Comments (7)
pmarkowsky
commented on May 11, 2024
1
I wonder if the Santa client should reject rules where the Policy is "ALLOWLIST_COMPILER" and the Type is anything other than "BINARY"? Or better yet maybe it could allow use of other types to permit a compiler, for those of us willing to accept the additional risk?
Admittedly the feature was originally designed before signing ID rules existed. It may be a good time to revisit if we want to keep compiler rules to a BINARY rules. I know other folks in the community would probably be interested in marking the go toolchain as a compiler via signing ID rules so they don't have to update their rules for every release.
from santa.
mlw
commented on May 11, 2024
1
It may be a good time to revisit if we want to keep compiler rules to a BINARY rules. I know other folks in the community would probably be interested in marking the go toolchain as a compiler via signing ID rules
Agreed. FWIW I don't see a good reason to not handle compiler signing ID rules. It wasn't done initially just keep the overall effort a little smaller and more focused. But expanding it shouldn't be too much of a hassle.
Not that it was asked for, but I don't think certificate or team ID rules would be good candidates for compiler rule types as they're too broad.
from santa.
pmarkowsky
commented on May 11, 2024
1
We've now made Signing ID rules work with transitive allowlisting. I'm going to close this issue. Please feel free to reopen if there's more to address.
from santa.
pmarkowsky
commented on May 11, 2024
Compiler rules currently only with with hashes.
The idea here is that you're approving a specific version of a compiler.
from santa.
p-harrison
commented on May 11, 2024
OK great thanks, I had an inkling you might say that! I'll update the documentation later.
I wonder if the Santa client should reject rules where the Policy is "ALLOWLIST_COMPILER" and the Type is anything other than "BINARY"? Or better yet maybe it could allow use of other types to permit a compiler, for those of us willing to accept the additional risk?
from santa.
pmarkowsky
commented on May 11, 2024
Documentation is fixed in #1172
from santa.
pmarkowsky
commented on May 11, 2024
Not that it was asked for, but I don't think certificate or team ID rules would be good candidates for compiler rule types as they're too broad.
I agree. Team ID and Certificate rules are a bit too broad. Additionally if we implement #954. You'd sort of have a loose proxy for a given compiler version.
from santa.
Related Issues (20)
- Bypass via Recovery Mode HOT 3
- `contactsd` seem to be able to bypass santa's silent block on macOS Sonoma 14.1.1 HOT 6
- Add Entitlements to EventUpload in the Sync Protocol
- Unable to set the configuration element enable_transitive_rules using santactl HOT 11
- The configuration key `EnableForkAndExitLogging` is broken
- Clean syncs should only optionally remove transitive rules
- Make santactl status report on the status of enableTransitiveRules even when not using a sync server HOT 1
- Big Sur Style Icon for Santa HOT 1
- Issue with agent reading Santa config HOT 6
- Enhancement: Allow rules to be filtered by user HOT 1
- deadline exceeded in monitor mode still ends up denying execution HOT 3
- Symbolic Link Scope HOT 2
- Santa should evaluate and potentially kill running processes HOT 2
- `santactl rule` should allow clearing ruleset HOT 1
- How to Allow debugserver Output HOT 5
- Extend the Sync Protocol's PostFlight step to indicate if policies blocking system critical binaries were pushed
- Rewrite Santactl Command Line Parsing to use Abseil HOT 1
- So Many Copies of santactl Process. Is this Normal? HOT 6
- Add OIDs to Certificates in EventUpload HOT 1
- Apple Signed Binary Blocked: RemotePairingDataVaultHelper HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from santa.