2025-01-19 Update From: SLTechnology News&Howtos > Development
Shulou (Shulou.com) 06/02 Report
This article introduces the Sinter tool: what it is, what it does, and how to install it, configure it and write rules for it.
Sinter
Sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above. It is written in Swift and uses the user-mode EndpointSecurity API to subscribe to and receive authorization callbacks from the macOS kernel for security-relevant event types. The current version of Sinter supports allowing or denying process execution; future releases are intended to support other event types such as file operations, sockets and kernel events.
Features
Allow or deny process execution by code directory hash
Monitor mode that tracks and logs all process execution events
Deny all unknown programs
Deny all unsigned programs
Deny all programs with invalid signatures
Accept allow/deny rules from a Santa sync server
Rules in JSON format, loaded from a local rule database or from the sync server
Structured JSON logging to the local filesystem
Other properties
Does not use a kernel extension
Does not support legacy macOS versions (10.14 and earlier)
Contains no memory-unsafe code
Minimal third-party library dependencies
Not an anti-malware or anti-virus product; contains no signature database
Uses only rules to block processes or programs that you do not want to execute
Download and installation
The latest version of Sinter can be downloaded and installed with the pkg installer provided on the project's Releases page.
After installation, Sinter.app must be granted Full Disk Access: open System Preferences > Security & Privacy > Privacy > Full Disk Access and add Sinter.app. On a machine enrolled in MDM, this permission can be granted automatically without any user interaction.
Configuration
Sinter reads its configuration from /etc/sinter/config.json. A sample configuration file:
    {
      "Sinter": {
        "decision_manager": "local",
        "logger": "filesystem",
        "allow_unsigned_programs": "true",
        "allow_invalid_programs": "true",
        "allow_unknown_programs": "true",
        "allow_expired_auth_requests": "true",
        "allow_misplaced_applications": "true",
        "config_update_interval": 600,
        "allowed_application_directories": [
          "/bin",
          "/usr/bin",
          "/usr/local/bin",
          "/Applications",
          "/System",
          "/usr/sbin",
          "/usr/libexec"
        ]
      },
      "FilesystemLogger": {
        "log_file_path": "/var/log/sinter.log"
      },
      "RemoteDecisionManager": {
        "server_url": "https://server_address:port",
        "machine_identifier": "identifier"
      },
      "LocalDecisionManager": {
        "rule_database_path": "/etc/sinter/rules.json"
      }
    }
Enable UI notifications
1. Install the notification server (the PKG installer does this automatically):
    sudo /Applications/Sinter.app/Contents/MacOS/Sinter --install-notification-server
2. Start the notification server:
    /Applications/Sinter.app/Contents/MacOS/Sinter --start-notification-server
Rule format
The rule database is written in JSON. The sample database below allows the CMake application bundle from cmake.org to run:
    {
      "rules": [
        {
          "rule_type": "BINARY",
          "policy": "ALLOWLIST",
          "sha256": "BDD0AF132D89EA4810566B3E1E0D1E48BAC6CF18D0C787054BB62A4938683039",
          "custom_msg": "CMake"
        }
      ]
    }
Sinter currently supports only BINARY rules, with either an ALLOWLIST or a DENYLIST policy. The sha256 value is the code directory hash, which can be read from the output of the codesign tool, for example codesign -dvvv /Applications/CMake.app. Note that although the command-line tool can print the full SHA-256 hash, the kernel/EndpointSecurity API only provides the first 20 bytes of it.
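The following script is an added example (it is not part of Sinter or of the original article) that ties the rule format and the configuration section together: it parses codesign -dvvv output into a BINARY rule for rules.json, checks that the 20-byte CDHash the kernel reports is a prefix of the full SHA-256 hash, and derives a hardened variant of the sample config.json in which unsigned, invalidly signed and unknown programs are denied. The codesign output is constructed for illustration: the line names follow what codesign prints on macOS 10.15 and later, the hash is the value from the rule example above, and the "false" setting for the allow_* flags is an assumption mirroring the "true" the sample uses.

```python
"""Added example, not part of Sinter or the original article: turn
`codesign -dvvv` output into a Sinter BINARY rule, check the 20-byte
truncation noted above, and harden the sample config.json."""
import copy
import json
import re

# Constructed sample of `codesign -dvvv /Applications/CMake.app` output.
# Line names follow what codesign prints on macOS 10.15+; the hash is the
# value from the article's rule example, the other lines are illustrative.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/CMake.app/Contents/MacOS/CMake
Identifier=org.cmake.cmake
Hash type=sha256 size=32
CandidateCDHash sha256=bdd0af132d89ea4810566b3e1e0d1e48bac6cf18
CandidateCDHashFull sha256=bdd0af132d89ea4810566b3e1e0d1e48bac6cf18d0c787054bb62a4938683039
CDHash=bdd0af132d89ea4810566b3e1e0d1e48bac6cf18
"""

HEX64 = re.compile(r"^[0-9A-F]{64}$")
ES_CDHASH_BYTES = 20  # EndpointSecurity reports only this many bytes of the hash


def parse_codesign(output: str) -> dict:
    """Return identifier, full SHA-256 code directory hash and truncated CDHash."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if key == "Identifier":
            info["identifier"] = value
        elif key == "CandidateCDHashFull sha256":
            info["cdhash_full"] = value.upper()
        elif key == "CDHash":
            info["cdhash"] = value.upper()
    if "cdhash_full" not in info:
        raise ValueError("no sha256 CandidateCDHashFull line in codesign output")
    # Rules carry the full hash, but the kernel only hands Sinter the first
    # 20 bytes (40 hex chars); check that the truncated CDHash is that prefix.
    prefix = info["cdhash_full"][: ES_CDHASH_BYTES * 2]
    if "cdhash" in info and info["cdhash"] != prefix:
        raise ValueError("CDHash is not a prefix of CandidateCDHashFull")
    info["cdhash_es"] = prefix
    return info


def make_rule(cdhash_full: str, policy: str, custom_msg: str) -> dict:
    """Build one rule in the rules.json layout; Sinter only supports BINARY rules."""
    if policy not in ("ALLOWLIST", "DENYLIST"):
        raise ValueError(f"unsupported policy: {policy}")
    if not HEX64.match(cdhash_full):
        raise ValueError("sha256 must be the full 64-hex-character hash")
    return {"rule_type": "BINARY", "policy": policy,
            "sha256": cdhash_full, "custom_msg": custom_msg}


def build_rule_database(rules: list) -> str:
    """Serialise rules as the {"rules": [...]} document Sinter reads."""
    return json.dumps({"rules": rules}, indent=2)


# The sample /etc/sinter/config.json from the article, as a Python dict.
SAMPLE_CONFIG = {
    "Sinter": {
        "decision_manager": "local",
        "logger": "filesystem",
        "allow_unsigned_programs": "true",
        "allow_invalid_programs": "true",
        "allow_unknown_programs": "true",
        "allow_expired_auth_requests": "true",
        "allow_misplaced_applications": "true",
        "config_update_interval": 600,
        "allowed_application_directories": [
            "/bin", "/usr/bin", "/usr/local/bin", "/Applications",
            "/System", "/usr/sbin", "/usr/libexec"],
    },
    "FilesystemLogger": {"log_file_path": "/var/log/sinter.log"},
    "LocalDecisionManager": {"rule_database_path": "/etc/sinter/rules.json"},
}

# With these three set to "true" the sample config lets unsigned, invalidly
# signed and unknown programs run, i.e. it only observes.
PERMISSIVE_FLAGS = ("allow_unsigned_programs", "allow_invalid_programs",
                    "allow_unknown_programs")


def permissive_flags(cfg: dict) -> list:
    """Names of the allow_* flags still set to "true"."""
    return [f for f in PERMISSIVE_FLAGS if cfg["Sinter"].get(f) == "true"]


def harden_config(cfg: dict) -> dict:
    """Copy of cfg with unsigned/invalid/unknown programs denied.
    Assumption: the flags accept the string "false", mirroring the string
    "true" the sample uses; the article only shows the permissive setting."""
    hardened = copy.deepcopy(cfg)
    for flag in PERMISSIVE_FLAGS:
        hardened["Sinter"][flag] = "false"
    return hardened


if __name__ == "__main__":
    info = parse_codesign(SAMPLE_CODESIGN_OUTPUT)
    print(build_rule_database([make_rule(info["cdhash_full"], "ALLOWLIST", "CMake")]))
    print("kernel sees only:", info["cdhash_es"])
    print("still permissive after hardening:", permissive_flags(harden_config(SAMPLE_CONFIG)))
```

To use it against a real binary, feed the output of codesign -dvvv into parse_codesign; codesign writes its display output to stderr, so redirect with 2>&1 when piping. Write the hardened config back to /etc/sinter/config.json only after confirming that every program you rely on has an ALLOWLIST rule, otherwise the deny settings will block it.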