Hello,
My app needs to report whether a file, which is located on a USB volume, is modified by a specific application. I use the Endpoint Security framework and I know about the "Inferring High-Level Semantics from Low-Level Operations" problem.
However, in spite of this limitation, I need to implement an app which reports as much info as possible.
I faced some unclear behaviour of TextEdit. The scenario is:
- Open a file, which is located on a USB volume, with TextEdit
/dev/disk4s2 on /Volumes/USBVol (msdos, local, nodev, nosuid, noowners, noatime, fskit)
- Modify and save it
Endpoint Security reports open and close events only (modified flag is false).
ES_EVENT_TYPE_AUTH_COPYFILE, ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_NOTIFY_UTIMES and ES_EVENT_TYPE_NOTIFY_WRITE are not reported by Endpoint Security (I monitored all processes in the system). (It looks like the same behaviour for Xcode.)
I am stuck at this moment. Is there any way to monitor file modification if the user does it with TextEdit?
Thank you in advance!
My general advice in situations like this is to run fs_usage against the app modifying the doc. That’ll tell you what system calls it’s using, and from there you can generally figure out what ES events to watch.
In my experience TextEdit uses a ‘safe save’ model, so it writes to a temporary file and then renames the temporary onto the original file so that the file appears to update atomically.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
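
The safe-save sequence described in the answer above (write a temporary file, then rename it onto the original), as an added example that is not part of the original thread: a small C model that correlates low-level events into a "watched file was modified" verdict. The `fs_event` record, the `track` function, the paths and the pid are hypothetical and constructed; a real client would fill the record from Endpoint Security messages such as ES_EVENT_TYPE_NOTIFY_WRITE and ES_EVENT_TYPE_NOTIFY_RENAME.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified event record (not the Endpoint Security API).
   Paths are borrowed pointers; a real client would copy them. */
typedef enum { EV_WRITE, EV_RENAME } ev_type;
typedef struct { ev_type type; int pid; const char *path, *dest; } fs_event;
typedef enum { UNCHANGED, IN_PLACE, SAFE_SAVE, REPLACED } verdict;

#define MAX_DIRTY 64
static struct { int pid; const char *path; } dirty[MAX_DIRTY];
static int n_dirty;

/* Index of a path this pid is known to have written, or -1. */
static int find_dirty(int pid, const char *path) {
    for (int i = 0; i < n_dirty; i++)
        if (dirty[i].pid == pid && strcmp(dirty[i].path, path) == 0) return i;
    return -1;
}

/* Feed events in order; says how (if at all) this event changed `watched`. */
verdict track(const fs_event *e, const char *watched) {
    int i = find_dirty(e->pid, e->path);
    if (e->type == EV_WRITE) {
        if (i < 0 && n_dirty < MAX_DIRTY) {
            dirty[n_dirty].pid = e->pid;
            dirty[n_dirty++].path = e->path;
        }
        return strcmp(e->path, watched) == 0 ? IN_PLACE : UNCHANGED;
    }
    /* EV_RENAME: written data follows the file to its new name. */
    if (i >= 0) dirty[i].path = e->dest;
    if (strcmp(e->dest, watched) != 0) return UNCHANGED;
    /* The watched path now holds other content: data we saw written
       (safe save), or a file whose writes were never observed. */
    return i >= 0 ? SAFE_SAVE : REPLACED;
}

int main(void) {
    /* Constructed sample: temp file written, then renamed onto the document. */
    const char *doc = "/Volumes/USBVol/notes.txt";
    const char *tmp = "/Volumes/USBVol/.tmp-constructed/notes.txt";
    fs_event evs[] = { { EV_WRITE, 501, tmp, NULL }, { EV_RENAME, 501, tmp, doc } };
    for (size_t k = 0; k < sizeof evs / sizeof evs[0]; k++)
        printf("event %zu -> verdict %d\n", k, track(&evs[k], doc));
    return 0;
}
```

The `REPLACED` verdict covers the case where no write to the source was ever observed: a rename onto the watched path still means its content changed.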