Tuesday 15 March 2022

Dtrace on Monterey

As I mentioned in a previous post, dtrace has been crippled since El Capitan, when System Integrity Protection (SIP) arrived, but all is not yet lost. As a post on Medium has described, there are ways around this, including methods Apple actually sanctions. With SIP enabled, Apple-signed system binaries (those carrying the restricted flag) cannot be examined with dtrace; third-party binaries still can.

Chris demonstrates a way to run dtrace inside a chroot after turning off code-signing enforcement, so that any command, together with any children it forks off, can be run under dtrace.

The officially sanctioned route is Apple's Endpoint Security framework, which delivers security events (file, process and similar events, not the same as syscall-level dtrace output). The following programs use it, and can cover some of what dtrace can do without the faff:

  1. FileMonitor (from Objective-See)

Prints JSON, one event per line, for file-system events (create, write, rename, delete and the like), including the process responsible for each.

  2. ProcessMonitor (from Objective-See)

Same as above, but for process events (exec, fork, exit), with arguments and code-signing information for each process.

  3. Crescendo (project on GitHub)

Crescendo is a Swift-based, GUI real-time event viewer for macOS. It uses Apple's Endpoint Security framework.
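Because both Objective-See tools emit newline-delimited JSON, the usual dtrace one-liner ("who wrote to my LaunchAgents?", "what just executed out of /tmp?") becomes a small filter over their output. The script below is an added example, not code from this post or from Objective-See; the record layout it parses (top-level event, a file object with destination and process, a process object with path, pid, arguments and a signing-info block) is an assumption modelled on what FileMonitor and ProcessMonitor print, and the sample events are constructed, not real captures. Check the key names against the tool version you run.

```python
"""
Triage FileMonitor / ProcessMonitor JSON events for persistence and
execution from scratch directories.  Added example; the record layout
(event, file.destination, process.path/pid/arguments, signing info) is an
ASSUMPTION modelled on the tools' output, not their documented schema.
Usage: sudo FileMonitor | python3 triage.py   (or ProcessMonitor)
"""
import json
import sys

# ES event names are real Endpoint Security constants; the grouping is ours.
WRITE_EVENTS = {
    "ES_EVENT_TYPE_NOTIFY_CREATE",
    "ES_EVENT_TYPE_NOTIFY_WRITE",
    "ES_EVENT_TYPE_NOTIFY_RENAME",
}
EXEC_EVENTS = {"ES_EVENT_TYPE_NOTIFY_EXEC"}

# Scratch locations that unsigned stagers commonly execute from.
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def is_persistence_path(path):
    """True for system-wide or per-user launchd plist directories."""
    if path.startswith(("/Library/LaunchDaemons/", "/Library/LaunchAgents/")):
        return True
    parts = path.split("/")  # /Users/<name>/Library/LaunchAgents/...
    return len(parts) > 4 and parts[1] == "Users" and parts[3:5] == ["Library", "LaunchAgents"]


def signer(proc):
    """Best-effort signer string; key names are ASSUMED from FileMonitor output."""
    info = proc.get("signing info (computed)") or proc.get("signing info (reported)") or {}
    return info.get("signatureSigner", "unknown")


def classify(rec):
    """Return a one-line finding for a single JSON event, or None if benign."""
    event = rec.get("event", "")
    if event in WRITE_EVENTS:
        f = rec.get("file", {})
        dest = f.get("destination", "")
        proc = f.get("process", {})
        if is_persistence_path(dest):
            return (f"PERSISTENCE {event} -> {dest} by {proc.get('path')} "
                    f"(pid {proc.get('pid')}, signer {signer(proc)})")
    elif event in EXEC_EVENTS:
        proc = rec.get("process", {})
        path = proc.get("path", "")
        if path.startswith(SCRATCH_PREFIXES):
            return (f"EXEC from scratch dir: {path} (pid {proc.get('pid')}) "
                    f"args={proc.get('arguments')}")
    return None


def triage(lines):
    """Run classify() over an iterable of output lines, skipping non-JSON noise."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # banner lines and other non-JSON output are ignored
        hit = classify(rec)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events in the assumed layout (not real captures).
SAMPLE_EVENTS = [
    {"event": "ES_EVENT_TYPE_NOTIFY_CREATE",
     "file": {"destination": "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
              "process": {"pid": 4321, "path": "/Users/alice/Downloads/Installer.app/Contents/MacOS/Installer",
                          "signing info (computed)": {"signatureSigner": "None"}}}},
    {"event": "ES_EVENT_TYPE_NOTIFY_WRITE",
     "file": {"destination": "/Users/alice/Documents/notes.txt",
              "process": {"pid": 812, "path": "/Applications/TextEdit.app/Contents/MacOS/TextEdit",
                          "signing info (computed)": {"signatureSigner": "Apple"}}}},
    {"event": "ES_EVENT_TYPE_NOTIFY_EXEC",
     "process": {"pid": 4400, "path": "/private/tmp/.update", "arguments": ["/private/tmp/.update", "--install"]}},
    {"event": "ES_EVENT_TYPE_NOTIFY_EXEC",
     "process": {"pid": 4401, "path": "/bin/ls", "arguments": ["ls", "-la"]}},
]
SAMPLE = ["(constructed) tool banner line, not JSON"] + [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for finding in triage(source):
        print(finding)
```

Run with no stdin to see the two findings from the constructed sample (the LaunchAgents plist drop and the /private/tmp execution); pipe the monitor's output in for live use. Writes by Apple-signed processes are deliberately not filtered out, since malware routinely uses /bin/cp or a shell to drop its plist; the signer is reported so you can judge.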


So there is a bit more hope now...