fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Collect additional process IDs and process ID versions in macOS Endpoint Security tables #20856

Open ambrusps opened 2 months ago

ambrusps commented 2 months ago

copied over from osquery issue #8380

What new feature do you want?

Collect additional process ID fields and process ID versions for the es_process_events table in macOS:

Also update es_process_file_events with PID version fields where available for correlation.

How is this new feature useful?

Responsible PID is helpful for understanding inheritance of TCC permissions. Session ID is useful to correlate commands and process groups across a session. See https://themittenmac.com/threat-hunting-pids-within-apples-es-api/ for more discussion of these.

The PID version fields are useful to disambiguate PIDs from each other when they are reused, so that we can form an accurate process tree based on the es_process_events data. The PID version is contained in the audit token (more details here).

How can this be implemented?

Add logic to these files to extract the new fields where applicable:

PID versions are available from the audit tokens in the es_process_t structure using the audit_token_to_pidversion function.
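To show why the pid version matters for the process tree described above, here is an added C example (not Fleet or osquery code) that resolves a parent from es_process_events-style rows once by pid alone and once by the (pid, pidversion) pair; the local audit_token_t layout and the word indices read for pid and pidversion are assumed to match libbsm's, and the events are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the eight-word audit_token_t layout libbsm uses on macOS, declared
 * locally (assumption) so the example builds without <bsm/libbsm.h>. */
typedef struct { uint32_t val[8]; } audit_token_t;

/* Same words libbsm's audit_token_to_pid / audit_token_to_pidversion return. */
static uint32_t token_pid(const audit_token_t *t)        { return t->val[5]; }
static uint32_t token_pidversion(const audit_token_t *t) { return t->val[7]; }

/* Stand-in for one es_process_events row carrying the proposed version fields. */
typedef struct {
    audit_token_t audit_token;        /* es_process_t.audit_token */
    audit_token_t parent_audit_token; /* es_process_t.parent_audit_token */
    const char *path;
} proc_row;

/* (pid, pidversion) packed into one key: unique even after the kernel reuses a pid. */
static uint64_t proc_key(const audit_token_t *t) { return ((uint64_t)token_pid(t) << 32) | token_pidversion(t); }

static audit_token_t mk(uint32_t pid, uint32_t ver) {
    audit_token_t t = {{0}}; t.val[5] = pid; t.val[7] = ver; return t;
}

/* Constructed events, not captured data: pid 500 is held first by a shell that
 * exited, then by python3, which is curl's real parent. */
static size_t sample_events(proc_row *out) {
    out[0] = (proc_row){ mk(500, 1), mk(1, 1),   "/bin/sh" };
    out[1] = (proc_row){ mk(500, 2), mk(1, 1),   "/usr/bin/python3" };
    out[2] = (proc_row){ mk(777, 3), mk(500, 2), "/usr/bin/curl" };
    return 3;
}

/* Resolve curl's parent either by the full (pid, pidversion) key or by pid alone. */
const char *resolve_parent_path(int use_pidversion) {
    proc_row rows[3];
    size_t n = sample_events(rows);
    const audit_token_t *parent = &rows[n - 1].parent_audit_token;
    for (size_t i = 0; i < n; i++) {
        int hit = use_pidversion ? proc_key(&rows[i].audit_token) == proc_key(parent)
                                 : token_pid(&rows[i].audit_token) == token_pid(parent);
        if (hit) return rows[i].path; /* pid-only lookup stops at the stale /bin/sh row */
    }
    return NULL;
}

int main(void) {
    printf("pid only: %s\nwith version: %s\n", resolve_parent_path(0), resolve_parent_path(1));
}
```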

noahtalerman commented 2 months ago

Thanks for tracking this @ambrusps!