xnumon
New event: kext load
Add new event for kext loads. Not covered by audit(4); need to identify a good method to acquire this event. Analysis of kextd source might reveal some insights.
A file-based solution can detect properly installed kexts, but uid 0 can load kexts from anywhere if the bundle is owned by root on disk; those are not captured. Watching kextstat would give us loaded kexts, but not which process loaded them. Ideal would be an audit(4) event reporting kext loads (filed as radar 42712435).
File-based partial solution depends on #26.
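The kextstat-watching approach mentioned above, as an added example (not xnumon code): it diffs two kextstat snapshots by bundle identifier and version. The column layout handled by the regex, the function names and both sample snapshots are assumptions constructed for illustration.

```python
import re

# One kextstat row: Index Refs Address Size Wired Name (Version) UUID <Linked Against>
# (assumed layout; the header line does not start with digits and is skipped)
ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
    r"(?P<size>0x[0-9a-fA-F]+)\s+(?P<wired>0x[0-9a-fA-F]+)\s+"
    r"(?P<name>\S+)\s+\((?P<version>[^)]*)\)"
)


def parse_kextstat(text):
    """Return {(bundle_id, version): load_address} for every kext row."""
    kexts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            kexts[(m["name"], m["version"])] = m["addr"]
    return kexts


def diff_snapshots(before, after):
    """Compare two kextstat outputs; return (loaded, unloaded) kext lists."""
    old, new = parse_kextstat(before), parse_kextstat(after)
    loaded = sorted(k for k in new if k not in old)
    unloaded = sorted(k for k in old if k not in new)
    return loaded, unloaded


# Constructed sample snapshots (not real captures).
HEADER = "Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>\n"
BEFORE = HEADER + (
    "    1   90 0xffffff7f80a00000 0x9e30     0x9e30     com.apple.kpi.bsd (17.7.0) 00000000-0000-0000-0000-000000000001 <>\n"
    "  120    0 0xffffff7f83a00000 0x3000     0x3000     com.example.old (2.1) 00000000-0000-0000-0000-000000000002 <5 4 1>\n"
)
AFTER = HEADER + (
    "    1   90 0xffffff7f80a00000 0x9e30     0x9e30     com.apple.kpi.bsd (17.7.0) 00000000-0000-0000-0000-000000000001 <>\n"
    "  140    0 0xffffff7f83c10000 0x5000     0x5000     com.example.driver (1.0.0) 00000000-0000-0000-0000-000000000003 <5 4 3 1>\n"
)

if __name__ == "__main__":
    loaded, unloaded = diff_snapshots(BEFORE, AFTER)
    # The diff says what changed, never which process requested the load,
    # and a kext loaded and unloaded between two polls is missed entirely.
    for name, version in loaded:
        print(f"kext loaded:   {name} ({version})")
    for name, version in unloaded:
        print(f"kext unloaded: {name} ({version})")
```

In practice the two inputs would be successive captures of kextstat output taken by a poller.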