Relation between audit sessions and security sessions

Our goal is to match process events from the EndpointSecurity framework with user sessions. Process UID on its own seems unreliable as it can easily change within the same session, think root. We came up with the idea to match ASIDs with security session IDs. We searched the fringes of the known documentation, but all we came up with was:


> A user-login domain is created when the user logs in at the GUI and is identified by the audit session identifier associated with that login. If a user domain has an associated login domain, the print subcommand will display the ASID of that login domain.

launchctl man page


> Each time a user is authenticated with the system, the Security layer of the system creates a unique ID to identify the user’s login session. This ID is the security session ID, often referred to simply as the session ID. Applications can use the session ID to distinguish among resources allocated in different login sessions. https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPMultipleUsers/Concepts/SystemContexts.html


ASIDs can be retrieved programmatically from ES message audit tokens or via launchctl procinfo. They look identical to the security session IDs that are returned by SessionGetInfo(). Are they the same and are they guaranteed to stay the same? Is there any documentation about their relationship?

Answered by DTS Engineer in 419819022

> or via launchctl procinfo.

I want to be clear that the output from procinfo is only intended for users to read. The launchctl man page is very clear about this:

> This subcommand is intended for diagnostic purposes only, and its output should not be relied upon in production scenarios.

With regards ASIDs, you wrote:

> Is there any documentation about their relationship?

I don’t think so. Historically, the security session ID was the only option available and it was maintained by the security daemon. The ASID was added later as a kernel-level construct, and the security session ID was then ‘ported’ to live on top of it.

I’m curious why you care about this correlation, or indeed why you care about security session IDs at all? In what situation do you get a security session ID and then need to correlate it to an ASID? Indeed, in what situation do you need to use a security session ID at all? AFAIK they are basically redundant now that we have pervasive ASID support.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you, Quinn!


We were under the impression that the "contemporary" way to identify a user session (from user space) was its security session ID while ASID was a more obscure construct primarily used by libbsm and, by extension, ES. But, as you put it, the state of affairs seems to be more like the opposite. Please pardon the ignorance, but what API would let us directly retrieve the ASID from user space? Our intention is to pass it on to a daemon that tracks process events back to the user session where they originated. We are aware that the ASID can be obtained from XPC connections which, of course, can also point to agents living in user space. Unfortunately, that technology is not in the picture right now.


EDIT: Seems like getting the audit token for our task does the job pretty well.

> Seems like getting the audit token for our task does the job pretty well.

Right.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
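Putting the two posts above together, as an added example (not code from the thread, from Apple, or from the asker's project): fetch the current task's audit token with task_info(TASK_AUDIT_TOKEN), read its ASID field (the same field libbsm's audit_token_to_asid() returns), pull that field from an ES message's process audit token, and compare it with what SessionGetInfo() reports. The function names currentAuditToken, asid(of:), asidOfESProcess and currentSecuritySessionID are my own.

```swift
import Foundation
import Security           // SessionGetInfo, SecuritySessionId, callerSecuritySession
import EndpointSecurity   // es_message_t, used only by asidOfESProcess

// Fetch this task's audit token from the kernel (task_info with TASK_AUDIT_TOKEN).
// Returns nil if the Mach call fails.
func currentAuditToken() -> audit_token_t? {
    var token = audit_token_t()
    // TASK_AUDIT_TOKEN_COUNT: size of audit_token_t in natural_t units (8).
    var count = mach_msg_type_number_t(MemoryLayout<audit_token_t>.size / MemoryLayout<natural_t>.size)
    let kr = withUnsafeMutablePointer(to: &token) { tokenPtr in
        tokenPtr.withMemoryRebound(to: integer_t.self, capacity: Int(count)) { infoPtr in
            task_info(mach_task_self_, task_flavor_t(TASK_AUDIT_TOKEN), infoPtr, &count)
        }
    }
    return kr == KERN_SUCCESS ? token : nil
}

// The ASID is field 6 of the audit token; this is exactly what libbsm's
// audit_token_to_asid() returns. Reading the field directly keeps this in pure Swift
// (bsm/libbsm.h is not a Swift module without a bridging header).
func asid(of token: audit_token_t) -> UInt32 {
    return token.val.6
}

// For an ES event, the originating process's audit token is carried on the message,
// so a daemon can tag every event with the session it came from without trusting the UID.
func asidOfESProcess(_ message: UnsafePointer<es_message_t>) -> UInt32 {
    return asid(of: message.pointee.process.pointee.audit_token)
}

// Security session ID of the calling process, via the Security framework.
func currentSecuritySessionID() -> SecuritySessionId? {
    var sessionID: SecuritySessionId = 0
    var attributes: SessionAttributeBits = 0
    let status = SessionGetInfo(callerSecuritySession, &sessionID, &attributes)
    return status == errSecSuccess ? sessionID : nil
}

// Compare both IDs for this process, which is what the thread above does by eye.
if let token = currentAuditToken(), let secSID = currentSecuritySessionID() {
    let auditSID = asid(of: token)
    print("ASID \(auditSID), security session ID \(secSID), equal: \(auditSID == secSID)")
}
```

Run it from a GUI login session and again from a process started by a LaunchDaemon to see how the two values track each other across session types.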