Apple

Agents & Daemons

Apple

Agents & Daemons #

  • Daemon : System wide services that always run in background (runs at root)
  • Agents : Basically the same thing as a daemon, but runs on behalf of the logged-in user, not the root user

Each agents and Daemons have a corresponding .plist which is used by launchd to run them.

Configuration files location #

LocationType
/Library/LaunchAgentsAdministrator controlled Agents for a specific user
/Library/LaunchDaemonsSystem-wide daemons provided by the administrator.
/System/Library/LaunchDaemonsDefault daemons provided by iOS.

Introduction

Apple

Sysdiagnose #

Introduction #

Sysdiagnose is a utility on most Apple devices that can be used to gather system-wide diagnostic information. It includes logging from different services and reports on the state of systems. What is contained in a sysdiagnose will vary depending on what type of device and which version of the macOS, iOS, iPadOS, tvOS and watchOS.

What do you get? #

Among the tools which have been run, and whose output has been collected for you may consist of the following:

...

Launchd

Apple

Launchd #

 full_path = "/sbin/launchd"
 runs_as = "root"
 pid = "1"

launchd is the first process loaded by the kernel also known as an init system. It is responsible to launch and manage processes running on the device.

It does more than an original UNIX init system would do.

Amongst other things it:

  • Loads processes configuration and launches them on boot or when needed
  • Relaunches specific processes if these have crashed
  • Has XPC, sockets capabilities
  • cron like periodic tasks

The configuration of the numerous agents and daemons are stored in proprietary .plist files, one of these configurations is the user the child process will run as.

...

ACCHWComponentAuthService

Apple

ACCHWComponentAuthService #

 full_path = "/System/Library/PrivateFrameworks/CoreAccessories.framework/XPCServices/ACCHWComponentAuthService.xpc/ACCHWComponentAuthService"
 runs_as = "mobile"

accountsd

Apple

accountsd #

 full_path = "/System/Library/Frameworks/Accounts.framework/accountsd"
 runs_as = "mobile"

AccountSubscriber

Apple

AccountSubscriber #

 full_path = "/System/Library/PrivateFrameworks/RemoteManagement.framework/XPCServices/AccountSubscriber.xpc/AccountSubscriber"
 runs_as = "mobile"

activityawardsd

Apple

activityawardsd #

 full_path = "/System/Library/PrivateFrameworks/ActivityAwardsServices.framework/activityawardsd"
 runs_as = "mobile"

aggregated

Apple

aggregated #

 full_path = "/System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated"
 runs_as = "mobile"

amfid

Apple

amfid #

 full_path = "/usr/libexec/amfid"
 runs_as = "root"

AppleMobileFileIntegrity daemon, checks for the integrity of files in the filesystem including code signature check to verify applications integrity

amsaccountsd

Apple

amsaccountsd #

 full_path = "/System/Library/PrivateFrameworks/AppleMediaServices.framework/amsaccountsd"
 runs_as = "mobile"