repo you need to create a Shared.xcconfig, a Debug.xcconfig and optionally a Release.xcconfig based on the included template files and fill in the specified values. This prevents leaking personal information into the repository.

Note: Please do not change these values in the project editor if you want to contribute.

Dependencies

Uses CLI11 to build the command line interface.
