GITBOOK-4107: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-10-02 17:20:33 +00:00 committed by gitbook-bot
parent af6d74b742
commit cda07dd813
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 114 additions and 18 deletions

Binary file added (image, 52 KiB)

Binary file added (image, 49 KiB)

@ -20,15 +20,6 @@ The key mechanism of Gatekeeper lies in its **verification** process. It checks
Additionally, Gatekeeper reinforces user control and security by **prompting users to approve the opening** of downloaded software for the first time. This safeguard helps prevent users from inadvertently running potentially harmful executable code that they may have mistaken for a harmless data file.
```bash
# Check the status
spctl --status
# Enable Gatekeeper
sudo spctl --master-enable
# Disable Gatekeeper
sudo spctl --master-disable
```
### Application Signatures
Application signatures, also known as code signatures, are a critical component of Apple's security infrastructure. They're used to **verify the identity of the software author** (the developer) and to ensure that the code hasn't been tampered with since it was last signed.
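Review bot: removing the `spctl --status` / `--master-enable` / `--master-disable` block here leaves the Gatekeeper intro with no command at all, while the same three commands are re-added verbatim further down under "Enumerating GateKeeper" (`spctl --status`, `spctl --master-enable`, `spctl --master-disable`). Deduplicating is fine, but the paragraph that remains ("prompting users to approve the opening of downloaded software") would read better with a one-line pointer to the enumeration section so readers who stop at the intro still know where the status check lives.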
@ -72,7 +63,97 @@ If the software **passes** this inspection without raising any concerns, the Not
Upon the user's first installation or execution of the software, the existence of the notarization ticket - whether stapled to the executable or found online - **informs Gatekeeper that the software has been notarized by Apple**. As a result, Gatekeeper displays a descriptive message in the initial launch dialog, indicating that the software has undergone checks for malicious content by Apple. This process thereby enhances user confidence in the security of the software they install or run on their systems.
### Quarentine Files
### Enumerating GateKeeper
GateKeeper is both, **several security components** that prevent untrusted apps from being executed and also **one of the components**.
It's possible to see the **status** of GateKeeper with:
```bash
# Check the status
spctl --status
```
{% hint style="danger" %}
Note that GateKeeper signature checks are performed only to **files with the Quarantine attribute**, not to every file.
{% endhint %}
GateKeeper will check if according to the **preferences & the signature** a binary can be executed:
<figure><img src="../../../.gitbook/assets/image (678).png" alt=""><figcaption></figcaption></figure>
The database that keeps this configuration ins located in **`/var/db/SystemPolicy`**. You can check this database as root with:
```bash
# Open database
sqlite3 /var/db/SystemPolicy
# Get allowed rules
SELECT requirement,allow,disabled,label from authority where label != 'GKE' and disabled=0;
requirement|allow|disabled|label
anchor apple generic and certificate 1[subject.CN] = "Apple Software Update Certification Authority"|1|0|Apple Installer
anchor apple|1|0|Apple System
anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists|1|0|Mac App Store
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and notarized|1|0|Notarized Developer ID
[...]
```
Note how the first rule ended in "**App Store**" and the second one in "**Developer ID**" and that in the previous imaged it was **enabled to execute apps from the App Store and identified developers**.\
If you **modify** that setting to App Store, the "**Notarized Developer ID" rules will disappear**.
There are also thousands of rules of **type GKE**:
```bash
SELECT requirement,allow,disabled,label from authority where label = 'GKE' limit 5;
cdhash H"b40281d347dc574ae0850682f0fd1173aa2d0a39"|1|0|GKE
cdhash H"5fd63f5342ac0c7c0774ebcbecaf8787367c480f"|1|0|GKE
cdhash H"4317047eefac8125ce4d44cab0eb7b1dff29d19a"|1|0|GKE
cdhash H"0a71962e7a32f0c2b41ddb1fb8403f3420e1d861"|1|0|GKE
cdhash H"8d0d90ff23c3071211646c4c9c607cdb601cb18f"|1|0|GKE
```
These are hashes that come from **`/var/db/SystemPolicyConfiguration/gke.bundle/Contents/Resources/gke.auth`, `/var/db/gke.bundle/Contents/Resources/gk.db`** and **`/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db`**
The options **`--master-disable`** and **`--global-disable`** of **`spctl`** will completely **disable** these signature checks:
```bash
# Disable GateKeeper
spctl --global-disable
spctl --master-disable
# Enable it
spctl --global-enable
spctl --master-enable
```
When completely enabled, a new option will appead:
<figure><img src="../../../.gitbook/assets/image (679).png" alt=""><figcaption></figcaption></figure>
It's possible to **check if an App will be allowed by GateKeeper** with:
```bash
spctl --assess -v /Applications/App.app
```
It's possible to add new rules in GateKeeper to allow the execution of certain apps with:
```bash
# Check if allowed - nop
spctl --assess -v /Applications/App.app
/Applications/App.app: rejected
source=no usable signature
# Add a label and allow this label in GateKeeper
sudo spctl --add --label "whitelist" /Applications/App.app
sudo spctl --enable --label "whitelist"
# Check again - yep
spctl --assess -v /Applications/App.app
/Applications/App.app: accepted
```
### Quarantine Files
Upon **downloading** an application or file, specific macOS **applications** such as web browsers or email clients **attach an extended file attribute**, commonly known as the "**quarantine flag**," to the downloaded file. This attribute acts as a security measure to **mark the file** as coming from an untrusted source (the internet), and potentially carrying risks. However, not all applications attach this attribute, for instance, common BitTorrent client software usually bypasses this process.
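Review bot: the sentence "Note how the first rule ended in App Store and the second one in Developer ID" does not match the query output above it, whose first two rows are labelled "Apple Installer" and "Apple System"; the rows meant are the third ("Mac App Store") and fourth ("Notarized Developer ID"), so say "third and fourth" or reorder the output. Second, "When completely enabled, a new option will appead" is inverted: the extra option in the settings pane appears after `spctl --master-disable` / `--global-disable`, i.e. when Gatekeeper is disabled, so this should read "When completely disabled, a new option will appear". Third, the opening sentence "GateKeeper is both, several security components ... and also one of the components" is hard to parse; suggest "Gatekeeper names both the set of security components that block untrusted apps and one specific component within that set". Minor typos in the same hunk: "imaged" (image), "appead" (appear), "ins located" (is located), and the stray "### Quarentine Files" heading left above "### Enumerating GateKeeper" should be dropped now that a correctly spelled "### Quarantine Files" heading is added at the end of the hunk.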
@ -87,9 +168,9 @@ Therefore, these checks are **only run when executing apps with the quarantined
{% endhint %}
{% hint style="warning" %}
**Note that Safari and other web browsers and applications are the ones that need to mark the downloaded files**
This attribute must be **set by the application creating/downloading** the file.
Moreover, **files created by sandboxed processes** are also appended this attribute to prevent sandbox escaped.
However, files that are sandboxed will have this attribute set to every file they create. And non sandboxed apps can set it theirselves, or specify the [**LSFileQuarantineEnabled**](https://developer.apple.com/documentation/bundleresources/information\_property\_list/lsfilequarantineenabled?language=objc) key in the **Info.plist** which will make the system set the `com.apple.quarantine` extended attribute on the files created,
{% endhint %}
It's possible to **check it's status and enable/disable** (root required) with:
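Review bot: the new sentence in the warning box ends with a comma instead of a period and contains "theirselves" (themselves); it also restates the line kept just above it ("files created by sandboxed processes are also appended this attribute", which itself has "sandbox escaped" for "sandbox escapes"), so the two lines would be better merged into one: sandboxed apps get `com.apple.quarantine` on every file they create, non-sandboxed apps either set it themselves or opt in via `LSFileQuarantineEnabled` in Info.plist. Also "check it's status" in the trailing context line should be "check its status", since that line is being touched anyway.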
@ -111,7 +192,7 @@ com.apple.macl
com.apple.quarantine
```
Check the **value** of the **extended** **attributes** with:
Check the **value** of the **extended** **attributes** and find out the app that wrote the quarantine attr with:
```bash
xattr -l portada.png
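Review bot: "quarantine attr" in the rewritten sentence should be spelled out as "quarantine attribute" to match the rest of the section, and the sentence promises to show which app wrote the attribute but does not say where that information is; note that it is the third semicolon-separated field of `com.apple.quarantine` in the `xattr -l` output that follows.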
@ -122,7 +203,11 @@ com.apple.macl:
00000030 D0 DB 89 53 C3 FC 00 00 00 00 00 00 00 00 00 00 |...S............|
00000040 00 00 00 00 00 00 00 00 |........|
00000048
com.apple.quarantine: 0081;607842eb;Brave;F643CD5F-6071-46AB-83AB-390BA944DEC5
com.apple.quarantine: 00C1;607842eb;Brave;F643CD5F-6071-46AB-83AB-390BA944DEC5
# 00c1 -- It has been allowed to eexcute this file
# 607842eb -- Timestamp
# Brave -- App
# F643CD5F-6071-46AB-83AB-390BA944DEC5 -- UID assigned to the file downloaded
```
And **remove** that attribute with:
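Review bot: the example value changes from `0081` to `00C1` and the new comment says `00c1` means the file "has been allowed to eexcute" (typo: execute), but it never says what changed; the difference between `0x0081` and `0x00C1` is the `0x40` bit, so state that this bit is the one set on approval, otherwise the reader cannot tell which flag matters. Also the fourth field is a UUID, not a "UID"; it is the identifier that keys the per-user quarantine record, so calling it "UUID of the quarantine event" would also tie it to the `QuarantineEventsV2` database this same change introduces later. Keep the hex case consistent between the value (`00C1`) and the comment (`00c1`).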
@ -141,15 +226,15 @@ find / -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; pri
```
{% endcode %}
## XProtect
Quarantine information is also stored in a central database managed by LaunchServices in **`~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`**.
XProtect is a built-in **anti-malware** feature in macOS. It is part of Apple's security system that works silently in the background to keep your Mac safe from known malware and malicious plug-ins.
### XProtect
XProtect functions by **checking any downloaded files against its database** of known malware and unsafe file types. When you download a file through certain apps, such as Safari, Mail, or Messages, XProtect automatically scans the file. If it matches any known malware in its database, XProtect will **prevent the file from running** and alert you to the threat.
XProtect is a built-in **anti-malware** feature in macOS. XProtect **checks any application when it's first launched or modified against its database** of known malware and unsafe file types. When you download a file through certain apps, such as Safari, Mail, or Messages, XProtect automatically scans the file. If it matches any known malware in its database, XProtect will **prevent the file from running** and alert you to the threat.
The XProtect database is **updated regularly** by Apple with new malware definitions, and these updates are automatically downloaded and installed on your Mac. This ensures that XProtect is always up-to-date with the latest known threats.
However, it's worth noting that **XProtect isn't a full-featured antivirus solution**. It only checks for a specific list of known threats and doesn't perform on-access scanning like most antivirus software. Therefore, while XProtect provides a layer of protection against known malware, it's still recommended to exercise caution when downloading files from the internet or opening email attachments.
However, it's worth noting that **XProtect isn't a full-featured antivirus solution**. It only checks for a specific list of known threats and doesn't perform on-access scanning like most antivirus software.
You can get information about the latest XProtect update running:
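Review bot: the XProtect heading is demoted from `##` to `###` here while "## MRT - Malware Removal Tool" below is left at `##`, so XProtect becomes a subsection of the Gatekeeper section and MRT stays a top-level section; either demote both or neither, since the "XProtect vs MRT" comparison later assumes they are peers. The added sentence about `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2` is placed directly before the XProtect heading, after the `{% endcode %}` that closes the quarantine-file search; it belongs with the Quarantine Files section above (next to the `xattr -l` output whose UUID field keys that database), not as the last line before an unrelated heading. In the rewritten XProtect paragraph, "checks any application when it's first launched or modified" and the retained "When you download a file through certain apps ... XProtect automatically scans the file" describe two different triggers; pick one or say explicitly that both apply.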
@ -159,6 +244,15 @@ system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistC
```
{% endcode %}
XProtect is located on. SIP protected location at **/Library/Apple/System/Library/CoreServices/XProtect.bundle** and inside the bundle you can find information XProtect uses:
* **`XProtect.bundle/Contents/Resources/LegacyEntitlementAllowlist.plist`**: Allows code with those cdhashes to use legacy entitlements.
* **`XProtect.bundle/Contents/Resources/XProtect.meta.plist`**: List of plugins and extensions that are disallowed to load via BundleID and TeamID or indicating a minimum version.
* **`XProtect.bundle/Contents/Resources/XProtect.yara`**: Yara rules to detect malware.
* **`XProtect.bundle/Contents/Resources/gk.db`**: SQLite3 database with hashes of blocked applications and TeamIDs.
Note that there is another App in **`/Library/Apple/System/Library/CoreServices/XProtect.app`** related to XProtect that isn't involved when an app is run.
## MRT - Malware Removal Tool
The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
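Review bot: "XProtect is located on. SIP protected location at ..." should read "XProtect lives in a SIP-protected location at ...", and "you can find information XProtect uses" needs "the information". The closing line says `XProtect.app` "isn't involved when an app is run" without saying what it does instead; it is the XProtect Remediator bundle that runs scheduled background scans, so one clause to that effect would explain why it is listed here at all. In the bullet for `gk.db`, "hashes of blocked applications and TeamIDs" is ambiguous; clarify whether the TeamIDs are blocked too or are a separate column.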
@ -170,6 +264,8 @@ While both XProtect and MRT are part of macOS's security measures, they perform
* **XProtect** is a preventative tool. It **checks files as they're downloaded** (via certain applications), and if it detects any known types of malware, it **prevents the file from opening**, thereby preventing the malware from infecting your system in the first place.
* **MRT**, on the other hand, is a **reactive tool**. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system.
The MRT application is located in **`/Library/Apple/System/Library/CoreServices/MRT.app`**
## Processes Limitants
### SIP - System Integrity Protection
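Review bot: the unchanged context bullet "**XProtect** is a preventative tool. It **checks files as they're downloaded**" now contradicts the rewritten XProtect paragraph earlier in this same change, which says it checks applications when first launched or modified; update this bullet in the same commit so the comparison with MRT matches the description above. The added `MRT.app` path line is fine, but it would be consistent with the XProtect section to also mention that it sits under the same SIP-protected `/Library/Apple/System/Library/CoreServices/` directory.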