Comments (5)
arubdesu
commented on April 29, 2024
I didn't put enough thought into this, nor did I see #25 - and it occurs to me, if we trust SIP, we could use the config.plist-based regex path whitelisting + Apple's cert(again, if we trust that) to do the lion's share of the work. I see there's even db export commands in the other issue, so I'm sure import can be made generic enough. Hopefully the other thoughts on this topic make it worth your while to consider/pluck useful things from.
from santa.
russellhancox
commented on April 29, 2024
When santad starts it whitelists the certs used to sign itself and that of pid 1 (launchd) and refuses to remove those particular certs for any reason. That means if an OS update happens and a new cert is used it is automatically whitelisted.
That covers the entire base OS and all of the components of Santa. The logic here is that if launchd is compromised you're pretty much done for anyway so we might as well prevent accidentally blocking OS components as that will drive users to try tampering with it.
Does that achieve the effect you're after?
from santa.
arubdesu
commented on April 29, 2024
Yeah, I was just unaware - I'll follow up with more amorphous points on santa-dev. Just one other thing, though - besides a TLS endpoint shoving a bunch of sha256's for whitelisting to machines, would running an import (or doing the rule table inserts) of raw sql be more or less preferable than swapping out the /var/db/santa dir's contents for an updated version, since both require killing santad? Or just wrapping lots of santad calls?
from santa.
russellhancox
commented on April 29, 2024
Yeah, I was just unaware
We really need to get around to writing some documentation.
Just one other thing, though - besides a TLS endpoint shoving a bunch of sha256's for whitelisting to machines
That would be a sync server. We're hoping to get ours open-sourced in the not-too-distant future, once it's more finished. There's also Zentral, which I have no experience of but is apparently good.
would running an import (or doing the rule table inserts) of raw sql be more or less preferable than swapping out the /var/db/santa dir's contents for an updated version, since both require killing santad? Or just wrapping lots of santad calls?
If you're not syncing with a server you could just use the santactl rule command (see santactl help rule for a tiny bit of help).
from santa.
arubdesu
commented on April 29, 2024
Cool, thanks! (I'm eval'ing Zentral, it doing osquery as well is a big plus)
from santa.
Related Issues (20)
- System Extension or Kernel? HOT 1
- Santa is Blocking SantaCtl HOT 7
- Binary Blocked But FileInfo Says Allowed HOT 8
- Bundle Scanning Does Not Start When EnableSilentMode = YES HOT 5
- santactl status discrepancy when running as root/non-root HOT 1
- Parquet output HOT 9
- Switch to evaluating the live `SecCodeRef` when authorizing new execs
- Efficient mechanism for rule pruning HOT 4
- santa daemon should have a mechanism to prevent being killed by users with root privileges. HOT 1
- Why is Clean Sync Required Always YES Even When Sync Server Sends NO HOT 9
- Compiler Rule: How to Check? HOT 3
- How to remove santa without having access to terminal or applications folder?
- Preflight `clean_sync` has no effect when no rules are sent. HOT 4
- Document that last rule for a given identifier applies
- Support log upload when file system monitoring denies an operation
- `santactl rule --check` is broken HOT 2
- Bypass via Recovery Mode HOT 3
- `contactsd` seem to be able to bypass santa's silent block on macOS Sonoma 14.1.1 HOT 6
- Add Entitlements to EventUpload in the Sync Protocol
- Unable to set the configuration element enable_transitive_rules using santactl HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from santa.