Comments (5)
I didn't put enough thought into this, nor did I see #25 - and it occurs to me, if we trust SIP, we could use the config.plist-based regex path whitelisting + Apple's cert(again, if we trust that) to do the lion's share of the work. I see there's even db export commands in the other issue, so I'm sure import can be made generic enough. Hopefully the other thoughts on this topic make it worth your while to consider/pluck useful things from.
from santa.
When santad starts it whitelists the certs used to sign itself and that of pid 1 (launchd) and refuses to remove those particular certs for any reason. That means if an OS update happens and a new cert is used it is automatically whitelisted.
That covers the entire base OS and all of the components of Santa. The logic here is that if launchd is compromised you're pretty much done for anyway so we might as well prevent accidentally blocking OS components as that will drive users to try tampering with it.
Does that achieve the effect you're after?
from santa.
Yeah, I was just unaware - I'll follow up with more amorphous points on santa-dev. Just one other thing, though - besides a TLS endpoint shoving a bunch of sha256's for whitelisting to machines, would running an import (or doing the rule table inserts) of raw sql be more or less preferable than swapping out the /var/db/santa dir's contents for an updated version, since both require killing santad? Or just wrapping lots of santad calls?
from santa.
Yeah, I was just unaware
We really need to get around to writing some documentation.
Just one other thing, though - besides a TLS endpoint shoving a bunch of sha256's for whitelisting to machines
That would be a sync server. We're hoping to get ours open-sourced in the not-too-distant future, once it's more finished. There's also Zentral, which I have no experience of but is apparently good.
would running an import (or doing the rule table inserts) of raw sql be more or less preferable than swapping out the /var/db/santa dir's contents for an updated version, since both require killing santad? Or just wrapping lots of santad calls?
If you're not syncing with a server you could just use the santactl rule
command (see santactl help rule
for a tiny bit of help).
from santa.
Cool, thanks! (I'm eval'ing Zentral, it doing osquery as well is a big plus)
from santa.
Related Issues (20)
- Make santactl status report on the status of enableTransitiveRules even when not using a sync server HOT 1
- Big Sur Style Icon for Santa HOT 1
- Issue with agent reading Santa config HOT 6
- Enhancement: Allow rules to be filtered by user HOT 1
- deadline exceeded in monitor mode still ends up denying execution HOT 3
- Symbolic Link Scope HOT 2
- Santa should evaluate and potentially kill running processes HOT 2
- `santactl rule` should allow clearing ruleset HOT 1
- How to Allow debugserver Output HOT 5
- Extend the Sync Protocol's PostFlight step to indicate if policies blocking system critical binaries were pushed
- Rewrite Santactl Command Line Parsing to use Abseil HOT 1
- So Many Copies of santactl Process. Is this Normal? HOT 6
- Add OIDs to Certificates in EventUpload HOT 1
- Apple Signed Binary Blocked: RemotePairingDataVaultHelper HOT 3
- CDHash serialization issue in fileinfo HOT 3
- Migrate to bazel modules HOT 1
- Document formatting conventions
- Document differences between events for sync servers and telemetry
- compiler rule with golang HOT 5
- Document transitive allowlisting limitations HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from santa.