
I want to know if there is any way to log events for every file upload, download, creation, modification (including create, edit, delete), and transfer/sharing on macOS — regardless of whether these events occur in browsers or other applications. My goal is to identify which file was uploaded or downloaded, and if possible, determine the destination or source URL for network transfers, despite encryption (HTTPS).

I understand that getting a foolproof solution might not be feasible using a single method, and I'm open to combining several approaches. I prefer not to use a proxy-based solution because:

  • A proxy can interfere with existing services if one is already running on the host.
  • Proxies can add inefficiency and performance overhead.
  • I do not need to block events; I only want to monitor and log them.

I have considered these options:

  1. Audit Logs / OpenBSM:
    Using the macOS audit framework to log file system events (file creations, modifications, deletions) is one possibility. This can capture low-level file operations, but it does not directly correlate file operations with network upload or download events.

  2. Endpoint Security Framework (ESF):
    ESF can observe system events such as file accesses and process activities. While it can efficiently log file events, an inherent challenge is to correlate these system-level events with network-level events (i.e. to determine which file has been uploaded, and where — the URL or hostname).

  3. Dynamic Instrumentation / Hooking:
    Hooking network system calls (or even HTTPS library functions such as SSL_write) using tools like Frida could capture plaintext data before encryption. However, this raises challenges:

    • Handling different network libraries (SecureTransport vs. OpenSSL).
    • Ensuring reliability in capturing HTTP/HTTPS uploads.
    • Accurately correlating intercepted network data with file system activity.

Primary Challenges:

  • Correlating Files with Network Uploads:
    I need to not only log when a file operation occurs locally but also determine the corresponding network event (for instance, an HTTP POST request to an upload URL) that transfers the file.
  • Handling Encrypted Traffic:
    Most modern browsers use HTTPS by default. Intercepting such traffic to extract payload details (like file names) involves overcoming challenges in TLS decryption, which is non-trivial without proxying or in-depth instrumentation.

My Question: Is there a unified or combined approach to monitor and correlate file system events (uploads/downloads, modifications) with the network requests that represent those file transfers on modern macOS (e.g., macOS Sequoia 15.4.1)? In essence, how do I:

  • Log detailed file events (creation, modification, deletion) using the built-in macOS tools like the Audit Framework or Endpoint Security Framework?
  • Correlate these file events with network activity (uploads/downloads) to determine which file was transferred to which website?
  • Handle HTTPS-encrypted traffic to reliably extract the transfer details (e.g., target URL/hostname), without resorting to a proxy solution?

I would appreciate any insights, sample code, or references on how to achieve this using macOS-native mechanisms, dynamic instrumentation, or a combination of both approaches. Thanks in advance for your help!

1 Answer


What you have here is more like quite a big security research topic than a programming question ofc.

Briefly, you can't do the thing 100% on mac in a usable way, because the whole idea behind Apple marketing thing is user privacy, which can be broken and sold only by Apple and to Apple, not some 3rd-party apps.

Why the remark about a usable way? You can for sure write a kext, hook into all sorts of things and monitor all sorts of APIs, but you would have to keep SIP disabled then, and it is reasonably hard to make your users do that.

Some parts of what you desire could still be done with SIP on: macOS keeps some source info in the xattrs of downloaded files (via browsers), ESF could correlate them with processes, with NetworkExtension you could do MitM and parse traffic to find possible uploads/downloads, etc. You may create a list of supported well-known apps, inspect what specific sequence of file/other events leads, for each app, to your high-level operations of interest, and detect it.

This will work in a way; it will fail sometimes, probably a lot, which is nothing new in the macOS 3rd-party security projects world.

However, the whole thing makes little sense, because some app can, for example, request some data, then keep it in memory without writing it to disk, then add another part of data of its own to the requested data, wait for an hour making changes still in memory, then save the result to disk. But wait, not just writing to a new file, but adding to some existing one, which was created without the internet. Well, but then (after a while), removing the content that was not requested from the web. And adding another pre-generated brick of data at the end. Is it a downloaded file or what? :)

If I open a text file and copy all its content (or all symbols except the last one, two or ten) to the pasteboard, then paste it into an input field on a website, am I doing a file upload or not?

So maybe what you need here is to reconsider the goal in business terms, and return to it in tech terms then.
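The "source info in xattrs" part of the answer above, as an added example that is not part of the original answer: macOS browsers record where a download came from in the `com.apple.metadata:kMDItemWhereFroms` extended attribute, stored as a binary plist array of strings. The code below decodes that value, reads it from a real file via the `xattr` CLI when run on macOS, and demonstrates the parsing on a constructed sample; the assumption that the array is laid out as `[download URL, referrer URL]` is labelled in the code.

```python
from __future__ import annotations

import plistlib
import subprocess
import sys

# Extended attribute that Safari/Chrome/Firefox set on downloaded files.
XATTR_NAME = "com.apple.metadata:kMDItemWhereFroms"


def parse_where_froms(raw: bytes) -> list[str]:
    """Decode the binary plist held in kMDItemWhereFroms into its URL strings.

    Returns [] when the bytes are not a plist, or not an array of strings,
    so a corrupted or foreign attribute never raises.
    """
    try:
        value = plistlib.loads(raw)
    except Exception:
        return []
    if not isinstance(value, list):
        return []
    return [item for item in value if isinstance(item, str)]


def classify(urls: list[str]) -> dict[str, str | None]:
    """Assumed layout (matches what browsers commonly write): [source URL, referrer]."""
    return {
        "source": urls[0] if urls else None,
        "referrer": urls[1] if len(urls) > 1 else None,
    }


def read_where_froms(path: str) -> list[str]:
    """Read the attribute from a real file with `xattr -p -x` (hex dump output)."""
    if sys.platform != "darwin":
        return []  # the attribute only exists on macOS filesystems
    proc = subprocess.run(["xattr", "-p", "-x", XATTR_NAME, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return []  # file has no such attribute, or is unreadable
    try:
        raw = bytes.fromhex("".join(proc.stdout.split()))
    except ValueError:
        return []
    return parse_where_froms(raw)


# Constructed samples (not taken from any real download): what a browser would store.
SAMPLE_WHERE_FROMS = plistlib.dumps(
    ["https://example.com/files/report.pdf", "https://example.com/downloads"],
    fmt=plistlib.FMT_BINARY)
SAMPLE_NOT_ARRAY = plistlib.dumps({"a": 1}, fmt=plistlib.FMT_BINARY)
```

Combined with an ESF file-create event for the same path, this gives the "which URL did this process download this file from" half of the correlation without any proxy.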


2 Comments

Thank you for the detailed explanation! To clarify my use case: I'm trying to build a feature to block sensitive file uploads (documents, credentials, etc.) from browsers and apps on macOS devices. The goal is preventing data exfiltration, not general monitoring. Given your insights about Apple's privacy constraints and the complexity involved, would focusing on specific well-known apps (browsers, common file-sharing apps) with ESF + NetworkExtension be a more realistic approach? I understand it won't be 100% coverage, but even partial protection would be valuable for enterprise security.
You may achieve some success with ESF and NetworkExtensions, yes. It will require covering a lot of specific cases for each app though.
