Crate endpoint_sec
Safe bindings for the Endpoint Security Framework for Apple targets (macOS).
The sys module contains the raw bindings since several types are publicly exported from there.
At runtime, users should call version::set_runtime_version() before anything else, to indicate which macOS version the app is running on.
The entry point is the Client type, which is a wrapper around es_client_t, with the Client::new() method.
After a Client has been created, events can be subscribed to using Client::subscribe(). Each time Endpoint Security gets an event that is part of the subscriptions for your client, it will call the handler that was given to Client::new() with the message associated with the event. Note that AUTH events have an associated deadline before which your handler must give a response, else your client may be killed by macOS to avoid stalling for the user.
Re-exports
pub use endpoint_sec_sys as sys;
Modules
- Helper module to avoid implementing version detection in this crate and make testing easier by telling the crate it's on a lower version than the real one.
Structs
- Acl (macos_10_15_1): ACL from Endpoint Security.
- AttributeValues (macos_14_0_0): Iterator over the attribute values of an EventOdAttributeSet
- A wrapper around an audit_token_t.
- AuthorizationJudgementResults (macos_14_0_0): Iterator over the rights of an EventAuthorizationJudgement
- AuthorizationPetitionRights (macos_14_0_0): Iterator over the rights of an EventAuthorizationPetition
- AuthorizationResult (macos_14_0_0): Describes, for a single right, the class of that right and if it was granted
- BtmLaunchItem (macos_13_0_0): A BTM launch item
- Wrapper around the opaque type that stores the ES client state.
- EventAccess (macos_10_15_1): View stat information of a file event.
- EventAuthentication (macos_13_0_0): An authentication was performed.
- EventAuthenticationAutoUnlock (macos_13_0_0): Auto unlock authentication data
- EventAuthenticationOd (macos_13_0_0): OpenDirectory authentication data
- EventAuthenticationToken (macos_13_0_0): Token authentication data
- EventAuthenticationTouchId (macos_13_0_0): TouchID authentication data
- EventAuthorizationJudgement (macos_14_0_0): Notification that a process had its right petition judged
- EventAuthorizationPetition (macos_14_0_0): Notification that a process petitioned for certain authorization rights
- EventBtmLaunchItemAdd (macos_13_0_0): A launch item being made known to background task management.
- EventBtmLaunchItemRemove (macos_13_0_0): A launch item being removed from background task management.
- EventCSInvalidated (macos_11_0_0): Code signing status for process was invalidated event.
- EventChdir (macos_10_15_1): Change directories event.
- EventChroot (macos_10_15_1): Change the root directory for a process event.
- EventClone (macos_10_15_1): Clone a file event.
- Close a file descriptor event.
- EventCopyFile (macos_12_0_0): Copy a file using the copyfile() system call.
- Create a file system object event.
- EventDeleteExtAttr (macos_10_15_1): Delete an extended attribute event.
- EventDup (macos_10_15_1): Duplicate a file descriptor event.
- Exchange data atomically between two files event.
- A process execution event.
- Terminate a process event.
- EventFcntl (macos_10_15_1): File control event.
- Materialize a file via the FileProvider framework event.
- Update file contents via the FileProvider framework event.
- Fork a new process event.
- EventFsGetPath (macos_10_15_1): Retrieve file system path based on FSID event.
- EventGetAttrlist (macos_10_15_1): Retrieve file system attributes event.
- EventGetExtAttr (macos_10_15_1): Retrieve an extended attribute event.
- Get a process’s task control port event.
- EventGetTaskInspect (macos_11_3_0): Get a process’s task inspect port.
- EventGetTaskName (macos_11_0_0): Get a process’s task name port
- EventGetTaskRead (macos_11_3_0): Get a process’s task read port.
- Open a connection to an I/O Kit IOService event.
- Load a kernel extension event.
- Unload a kernel extension event.
- Link to a file event.
- EventListExtAttr (macos_10_15_1): List extended attributes of a file event.
- EventLoginLogin (macos_13_0_0): Authenticated login event from /usr/bin/login.
- EventLoginLogout (macos_13_0_0): Authenticated logout event from /usr/bin/login.
- Lookup a file system object event.
- EventLwSessionLock (macos_13_0_0): LoginWindow locked the screen of a session.
- EventLwSessionLogin (macos_13_0_0): LoginWindow has logged in a user.
- EventLwSessionLogout (macos_13_0_0): LoginWindow has logged out a user.
- EventLwSessionUnlock (macos_13_0_0): LoginWindow unlocked the screen of a session.
- Memory map a file event.
- Mount a file system event.
- Control protection of pages event.
- EventOdAttributeSet (macos_14_0_0): Notification that an attribute is being set.
- EventOdAttributeValueAdd (macos_14_0_0): Notification that an attribute value was added to a record.
- EventOdAttributeValueRemove (macos_14_0_0): Notification that an attribute value was removed from a record.
- EventOdCreateGroup (macos_14_0_0): Notification that a group was created.
- EventOdCreateUser (macos_14_0_0): Notification that a user account was created.
- EventOdDeleteGroup (macos_14_0_0): Notification that a group was deleted.
- EventOdDeleteUser (macos_14_0_0): Notification that a user account was deleted.
