
santa daemon should have a mechanism to prevent being killed by users with root privileges. #1235

Open
izzh opened this issue Nov 15, 2023 · 1 comment

Comments


izzh commented Nov 15, 2023

If I have root privileges, I can bypass the allowlist mechanism by repeatedly killing santa daemon in a loop.

```bash
#!/bin/bash

# Loop forever, sending SIGKILL to the santa daemon every half second.
while true; do
    ps aux | grep com.google.santa.daemon | grep -v grep | awk '{print $2}' | xargs kill -9
    if [ $? -eq 0 ]; then
        echo "kill santa daemon"
    fi
    sleep 0.5
done
```

### Before running the kill script

```
santa@macos-13 Desktop % ./process_not_in_allowlist
Santa

This application has been blocked from executing.

Path:       /Users/santa/Desktop/process_not_in_allowlist
Identifier: 0b742eae49b08af3858f17e95aa80afa82a18a178a671fc23256f12d58286894
Parent:     zsh (2021)

More info:
https://santa/blockables/E6C3C62D-8A40-5B56-99CA-191EACBCE8FD/0b742eae49b08af3858f17e95aa80afa82a18a178a671fc23256f12d58286894
```

### After running the kill script

```
santa@macos-13 Desktop % ./process_not_in_allowlist
malicious
^C
santa@macos-13 Desktop % ./process_not_in_allowlist
malicious
^C
santa@macos-13 Desktop % ./process_not_in_allowlist
malicious
^C
santa@macos-13 Desktop % 
```

I have observed other security software that cannot be killed even if I have root privileges.

```
santa@macos-13 Desktop % ps aux |grep falcon
root               375   5.5  0.7 36057876 228704   ??  Rs   Mon04PM 124:01.29 /Library/SystemExtensions/EA9DEA93-1AAA-4A86-9DC4-9CA95609D798/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent
santa@macos-13 Desktop % sudo kill -9 375
Password:
kill: 375: Operation not permitted
santa@macos-13 Desktop ~ % 
```

Is it possible to implement a feature to control whether santa daemon can be killed through a configuration field? thanks~

Member

mlw commented Nov 15, 2023

Santa currently has some basic tamper resistance features, but we should expand upon these, including better signal handling. It is something we'd like to get to eventually.

While handling signals is definitely doable, it does have some tricky edge cases that need to be cleanly handled. The kill command mentioned is one way but there are other, more complicated scenarios. launchctl kill/launchctl kickstart are other ways to send signals and these get sent via launchd. Properly discerning this from valid things like system shutdown or system extension (e.g. Santa) upgrade takes some effort.

It's worth noting the more something is locked down, the more difficult it is for field support and unblocking users in weird states. As suggested, gating the level of headache an admin wants to enjoy behind config options could be one way to better stomach stronger tamper resistance mechanisms.
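The signal-handling problem mlw describes, as an added example that is not Santa's own code: a daemon installs an `SA_SIGINFO` handler so that each catchable termination signal records the sender's pid and uid from `siginfo_t`, and a classifier separates launchd (pid 1, which is where `launchctl kill`/`launchctl kickstart` and shutdown originate) from any other process. It only records; the policy decision (log it as tampering, ignore it, or exit cleanly) is left to the daemon's main loop, and it does nothing for SIGKILL, which cannot be caught and needs OS-level protection such as the system-extension behaviour the reporter observed.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <unistd.h>

/* Who sent the termination signal, as seen from the daemon's handler. */
typedef enum {
    SENDER_KERNEL_OR_SELF = 0, /* si_pid 0 (kernel-originated) or our own pid */
    SENDER_LAUNCHD = 1,        /* pid 1: launchctl kill/kickstart, system shutdown */
    SENDER_OTHER = 2           /* any other process: worth logging as a tamper signal */
} sender_class_t;

/* Only sig_atomic_t is safe to write from a handler; pid and uid fit in it here. */
static volatile sig_atomic_t g_last_signo = 0;
static volatile sig_atomic_t g_last_sender_pid = -1;
static volatile sig_atomic_t g_last_sender_uid = -1;

sender_class_t classify_sender(pid_t sender_pid, pid_t self_pid) {
    if (sender_pid == 0 || sender_pid == self_pid) return SENDER_KERNEL_OR_SELF;
    if (sender_pid == 1) return SENDER_LAUNCHD;
    return SENDER_OTHER;
}

/* Records who sent the signal; decisions (log, ignore, exit) belong outside the handler. */
static void record_sender(int signo, siginfo_t *info, void *ctx) {
    (void)ctx;
    g_last_signo = signo;
    g_last_sender_pid = info ? (sig_atomic_t)info->si_pid : -1;
    g_last_sender_uid = info ? (sig_atomic_t)info->si_uid : -1;
}

/* Installs the SA_SIGINFO handler for the catchable termination signals.
   SIGKILL (kill -9) cannot be caught; that case needs OS-level protection. */
int install_sender_recording_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = record_sender;
    sa.sa_flags = SA_SIGINFO | SA_RESTART;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTERM, &sa, NULL) != 0) return -1;
    if (sigaction(SIGINT, &sa, NULL) != 0) return -1;
    return 0;
}

int last_signo(void) { return (int)g_last_signo; }
pid_t last_sender_pid(void) { return (pid_t)g_last_sender_pid; }
uid_t last_sender_uid(void) { return (uid_t)g_last_sender_uid; }
sender_class_t last_sender_class(void) { return classify_sender(last_sender_pid(), getpid()); }
```

A SIGTERM sent with `kill` from a shell records that shell's pid and classifies as `SENDER_OTHER`, while one routed through launchd is expected to arrive with `si_pid` 1.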
