es_process_t
A type that describes a process, as delivered by an Endpoint Security message.
Declaration
struct es_process_t
Overview
For process events, this type also indicates the newly-executing process.
You can extract values such as the process identifier (PID), user identifier (UID), and group identifier (GID) from the audit_token field by using functions defined in libbsm.h.
Working with Code Signing
Fields related to code signing, such as cdhash and signing_id, reflect the state of the process at the time Endpoint Security generated the message. In the specific case of process execution, this is after the exec completes in the kernel, but before any code in the process starts executing. At that point, XNU has validated the signature itself and has verified that the cdhash is correct. This second validation means that the hash of all individual page hashes in the Code Directory matches the signed cdhash, essentially verifying that the signature wasn't tampered with. However, XNU doesn't verify individual page hashes until the binary executes and pages in the corresponding pages. XNU doesn't determine that a binary shows signs of tampering until the individual pages page in, at which point XNU updates the code signing flags.
Endpoint Security provides clients the current state of the CS flags in the codesigning_flags member of the es_process_t structure. Keep the following points in mind when evaluating this field:
The CS_VALID bit in codesigning_flags means that everything the kernel has validated up to that point in time was valid. However, this doesn't mean there's been a full validation of all the pages in the executable file. If a page's content has been tampered with, XNU won't know until that page pages in.
When XNU detects a tampered page, it clears the CS_VALID bit. With the CS_KILL bit set, Endpoint Security terminates the process, preventing the tampered code from executing. Platform binaries and binaries that opted into the hardened runtime typically have the CS_KILL bit set.
If you want your Endpoint Security client to detect tampered code before it pages in, such as at execution time, you can do so with the Security framework. However, this may impose a significant performance cost.
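As an added example (not Apple's code and not part of this page), the C helpers below show how a client can interpret the codesigning_flags snapshot carried by es_process_t in the way described above: a set CS_VALID bit means validated so far, not fully validated, and a later message for the same process can show the bit cleared once a tampered page pages in. The bit values are mirrored from XNU's cs_blobs.h so the example builds without the macOS SDK; the function names and the sample snapshots in main are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Code-signing flag bits as defined in XNU's cs_blobs.h. Mirrored here so the
 * example builds without the macOS SDK; on macOS include
 * <EndpointSecurity/EndpointSecurity.h> and use the SDK's definitions. */
#define CS_VALID 0x00000001u
#define CS_KILL  0x00000200u

/* What a client can conclude from one codesigning_flags snapshot. */
typedef enum {
    CS_STATE_VALID_SO_FAR,     /* CS_VALID set: every page validated so far was good */
    CS_STATE_TAMPERED_KILLED,  /* CS_VALID cleared, CS_KILL set: process is terminated */
    CS_STATE_TAMPERED_RUNNING  /* CS_VALID cleared, no CS_KILL: tampered code may run */
} cs_state_t;

cs_state_t cs_classify(uint32_t flags) {
    if (flags & CS_VALID) return CS_STATE_VALID_SO_FAR;
    return (flags & CS_KILL) ? CS_STATE_TAMPERED_KILLED : CS_STATE_TAMPERED_RUNNING;
}

/* True when a later message for the same process shows CS_VALID cleared even
 * though the exec-time snapshot had it set: a page failed validation after it
 * paged in, which the exec-time flags alone could not reveal. */
bool cs_validity_lost(uint32_t exec_flags, uint32_t later_flags) {
    return (exec_flags & CS_VALID) && !(later_flags & CS_VALID);
}

/* True when the kernel will terminate the process on a tampered page (the page
 * notes platform and hardened-runtime binaries typically have this bit set). */
bool cs_kill_on_tamper(uint32_t flags) { return (flags & CS_KILL) != 0; }

int main(void) {
    /* Constructed snapshots: the same process at exec time and at a later event. */
    uint32_t at_exec = CS_VALID | CS_KILL;
    uint32_t later   = CS_KILL;            /* CS_VALID cleared by XNU on page-in */

    printf("exec-time state: %d (0 = valid so far)\n", cs_classify(at_exec));
    printf("later state:     %d (1 = tampered, killed)\n", cs_classify(later));
    printf("validity lost after exec: %s\n", cs_validity_lost(at_exec, later) ? "yes" : "no");
    printf("kernel kills on tamper:   %s\n", cs_kill_on_tamper(at_exec) ? "yes" : "no");
    return 0;
}
```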
Endpoint Security plays no role in verifying the validity of code signatures.