Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
sharvil
05/26/2020, 6:59 PM@groob @alessandrogario
1. Whether the EndpointSecurity Client must be a system extension?
My understanding is that EndpointSecurity require that clients run as root and have the entitlement, meaning there’s no specific requirement that the client be a system extension. This is in contrast to other subsystems, like system-wide NetworkExtensions, which must be packaged as system extensions.
❤️ 1
🆒 1
a
alessandrogario
05/26/2020, 7:22 PMI'm running it the same way in another project, here's the code: https://github.com/zeek/zeek-agent/blob/master/components/zeekendpointsecurity/src/endpointsecurityconsumer.cpp
Never experienced the issue mentioned in the tweet, mostly because I always stick to RAII 🙂
I have to update the is_platform_binary handling there too 😐 really misleading from the framework to put such an unreliable field in there
s
sharvil
05/26/2020, 7:31 PMre: platform_binary, you can just report on
es_message->process->platform_binaryevent_exec->target->platform_binarya
alessandrogario
05/26/2020, 7:32 PMi would have to be called parent_is_platform_binary then
I'm not sure how useful it is though
the hash field is also annoying
I know that all these issues are just coming from kauth, but I wish they would have put more care into it
so you can get either a sha1 or a sha256 value
but either way it's always truncated at the length of the sha1
only way around that is to check on the file manually, but that's of course a race condition 😐
s
sharvil
05/26/2020, 7:40 PMyeah…
did you read the comments on
ESMessage.hIf page content has been
* tampered with in the executable, we won't know until that page is paged in. At that time, the
* process will have its CS_VALID bit removed and, if CS_KILL is set, the process will be killed,
* preventing any tampered code to be executed. CS_KILL is generally set for platform binaries and
* for binaries having opted into the hardened runtime. An ES client wishing to detect tampered
* code before it is paged in, for example already at exec time, can use the Security framework to
* do so, but should be cautious of the potentially significant performance cost of doing so. The
* EndpointSecurity subsystem itself has no role in verifying the validity of code signatures.a
alessandrogario
05/26/2020, 7:47 PMYes I did, it's pretty sad 😂