-- Gatekeeper exceptions: downloaded binaries that have been granted an exception from Gatekeeper
--
-- references:
-- * https://posts.specterops.io/hunting-for-bad-apples-part-2-6f2d01b1f7d3
--
-- false positives:
-- * developers downloading binaries from GitHub
--
-- platform: darwin
-- tags: persistent filesystem state gatekeeper
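SELECT
    gap.ctime,
    gap.mtime,
    gap.path,
    -- Aliased: an unaliased file.mtime / file.ctime would share the bare result
    -- column names "mtime" / "ctime" with the gap.* columns above. osquery keys
    -- each result row by column name, so one value would overwrite the other.
    file.mtime AS file_mtime,
    file.uid,
    file.ctime AS file_ctime,
    file.gid,
    hash.sha256,
    signature.identifier,
    signature.authority
FROM
    gatekeeper_approved_apps AS gap
    -- LEFT JOINs keep the exception row even when the approved binary is no
    -- longer on disk (file / hash / signature then contribute NULLs).
    LEFT JOIN file ON gap.path = file.path
    LEFT JOIN hash ON gap.path = hash.path
    LEFT JOIN signature ON gap.path = signature.path
WHERE
    -- Path-based allow list for common developer downloads.
    -- NOTE(review): "_" is a single-character LIKE wildcard, so the patterns
    -- containing it match slightly more than a literal underscore; add an
    -- ESCAPE clause if that ever matters.
    gap.path NOT LIKE '/Users/%/bin/%'
    AND gap.path NOT LIKE '/Users/%/%-darwin-a%64'
    AND gap.path NOT LIKE '/Users/%/%_darwin_a%64%'
    AND gap.path NOT LIKE '/Users/%/Downloads/cosign'
    AND gap.path NOT LIKE '/Users/%/Downloads/missp'
    AND gap.path NOT LIKE '/Users/%/bom'
    AND gap.path NOT LIKE '/Users/%/configure'
    AND gap.path NOT LIKE '/Users/%/cosign-%'
    AND gap.path NOT LIKE '/Users/%/crane'
    AND gap.path NOT LIKE '/Users/%/rekor-cli'
    AND gap.path NOT LIKE '/Users/%/trivy'
    AND gap.path NOT LIKE '/usr/local/bin/%'
    AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
    AND gap.path NOT LIKE '/Users/%/Downloads/U_STIGViewer%/STIGViewer'
    AND gap.path NOT LIKE '/Users/%/Downloads/grpcurl_%'
    AND gap.path NOT LIKE '/Users/%/Downloads/%_arm64%/%'
    -- Signer-based allow list. COALESCE matters: with a plain "!=", a NULL
    -- authority (unsigned binary, or a path that no longer resolves) compares
    -- UNKNOWN and the row is silently dropped -- the very binaries this query
    -- exists to surface.
    AND COALESCE(signature.authority, '') != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
-- SQLite bare-column semantics: one arbitrary row is kept per requirement, so
-- repeated approvals of the same signing requirement collapse to a single hit.
GROUP BY
    gap.requirement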