Endpoint Security updates

* Rich security event stream
* Replaces:
  - KAuth (Kernel Authorization)
  - MACF (Mandatory Access Control Framework)
  - OpenBSM auditing (https://en.wikipedia.org/wiki/OpenBSM)

First introduced in macOS Catalina as a replacement for the KAuth API, the unsupported MAC kernel framework and the OpenBSM audit trail. It removed the need to develop kernel extensions for endpoint security functions.

For more information on Endpoint Security, see the following past WWDC sessions:
- Build an Endpoint Security App: https://developer.apple.com/wwdc20/10159
- System Extensions and DriverKit: https://developer.apple.com/wwdc19/702

New functionality for macOS Ventura:

New events: adding visibility into security-relevant events which happen in user space:
* Authentication
* Login and logout
* XProtect and Gatekeeper

Authentication event: covers when the user is authenticating to the system. This includes:
- Logging into local user accounts
- Authorizing operations as an administrator
This gives visibility to security products which observe and report on suspicious access patterns.

Login and logout: covers when someone logs on to the system, either locally at the console or remotely using one of the supported methods:
Console methods:
* Login window
* /usr/bin/login
Remote methods:
* Screen sharing
* SSH

XProtect and Gatekeeper: covers when malicious software is detected, then stopped and removed. This information was previously unavailable in a structured way, but is now available via the Endpoint Security API in Ventura.

These changes make it unnecessary for endpoint security products to use the OpenBSM audit software. OpenBSM auditing has been deprecated since macOS Big Sur and will be removed in a future version of macOS.

Muting: the Endpoint Security API supports muting processes by audit token or executable image path. This helps prevent processes from deadlocking and helps manage performance impact.
Beginning in macOS Monterey, frequent causes of system instability were addressed by muting some event types for a small set of executables by default. While these events can be un-muted, Apple recommends they stay muted in the interest of system stability.

In macOS Ventura, muting gains the ability to mute file events based on target path, in addition to the target process executable image path. Muting logic can now also be inverted to select events instead of muting them. This allows only events which match the specified criteria to be received:
* Process
* Path
* Target path

eslogger tool: Apple-provided command-line utility for Endpoint Security. eslogger taps into the Endpoint Security event stream for specified events:
- Outputs JSON-formatted event data
- Output goes to standard output or to the unified logging system
* Ships with the OS beginning with macOS Ventura
* Requires root privileges to run
* Requires TCC Full Disk Access authorization for the responsible process (like your endpoint management tool's agent, SSH or Terminal)

eslogger is not intended to be used by applications, and its output is subject to change as the result of future software updates. Applications should interface natively with the Endpoint Security API.

Demo of eslogger use runs from 7:55 through 9:45 of the session video.
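As an added illustration of the muting semantics described above (mute by executable path, mute by file-event target path, and the inverted "select instead of mute" mode) and of consuming eslogger-style JSON output, here is a small Python filter. It is not Apple's code and not from the session. The sample records are constructed, and the JSON field names (`event_type`, `process.executable.path`, `event.file.path`) are an assumption that resembles eslogger output rather than a documented schema, which is exactly why the notes say applications should use the Endpoint Security API directly instead of eslogger's output. The event names used (`authentication`, `login_login`, `login_logout`, `xp_malware_detected`, `xp_malware_remediated`) are the lowercase Endpoint Security event names eslogger accepts on its command line.

```python
"""Filter an eslogger-style JSON line stream the way Endpoint Security muting
works, then count the Ventura user-space security events that survive.

Added example, not Apple's code. JSON shape and sample records are constructed
(assumption: event_type, process.executable.path, event.file.path)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample lines, one JSON object per line as eslogger emits them.
SAMPLE_LINES = [
    '{"event_type": "authentication", "process": {"executable": {"path": "/usr/bin/sudo"}}, '
    '"event": {"success": true}}',
    '{"event_type": "login_login", "process": {"executable": {"path": '
    '"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"}}, '
    '"event": {"username": "alice", "success": true}}',
    '{"event_type": "open", "process": {"executable": {"path": "/usr/sbin/mds"}}, '
    '"event": {"file": {"path": "/private/var/db/Spotlight/index"}}}',
    '{"event_type": "open", "process": {"executable": {"path": "/usr/bin/vim"}}, '
    '"event": {"file": {"path": "/Users/alice/.ssh/id_ed25519"}}}',
    '{"event_type": "xp_malware_detected", "process": {"executable": {"path": "/usr/libexec/XProtect"}}, '
    '"event": {"malware_identifier": "CONSTRUCTED_EXAMPLE"}}',
]

# The user-space events Ventura adds to the stream.
SECURITY_EVENTS = {
    "authentication", "login_login", "login_logout",
    "xp_malware_detected", "xp_malware_remediated",
}


@dataclass
class MuteRules:
    """Mirror of the three muting knobs: process executable path, file-event
    target path, and inversion (rules select events instead of dropping them)."""
    process_paths: set[str] = field(default_factory=set)  # executable image paths
    target_paths: set[str] = field(default_factory=set)   # file-event target paths (Ventura)
    inverted: bool = False                                 # select matching events instead of muting


def matches(rules: MuteRules, event: dict) -> bool:
    """True when the event hits either a muted executable or a muted target path."""
    exe = event.get("process", {}).get("executable", {}).get("path")
    target = event.get("event", {}).get("file", {}).get("path")
    return exe in rules.process_paths or (target is not None and target in rules.target_paths)


def filter_events(lines: list[str], rules: MuteRules) -> list[dict]:
    """Deliver events the rules would let through.

    Normal mode: drop events that match a rule.
    Inverted mode: drop events that do NOT match a rule.
    Malformed lines are skipped rather than crashing the consumer."""
    delivered = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches(rules, ev) != rules.inverted:
            continue
        delivered.append(ev)
    return delivered


def summarize(events: list[dict]) -> dict[str, int]:
    """Count only the security-relevant user-space event types."""
    counts: dict[str, int] = {}
    for ev in events:
        t = ev.get("event_type")
        if t in SECURITY_EVENTS:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    # Mute a noisy indexer by executable path (constructed choice, not Apple's default list).
    quiet = MuteRules(process_paths={"/usr/sbin/mds"})
    print("muted mds:", summarize(filter_events(SAMPLE_LINES, quiet)))
    # Inverted: only file events touching one sensitive path are delivered.
    watch = MuteRules(target_paths={"/Users/alice/.ssh/id_ed25519"}, inverted=True)
    for ev in filter_events(SAMPLE_LINES, watch):
        print("selected:", ev["event_type"], ev["process"]["executable"]["path"])
```

The inversion check is the whole point: with `inverted=False` a rule hit means "drop", with `inverted=True` the same hit means "keep", so a single rule set expresses both "everything except these processes" and "only these target paths". A real client expresses the same thing through the Endpoint Security C API rather than by post-filtering JSON, and gets the performance benefit the notes describe because muted events are never delivered in the first place.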