- EventOdDisableUser (macos_14_0_0): Notification that a user account was disabled.
- EventOdEnableUser (macos_14_0_0): Notification that a user account was enabled.
- EventOdGroupAdd (macos_14_0_0): Notification that a member was added to a group.
- EventOdGroupRemove (macos_14_0_0): Notification that a member was removed from a group.
- EventOdGroupSet (macos_14_0_0): Notification that a group had its members initialised or replaced.
- EventOdModifyPassword (macos_14_0_0): Notification that an account had its password modified.
- File system object open event.
- EventOpensshLogin (macos_13_0_0): OpenSSH login event.
- EventOpensshLogout (macos_13_0_0): OpenSSH logout event.
- EventProcCheck (macos_10_15_4): Access control check for retrieving process information.
- EventProcSuspendResume (macos_11_0_0): One of pid_suspend(), pid_resume() or pid_shutdown_sockets() is being called on a process.
- EventProfileAdd (macos_14_0_0): Notification for Profiles installed on the system.
- EventProfileRemove (macos_14_0_0): Notification for Profiles removed on the system.
- EventPtyClose (macos_10_15_4): A pseudoterminal control device is being closed.
- EventPtyGrant (macos_10_15_4): A pseudoterminal control device is being granted.
- EventReadDir (macos_10_15_1): Read directory entries event.
- Resolve a symbolic link event.
- EventRemoteThreadCreate (macos_11_0_0): A process has attempted to create a thread in another process
- EventRemount (macos_11_0_0): Remount a file system event.
- Rename a file system object event.
- EventScreensharingAttach (macos_13_0_0): Screen Sharing has attached from a graphical session.
- EventScreensharingDetach (macos_13_0_0): Screen Sharing has detached from a graphical session.
- EventSearchFs (macos_11_0_0): Access control check for searching a volume or a mounted file system event.
- EventSetAcl (macos_10_15_1): Set a file ACL.
- Set file system attributes event.
- Set an extended attribute event.
- Modify file flags information event.
- Modify file mode event.
- Modify file owner information.
- EventSetTime (macos_10_15_1): Modify the system time event.
- EventSetegid (macos_12_0_0): A process has called setegid().
- EventSeteuid (macos_12_0_0): A process has called seteuid().
- EventSetgid (macos_12_0_0): A process has called setgid().
- EventSetregid (macos_12_0_0): A process has called setregid().
- EventSetreuid (macos_12_0_0): A process has called setreuid().
- EventSetuid (macos_12_0_0): A process has called setuid().
- Send a signal to a process event.
- EventStat (macos_10_15_1): View stat information of a file event.
- EventSu (macos_14_0_0): A su policy decision event.
- EventSudo (macos_14_0_0): A sudo event.
- EventTrace (macos_11_0_0): Fired when one process attempts to attach to another process event.
- Truncate a file event.
- EventUTimes (macos_10_15_1): Change file access and modification times (e.g. via utimes(2))
- EventUipcBind (macos_10_15_1): A UNIX-domain socket is about to be bound to a path.
- EventUipcConnect (macos_10_15_1): A UNIX-domain socket is about to be connected.
- Unlink a file system object event.
- Unmount a file system event.
- Write to a file event.
- EventXpMalwareDetected (macos_13_0_0): XProtect detected malware.
- EventXpMalwareRemediated (macos_13_0_0): XProtect remediated malware.
- EventXpcConnect (macos_14_0_0): Notification for an XPC connection being established to a named service.
- Iterator over the arguments of an EventExec
- Iterator over the environment of an EventExec
- Iterator over the file descriptors of an EventExec
- Fd (macos_11_0_0): Describe an open file descriptor.
- Provides the stat information and path to a file that relates to a security event.
- A message from Endpoint Security.
- OdMemberId (macos_14_0_0): The identity of a group member
- OdMemberIdArray (macos_14_0_0): An array of group member identities.
- OdMemberIdArrayNames (macos_14_0_0): Iterator over the names in an OdMemberIdArray
- OdMemberIdArrayUuids (macos_14_0_0): Iterator over the uuids in an OdMemberIdArray
- Information related to a process.
- Profile (macos_14_0_0): Structure describing a Profile event
- RejectInfo (macos_14_0_0): Provides context about failures in EventSudo
- SuArgs (macos_14_0_0): Iterator over the arguments of an EventSu
- SuEnvs (macos_14_0_0): Iterator over the environment of an EventSu
- Thread (macos_11_0_0): Information related to a thread.
- ThreadState (macos_11_0_0): Describes machine-specific thread state as used by thread_create_running() and other Mach API functions.
Enums
- When a Message is received, it is associated with an Action
- Result of the ES subsystem authorization process.
- AuthenticationData (macos_13_0_0)
- Information related to an event.
- Represent a destination file for EventCreate.
- Represent a destination file for EventRename.
- Type of response function to use for this event.
- OdMemberIdArrayIters (macos_14_0_0): One of the possible iterators for OdMemberIdArray
- OdMemberIdValue (macos_14_0_0): A member identity.
- Error produced when trying to access Message::deadline() or equivalent functions because computing the Instant overflowed.