Comments (6)
I'm in the middle of adding file-modification logging right now (see master...russellhancox:master).
What sort of filtering are you interested in doing?
from santa.
As someone found out, dynamic library injection could bypass the Santa detection as they are not considered within `KAUTH_SCOPE_VNODE`, but they could still be caught if we use the `FILEOP` scope with `KAUTH_FILEOP_OPEN`. (Which will cause deadlock according to Apple TN2127.)
I tried to feed the message from the `fileop_scope_callback()` into `GetResponse()` like the VNODE callback does. The system will freeze if I do this, though `KAUTH_FILEOP_CLOSE` with `KAUTH_FILEOP_CLOSE_MODIFIED` would not cause this issue, but wouldn't get the result I wanted. (Catch the dylib, as dyld still needs to read the file before it can be loaded into the main binary.)
Hope my English is understandable. :p
Gotcha. The problem with that is the result of the Fileop callback is always ignored, so you can't block a file that way and blocking fileop while waiting for a result in userspace is almost guaranteed to deadlock anyway, as TN2127 says.
On top of that, for the specific issue of whitelisting dylibs, there isn't a way of differentiating between an open by dyld and an open by, say, "cp" or "mv" or "installer". If you just wanted to log (rather than block) dylib opens it might be possible to put something in fileop_open that reads the first page of the file in kernel space and checks its file type and logs the name and pid of the opening process.
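The "read the first page and check its file type" idea above, as an added user-space C model that is not Santa's code nor a kext: it classifies a buffer holding the first page of a file by its Mach-O header so a fileop_open logger could decide whether the open is worth recording. The constant values are the ones from Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>`; the sample "first pages" are constructed. The fat-binary case is the caveat to keep in mind: the first page only holds the fat header, so the real file type sits in a slice that must be read separately.

```c
#include <stdint.h>
#include <stddef.h>

/* Mach-O constants, values as in Apple's <mach-o/loader.h> and <mach-o/fat.h>. */
#define MH_MAGIC    0xfeedfaceu
#define MH_MAGIC_64 0xfeedfacfu
#define FAT_MAGIC   0xcafebabeu   /* big-endian on disk; also the Java .class magic */
#define MH_EXECUTE  2u
#define MH_DYLIB    6u
#define MH_BUNDLE   8u

enum macho_kind {
    MACHO_NOT_MACHO = 0,        /* script, data file, or a truncated read */
    MACHO_EXECUTABLE,
    MACHO_DYLIB,
    MACHO_BUNDLE,
    MACHO_OTHER,                /* .o, dSYM, kext and so on */
    MACHO_FAT_SLICES_ELSEWHERE  /* fat header: the real type is in a slice past the first page */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t rd_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Classify the first page of a file. A thin Mach-O header needs only 16 bytes:
   magic, cputype, cpusubtype, filetype (fields are little-endian on x86_64/arm64). */
enum macho_kind classify_first_page(const uint8_t *page, size_t len) {
    if (len < 16) return MACHO_NOT_MACHO;
    if (rd_be32(page) == FAT_MAGIC) return MACHO_FAT_SLICES_ELSEWHERE;
    uint32_t magic = rd_le32(page);
    if (magic != MH_MAGIC && magic != MH_MAGIC_64) return MACHO_NOT_MACHO;
    switch (rd_le32(page + 12)) {           /* filetype field */
        case MH_EXECUTE: return MACHO_EXECUTABLE;
        case MH_DYLIB:   return MACHO_DYLIB;
        case MH_BUNDLE:  return MACHO_BUNDLE;
        default:         return MACHO_OTHER;
    }
}

/* Constructed sample "first pages": a 64-bit arm64 dylib header, an executable
   header, a shell script, and a fat header announcing two slices. */
const uint8_t SAMPLE_DYLIB[16]  = {0xcf,0xfa,0xed,0xfe, 0x0c,0,0,1, 0,0,0,0, 6,0,0,0};
const uint8_t SAMPLE_EXEC[16]   = {0xcf,0xfa,0xed,0xfe, 0x0c,0,0,1, 0,0,0,0, 2,0,0,0};
const uint8_t SAMPLE_SCRIPT[16] = "#!/bin/sh\necho";
const uint8_t SAMPLE_FAT[16]    = {0xca,0xfe,0xba,0xbe, 0,0,0,2, 0,0,0,7, 0,0,0,3};
```

A logger would record only the `MACHO_DYLIB` and `MACHO_BUNDLE` verdicts, and for `MACHO_FAT_SLICES_ELSEWHERE` read the slice offset from the fat header before deciding.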
Thanks for the reply. I did understand that we can't block the dylib, but we can "fix" (either patch it back or damage) it so it can't be loaded by dyld. (At least that's what Apple told us.) As we tapped on the vnode scope, we will know if there's a script running to do the injection or via `sh` etc. We can also get the script file path, so if it's a known malicious script/dylib sha256, even though we can't stop it from running, we can still guess what files have been modified after it started, better than nothing.
I'm able to log the path of the dylib via `KAUTH_FILEOP_OPEN`, but it seems sending everything to the daemon is way too much work for it to handle. I haven't tried doing the file type check directly in kernel space though, might be a better way as it's a bit better than letting the daemon do all the work. Will try that later.
Is Santa going to implement the "on access" scanning feature in the future? Or is it for executables only?
It's for executables only.
OK, thanks again. :)
I'll close this issue now.