-- macOS application layer firewall (ALF) service exceptions.
--
-- false positives:
-- * locally built software
--
-- tags: persistent state filesystem
-- platform: darwin
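-- One row per ALF exception, joined to the on-disk file it points at so the
-- owner, hash and code signature can be reviewed. exception_key is the
-- "authority,identifier,path,uid" tuple that the allow-list below keys on.
SELECT
  ae.path,
  ae.state,
  file.mtime,
  file.ctime,
  file.uid,
  file.directory,
  file.size,
  file.type,
  hash.sha256,
  signature.identifier,
  signature.authority,
  -- MIN(uid, 501) clamps every uid above 501 down to 501, so one allow-list
  -- entry covers the same binary regardless of which user account owns it.
  -- NULL authority/identifier (unsigned file) shows up as an empty field.
  CONCAT(
    signature.authority,
    ',',
    signature.identifier,
    ',',
    ae.path,
    ',',
    MIN(file.uid, 501)
  ) AS exception_key
FROM
  alf_exceptions ae
  -- LEFT JOINs: an exception can point at a path that no longer exists or
  -- has no signature; those rows are handled by the filters below.
  LEFT JOIN file ON ae.path = file.path
  LEFT JOIN hash ON ae.path = hash.path
  LEFT JOIN signature ON ae.path = signature.path
WHERE
  -- Filter out stock exceptions to decrease overhead
  ae.path NOT IN (
    '/System/Library/CoreServices/UniversalControl.app/',
    '/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig',
    '/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/',
    '/usr/bin/nmblookup',
    '/usr/libexec/bootpd',
    '/usr/libexec/configd',
    '/usr/libexec/discoveryd',
    '/usr/libexec/xartstorageremoted',
    '/usr/sbin/mDNSResponder',
    '/usr/sbin/racoon'
  )
  -- Ignore files that have already been removed
  AND file.filename IS NOT NULL
  -- Exact-match allow-list of known exception_key tuples.
  AND exception_key NOT IN (
    ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
    'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
    'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
    'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
    -- NOTE(review): the next five keys have an empty uid field, which only
    -- happens when no file row joined; the filename IS NOT NULL filter above
    -- already drops such rows, so these are probably dead -- confirm before
    -- removing.
    ',,/Applications/Google%20Chrome.app/,',
    ',,/Applications/IntelliJ%20IDEA.app/,',
    ',,/Applications/ProtonMail%20Bridge.app/,',
    ',,/Applications/Visual%20Studio%20Code.app/,',
    ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
    'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
    'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
    'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
    'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
    'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
    'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
    'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
    'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
    'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
    -- Unsigned (empty authority) binaries: the allow-list is keyed on path and
    -- uid only, so any replacement at the same path owned by the same user is
    -- also suppressed; keep these entries to a minimum.
    ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
    ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
    ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
    ',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
    'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
    'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
    'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
    'Software Signing,com.apple.nc,/usr/bin/nc,0',
    'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
    'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
    'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
    -- NOTE(review): the next entry is a bare path, not an
    -- "authority,identifier,path,uid" key, so it can never equal
    -- exception_key. It looks like it belongs in the stock-path list above
    -- (the signed form of the same path is already listed) -- confirm.
    '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
    ',,/usr/local/sbin/iodined,501'
  )
  -- Pattern allow-list for keys whose path embeds a version or a temp dir.
  AND exception_key NOT LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
  AND exception_key NOT LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
  AND exception_key NOT LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501'
  AND exception_key NOT LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'
  -- Per-toolchain exemptions: each one requires BOTH an identifier and a
  -- path match so a matching name alone is not enough to be suppressed.
  AND NOT (
    signature.identifier LIKE 'cargo-%'
    AND ae.path LIKE '/Users/%/.rustup/%'
  )
  AND NOT (
    signature.identifier LIKE 'fake-%'
    AND ae.path LIKE '%/exe/fake'
  )
  AND NOT (
    signature.identifier LIKE 'mariadbd-%'
    AND ae.path LIKE '/opt/homebrew/%/mariadbd'
  )
  AND NOT (
    signature.identifier = 'netcat'
    AND ae.path LIKE '/Users/%/homebrew/Cellar/netcat/%/bin/netcat'
  )
  AND NOT (
    signature.identifier = 'syncthing'
    AND ae.path LIKE '/nix/store/%-syncthing-%/bin/syncthing'
  )
  -- Path-only exemption (no signature check) -- deliberately broad.
  AND NOT (
    ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
  )
  AND NOT (
    signature.authority = ''
    AND signature.identifier = 'org.chromium.Chromium'
    AND ae.path LIKE '/Users/%/Library/pnpm/global/%/.pnpm/carlo@%/node_modules/carlo/lib/.local-data/mac-%/chrome-mac/Chromium.app/'
  )
  -- Locally built software: ad-hoc signed ('a.out' or a hash-suffixed
  -- identifier), owned by a uid above 500, in a common build/output dir.
  AND NOT (
    (
      signature.identifier = 'a.out'
      OR signature.identifier LIKE '%-%'
    )
    AND file.uid > 500
    AND (
      file.directory LIKE '/opt/homebrew/Cellar/%/bin'
      OR file.directory LIKE '/Users/%/bin'
      OR file.directory LIKE '/Users/%/code/%'
      OR file.directory LIKE '/Users/%/src/%'
      OR file.directory LIKE '/Users/%/sigstore/%'
      OR file.directory LIKE '/Users/%/node_modules/.bin/%'
      OR file.directory LIKE '/Users/%/git/%'
      OR file.directory LIKE '/Users/%/%-cli'
      OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe'
    )
  )
-- Collapse duplicate exceptions for the same key into one row.
GROUP BY
  exception_key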