fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other
3.16k stars 432 forks source link

Collect additional process IDs and process ID versions in macOS Endpoint Security tables #20856

Open ambrusps opened 3 months ago

ambrusps commented 3 months ago

copied over from osquery issue #8380

What new feature do you want?

Collect additional process ID fields and process ID versions for the es_process_events table in macOS:

Also update es_process_file_events with PID version fields where available for correlation.

How is this new feature useful?

Responsible PID is helpful for understanding inheritance of TCC permissions. Session ID is useful to correlate commands and process groups across a session. See https://themittenmac.com/threat-hunting-pids-within-apples-es-api/ for more discussion of these.

The PID version fields are useful to disambiguate PIDs from each other when they are reused, so that we can form an accurate process tree based on the es_process_events data. The PID version is contained in the audit token (more details here)

How can this be implemented?

Add logic to these files to extract the new fields where applicable:

PID versions are available from the audit tokens in es_process_t structure using audit_token_to_pidversion function

noahtalerman commented 3 months ago

Thanks for tracking this @ambrusps!