Is DeepGuard able to watch "/dev/dtracehelper" file?
Hi dev team,
Good day. I want to audit the execution of the command `launchctl`. After using FileMonitor.app (by Objective-See), I found that during its execution this command tries to open "/dev/dtracehelper".
However, when I set up the following rule under strict mode, DeepGuard did NOT generate any dialog. Does DeepGuard not support watching this file yet? Thanks in advance & best regards.
RULE: watch "/dev/dtracehelper" "any" rwx
Answers
-
Hi,
I'll do some experimenting to see if I can figure out how to satisfy your use case of watching for launchctl launches - but I just wanted to mention that watching /dev/dtracehelper is probably not a good idea as nearly every process that is launched on macOS will access that file. You can observe this by running e.g. "sudo fs_usage | grep dtracehelper" and for example opening a few Terminal windows or restarting a few apps.
Rasmus Sten
F-Secure Technology, Mac Team
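To make the point in the answer above concrete (that nearly every launched process opens /dev/dtracehelper, so a rule on that path is noise), here is an added example that is not part of the thread: a small Python parser for fs_usage-style output that counts which processes opened that device and isolates what a given process (here launchctl) touched. The sample lines are constructed to approximate the fs_usage column layout (timestamp, syscall, arguments, elapsed time, process.thread); they are not a real capture. Column widths and the helper names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of fs_usage-style lines (approximation of the real
# layout; not an actual capture). Each line: timestamp, syscall, args,
# elapsed seconds, process.thread-id.
SAMPLE_FS_USAGE = """\
14:17:53.456170  open    F=3  (R_____)  /dev/dtracehelper                         0.000018   Terminal.12345
14:17:53.456301  ioctl   F=3  <CMD=0x80086804>                                    0.000009   Terminal.12345
14:17:53.456377  close   F=3                                                      0.000004   Terminal.12345
14:17:54.101220  open    F=3  (R_____)  /dev/dtracehelper                         0.000021   bash.12346
14:17:54.101402  close   F=3                                                      0.000003   bash.12346
14:17:55.220011  open    F=3  (R_____)  /dev/dtracehelper                         0.000017   launchctl.12347
14:17:55.220190  close   F=3                                                      0.000003   launchctl.12347
14:17:55.900000  open    F=4  (R_____)  /Library/LaunchDaemons/com.example.plist  0.000030   launchctl.12347
14:17:56.300000  open    F=3  (R_____)  /dev/dtracehelper                         0.000019   Safari.12348
14:17:56.300500  open    F=3  (R_____)  /dev/dtracehelper                         0.000016   Terminal.12349
"""

DTRACEHELPER = "/dev/dtracehelper"

# timestamp, syscall, free-form args (non-greedy), elapsed time, proc.tid
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<op>\S+)\s+(?P<rest>.*?)\s+"
    r"(?P<elapsed>\d+\.\d+)\s+(?P<proc>\S+)\.(?P<tid>\d+)$"
)
PATH_RE = re.compile(r"(/\S+)")


def parse_fs_usage(text):
    """Parse fs_usage-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path_match = PATH_RE.search(m.group("rest"))
        events.append({
            "ts": m.group("ts"),
            "op": m.group("op"),
            "path": path_match.group(1) if path_match else None,
            "proc": m.group("proc"),
            "tid": int(m.group("tid")),
        })
    return events


def dtracehelper_openers(events):
    """Count open() calls on /dev/dtracehelper per process name.

    A large, diverse result is the signal that a watch rule on this path
    would fire for practically every process launch."""
    return Counter(
        e["proc"] for e in events
        if e["op"].startswith("open") and e["path"] == DTRACEHELPER
    )


def paths_touched_by(events, proc_name):
    """Paths a given process opened, in order; useful to see what launchctl
    itself reads besides the noisy device node."""
    return [
        e["path"] for e in events
        if e["proc"] == proc_name and e["op"].startswith("open") and e["path"]
    ]


if __name__ == "__main__":
    evs = parse_fs_usage(SAMPLE_FS_USAGE)
    print("processes opening", DTRACEHELPER, "->", dict(dtracehelper_openers(evs)))
    print("launchctl opened:", paths_touched_by(evs, "launchctl"))
```

Real output can be captured with `sudo fs_usage -w -f filesys` (wide mode keeps long paths from being truncated) and fed to `parse_fs_usage` instead of the constructed sample. Even on this small sample, four unrelated process names open the device, which is why a rule keyed on /dev/dtracehelper cannot single out launchctl.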
-
Hi @pajp
thanks for your answer! Indeed you're right, looks like every app will access /dev/dtracehelper.
I always worry, perhaps unnecessarily, that some processes with root access would run `launchctl unload -w /L/LaunchDaemons/com.f-secure...`. DG can stop unauthorized root processes from accessing my file, but can't stop them from using launchctl to unload itself; that's why I would like to watch for launchctl's launch.
Thanks again and best regards.