#core

sharvil

05/26/2020, 6:59 PM
@groob @alessandrogario
1. Whether the EndpointSecurity Client must be a system extension?
My understanding is that EndpointSecurity requires that clients run as root and have the entitlement, meaning there's no specific requirement that the client be a system extension. This is in contrast to other subsystems, like system-wide NetworkExtensions, which must be packaged as system extensions.

alessandrogario

05/26/2020, 7:22 PM
Never experienced the issue mentioned in the tweet, mostly because I always stick to RAII 🙂
I have to update the is_platform_binary handling there too 😐 really misleading from the framework to put such an unreliable field in there

sharvil

05/26/2020, 7:31 PM
re: platform_binary, you can just report on es_message->process->platform_binary instead of the event_exec->target->platform_binary, that would solve it, right?

alessandrogario

05/26/2020, 7:32 PM
it would have to be called parent_is_platform_binary then
I'm not sure how useful it is though
the hash field is also annoying
I know that all these issues are just coming from kauth, but I wish they would have put more care into it
so you can get either a sha1 or a sha256 value
but either way it's always truncated at the length of the sha1
only way around that is to check on the file manually, but that's of course a race condition 😐

sharvil

05/26/2020, 7:40 PM
yeah…
did you read the comments in the ESMessage.h header, especially related to codesigning?
```c
 *   If page content has been
 *   tampered with in the executable, we won't know until that page is paged in.  At that time, the
 *   process will have its CS_VALID bit removed and, if CS_KILL is set, the process will be killed,
 *   preventing any tampered code to be executed.  CS_KILL is generally set for platform binaries and
 *   for binaries having opted into the hardened runtime.  An ES client wishing to detect tampered
 *   code before it is paged in, for example already at exec time, can use the Security framework to
 *   do so, but should be cautious of the potentially significant performance cost of doing so.  The
 *   EndpointSecurity subsystem itself has no role in verifying the validity of code signatures.
```

alessandrogario

05/26/2020, 7:47 PM
Yes I did, it's pretty sad 😂