How to monitor file copy event from 3rd file system by Endpoint Security client

I mounted a 3rd file system on macOS. I want to monitor copy events made by Finder on this 3rd file system, so I use an Endpoint Security client.

I know that ES_EVENT_TYPE_NOTIFY_CLONE will only be triggered by an Apple File System clone operation. ES_EVENT_TYPE_NOTIFY_COPYFILE is triggered by the SYS_copyfile system call.

If I want to monitor the copy/paste operation by Finder (the copy can happen in the 3rd file system or between the 3rd file system and Apple File System), which ES event should I register?

Accepted Reply

This is a classic example of this issue I discuss in Inferring High-Level Semantics from Low-Level Operations.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Thanks Quinn. As the document said, it's not a good idea to infer the high-level 'Copy' action from low-level operations. But I believe there are requirements to monitor the user copy action with Endpoint Security, such as a security policy that does not allow a special file to be copied. Just like the user log in/out events, is there a plan to support 'copy' in the ES framework?
