
Process Monitor Library (based on Apple's new Endpoint Security Framework)
GNU General Public License v3.0

add environment variable collection behind -parseEnv flag #2

Closed ronwai closed 2 years ago

ronwai commented 3 years ago

Hey there! This PR adds environment variable information to Process Monitor's process execution events. It calls es_exec_env() on es_event_exec_t events to retrieve the environment variable strings, parses each into separate key and value strings, and builds an object from the resulting pairs. The feature is gated behind the -parseEnv flag for backwards compatibility, just in case. Please let me know if there are any additional changes you would like, cheers!

Sample output:

{
   "event":"ES_EVENT_TYPE_NOTIFY_EXEC",
   "timestamp":"2021-06-16 05:57:13 +0000",
   "process":{
      "pid":3841,
      "name":"sleep",
      "path":"/bin/sleep",
      "uid":501,
      "architecture":"Apple Silicon",
      "arguments":[
         "sleep",
         "5"
      ],
      "environment":{
         "TERM_SESSION_ID":"568A9417-78DB-460B-B0FA-B4222C12C917",
         "SSH_AUTH_SOCK":"/private/tmp/com.apple.launchd.1Shd6INeXx/Listeners",
         "OLDPWD":"/Users/rwx",
         "XPC_FLAGS":"0x0",
         "LANG":"en_CA.UTF-8",
         "PWD":"/Users/rwx",
         "SHELL":"/bin/zsh"
      },
      "ppid":700,
      "rpid":619,
      "ancestors":[
         619,
         1
      ],
      "signing info (reported)":{
         "csFlags":570492929,
         "platformBinary":1,
         "signingID":"com.apple.sleep",
         "teamID":"",
         "cdHash":"184D976B4D71ADFDE64B76999FC3C55B27D2BAD3"
      },
      "signing info (computed)":{
         "signatureID":"com.apple.sleep",
         "signatureStatus":0,
         "signatureSigner":"Apple",
         "signatureAuthorities":[
            "Software Signing",
            "Apple Code Signing Certification Authority",
            "Apple Root CA"
         ]
      }
   }
}