<@U1EUNPP63> <@U6EFFT5FG>
> 1. Whether the Endp...
# cores
sharvil
05/26/2020, 6:59 PM@groob @alessandrogario
1. Whether the EndpointSecurity Client must be a system extension?
My understanding is that EndpointSecurity require that clients run as root and have the entitlement, meaning there’s no specific requirement that the client be a system extension. This is in contrast to other subsystems, like system-wide NetworkExtensions, which must be packaged as system extensions.
❤️ 1
🆒 1
a
alessandrogario
05/26/2020, 7:22 PM
I'm running it the same way in another project, here's the code: https://github.com/zeek/zeek-agent/blob/master/components/zeekendpointsecurity/src/endpointsecurityconsumer.cpp
alessandrogario
05/26/2020, 7:23 PM
Never experienced the issue mentioned in the tweet, mostly because I always stick to RAII 🙂
alessandrogario
05/26/2020, 7:24 PM
I have to update the is_platform_binary handling there too 😐 really misleading from the framework to put such an unreliable field in there
s
sharvil
05/26/2020, 7:31 PMre: platform_binary, you can just report on
es_message->process->platform_binaryevent_exec->target->platform_binarya
alessandrogario
05/26/2020, 7:32 PM
i would have to be called parent_is_platform_binary then
alessandrogario
05/26/2020, 7:32 PM
I'm not sure how useful it is though
alessandrogario
05/26/2020, 7:33 PM
the hash field is also annoying
alessandrogario
05/26/2020, 7:33 PM
I know that all these issues are just coming from kauth, but I wish they would have put more care into it
alessandrogario
05/26/2020, 7:34 PM
so you can get either a sha1 or a sha256 value
alessandrogario
05/26/2020, 7:34 PM
but either way it's always truncated at the length of the sha1
alessandrogario
05/26/2020, 7:34 PM
only way around that is to check on the file manually, but that's of course a race condition 😐
s
sharvil
05/26/2020, 7:40 PMyeah…
sharvil
05/26/2020, 7:40 PMdid you read the comments on
ESMessage.hsharvil
05/26/2020, 7:41 PM Copy code
If page content has been
* tampered with in the executable, we won't know until that page is paged in. At that time, the
* process will have its CS_VALID bit removed and, if CS_KILL is set, the process will be killed,
* preventing any tampered code to be executed. CS_KILL is generally set for platform binaries and
* for binaries having opted into the hardened runtime. An ES client wishing to detect tampered
* code before it is paged in, for example already at exec time, can use the Security framework to
* do so, but should be cautious of the potentially significant performance cost of doing so. The
* EndpointSecurity subsystem itself has no role in verifying the validity of code signatures.a
alessandrogario
05/26/2020, 7:47 PM
Yes I did, it's pretty sad 😂
3 Views