
New event: browser extension install

Open losandros opened this issue 7 years ago • 5 comments

Hi, I usually use tools from Patrick Wardle (KnockKnock, BlockBlock, ...) to create events within macOS and later on forward them to Splunk. xnumon looks very promising to replace that workaround for me.

I'm currently missing a couple of things that could be easily implemented by just extending some parts of your code:

  1. Browser Extensions: Basically, browser extensions are just files written to ~/Library/Safari/Extensions, ~/Library/Application Support/Mozilla/Extensions and ~/Library/Application Support/Google/Chrome/External Extensions. I think with your filesystem monitoring this is an easy add-on.

  2. Kernel Extensions: As far as I know these are also located here: /System/Library/Extensions or /Library/. This should also be extendable by your FS monitoring.

I also looked at your code and I also read a lot about how BlockBlock is implemented. It looks like BlockBlock uses /dev/fsevents. (see https://objective-see.com/products/blockblock.html). Maybe this is an additional way to capture FS events.

losandros avatar Jul 04 '18 08:07 losandros
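As an added illustration of the filesystem-based approach proposed above (example code, not xnumon's code and not the issue author's), the following Python watcher snapshots the three extension directories named in the post and turns every new or modified file into a JSON event that a forwarder could ship to Splunk. It polls with snapshot diffs rather than using audit events or /dev/fsevents, which is why a real implementation like xnumon needs the synchronisation work discussed later in the thread; the demo home directory, file names and file contents are constructed for the example.

```python
"""Snapshot-diff watcher for browser extension directories (added example).

Polls the directories named in the issue under a home directory, diffs the
file set between two snapshots and emits one event per new/modified file.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Directories named in the issue, relative to the user's home directory.
EXTENSION_DIRS = [
    "Library/Safari/Extensions",
    "Library/Application Support/Mozilla/Extensions",
    "Library/Application Support/Google/Chrome/External Extensions",
]


def snapshot(home: Path) -> dict:
    """Map absolute file path -> (size, mtime_ns) for every file in the watched dirs."""
    seen = {}
    for rel in EXTENSION_DIRS:
        base = home / rel
        if not base.is_dir():
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                p = Path(root) / name
                try:
                    st = p.stat()
                except FileNotFoundError:
                    continue  # file vanished between listing and stat
                seen[str(p)] = (st.st_size, st.st_mtime_ns)
    return seen


def sha256_of(path: str) -> str:
    """Hash the file so the event carries something a SIEM can pivot on."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except FileNotFoundError:
        return ""  # already deleted again; still report the write
    return h.hexdigest()


def diff_snapshots(before: dict, after: dict, home: Path) -> list:
    """Return one event per file that is new or changed since the previous snapshot."""
    events = []
    for path, meta in after.items():
        if before.get(path) == meta:
            continue  # unchanged since last poll
        rel = str(Path(path).relative_to(home))
        watched = next(d for d in EXTENSION_DIRS if rel.startswith(d))
        events.append({
            "event": "browser_extension_file",
            "action": "created" if path not in before else "modified",
            "path": path,
            "watched_dir": watched,
            "size": meta[0],
            "sha256": sha256_of(path),
        })
    return events


def watch(home: Path, interval: float = 5.0):
    """Generator: poll forever and yield events as they appear (asynchronous to process events)."""
    before = snapshot(home)
    while True:
        time.sleep(interval)
        after = snapshot(home)
        yield from diff_snapshots(before, after, home)
        before = after


def demo() -> list:
    """Constructed scenario: a fake home dir with one pre-existing extension, then a
    new file dropped into the Chrome external-extensions directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        for rel in EXTENSION_DIRS:
            (home / rel).mkdir(parents=True)
        # Pre-existing file: present in both snapshots, so it must not produce an event.
        (home / EXTENSION_DIRS[0] / "Existing.safariextz").write_bytes(b"old extension")
        before = snapshot(home)
        # Simulated install: a new file appears in the Chrome external extensions dir.
        (home / EXTENSION_DIRS[2] / "example_extension.json").write_bytes(b'{"constructed": true}')
        after = snapshot(home)
        return diff_snapshots(before, after, home)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The events are plain dictionaries so they can be serialised straight into a line-oriented log that a Splunk forwarder tails. Because polling only sees the end state, a file written and removed between two polls is missed entirely, which is the kind of gap that synchronous audit events avoid.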

The main reason why I decided to use audit events instead of /dev/fsevents for filesystem monitoring so far was that audit events are synchronous in relation to process events. Synchronizing events from multiple sources is tricky to implement well. However, it's something that I wanted to eventually look into.

Note that kernel extensions don't need to be located in one of the directories you name, they can be loaded into the kernel from anywhere.

droe avatar Jul 04 '18 18:07 droe

Makes sense! I really thought the kernel extensions need to be located there, good to know that this is not the case. But at least for the browser extensions the filesystem events could be used.

losandros avatar Jul 05 '18 07:07 losandros

Renaming this issue to reduce the scope to browser extensions. There is issue #16 for kext load events.

droe avatar Jul 05 '18 20:07 droe

Depends on #26 in order to deliver high-quality events.

droe avatar Jul 15 '18 13:07 droe

In addition to the improvements to the filemon core, this needs a thorough analysis of how and where browser extensions, plugins and other add-ons are actually installed for each browser. The above-mentioned locations are not the only ways code is installed in browsers.

droe avatar Jul 24 '18 16:07 droe