Is DeepGuard able to watch "/dev/dtracehelper" file?

Hi dev team,

Good day. I want to audit the command $launchctl 's execution. After using FileMonitor.app (by Objective-See), I found that during its execution, this command tries to open "/dev/dtracehelper".

However, when I set up the following rule under the strict mode, DeepGuard did NOT generate any dialog. Is DeepGuard doesn't support watching this file yet? Thanks in advance & best regards.

RULE: watch "/dev/dtracehelper" "any" rwx


Answers

  • 66f2e490
    66f2e490 Posts: 56 Contributor

    Why I wanna watch the "/dev/dtracehelper" instead of "/bin/launchctl", because the following rule can be easily bypassed, just put $launchctl outside of "/bin/". Any good ideas?

    RULE: watch "/bin/launchtl" "any" rx

  • pajp
    pajp Posts: 110 F-Secure Employee

    Hi,

    I'll do some experimenting to see if I can figure out how to satisfy your use case of watching for launchctl launches - but I just wanted to mention that watching /dev/dtracehelper is probably not a good idea as nearly every process that is launched on macOS will access that file. You can observe this by running e.g. "sudo fs_usage | grep dtracehelper" and for example opening a few Terminal windows or restarting a few apps.

    Rasmus Sten

    F-Secure Technology, Mac Team

  • 66f2e490
    66f2e490 Posts: 56 Contributor

    Hi @pajp

    thanks for your answer! Indeed you're right, looks like every app will access /dev/dtracehelper.

    I always worry unnecessarily about some processes w/ root access would $launchctl unload -w /L/LaunchDaemons/com.f-secure... DG can stop unauthorized root processes to access my file, but can't stop them to use launchctl to unload itself, that's why I would like to watch for launchctl's launch.

    Thanks again and best regards.

  • 66f2e490
    66f2e490 Posts: 56 Contributor

    Hi,

    Or can we use the "signatureID/signingID" as a condition to audit launchctl's launch? No matter where the command is located, its "signatureID/signingID" should be the same.

    Best regards.


  • 66f2e490
    66f2e490 Posts: 56 Contributor

    Good day. I think ES_EVENT_TYPE_AUTH_SIGNAL could be used for preventing being unloaded by launchd.

    ref: developer.apple.com/forums/thread/681063

    Best regards.

Feedback on New Design