
I am trying to discover what application is creating a file in /private/tmp.

I've temporarily turned off SIP on this Mac.

I created a shell script:

```bash
#!/bin/bash
# Trace I/O on the file of interest and log it (iosnoop is a DTrace script, so it needs root).
sudo iosnoop -f /private/tmp/AlTest1.err > /private/tmp/iosnoop.txt
```

I created a crontab to run that shell script at reboot:

```
$ crontab -e
```

```
#run at reboot
@reboot /Users/username/Desktop/run_iosnoop.sh
```

Upon restarting, I only get the headers for the iosnoop command in my iosnoop.txt file:

```
UID PID D BLOCK SIZE COMM PATHNAME
```

How can I keep iosnoop running during and after reboot to catch the application that is creating this file?

I tried using @login instead of @reboot, but it's not a valid timestamp for cron on a Mac.

The issue is that this command has to have a high enough priority that it runs before other processes do.

  • Probably your best bet is to run an instance of macOS inside a VM with kernel debugging on. Alternatively look into auditd, hopefully it starts soon enough. – Kentzo Aug 08 '20 at 17:20
  • 1
    I'd echo the use of the audit subsystem. [This](https://krypted.com/mac-os-x/quick-dirty-openbsm-auditing-macos/) is a decent crash course on the basics. – pmdj Aug 10 '20 at 13:52
  • @Kentzo, your first solution would be time consuming - perhaps the file is being created by an application that is not a part of the OS? I will look into auditd. – John Aug 10 '20 at 19:01
  • Perhaps there is a way to open terminal at login and have it run a command immediately? – John Aug 10 '20 at 19:06
  • Firstly, consider what is meant by "file is not part of the OS". In the end it's some system call and thus traceable with kernel debugging. As for running a command immediately, I'd say forget about it before you dedicate your time to learning the way of launchd. It's a path of sorrow. – Kentzo Aug 11 '20 at 11:24
  • @Kentzo, you suggest creating a VM with a duplicate of my HD or just installing a fresh copy of macOS on the VM? The file is most likely created by a non system application. I did take your suggestion of looking at auditd files. Problem is there are quite a few and they are in binary - not searchable without first using `praudit -x` and exporting to a searchable file. – John Aug 11 '20 at 21:22
  • I suggest a VM with minimal setup to reproduce the case. For auditd look up the SUpraudit tool. – Kentzo Aug 11 '20 at 23:11
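To get from the binary audit trails John mentions to a concrete process, here is an added example (not from the question or the comments) that parses `praudit -x` output: it correlates the first successful create of the target path with the most recent execve(2) record for the same pid. The sample records are constructed, and the script assumes `/etc/security/audit_control` has the `fc` (file create) and `ex` (exec) classes in its `flags:` line so that both kinds of record are actually logged.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample of `praudit -x` output: an exec record, an unrelated open,
# then the create of the file we care about, all with the OpenBSM XML token layout.
SAMPLE = """\
<?xml version='1.0' ?>
<audit>
<record version="11" event="execve(2)" modifier="0" time="Tue Aug 11 09:00:01 2020" msec=" + 100 msec" ><exec_args><arg>/Applications/Example.app/Contents/MacOS/Example</arg></exec_args><path>/Applications/Example.app/Contents/MacOS/Example</path><subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="1234" sid="100005" tid="50331650 0.0.0.0"/><return errval="success" retval="0"/></record>
<record version="11" event="open(2) - read" modifier="0" time="Tue Aug 11 09:00:02 2020" msec=" + 5 msec" ><path>/private/tmp/other.txt</path><subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="999" sid="100005" tid="50331650 0.0.0.0"/><return errval="success" retval="3"/></record>
<record version="11" event="open(2) - write,creat" modifier="0" time="Tue Aug 11 09:00:03 2020" msec=" + 12 msec" ><path>/private/tmp/AlTest1.err</path><subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="1234" sid="100005" tid="50331650 0.0.0.0"/><return errval="success" retval="4"/></record>
</audit>
"""

# Match one <record>...</record> at a time, whether or not praudit's -l put each on one line.
RECORD_RE = re.compile(r"<record\b.*?</record>", re.DOTALL)


def iter_records(xml_text):
    """Yield each <record> as an Element, ignoring the <audit> wrapper and XML declaration."""
    for m in RECORD_RE.finditer(xml_text):
        yield ET.fromstring(m.group(0))


def find_creator(xml_text, target_path):
    """Return pid/uid/exec path/event for the first successful create of target_path, else None.

    exec_path is taken from the latest execve(2) record seen for the same pid, so the
    exec (ex) class must be audited as well as file creation (fc)."""
    last_exec = {}  # pid -> path of the most recent execve(2) by that pid
    for rec in iter_records(xml_text):
        event = rec.get("event", "")
        subj = rec.find("subject")
        if subj is None:
            continue
        pid = subj.get("pid")
        path_el = rec.find("path")
        path = path_el.text if path_el is not None else None
        if event.startswith("execve") and path:
            last_exec[pid] = path
            continue
        ret = rec.find("return")
        ok = ret is None or ret.get("errval") == "success"
        # A create shows up as open(2) with the creat flag (or a creat(2)-style event).
        if path == target_path and "creat" in event and ok:
            return {"pid": int(pid), "uid": subj.get("uid"),
                    "exec_path": last_exec.get(pid), "event": event}
    return None


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(find_creator(data, "/private/tmp/AlTest1.err"))
```

Run it on a converted trail, e.g. `sudo praudit -x /var/audit/<trail file> > /tmp/audit.xml` followed by `python3 find_creator.py /tmp/audit.xml`; the exec path is None when the process started before auditing began or the ex class was not enabled.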

0 Answers