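-- macOS application layer firewall (ALF) service exceptions.
--
-- false positives:
-- * locally built software
--
-- tags: persistent state filesystem
-- platform: darwin
--
-- Reports every binary or bundle the ALF has been told to let through that is
-- not covered by the allow lists below. The LEFT JOINs add on-disk metadata,
-- a content hash and the code signature so an exception can be attributed to
-- a publisher (signing authority) rather than just a path.
SELECT
  ae.path,
  ae.state,
  file.mtime,
  file.ctime,
  file.uid,
  file.directory,
  file.size,
  file.type,
  hash.sha256,
  signature.identifier,
  signature.authority,
  -- Allow-list key of the form "<authority>,<identifier>,<path>,<uid>".
  -- The uid is clamped to 501 so that every regular user account collapses
  -- to the same key and the lists below do not depend on which local user
  -- installed the software. An unsigned file yields an empty leading field
  -- (",a.out,..." / ",,..."), which is how the entries below spell it.
  CONCAT (
    signature.authority,
    ',',
    signature.identifier,
    ',',
    ae.path,
    ',',
    MIN(file.uid, 501)
  ) AS exception_key
FROM
  alf_exceptions ae
  LEFT JOIN file ON ae.path = file.path
  LEFT JOIN hash ON ae.path = hash.path
  LEFT JOIN signature ON ae.path = signature.path
WHERE -- Filter out stock exceptions to decrease overhead
  ae.path NOT IN (
    '/System/Library/CoreServices/UniversalControl.app/',
    '/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig',
    '/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/',
    -- Previously listed under exception_key, where a bare path can never match
    -- (the key always carries three commas); it belongs in the path list.
    '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
    '/usr/bin/nmblookup',
    '/usr/libexec/bootpd',
    '/usr/libexec/configd',
    '/usr/libexec/discoveryd',
    '/usr/libexec/xartstorageremoted',
    '/usr/sbin/mDNSResponder',
    '/usr/sbin/racoon'
  ) -- Ignore files that have already been removed
  AND file.filename IS NOT NULL
  -- Exact-match allow list. Every entry MUST be in the full
  -- "<authority>,<identifier>,<path>,<uid>" form produced by the CONCAT above;
  -- anything else is silently ineffective.
  AND exception_key NOT IN (
    ',a.out,/private/tmp/learning-labs-static/server,501',
    ',a.out,/Users/amouat/proj/learning-labs-static/server,501',
    ',a.out,/Users/dlorenc/.wash/downloads/nats-server,501',
    'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
    'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.localized/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
    ',deskflow-server,/Applications/Deskflow.app/Contents/MacOS/deskflow-server,501',
    'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension,/Library/SystemExtensions/AD3BCA34-237A-4135-B7A4-0F7477D9144C/com.adguard.mac.adguard.network-extension.systemextension/,0',
    'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0',
    'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,0',
    'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
    ',,/Users/cpanato/code/src/github.com/sigstore/docs/node_modules/.bin/hugo/hugo,501'
  )
  -- Signed: any Developer ID app bundle under /Applications owned by a user.
  -- This trusts the Developer ID program wholesale, not a specific publisher.
  AND NOT exception_key LIKE 'Developer ID Application:%,/Applications/%.app/,501'
  -- Unsigned
  AND NOT exception_key LIKE ',,/Applications/%.app/,'
  -- Locally compiled
  AND NOT exception_key LIKE ',a.out,/Users/%,501'
  -- Homebrew
  AND NOT exception_key LIKE ',%,/opt/homebrew/Cellar/%,501'
  -- Nix
  AND NOT exception_key LIKE ',%,/nix/store/%,0'
  AND NOT exception_key LIKE ',%,/nix/store/%,501'
  -- Apple (root)
  AND NOT exception_key LIKE 'Software Signing,com.apple.%,0'
  -- App Store
  AND NOT exception_key LIKE 'Apple Mac OS Application Signing,%,/Applications/%.app/,0'
  -- Other weirdo apps
  AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/%/Cypress.app/,501'
  AND NOT exception_key LIKE 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/%'
  AND NOT exception_key LIKE 'Developer ID Application: The Foundry (82R497YNSK),org.python.python,/Applications/Nuke%/Contents/Frameworks/Python.framework/Versions/%/Resources/Python.app/,501'
  -- Publisher-wide allow list. COALESCE guards the three-valued-logic trap:
  -- with no signature row, authority is NULL, "NULL IN (...)" is UNKNOWN and
  -- the row would be dropped silently instead of being reported.
  AND COALESCE(signature.authority, '') NOT IN (
    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
    'Developer ID Application: The Foundry (82R497YNSK)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
    'Developer ID Application: OpenAI, L.L.C. (2DC432GLL2)'
  )
  AND NOT (
    signature.identifier LIKE 'fake-%'
    AND ae.path LIKE '%/exe/fake'
  )
  AND NOT (
    signature.identifier = 'nix'
    AND ae.path LIKE '/nix/store/%-nix-%/bin/nix'
  )
  -- NOTE(review): in LIKE, '%' is a wildcard, so 'Application%20Support'
  -- matches "Application" + anything + "20Support", i.e. only a URL-encoded
  -- path, not "Application Support" — confirm which form alf_exceptions stores.
  AND NOT (
    ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
  )
  AND NOT (
    signature.authority = ''
    AND signature.identifier = 'org.chromium.Chromium'
    AND ae.path LIKE '/Users/%/Library/pnpm/global/%/.pnpm/carlo@%/node_modules/carlo/lib/.local-data/mac-%/chrome-mac/Chromium.app/'
  )
  -- End user tools
  -- Broad by design: any ad-hoc/unsigned ("a.out") or hyphenated-identifier
  -- binary owned by a regular user (uid > 500) under these developer
  -- directories is hidden. A dropped binary in e.g. ~/tmp is hidden too —
  -- that is the "locally built software" false-positive trade-off above.
  AND NOT (
    (
      signature.identifier = 'a.out'
      OR signature.identifier LIKE '%-%'
    )
    AND file.uid > 500
    AND (
      file.directory LIKE '/opt/homebrew/Cellar/%/bin'
      OR file.directory LIKE '/Users/%/bin'
      OR file.directory LIKE '/Users/%/code/%'
      OR file.directory LIKE '/Users/%/src/%'
      OR file.directory LIKE '/Users/%/gh/%'
      OR file.directory LIKE '/Users/%/debug/%'
      OR file.directory LIKE '/Users/%/target/%'
      OR file.directory LIKE '/Users/%/tmp/%'
      OR file.directory LIKE '/Users/%/sigstore/%'
      OR file.directory LIKE '/Users/%/node_modules/.bin/%'
      OR file.directory LIKE '/Users/%/git/%'
      OR file.directory LIKE '/Users/%/%-cli'
      OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe'
    )
  )
-- One result per key: duplicate alf_exceptions rows for the same path
-- collapse into a single row.
GROUP BY
  exception_key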