New event: browser extension install

[losandros]

Hi,
Is usually use tools from Patrick Wardle (KnockKnock, BlockBlock, ...) to create events within macos and later on forward them to Splunk. The xnumon looks very promising to replace that workaround for me.

I'm currently missing a couple of thing that could be easily implemented by just extending some parts of your code:

1. Browser Extensions: Basically browser extensions are just files written to
   ~/Library/Safari/Extensions
   and
   ~/Library/Application Support/Mozilla/Extensions
   ~/Library/Application Support/Google/Chrome/External Extensions
   I think with your filesystem monitoring this is an easy add-on.

2. Kernel Extensions
   As far as I know these are also located here:
   /System/Library/Extensions or /Library/
   This should also be extandable by your FS monitoring.

I also looked at your code and I also read a lot about how BlockBlock is implemented. It looks like BlockBlock uses /dev/fsevents. (see https://objective-see.com/products/blockblock.html). Maybe this is an additional way to capture FS events.

[droe]

There main reason why I decided to use audit events instead of /dev/fsevents for filesystem monitoring so far was that audit events are synchronous in relation to process events. Synchronizing events from multiple sources is tricky to implement well. However, it's something that I wanted to eventually look into.

Note that kernel extensions don't need to be located in one of the directories you name, they can be loaded into the kernel from anywhere.

[losandros]

Makes sence! I really thought the kernel extensions need to be located there, good to know that this is not the case. But at least for the browser extensions the filesystem events could be used.

[droe]

Renaming this issue to reduce the scope to browser extensions. There is issue #16 for kext load events.

[droe]

Depends on #26 in order to deliver high quality events

[droe]

In addition to the improvements to the filemon core, this needs a thorough analysis of how and where browser extensions, plugins and other add-ons are actually installed for each browser. The above mentioned locations are not the only ways how code is installed in browsers.