8.20.2020

Sinter - A User-Mode Application Authorization System For MacOS Written In Swift


Sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift.
Sinter uses the user-mode EndpointSecurity API to subscribe to and receive authorization callbacks from the macOS kernel, for a set of security-relevant event types. The current version of Sinter supports allowing/denying process executions; in future versions we intend to support other types of events such as file, socket, and kernel events.
Sinter is a work-in-progress. Feedback is welcome. If you are interested in contributing or sponsoring us to help achieve its potential, let's get in touch.

Features
  • Allow or deny process execution by code directory hash (aka "CD hash")
    • option to deny all unknown programs (any program that is not explicitly allowed)
    • option to deny all unsigned programs
    • option to deny all programs with invalid signatures
  • "monitor" mode to track and log (but allow) all process execution events
  • Accepts allow/deny rules from a Santa sync-server
  • Configure deny rules in JSON, provided locally or by a sync-server
  • Log to the local filesystem in a structured JSON format
Planned upcoming features:

Anti-Features
  • Does not use kernel extensions (which will be officially deprecated in macOS 11 Big Sur)
  • Does not support legacy macOS (10.14 or older)
  • Does not use any memory unsafe code
  • Limits third-party library dependencies
  • Not an anti-malware or anti-virus. No signature database. Denies only what you tell it to deny, using rules.

Background
The first open-source macOS solution for allowing/denying processes was Google Santa. We're fans of Santa, and have contributed to its codebase in the past. For a long time, however, many in the macOS community have asked for an open-source solution to track and manage more than just process events.
We saw the ideal platform to build such a capability with the EndpointSecurity API in macOS 10.15. Starting from the ground-up around a strictly user-mode API meant that we could attempt a simpler design, and use a modern programming language with safer memory handling and better performance. Thus, we set out to develop Sinter, short for "Sinter Klausen," another name for Santa Claus.

Getting Started
Download and install the latest version of Sinter using the pkg installer link from the Releases page.
After installing Sinter, you must enable the "Full Disk Access" permission for Sinter.app. Do this by opening System Preferences, Security, Privacy tab, Full Disk Access. Check the item for Sinter.app. If using MDM, you can automatically enable this permission on your endpoints, and no user interaction will be required.

Configuration
Sinter requires a configuration file to be present at /etc/sinter/config.json. An example is provided in the source tree at ./config/config.json:
  {
    "Sinter": {
      "decision_manager": "local",
      "logger": "filesystem",

      "allow_unsigned_programs": "true",
      "allow_invalid_programs": "true",
      "allow_unknown_programs": "true",
      "allow_expired_auth_requests": "true",
      "allow_misplaced_applications": "true",

      "config_update_interval": 600,

      "allowed_application_directories": [
        "/bin",
        "/usr/bin",
        "/usr/local/bin",
        "/Applications",
        "/System",
        "/usr/sbin",
        "/usr/libexec"
      ]
    },

    "FilesystemLogger": {
      "log_file_path": "/var/log/sinter.log"
    },

    "RemoteDecisionManager": {
      "server_url": "https://server_address:port",
      "machine_identifier": "identifier"
    },

    "LocalDecisionManager": {
      "rule_database_path": "/etc/sinter/rules.json"
    }
  }
The decision manager plugin can be selected by changing the decision_manager value. The local plugin will enable the LocalDecisionManager configuration section, pointing Sinter to use the local rule database present at the given path. It is possible to use a Santa-compatible sync-server, by using the sync-server plugin instead. This enables the RemoteDecisionManager configuration section, where the server URL and machine identifier can be set.
There are two logger plugins currently implemented:
  1. filesystem: Messages are written to a file, using the path specified at FilesystemLogger.log_file_path
  2. unifiedlogging: Logs are emitted through Unified Logging, using com.trailofbits.sinter as the subsystem.

Allowed application directories
It is possible to configure Sinter to log and optionally deny applications that have not been started from an allowed folder.
  • allow_misplaced_applications: If set to true, misplaced applications only generate a warning. If set to false, any execution that does not start from an allowed path is denied.
  • allowed_application_directories: If non-empty, this list is used to determine whether an application is placed in the wrong folder.

Enabling UI notifications
  1. Install the notification server (the PKG installer will do this automatically): sudo /Applications/Sinter.app/Contents/MacOS/Sinter --install-notification-server
  2. Start the agent: /Applications/Sinter.app/Contents/MacOS/Sinter --start-notification-server

Configuring Sinter in MONITOR mode
Modes are not implemented in Sinter, as everything is rule-based. It is possible to implement the monitoring functionality by tweaking the following settings:
  • allow_unsigned_programs: allow applications that are not signed
  • allow_invalid_programs: allow applications that fail the signature check
  • allow_unknown_programs: automatically allow applications that are not covered by the active rule database
  • allow_expired_auth_requests: the EndpointSecurity API requires Sinter to answer an authorization request within an unspecified time frame (typically less than a minute). Large applications, such as Xcode, take a considerable amount of time to verify. Those executions are denied by default, and the user is expected to try again once the application has been verified. Setting this option to true changes this behavior so that those requests are always allowed.
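To show how the allowed_application_directories check and the four allow_* settings above combine into a decision, here is an added Python sketch (not Sinter's own code). It assumes the string-valued booleans of the page's config.json, a constructed monitor profile and enforcing profile, and an evaluation order that is my own illustration rather than Sinter's documented one.

```python
import json
import os

# Constructed config fragments in the page's config.json format (booleans are
# strings there): the "monitor" profile built from the page's settings, and an
# enforcing profile that flips every allow_* flag to "false".
MONITOR_CONFIG = json.loads("""{"Sinter": {
  "allow_unsigned_programs": "true", "allow_invalid_programs": "true",
  "allow_unknown_programs": "true", "allow_expired_auth_requests": "true",
  "allow_misplaced_applications": "true",
  "allowed_application_directories": ["/bin", "/usr/bin", "/Applications"]}}""")
ENFORCE_CONFIG = json.loads(json.dumps(MONITOR_CONFIG).replace('"true"', '"false"'))

def flag(cfg, key):
    """Read one allow_* setting; Sinter's config stores them as "true"/"false"."""
    return cfg["Sinter"][key].strip().lower() == "true"

def is_misplaced(cfg, exe_path):
    """True when allowed_application_directories is non-empty and exe_path is
    not inside one of them. Matching is per path component, so /binx is not
    treated as a child of /bin."""
    dirs = cfg["Sinter"].get("allowed_application_directories", [])
    if not dirs:
        return False
    real = os.path.normpath(exe_path)
    return not any(real.startswith(os.path.normpath(d) + os.sep) for d in dirs)

def authorize(cfg, exe_path, signature, rule_policy, verify_expired=False):
    """Combine the flags into (decision, notes). signature is "valid",
    "unsigned" or "invalid"; rule_policy is "ALLOWLIST", "DENYLIST" or None
    (no rule). The check order here is an assumption for illustration,
    not Sinter's documented evaluation order."""
    notes = []
    if verify_expired:  # verification did not finish before the ES deadline
        notes.append("auth request expired")
        return ("ALLOW" if flag(cfg, "allow_expired_auth_requests") else "DENY"), notes
    if rule_policy == "DENYLIST":
        return "DENY", ["denylisted"]
    if signature == "unsigned" and not flag(cfg, "allow_unsigned_programs"):
        return "DENY", ["unsigned"]
    if signature == "invalid" and not flag(cfg, "allow_invalid_programs"):
        return "DENY", ["invalid signature"]
    if rule_policy is None and not flag(cfg, "allow_unknown_programs"):
        return "DENY", ["unknown program"]
    if is_misplaced(cfg, exe_path):
        notes.append(f"misplaced: {exe_path}")
        if not flag(cfg, "allow_misplaced_applications"):
            return "DENY", notes
    return "ALLOW", notes
```

With the monitor profile every execution is allowed and the notes are what would be logged; the enforcing profile turns each note into a denial.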

Rule format
Rule databases are written in JSON format. Here's an example database that allows the CMake application bundle from cmake.org:
  {
    "rules": [
      {
        "rule_type": "BINARY",
        "policy": "ALLOWLIST",
        "sha256": "BDD0AF132D89EA4810566B3E1E0D1E48BAC6CF18D0C787054BB62A4938683039",
        "custom_msg": "CMake"
      }
    ]
  }
Sinter only supports BINARY rules for now, using either ALLOWLIST or DENYLIST policies. The code directory hash value can be taken from the codesign tool output (example: codesign -dvvv /Applications/CMake.app). Note that even though the CLI tools can acquire the full SHA256 hash, the Kernel/EndpointSecurity API is limited to the first 20 bytes.
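The 20-byte truncation is the detail that bites when writing rules by hand, so here is an added Python example (not part of Sinter) that loads the rule database above, reads the CDHash= line from codesign output, and compares the two on their 20-byte prefix. The codesign output embedded below is constructed for the example, not captured from a real machine.

```python
import json
import re

# The rule database from the page (the CMake ALLOWLIST rule).
RULES_JSON = """{"rules": [{
  "rule_type": "BINARY", "policy": "ALLOWLIST",
  "sha256": "BDD0AF132D89EA4810566B3E1E0D1E48BAC6CF18D0C787054BB62A4938683039",
  "custom_msg": "CMake"}]}"""

# Constructed stand-in for `codesign -dvvv` output (not captured from a real
# machine): codesign prints the CD hash as a 20-byte truncated digest on the
# CDHash= line, which is also all that EndpointSecurity hands the agent.
CODESIGN_OUTPUT = """\
Executable=/Applications/CMake.app/Contents/MacOS/CMake
Identifier=org.cmake.cmake
CDHash=bdd0af132d89ea4810566b3e1e0d1e48bac6cf18
"""

CDHASH_BYTES = 20  # the API is limited to the first 20 bytes of the SHA-256

def normalize(hexhash):
    """Lower-case a 20- or 32-byte hex digest and keep the 20-byte prefix, so a
    full SHA-256 written into a rule compares equal to what ES reports."""
    h = hexhash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", h):
        raise ValueError(f"not a 20- or 32-byte hex digest: {hexhash!r}")
    return h[: CDHASH_BYTES * 2]

def load_rules(text):
    """Parse a rule database into {cdhash_prefix: policy}, rejecting the
    rule types and policies the page says Sinter does not support."""
    table = {}
    for rule in json.loads(text)["rules"]:
        if rule["rule_type"] != "BINARY":
            raise ValueError(f"unsupported rule_type {rule['rule_type']!r}")
        if rule["policy"] not in ("ALLOWLIST", "DENYLIST"):
            raise ValueError(f"unsupported policy {rule['policy']!r}")
        key = normalize(rule["sha256"])
        if key in table and table[key] != rule["policy"]:
            raise ValueError(f"conflicting rules for {key}")
        table[key] = rule["policy"]
    return table

def cdhash_from_codesign(output):
    """Pull the CDHash= value out of codesign's -dvvv output."""
    m = re.search(r"^CDHash=([0-9A-Fa-f]+)$", output, re.MULTILINE)
    if not m:
        raise ValueError("no CDHash= line in codesign output")
    return normalize(m.group(1))

def lookup(rules, cdhash):
    """Policy for a reported CD hash: "ALLOWLIST", "DENYLIST" or None (unknown)."""
    return rules.get(normalize(cdhash))
```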

Building from Source
Building Sinter requires certain code-signing certificates and entitlements that Apple must grant your organization. However, Sinter can still be built from source and run locally on a test system with SIP disabled. For instructions, see the Sinter wiki.




via KitPloit