debugging os x
Aug 08, 2023
In order to use dtrace or dtruss like you'd use strace on linux, you need to disable SIP, which is a pain. There are some tools you can use though, that work with Apple's endpoint security framework:
- here's a video from WWDC about the endpoint security framework
- command line
eslogger, at/usr/bin/eslogger- list event types with
eslogger --list-events - monitor the events you're interested in with
sudo eslogger [event types...] - For example,
eslogger stat write unlink createwill show you file events in a jsonl format - the
jsonlformat also means you can usejqto process the events. Here's a command that will list just the executables that getexeced on your system:sudo eslogger exec | jq -r '.event.exec.target.executable.path'
- list event types with
- File Monitor and ProcessMonitor
- available via homebrew:
brew install filemonitor processmonitor - example of usage:
$ sudo /Applications/FileMonitor.app/Contents/MacOS/FileMonitor -filter python {"event":"ES_EVENT_TYPE_NOTIFY_OPEN","timestamp":"2023-08-04 18:23:29 +0000","file":{"destination":"/Users/llimllib/.local/share/asdf/shims/python","process":{"pid":57014,"name":"bash","path":"/opt/homebrew/Cellar/bash/5.2.15/bin/bash","uid":501,"architecture":"Apple Silicon","arguments":[],"ppid":55569,"rpid":55327,"ancestors":[55327,1],"signing info (reported)":{"csFlags":570556931,"platformBinary":0,"signingID":"bash","teamID":"","cdHash":"A93C88D2F2D788FA7490533631214F21D6ED7BD1"},"signing info (computed)":{"signatureStatus":0,"signatureSigner":"AdHoc","signatureID":"bash"}}}} {"event":"ES_EVENT_TYPE_NOTIFY_CLOSE","timestamp":"2023-08-04 18:23:29 +0000","file":{"destination":"/Users/llimllib/.local/share/asdf/shims/python","process":{"pid":57014,"name":"bash","path":"/opt/homebrew/Cellar/bash/5.2.15/bin/bash","uid":501,"architecture":"Apple Silicon","arguments":[],"ppid":55569,"rpid":55327,"ancestors":[55327,1],"signing info (reported)":{"csFlags":570556931,"platformBinary":0,"signingID":"bash","teamID":"","cdHash":"A93C88D2F2D788FA7490533631214F21D6ED7BD1"},"signing info (computed)":{"signatureStatus":0,"signatureSigner":"AdHoc","signatureID":"bash"}}}} - available via homebrew:
- Application UIs
- Crescendo is OSS
brew install crescendo
- Red Canary Mac Monitor
brew install red-canary-mac-monitor
- Crescendo is OSS
All of them use the same framework, so they all seem to give the same results
Backlinks: