Sep 23, 2016 8:29 PM in response to julien290 by Camelot:
There's nothing directly built-in that would do this, and I'm not sure quite what you'd gain since osascript isn't likely to be the primary attack vector... but it's your world.
One idea I can imagine is replacing the /usr/bin/osascript binary with a shell wrapper that simply logs the invocation (with whatever other details you like) and then passes the input to the real osascript for execution. It's a little bit of security via obscurity, but it's all I can think of off-hand.
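The wrapper idea above, sketched in POSIX sh as an added example (not code from any poster): it appends one record per invocation (caller uid, parent process, working directory and the full argument list, so a script passed with -e is captured) and then execs the genuine binary. The log path, the location of the renamed original and the OSASCRIPT_LOG and REAL_OSASCRIPT variables are assumptions.

```shell
#!/bin/sh
# Logging wrapper for osascript (added example; paths and variable names are assumptions).
# REAL_OSASCRIPT: where the genuine binary lives after being renamed.
# OSASCRIPT_LOG:  append-only log this wrapper writes to.
REAL_OSASCRIPT="${REAL_OSASCRIPT:-/usr/local/libexec/osascript.real}"
OSASCRIPT_LOG="${OSASCRIPT_LOG:-/var/log/osascript-wrapper.log}"

# Build one log record: who ran osascript, from which parent process, with what args.
# Each argument gets its own "arg=" field so a script passed via -e is kept whole.
osascript_format_log_line() {
    ppid=$PPID
    parent=$(ps -o comm= -p "$ppid" 2>/dev/null || echo unknown)
    printf '%s uid=%s pid=%s ppid=%s parent=%s cwd=%s argc=%s' \
        "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$(id -u)" "$$" "$ppid" \
        "${parent:-unknown}" "$PWD" "$#"
    for a in "$@"; do
        # Collapse embedded newlines so one invocation stays on one log line.
        printf ' arg=%s' "$(printf '%s' "$a" | tr '\n' ' ')"
    done
    printf '\n'
}

# Append the record. If the log is not writable, fall back to syslog and still
# run osascript: a wrapper that blocks the real tool when logging fails is a DoS.
osascript_log_invocation() {
    osascript_format_log_line "$@" >> "$OSASCRIPT_LOG" 2>/dev/null || \
        logger -t osascript-wrapper "log write to $OSASCRIPT_LOG failed" 2>/dev/null || :
}

# Log, then hand the unchanged arguments (and stdin) to the real osascript.
osascript_wrapper_main() {
    osascript_log_invocation "$@"
    exec "$REAL_OSASCRIPT" "$@"
}

# Dispatch only when this file is invoked under the name osascript (i.e. installed
# as the wrapper); running or sourcing it under any other name just defines the functions.
case "${0##*/}" in
    osascript) osascript_wrapper_main "$@" ;;
esac
```

With SIP enabled /usr/bin cannot be modified, so the wrapper would have to sit earlier on PATH (e.g. /usr/local/bin) and would only see invocations that resolve osascript through PATH, not those that call /usr/bin/osascript by absolute path. The log also records only the arguments, not what the script went on to do, so it is a tripwire rather than an audit trail.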
-
Sep 23, 2016 9:31 PM in response to julien290 by etresoft:
Hello julien290,
I suggest using dtrace. I haven't used it for a couple of years. With SIP in El Capitan, it won't work on Apple processes, but it should work on 3rd party software. If not, you can always temporarily disable SIP to play around.
I can tell you that my own app EtreCheck uses this osascript method to elevate privileges. I don't want to deal with privileged helpers or actual privilege escalation. I can honestly say that EtreCheck never accesses a user's password. It just asks the Finder and osascript to do it instead.
But if you go to the EtreCheck github site (https://github.com/etresoft/EtreCheck) and clone it, the source code includes a little script that installs a fake piece of malware and then uses EtreCheck to remove it. While doing this, you can play with various methods to detect EtreCheck's use of osascript. Good luck!
Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.
-
Sep 24, 2016 4:11 AM in response to julien290 by dwbrecovery:
Hi julien290,
- Adding further, there is /usr/bin/opensnoop, which is written using dtrace, already in the OS.
- As explained by etresoft, it is restricted by SIP to 3rd party software.
sudo /usr/bin/opensnoop 2>/dev/null is a good example to start with.
There are also execsnoop, iosnoop and rwsnoop, but they will require SIP to be disabled.
Check their man pages.
hth, cheers, dwbrecovery
-
Sep 24, 2016 7:13 AM in response to dwbrecovery by julien290:
Hello
Thanks all for the quick feedback. dtrace and the *snoop tools are good options for investigating live cases. I would also be curious about the current state of dtrace on osx.
The simplest option seems to be the wrapper (but it needs to be carefully written).
Another thing I'm looking into is using Google Santa (https://github.com/google/santa) to whitelist/blacklist applications.
Thanks everyone!