Is DeepGuard able to watch "/dev/dtracehelper" file?

66f2e490

Hi dev team,

Good day. I want to audit the command $launchctl 's execution. After using FileMonitor.app (by Objective-See), I found that during its execution, this command tries to open "/dev/dtracehelper".

However, when I set up the following rule under the strict mode, DeepGuard did NOT generate any dialog. Is DeepGuard doesn't support watching this file yet? Thanks in advance & best regards.

RULE: watch "/dev/dtracehelper" "any" rwx

66f2e490

Why I wanna watch the "/dev/dtracehelper" instead of "/bin/launchctl", because the following rule can be easily bypassed, just put $launchctl outside of "/bin/". Any good ideas?

RULE: watch "/bin/launchtl" "any" rx

pajp

Hi,

I'll do some experimenting to see if I can figure out how to satisfy your use case of watching for launchctl launches - but I just wanted to mention that watching /dev/dtracehelper is probably not a good idea as nearly every process that is launched on macOS will access that file. You can observe this by running e.g. "sudo fs_usage | grep dtracehelper" and for example opening a few Terminal windows or restarting a few apps.

66f2e490

Hi @pajp

thanks for your answer! Indeed you're right, looks like every app will access /dev/dtracehelper.

I always worry unnecessarily about some processes w/ root access would $launchctl unload -w /L/LaunchDaemons/com.f-secure... DG can stop unauthorized root processes to access my file, but can't stop them to use launchctl to unload itself, that's why I would like to watch for launchctl's launch.

Thanks again and best regards.

66f2e490

Hi,

Or can we use the "signatureID/signingID" as a condition to audit launchctl's launch? No matter where the command is located, its "signatureID/signingID" should be the same.

Best regards.

66f2e490

Good day. I think ES_EVENT_TYPE_AUTH_SIGNAL could be used for preventing being unloaded by launchd.

ref: developer.apple.com/forums/thread/681063

Best regards.