Endpoint Security: discerning successful from failed events

Hello,

As I understand it, the ES framework provides notifications for specific event types. For my question, auth events do not matter, as I'm not interested in allowing/denying events, just reporting.

Is there a way to retrieve the information if an event was successful/failed from an ES message? So far, I have found nothing in this regard in the documentation.

For example, under certain circumstances, I get two notifications if I try to delete a file via the Finder, for which administrator privileges are required. The first is when the authorization dialog appears (this notification is for the failed unlink event), and the second is when I enter the correct credentials and the file is deleted.

Example for reproduction:

  1. Open a terminal and create a file in "/etc" with the command "sudo touch test.txt".
  2. Run the command 'sudo eslogger unlink | grep -E "test.txt"' to start monitoring UNLINK events for files named "test.txt".
  3. Open the folder "/etc" in Finder.
  4. Select the file "test.txt", click on "File" in the menu, and hold down the Option key. Then select "Delete Immediately...".
  5. In the appearing dialog, click on "Delete".
  6. Before entering the administrator password, and while the credentials dialog is still open, observe that eslogger already reports an UNLINK event for this file. It reports the user information: "ruid":501,"euid":501,"rgid":20,"auid":501,"egid":20.
  7. Enter the administrator password to confirm the deletion of the file.
  8. Observe that eslogger reports a second UNLINK event for this file. This time with the user information: "ruid":0,"euid":0,"rgid":0,"auid":501,"egid":0.

So, is there a way to check the first event for failure? Otherwise, I would need to check manually if the file is still there after receiving the first notification, if I only want to report events that "really" happened (excluding attempts).
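The fallback described at the end of the post, as an added example that is not part of the original post or of Apple's tooling: a small filter placed after `eslogger unlink` that reads its JSON lines and, for each unlink NOTIFY, stats the target path immediately to decide whether the deletion took effect. It goes one step beyond a plain existence check by comparing the event's `st_dev`/`st_ino` with the current file, so a file that was deleted and then recreated at the same path is still reported as deleted. The eslogger JSON key layout (`event.unlink.target.path`, `event.unlink.target.stat`, `process.audit_token`, `process.executable.path`), the two sample records, and the `/hypothetical/privileged-helper` executable path are assumptions; the sample records are constructed to mirror the two events in the post, and the `--demo` mode replays them against a fake filesystem so the script runs offline.

```python
#!/usr/bin/env python3
"""Filter for `eslogger unlink` output that separates unlink attempts from
deletions that actually took effect (added example, not Apple's code).

Usage:   sudo eslogger unlink | python3 es_unlink_filter.py
         python3 es_unlink_filter.py --demo   # replay the constructed sample

ASSUMED eslogger JSON layout (only these keys are read; adjust if your
eslogger version differs):
  event.unlink.target.path
  event.unlink.target.stat.st_dev / st_ino
  process.audit_token.ruid / euid
  process.executable.path
"""
import json
import os
import sys


def parse_unlink(line):
    """Return the fields we care about from one eslogger record, or None if the
    record is not an unlink event."""
    rec = json.loads(line)
    unlink = rec.get("event", {}).get("unlink")
    if unlink is None:
        return None
    target = unlink["target"]
    stat = target.get("stat") or {}
    proc = rec.get("process", {})
    tok = proc.get("audit_token", {})
    return {
        "path": target["path"],
        "dev": stat.get("st_dev"),
        "ino": stat.get("st_ino"),
        "ruid": tok.get("ruid"),
        "euid": tok.get("euid"),
        "exe": proc.get("executable", {}).get("path"),
    }


def lookup_fs(path):
    """Current (st_dev, st_ino) of path, or None if it no longer exists."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_dev, st.st_ino)


def classify(ev, lookup=lookup_fs):
    """Heuristic verdict for one unlink NOTIFY, checked right after delivery:
      "deleted"  - path is gone, or a different file (dev/ino) now sits there
      "attempt"  - the same file is still present (e.g. the pre-auth attempt)
    The stat races with other activity on the path; treat it as best-effort."""
    now = lookup(ev["path"])
    if now is None:
        return "deleted"
    if ev["dev"] is not None and ev["ino"] is not None and now != (ev["dev"], ev["ino"]):
        return "deleted"  # original inode is gone; something recreated the path
    return "attempt"


def classify_line(line, lookup=lookup_fs):
    """(verdict, parsed event) for an unlink record, None for anything else."""
    ev = parse_unlink(line)
    if ev is None:
        return None
    return classify(ev, lookup), ev


# Constructed sample mirroring the two events in the post (not real eslogger
# output). The privileged helper's executable path is hypothetical.
SAMPLE_DEV, SAMPLE_INO = 16777231, 123456
SAMPLE_LINES = [
    json.dumps({"event": {"unlink": {"target": {"path": "/etc/test.txt",
                "stat": {"st_dev": SAMPLE_DEV, "st_ino": SAMPLE_INO}}}},
                "process": {"audit_token": {"ruid": 501, "euid": 501, "rgid": 20, "auid": 501, "egid": 20},
                            "executable": {"path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"}}}),
    json.dumps({"event": {"unlink": {"target": {"path": "/etc/test.txt",
                "stat": {"st_dev": SAMPLE_DEV, "st_ino": SAMPLE_INO}}}},
                "process": {"audit_token": {"ruid": 0, "euid": 0, "rgid": 0, "auid": 501, "egid": 0},
                            "executable": {"path": "/hypothetical/privileged-helper"}}}),
]


def run_demo():
    """Replay the sample against a fake filesystem: the file is still there
    after the first (unprivileged) event and gone once the root unlink ran."""
    fake_fs = {"/etc/test.txt": (SAMPLE_DEV, SAMPLE_INO)}
    results = []
    for i, line in enumerate(SAMPLE_LINES):
        verdict, _ev = classify_line(line, fake_fs.get)
        results.append(verdict)
        if i == 0:
            del fake_fs["/etc/test.txt"]  # authorized deletion happens before event 2
    return results  # ["attempt", "deleted"]


def main(argv):
    if "--demo" in argv:
        for verdict in run_demo():
            print(verdict)
        return
    for raw in sys.stdin:
        line = raw.strip()
        res = classify_line(line) if line else None
        if res:
            verdict, ev = res
            print(f"{verdict:8} {ev['path']} euid={ev['euid']} ruid={ev['ruid']} exe={ev['exe']}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `sudo eslogger unlink | python3 es_unlink_filter.py` and repeat the Finder steps; the first event should print as `attempt` and the second as `deleted`. The window between the notification and the `os.stat` is a real race, so a verdict of `attempt` for a file that some other process removes a moment later is possible; the dev/ino comparison only protects against the recreate-at-same-path case, not against that timing gap.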