v1.0.5

@Brandon7CC Brandon7CC released this 30 Jun 00:59
· 4 commits to main since this release
dace9f6

What's new in v1.0.5?

Keep the suggestions coming!

📝 Summary

In this release we’ve focused on starting to enable some fancy new features in macOS 14 Sonoma. First up: SwiftUI — finally we can customize our table columns (in a non-hacky way) and can provide a native alert with a suppression button!

Beyond all the excitement with SwiftUI, we’ve been introduced to a host of new Endpoint Security events, which this year generally focus on Open Directory / authorization eventing. macOS is making headway in enterprise! These events should make it easier for vendors to pull in eventing around Active Directory / LDAP nodes.

As of v1.0.5, macOS Sonoma users will have 41 events available to test with! To start supporting these new events (all of which are subscribed to by default), we’ve covered a few higher-impact Open Directory, authorization, MDM, and XPC events.

When working with Open Directory (OD), it’s helpful to keep an eye on the subsystem com.apple.opendirectoryd in the console. However, to help our users more easily understand the context of OD operations, we’ve also decoded the error codes into a human-readable form.

One small note: for authorization judgment events, we’ve organized the rights judged into a table within their event facts.

🏎️ Lastly, we’ve generally improved the performance of the Security Extension and the app with the help of the Core Data team over WWDC!

More to come — stay tuned for updates!

🥳 Fun stuff

🙌 Endpoint Security events added (see the telemetry reports section for more info)

These events are only available on machines running macOS 14 or later.
Additional muting has been applied by default to reduce noise. Check out the ../Mute sets/ directory.

  • ES_EVENT_TYPE_NOTIFY_PROFILE_ADD
    • When a profile is installed
  • ES_EVENT_TYPE_NOTIFY_OD_CREATE_USER
    • When a user has been created in an Open Directory node
  • ES_EVENT_TYPE_NOTIFY_OD_CREATE_GROUP
    • When a group has been created in an Open Directory node
  • ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD
    • When a member has been added to an Open Directory group
  • ES_EVENT_TYPE_NOTIFY_OD_MODIFY_PASSWORD
    • When a user’s password has been modified
  • ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_ADD
    • When a value has been added to a record
  • ES_EVENT_TYPE_NOTIFY_XPC_CONNECT
    • A connection has been established to an XPC service
  • ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_PETITION
    • A process has asked / “petitioned” for a set of authorization rights.
  • ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_JUDGEMENT
    • The security framework’s decision on the rights the process petitioned for

😌 User experience

macOS 14 and newer

  • 📖 Human-readable Open Directory error codes to assist with debugging
  • 🎨 Customizable table columns
    • System Security Unified table view
    • Process Execution events table view
    • Unified event correlation table view
    • Process Group table view
  • 🚨 Native alert for displaying a warning before clearing events

Cross compatible updates

  • ⚡️ General performance improvements across data retrieval in the Security Extension and the Core Data stack in the Event tracer app.
  • ❤️ Huge shoutout to the Core Data team for digging in with me over WWDC this year!

👨‍💻 Boring stuff

Sonoma bug fixes

  • Table row selection
  • Ask before quit
  • Disabling the event mask
  • Activity indicator