Enumeration

es_event_type_t

A type used to identify a message’s event type and subscribe to events of that type.

Declaration

typedef enum : unsigned int {
    ...
} es_event_type_t;

Overview

Call the es_subscribe function with the constants defined by this type to subscribe to specific Endpoint Security events.

You also use this type when inspecting a received message. The es_message_t member event_type, which is of this type, indicates what kind of event the event field contains.
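The following added example (not part of the original page) subscribes to one authorization and one notification event type, then switches on event_type to decide which member of the event field to read. The other calls it uses (es_new_client, es_respond_auth_result, es_delete_client, audit_token_to_pid) are existing Endpoint Security and libbsm functions not described on this page, and handle_message is a hypothetical helper name. It assumes a macOS build linked with -lEndpointSecurity -lbsm, run as root with the com.apple.developer.endpoint-security.client entitlement.

```objective-c
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <stdio.h>
#include <stdlib.h>

// Hypothetical helper: dispatch on event_type, which says which member of msg->event is valid.
static void handle_message(es_client_t *client, const es_message_t *msg) {
    pid_t pid = audit_token_to_pid(msg->process->audit_token);
    switch (msg->event_type) {
    case ES_EVENT_TYPE_AUTH_EXEC: {
        // es_string_token_t is length-delimited, so print it with an explicit length.
        es_string_token_t path = msg->event.exec.target->executable->path;
        printf("AUTH exec pid=%d target=%.*s\n", pid, (int)path.length, path.data);
        // An AUTH event holds the operation until the client answers; always respond.
        es_respond_auth_result(client, msg, ES_AUTH_RESULT_ALLOW, false);
        break;
    }
    case ES_EVENT_TYPE_NOTIFY_EXIT:
        // NOTIFY events are informational and take no response.
        printf("NOTIFY exit pid=%d status=%d\n", pid, msg->event.exit.stat);
        break;
    default:
        // Not subscribed to anything else; log rather than read the wrong union member.
        fprintf(stderr, "unexpected event_type %u\n", (unsigned)msg->event_type);
        break;
    }
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        handle_message(c, msg);
    });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d\n", (int)res);
        return EXIT_FAILURE;
    }
    // The subscription list is an array of es_event_type_t constants.
    const es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_NOTIFY_EXIT };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return EXIT_FAILURE;
    }
    dispatch_main(); // Messages arrive on the handler block until the process exits.
}
```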

Topics

Authorization Event Types

ES_EVENT_TYPE_AUTH_CHDIR

A type that represents events for authorizing a process to change its working directory.

ES_EVENT_TYPE_AUTH_CHROOT

A type that represents events for authorizing a process to change its root directory.

ES_EVENT_TYPE_AUTH_CLONE

A type that represents events for authorizing the cloning of a file.

ES_EVENT_TYPE_AUTH_CREATE

A type that represents events for authorizing the creation of a file.

ES_EVENT_TYPE_AUTH_DELETEEXTATTR

A type that represents events for authorizing the deletion of an extended attribute from a file.

ES_EVENT_TYPE_AUTH_EXCHANGEDATA

A type that represents events for authorizing the exchange of data between two files.

ES_EVENT_TYPE_AUTH_EXEC

A type that represents events for authorizing the execution of a process.

ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE

A type that represents events for authorizing the materialization of a file provider.

ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE

A type that represents events for authorizing the updating of a file provider.

ES_EVENT_TYPE_AUTH_FSGETPATH

A type that represents events for authorizing the retrieval of a file-system path.

ES_EVENT_TYPE_AUTH_GETATTRLIST

A type that represents events for authorizing the retrieval of attributes from a file.

ES_EVENT_TYPE_AUTH_GETEXTATTR

A type that represents events for authorizing the retrieval of an extended attribute from a file.

ES_EVENT_TYPE_AUTH_KEXTLOAD

A type that represents events for authorizing the loading of a Kernel Extension (KEXT).

ES_EVENT_TYPE_AUTH_LINK

A type that represents events for authorizing the creation of a symbolic link.

ES_EVENT_TYPE_AUTH_LISTEXTATTR

A type that represents events for authorizing the retrieval of multiple extended attributes from a file.

ES_EVENT_TYPE_AUTH_MMAP

A type that represents events for authorizing the mapping of memory to a file.

ES_EVENT_TYPE_AUTH_MOUNT

A type that represents events for authorizing the mounting of a file system.

ES_EVENT_TYPE_AUTH_MPROTECT

A type that represents events for authorizing the changing of protection of memory-mapped pages.

ES_EVENT_TYPE_AUTH_OPEN

A type that represents events for authorizing the opening of a file.

ES_EVENT_TYPE_AUTH_READDIR

A type that represents events for authorizing the reading of a file-system directory.

ES_EVENT_TYPE_AUTH_READLINK

A type that represents events for authorizing the reading of a symbolic link.

ES_EVENT_TYPE_AUTH_RENAME

A type that represents events for authorizing the renaming of a file.

ES_EVENT_TYPE_AUTH_SETACL

A type that represents events for authorizing the setting of a file’s access control list.

ES_EVENT_TYPE_AUTH_SETATTRLIST

A type that represents events for authorizing the setting of an attribute of a file.

ES_EVENT_TYPE_AUTH_SETEXTATTR

A type that represents events for authorizing the setting of an extended attribute of a file.

ES_EVENT_TYPE_AUTH_SETFLAGS

A type that represents events for authorizing the setting of a file’s flags.

ES_EVENT_TYPE_AUTH_SETMODE

A type that represents events for authorizing the setting of a file’s mode.

ES_EVENT_TYPE_AUTH_SETOWNER

A type that represents events for authorizing the setting of a file’s owner.

ES_EVENT_TYPE_AUTH_SETTIME

A type that represents events for authorizing the modification of the system time.

ES_EVENT_TYPE_AUTH_SIGNAL

A type that represents events for authorizing the sending of a signal to a process.

ES_EVENT_TYPE_AUTH_TRUNCATE

A type that represents events for authorizing the truncation of a file.

ES_EVENT_TYPE_AUTH_UIPC_BIND

A type that represents events for authorizing the binding of a socket to a path.

ES_EVENT_TYPE_AUTH_UIPC_CONNECT

A type that represents events for authorizing the connection of a socket.

ES_EVENT_TYPE_AUTH_UNLINK

A type that represents events for authorizing the unlinking of a symbolic link.

ES_EVENT_TYPE_AUTH_UTIMES

A type that represents events for authorizing the changing of a file’s access or modification time.

Notification Event Types

ES_EVENT_TYPE_NOTIFY_ACCESS

A type that represents events for notification of the checking of a file’s access permission.

ES_EVENT_TYPE_NOTIFY_CHDIR

A type that represents events for notification that a process changed its working directory.

ES_EVENT_TYPE_NOTIFY_CHROOT

A type that represents events for notification that a process changed its root directory.

ES_EVENT_TYPE_NOTIFY_CLONE

A type that represents events for notification of the cloning of a file.

ES_EVENT_TYPE_NOTIFY_CLOSE

A type that represents events for notification of the closing of a file.

ES_EVENT_TYPE_NOTIFY_CREATE

A type that represents events for notification of the creation of a file.

ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR

A type that represents events for notification of the deletion of an extended attribute from a file.

ES_EVENT_TYPE_NOTIFY_DUP

A type that represents events for notification of the duplication of a file descriptor.

ES_EVENT_TYPE_NOTIFY_EXCHANGEDATA

A type that represents events for notification of the exchange of data between two files.

ES_EVENT_TYPE_NOTIFY_EXEC

A type that represents events for notification of the execution of a process.

ES_EVENT_TYPE_NOTIFY_EXIT

A type that represents events for notification of a process exiting.

ES_EVENT_TYPE_NOTIFY_FCNTL

A type that represents events for notification of the manipulation of a file descriptor.

ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE

A type that represents events for notification of the materialization of a file provider.

ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_UPDATE

A type that represents events for notification of an update to a file provider.

ES_EVENT_TYPE_NOTIFY_FORK

A type that represents events for notification of the forking of a process.

ES_EVENT_TYPE_NOTIFY_FSGETPATH

A type that represents events for notification of the retrieval of a file-system path.

ES_EVENT_TYPE_NOTIFY_GETATTRLIST

A type that represents events for notification of the retrieval of attributes from a file.

ES_EVENT_TYPE_NOTIFY_GETEXTATTR

A type that represents events for notification of the retrieval of an extended attribute from a file.

ES_EVENT_TYPE_NOTIFY_GET_TASK

A type that represents events for notification of the retrieval of a task’s port.

ES_EVENT_TYPE_NOTIFY_IOKIT_OPEN

A type that represents events for notification of the opening of an IOKit device.

ES_EVENT_TYPE_NOTIFY_KEXTLOAD

A type that represents events for notification of the loading of a Kernel Extension (KEXT).

ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD

A type that represents events for notification of the unloading of a Kernel Extension (KEXT).

ES_EVENT_TYPE_NOTIFY_LINK

A type that represents events for notification of the creation of a symbolic link.

ES_EVENT_TYPE_NOTIFY_LISTEXTATTR

A type that represents events for notification of the retrieval of multiple extended attributes from a file.

ES_EVENT_TYPE_NOTIFY_LOOKUP

A type that represents events for notification of the lookup of a file’s path.

ES_EVENT_TYPE_NOTIFY_MMAP

A type that represents events for notification of the mapping of memory to a file.

ES_EVENT_TYPE_NOTIFY_MOUNT

A type that represents events for notification of the mounting of a file system.

ES_EVENT_TYPE_NOTIFY_MPROTECT

A type that represents events for notification of a change to protection of memory-mapped pages.

ES_EVENT_TYPE_NOTIFY_OPEN

A type that represents events for notification of the opening of a file.

ES_EVENT_TYPE_NOTIFY_READDIR

A type that represents events for notification of the reading of a file-system directory.

ES_EVENT_TYPE_NOTIFY_READLINK

A type that represents events for notification of the reading of a symbolic link.

ES_EVENT_TYPE_NOTIFY_RENAME

A type that represents events for notification of the renaming of a file.

ES_EVENT_TYPE_NOTIFY_SETACL

A type that represents events for notification of the setting of a file’s access control list.

ES_EVENT_TYPE_NOTIFY_SETATTRLIST

A type that represents events for notification of the setting of an attribute of a file.

ES_EVENT_TYPE_NOTIFY_SETEXTATTR

A type that represents events for notification of the setting of an extended attribute of a file.

ES_EVENT_TYPE_NOTIFY_SETFLAGS

A type that represents events for notification of the setting of a file’s flags.

ES_EVENT_TYPE_NOTIFY_SETMODE

A type that represents events for notification of the setting of a file’s mode.

ES_EVENT_TYPE_NOTIFY_SETOWNER

A type that represents events for notification of the setting of a file’s owner.

ES_EVENT_TYPE_NOTIFY_SETTIME

A type that represents events for notification of the modification of the system time.

ES_EVENT_TYPE_NOTIFY_SIGNAL

A type that represents events for notification of the sending of a signal to a process.

ES_EVENT_TYPE_NOTIFY_STAT

A type that represents events for notification of the retrieval of a file’s status.

ES_EVENT_TYPE_NOTIFY_TRUNCATE

A type that represents events for notification of the truncation of a file.

ES_EVENT_TYPE_NOTIFY_UIPC_BIND

A type that represents events for notification of the binding of a socket to a path.

ES_EVENT_TYPE_NOTIFY_UIPC_CONNECT

A type that represents events for notification of the connection of a socket.

ES_EVENT_TYPE_NOTIFY_UNLINK

A type that represents events for notification of the unlinking of a symbolic link.

ES_EVENT_TYPE_NOTIFY_UNMOUNT

A type that represents events for notification of the unmounting of a file system.

ES_EVENT_TYPE_NOTIFY_UTIMES

A type that represents events for notification of a change to a file’s access time or modification time.

ES_EVENT_TYPE_NOTIFY_WRITE

A type that represents events for notification of the writing of data to a file.

Enumeration Marker

ES_EVENT_TYPE_LAST

A value that indicates the last member of the enumeration.

See Also

Subscribing to Events

es_subscribe

Subscribes a client to some set of events.

es_subscriptions

Returns a list of the client’s subscriptions.

es_unsubscribe

Unsubscribes a client from some set of events.

es_unsubscribe_all

Unsubscribes a client from all events.