New event: kext load #16

droe · 2018-06-16T21:53:46Z

Add new event for kext loads. Not covered by audit(4), need to identify a good method to acquire this event. Analysis of kextd source might reveal some insights.

droe · 2018-07-29T20:24:26Z

A file-based solution can detect properly installed kexts, but uid 0 can load kexts from anywhere if the bundle is owned by root on disk, those are not captured. Watching kextstat would give us loaded kexts, but not which process loaded it. Ideal would be an audit(4) event reporting kext loads (filed as radar 42712435).

droe · 2018-08-01T17:42:39Z

File-based partial solution depends on #26.

droe added status:analysis-needed solution unclear, needs analysis by a developer type:feature request for additional functionality labels Jun 16, 2018

droe mentioned this issue Jul 5, 2018

New event: browser extension install #23

Open

droe changed the title ~~New event for kext load~~ New event: kext load Jul 23, 2018

droe added  status:blocked depends on other unresolved issue, github or external labels Jul 29, 2018

droe removed the status:analysis-needed solution unclear, needs analysis by a developer label Aug 1, 2018

droe removed the  label Sep 21, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New event: kext load #16

New event: kext load #16

droe commented Jun 16, 2018 •

edited

droe commented Jul 29, 2018

droe commented Aug 1, 2018

New event: kext load #16

New event: kext load #16

Comments

droe commented Jun 16, 2018 • edited

droe commented Jul 29, 2018

droe commented Aug 1, 2018

droe commented Jun 16, 2018 •

edited