FSEvents - get PID of the process that performed the operation

On OS X, using the FSEvents API, I can easily get file and directory notifications (created, removed, etc.) for paths of interest. However, I was wondering if there is any way to get the PID or name of the process that performed the operation (e.g. created the file). I know that you can get this information if you are monitoring the file system in real time (see: fs_logger), but I'd prefer to use FSEvents since it allows you to specify exactly what paths to monitor and works in a callback manner (so likely less CPU intensive?).



Solution 1:[1]

Apple has a relatively new (macOS 10.15+) C framework called Endpoint Security which comes close to meeting all of the filesystem event monitoring requirements you're looking for:

  • Efficient / Event-driven model (es_new_client())
  • Granular event type subscription model (es_subscribe())
  • Rich event context including pid, uid, and much more (e.g. an event message for file creation (es_event_create_t) includes an es_process_t field with process details)
  • No support (yet?) for subscribing to filesystem events based on 'path(s) of interest' but events can be 'muted' (masked) based on source process (e.g. es_mute_process()). That might offer an improvement over parsing all events for the paths you're interested in. You can always file a feature request with Apple for that.

Apple has been pushing developers to adopt this new framework for a while now over previous monitoring APIs (like 'legacy' kernel extensions that leverage KAUTH or MAC, or the OpenBSM API), so it's the only solution I can recommend investing in going forward (beyond FSEvents).

There are some WWDC sessions and example projects available on the subject: https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security
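As an added example (not part of the answer above or of Apple's sample projects), here is a minimal Endpoint Security client that puts the pieces the answer lists together: es_new_client() for the event-driven client, es_subscribe() for the NOTIFY_CREATE/UNLINK/RENAME event types, and the es_process_t attached to each message for the pid and executable path. Because ES cannot subscribe by path, the "paths of interest" restriction is done in user space by path_is_watched(), which is portable C and compiles on any platform; the ES-specific part is guarded by __APPLE__ and needs macOS 10.15+, the com.apple.developer.endpoint-security.client entitlement, root, and Full Disk Access. The watched roots, the helper names, and the build line are assumptions for this example.

```c
/* Added example, not code from the original Q&A: an Endpoint Security client that
 * reports which process created, deleted or renamed a file under watched paths.
 * Build (macOS 10.15+, assumed): clang es_watch.c -framework EndpointSecurity -lbsm -o es_watch
 * The binary must carry the com.apple.developer.endpoint-security.client
 * entitlement, run as root, and the user must grant Full Disk Access. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Paths of interest (assumed). ES has no path-based subscription, so filter here. */
static const char *const kWatchedRoots[] = { "/Users/alice/Documents", "/tmp/watched" };
#define N_ROOTS (sizeof(kWatchedRoots) / sizeof(kWatchedRoots[0]))

/* ES delivers paths as (length, data) string tokens, so take an explicit length
 * rather than assuming NUL termination. A path matches when it equals a root or
 * lies beneath it; "/tmp/watched2/x" must NOT match "/tmp/watched". */
bool path_is_watched(const char *path, size_t len, const char *const *roots, size_t nroots) {
    for (size_t i = 0; i < nroots; i++) {
        size_t rlen = strlen(roots[i]);
        if (len < rlen || memcmp(path, roots[i], rlen) != 0)
            continue;                                  /* prefix differs */
        if (len == rlen || path[rlen] == '/')
            return true;                               /* exact root or a child of it */
    }
    return false;
}

#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>          /* audit_token_to_pid() */
#include <dispatch/dispatch.h>

/* Pick the path each subscribed event type refers to. For NOTIFY_CREATE the
 * destination is always an existing file (new_path only appears on AUTH events). */
static const es_string_token_t *event_path(const es_message_t *msg) {
    switch (msg->event_type) {
    case ES_EVENT_TYPE_NOTIFY_CREATE:
        if (msg->event.create.destination_type != ES_DESTINATION_TYPE_EXISTING_FILE)
            return NULL;
        return &msg->event.create.destination.existing_file->path;
    case ES_EVENT_TYPE_NOTIFY_UNLINK:
        return &msg->event.unlink.target->path;
    case ES_EVENT_TYPE_NOTIFY_RENAME:
        return &msg->event.rename.source->path;        /* the path being moved away from */
    default:
        return NULL;
    }
}

/* Called on the client's dispatch queue for every subscribed event. NOTIFY events
 * need no response; AUTH events would require es_respond_auth_result(). */
static void handle_event(es_client_t *client, const es_message_t *msg) {
    (void)client;
    const es_string_token_t *p = event_path(msg);
    if (p == NULL || !path_is_watched(p->data, p->length, kWatchedRoots, N_ROOTS))
        return;
    const es_process_t *proc = msg->process;           /* the process that performed the operation */
    pid_t pid = audit_token_to_pid(proc->audit_token);  /* es_process_t carries an audit token, not a pid field */
    printf("event %d on %.*s by pid %d (%.*s)\n", (int)msg->event_type,
           (int)p->length, p->data, (int)pid,
           (int)proc->executable->path.length, proc->executable->path.data);
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        handle_event(c, msg);
    });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d (entitlement, root or Full Disk Access missing?)\n", (int)r);
        return 1;
    }
    es_event_type_t events[] = {
        ES_EVENT_TYPE_NOTIFY_CREATE, ES_EVENT_TYPE_NOTIFY_UNLINK, ES_EVENT_TYPE_NOTIFY_RENAME
    };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return 1;
    }
    dispatch_main();                                   /* never returns; events arrive on the client's queue */
}
#endif
```

Two practical caveats: the filter runs on every create/unlink/rename on the system, so keep it cheap (prefix compare, no allocation) and consider es_mute_process() for noisy, trusted producers; and because ES reports the executable path plus an audit token rather than a bare pid, use audit_token_to_pid() (and the token's uid) rather than trusting a pid that may already have been reused by the time you act on it.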

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Mike C.