notes.billmill.org / computer_usage / mac_os /

debugging os x

last updated: Oct 20, 2023

In order to use dtrace or dtruss like you'd use strace on linux, you need to disable SIP, which is a pain. There are some tools you can use though, that work with Apple's endpoint security framework:
- here's a video from WWDC about the endpoint security framework

command line

eslogger, at /usr/bin/eslogger
- list event types with eslogger --list-events
- monitor the events you're interested in with sudo eslogger [event types...]
- For example, eslogger stat write unlink create will show you file events in a jsonl format
- the jsonl format also means you can use jq to process the events. Here's a command that will list just the executables that get execed on your system:
  - sudo eslogger exec | jq -r '.event.exec.target.executable.path'

File Monitor and ProcessMonitor

available via homebrew: brew install filemonitor processmonitor
example of usage:

$ sudo /Applications/FileMonitor.app/Contents/MacOS/FileMonitor -filter python
{"event":"ES_EVENT_TYPE_NOTIFY_OPEN","timestamp":"2023-08-04 18:23:29 +0000","file":{"destination":"/Users/llimllib/.local/share/asdf/shims/python","process":{"pid":57014,"name":"bash","path":"/opt/homebrew/Cellar/bash/5.2.15/bin/bash","uid":501,"architecture":"Apple Silicon","arguments":[],"ppid":55569,"rpid":55327,"ancestors":[55327,1],"signing info (reported)":{"csFlags":570556931,"platformBinary":0,"signingID":"bash","teamID":"","cdHash":"A93C88D2F2D788FA7490533631214F21D6ED7BD1"},"signing info (computed)":{"signatureStatus":0,"signatureSigner":"AdHoc","signatureID":"bash"}}}}
{"event":"ES_EVENT_TYPE_NOTIFY_CLOSE","timestamp":"2023-08-04 18:23:29 +0000","file":{"destination":"/Users/llimllib/.local/share/asdf/shims/python","process":{"pid":57014,"name":"bash","path":"/opt/homebrew/Cellar/bash/5.2.15/bin/bash","uid":501,"architecture":"Apple Silicon","arguments":[],"ppid":55569,"rpid":55327,"ancestors":[55327,1],"signing info (reported)":{"csFlags":570556931,"platformBinary":0,"signingID":"bash","teamID":"","cdHash":"A93C88D2F2D788FA7490533631214F21D6ED7BD1"},"signing info (computed)":{"signatureStatus":0,"signatureSigner":"AdHoc","signatureID":"bash"}}}}

Application UIs
- Crescendo is OSS
  - brew install crescendo
- Red Canary Mac Monitor
  - brew install red-canary-mac-monitor

All of them use the same framework, so they all seem to give the same results

Backlinks:

↑ up