Enumeration

es_event_type_t

A type used to identify a message’s event type and subscribe to events of that type.

Declaration

typedef enum : unsigned int {
    ...
} es_event_type_t;

Overview

Call the es_subscribe function with the constants defined by this type to subscribe to specific Endpoint Security events.

You also use this type when inspecting a received message. The es_message_t member event_type, which is of this type, indicates what kind of event the event field contains.
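
The two uses described above, shown together in an added example that is not part of Apple's documentation: a client subscribes with constants of this type, then switches on event_type before reading the matching member of the event field. It assumes the process runs as root with the Endpoint Security client entitlement and is compiled as Objective-C (or C with clang's blocks extension) and linked against libEndpointSecurity and libbsm; the handle_message helper is a hypothetical name.

```objective-c
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <stdio.h>
#include <stdlib.h>

// Hypothetical helper: check event_type first, then read only the
// member of msg->event that corresponds to that type.
static void handle_message(es_client_t *client, const es_message_t *msg) {
    switch (msg->event_type) {
    case ES_EVENT_TYPE_AUTH_EXEC: {
        // Authorization event: the exec is held until the client responds.
        es_string_token_t path = msg->event.exec.target->executable->path;
        printf("auth exec: %.*s\n", (int)path.length, path.data);
        es_respond_auth_result(client, msg, ES_AUTH_RESULT_ALLOW, false);
        break;
    }
    case ES_EVENT_TYPE_NOTIFY_EXIT:
        // Notification event: informational only, no response is sent.
        printf("exit: pid %d, status %d\n",
               audit_token_to_pid(msg->process->audit_token),
               msg->event.exit.stat);
        break;
    default:
        // Not subscribed to anything else; log so a mismatch is visible.
        fprintf(stderr, "unexpected event type %u\n", (unsigned)msg->event_type);
        break;
    }
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) { handle_message(c, msg); });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d\n", (int)res);
        return EXIT_FAILURE;
    }
    // One authorization type and one notification type from this enumeration.
    const es_event_type_t events[] = {
        ES_EVENT_TYPE_AUTH_EXEC,
        ES_EVENT_TYPE_NOTIFY_EXIT,
    };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0]))
            != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return EXIT_FAILURE;
    }
    dispatch_main(); // never returns; messages arrive on the handler block
}
```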

Topics

Authorization Event Types

ES_EVENT_TYPE_AUTH_CHDIR

A type that represents events for authorizing a process to change its working directory.

ES_EVENT_TYPE_AUTH_CHROOT

A type that represents events for authorizing a process to change its root directory.

ES_EVENT_TYPE_AUTH_CLONE

A type that represents events for authorizing the cloning of a file.

ES_EVENT_TYPE_AUTH_CREATE

A type that represents events for authorizing the creation of a file.

ES_EVENT_TYPE_AUTH_DELETEEXTATTR

A type that represents events for authorizing the deletion of an extended attribute from a file.

ES_EVENT_TYPE_AUTH_EXCHANGEDATA

A type that represents events for authorizing the exchange of data between two files.

ES_EVENT_TYPE_AUTH_EXEC

A type that represents events for authorizing the execution of a process.

ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE

A type that represents events for authorizing the materialization of a file provider.

ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE

A type that represents events for authorizing the updating of a file provider.

ES_EVENT_TYPE_AUTH_FSGETPATH

A type that represents events for authorizing the retrieval of a file-system path.

ES_EVENT_TYPE_AUTH_GETATTRLIST

A type that represents events for authorizing the retrieval of attributes from a file.

ES_EVENT_TYPE_AUTH_GETEXTATTR

A type that represents events for authorizing the retrieval of an extended attribute from a file.

ES_EVENT_TYPE_AUTH_KEXTLOAD

A type that represents events for authorizing the loading of a Kernel Extension (KEXT).

ES_EVENT_TYPE_AUTH_LINK

A type that represents events for authorizing the creation of a symbolic link.

ES_EVENT_TYPE_AUTH_LISTEXTATTR

A type that represents events for authorizing the retrieval of multiple extended attributes from a file.

ES_EVENT_TYPE_AUTH_MMAP

A type that represents events for authorizing the mapping of memory to a file.

ES_EVENT_TYPE_AUTH_MOUNT

A type that represents events for authorizing the mounting of a file system.

ES_EVENT_TYPE_AUTH_MPROTECT

A type that represents events for authorizing the changing of protection of memory-mapped pages.

ES_EVENT_TYPE_AUTH_OPEN

A type that represents events for authorizing the opening of a file.

ES_EVENT_TYPE_AUTH_READDIR

A type that represents events for authorizing the reading of a file-system directory.

ES_EVENT_TYPE_AUTH_READLINK

A type that represents events for authorizing the reading of a symbolic link.

ES_EVENT_TYPE_AUTH_RENAME

A type that represents events for authorizing the renaming of a file.

ES_EVENT_TYPE_AUTH_SETACL

A type that represents events for authorizing the setting of a file’s access control list.

ES_EVENT_TYPE_AUTH_SETATTRLIST

A type that represents events for authorizing the setting of an attribute of a file.

ES_EVENT_TYPE_AUTH_SETEXTATTR

A type that represents events for authorizing the setting of an extended attribute of a file.

ES_EVENT_TYPE_AUTH_SETFLAGS

A type that represents events for authorizing the setting of a file’s flags.

ES_EVENT_TYPE_AUTH_SETMODE

A type that represents events for authorizing the setting of a file’s mode.

ES_EVENT_TYPE_AUTH_SETOWNER

A type that represents events for authorizing the setting of a file’s owner.

ES_EVENT_TYPE_AUTH_SETTIME

A type that represents events for authorizing the modification of the system time.

ES_EVENT_TYPE_AUTH_SIGNAL

A type that represents events for authorizing the sending of a signal to a process.

ES_EVENT_TYPE_AUTH_TRUNCATE

A type that represents events for authorizing the truncation of a file.

ES_EVENT_TYPE_AUTH_UIPC_BIND

A type that represents events for authorizing the binding of a socket to a path.

ES_EVENT_TYPE_AUTH_UIPC_CONNECT

A type that represents events for authorizing the connection of a socket.

ES_EVENT_TYPE_AUTH_UNLINK

A type that represents events for authorizing the unlinking of a symbolic link.

ES_EVENT_TYPE_AUTH_UTIMES

A type that represents events for authorizing the changing of a file’s access or modification time.

Notification Event Types

ES_EVENT_TYPE_NOTIFY_ACCESS

A type that represents events for notification of the checking of a file’s access permission.

ES_EVENT_TYPE_NOTIFY_CHDIR

A type that represents events for notification that a process changed its working directory.

ES_EVENT_TYPE_NOTIFY_CHROOT

A type that represents events for notification that a process changed its root directory.

ES_EVENT_TYPE_NOTIFY_CLONE

A type that represents events for notification of the cloning of a file.

ES_EVENT_TYPE_NOTIFY_CLOSE

A type that represents events for notification of the closing of a file.

ES_EVENT_TYPE_NOTIFY_CREATE

A type that represents events for notification of the creation of a file.

ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR

A type that represents events for notification of the deletion of an extended attribute from a file.

ES_EVENT_TYPE_NOTIFY_DUP

A type that represents events for notification of the duplication of a file descriptor.

ES_EVENT_TYPE_NOTIFY_EXCHANGEDATA

A type that represents events for notification of the exchange of data between two files.

ES_EVENT_TYPE_NOTIFY_EXEC

A type that represents events for notification of the execution of a process.

ES_EVENT_TYPE_NOTIFY_EXIT

A type that represents events for notification of a process exiting.

ES_EVENT_TYPE_NOTIFY_FCNTL

A type that represents events for notification of the manipulation of a file descriptor.

ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE

A type that represents events for notification of the materialization of a file provider.

ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_UPDATE

A type that represents events for notification of an update to a file provider.

ES_EVENT_TYPE_NOTIFY_FORK

A type that represents events for notification of the forking of a process.

ES_EVENT_TYPE_NOTIFY_FSGETPATH

A type that represents events for notification of the retrieval of a file-system path.

ES_EVENT_TYPE_NOTIFY_GETATTRLIST

A type that represents events for notification of the retrieval of attributes from a file.

ES_EVENT_TYPE_NOTIFY_GETEXTATTR

A type that represents events for notification of the retrieval of an extended attribute from a file.

ES_EVENT_TYPE_NOTIFY_GET_TASK

A type that represents events for notification of the retrieval of a task’s port.

ES_EVENT_TYPE_NOTIFY_IOKIT_OPEN

A type that represents events for notification of the opening of an IOKit device.

ES_EVENT_TYPE_NOTIFY_KEXTLOAD

A type that represents events for notification of the loading of a Kernel Extension (KEXT).

ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD

A type that represents events for notification of the unloading of a Kernel Extension (KEXT).

ES_EVENT_TYPE_NOTIFY_LINK

A type that represents events for notification of the creation of a symbolic link.

ES_EVENT_TYPE_NOTIFY_LISTEXTATTR

A type that represents events for notification of the retrieval of multiple extended attributes from a file.

ES_EVENT_TYPE_NOTIFY_LOOKUP

A type that represents events for notification of the lookup of a file’s path.

ES_EVENT_TYPE_NOTIFY_MMAP

A type that represents events for notification of the mapping of memory to a file.

ES_EVENT_TYPE_NOTIFY_MOUNT

A type that represents events for notification of the mounting of a file system.

ES_EVENT_TYPE_NOTIFY_MPROTECT

A type that represents events for notification of a change to protection of memory-mapped pages.

ES_EVENT_TYPE_NOTIFY_OPEN

A type that represents events for notification of the opening of a file.

ES_EVENT_TYPE_NOTIFY_READDIR

A type that represents events for notification of the reading of a file-system directory.

ES_EVENT_TYPE_NOTIFY_READLINK

A type that represents events for notification of the reading of a symbolic link.

ES_EVENT_TYPE_NOTIFY_RENAME

A type that represents events for notification of the renaming of a file.

ES_EVENT_TYPE_NOTIFY_SETACL

A type that represents events for notification of the setting of a file’s access control list.

ES_EVENT_TYPE_NOTIFY_SETATTRLIST

A type that represents events for notification of the setting of an attribute of a file.

ES_EVENT_TYPE_NOTIFY_SETEXTATTR

A type that represents events for notification of the setting of an extended attribute of a file.

ES_EVENT_TYPE_NOTIFY_SETFLAGS

A type that represents events for notification of the setting of a file’s flags.

ES_EVENT_TYPE_NOTIFY_SETMODE

A type that represents events for notification of the setting of a file’s mode.

ES_EVENT_TYPE_NOTIFY_SETOWNER

A type that represents events for notification of the setting of a file’s owner.

ES_EVENT_TYPE_NOTIFY_SETTIME

A type that represents events for notification of the modification of the system time.

ES_EVENT_TYPE_NOTIFY_SIGNAL

A type that represents events for notification of the sending of a signal to a process.

ES_EVENT_TYPE_NOTIFY_STAT

A type that represents events for notification of the retrieval of a file’s status.

ES_EVENT_TYPE_NOTIFY_TRUNCATE

A type that represents events for notification of the truncation of a file.

ES_EVENT_TYPE_NOTIFY_UIPC_BIND

A type that represents events for notification of the binding of a socket to a path.

ES_EVENT_TYPE_NOTIFY_UIPC_CONNECT

A type that represents events for notification of the connection of a socket.

ES_EVENT_TYPE_NOTIFY_UNLINK

A type that represents events for notification of the unlinking of a symbolic link.

ES_EVENT_TYPE_NOTIFY_UNMOUNT

A type that represents events for notification of the unmounting of a file system.

ES_EVENT_TYPE_NOTIFY_UTIMES

A type that represents events for notification of a change to a file’s access time or modification time.

ES_EVENT_TYPE_NOTIFY_WRITE

A type that represents events for notification of the writing of data to a file.

Enumeration Marker

ES_EVENT_TYPE_LAST

A value that indicates the last member of the enumeration.

See Also

Subscribing to Events

es_subscribe

Subscribes a client to some set of events.

es_subscriptions

Returns a list of the client’s subscriptions.

es_unsubscribe

Unsubscribes a client from some set of events.

es_unsubscribe_all

Unsubscribes a client from all events.

Beta Software

This documentation contains preliminary information about an API or technology in development. This information is subject to change, and software implemented according to this documentation should be tested with final operating system software.
