Title
#kolide
m

Martin Langhoff

12/17/2020, 5:54 PM
How are rules like “*Plain-text Github 2FA Recovery Codes Detected”* implemented? • it’s misfiring for my laptop, I have encrypted the file, but it still complains • we might want to add custom rules of our own, is there a workflow for that?
terracatta

terracatta

12/17/2020, 5:57 PM
Hi Martin, can you tell me how you encrypted the file?
m

Martin Langhoff

12/17/2020, 6:01 PM
I used sshenc, which uses ssh keys to do something similar to what gpg would do.
6:03 PM
the result is an ASCII file with contents like:
-- encrypted with <https://sshenc.sh/>
-- keys
-- key
Base64 encoded data
terracatta

terracatta

12/17/2020, 6:13 PM
We detect the github codes based on extended file attributes that are likely not impacted by your encryption process.
m

Martin Langhoff

12/17/2020, 6:15 PM
I def made a new file… the process is a bit like
openssl --flags flags < file > file.encrypted
terracatta

terracatta

12/17/2020, 6:15 PM
it's likely it copied the file and its extended attributes
6:16 PM
let me see if I can find the command line for showing that
6:16 PM
and show you how to remove those attributes
6:16 PM
so that the file no longer alerts
6:18 PM
xattr -l <filename>
6:19 PM
in your case you want to remove any extended attributes named
com.apple.metadata:kMDItemWhereFroms
6:20 PM
which can be done with
xattr -d metadata:kMDItemWhereFroms <file>
m

Martin Langhoff

12/17/2020, 6:33 PM
the file has no xattrs
terracatta

terracatta

12/17/2020, 6:37 PM
hmmm
6:38 PM
ok well I would rename it slightly, the recheck will pass, and then it shouldn't be redetected
6:38 PM
or you can just ignore the failure as well
m

Martin Langhoff

12/17/2020, 7:12 PM
yeah, I can ignore it. but I’m also learning about the system 🙂
7:13 PM
are the actual rules visible by admin? editable by admin?
terracatta

terracatta

12/17/2020, 8:03 PM
Hi Martin, the rules are not all visible but you can kind of infer them from look at a device's osquery config by clicking into a device, choosing actions, and then choosing "View Osquery Config..." you can sometimes reference a check ID
m

Martin Langhoff

12/17/2020, 8:06 PM
thank you