How to track user logins with Endpoint Security?

Privacy & Security General
wriker OP
Created Aug ’21
Replies 1
Boosts 0
Views 960
Participants 2

I couldn't find an event type to subscribe to for identifying user logins (SSH, GUI). As an alternative approach I investigated the possibility of monitoring process events e.g. for loginwindow. However, I noticed that this doesn't seem to work either, because the user id and audit session id changes from root 0/system session 100001 right after exec to the respective user's id (e.g. 501) and his gui session id (e.g.100005) after successful authentication. Since I couldn't find any evidence for a fork or exec event, I assume that something like setuid is used internally.

  1. Is there any way one could get notified for events which change the process' context (like setuid or a session id change)?
  2. Are there events for user logins/sessions I've overlooked?
Replies  1
Boosts  0
Views  960
Participants  2
DTS Engineer OP
Apple
Aug ’21
Accepted Answer

Are there events for user logins/sessions I've overlooked?

No. This is one place where you must continue to use the (otherwise deprecated) audit subsystem (BSM).

Use an audit pipe to get interactive updates; see the auditpipe man page for the details.

Oh, and I’m pretty sure we have an enhancement request on file for ES support for user session events, but it wouldn’t hurt to file your own, discussing your specific requirements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1
How to track user logins with Endpoint Security?
First post date Last post date
 
 
Q