Sinter - A User-Mode Application Authorization System For MacOS Written In Swift

Sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift.
Sinter uses the user-mode EndpointSecurity API to subscribe to and receive authorization callbacks from the macOS kernel, for a set of security-relevant event types. The current version of Sinter supports allowing/denying process executions; in future versions we intend to support other types of events such as file, socket, and kernel events.
Sinter is a work-in-progress. Feedback is welcome. If you are interested in contributing or sponsoring us to help achieve its potential, let's get in touch.

Features

• Allow or deny process execution by code directory hash (aka "CD hash")
  • option to deny all unknown programs (any program that is not explicitly allowed)
  • option to deny all unsigned programs
  • option to deny all programs with invalid signatures
• "monitor" mode to track and log (but allow) all process execution events
• Accepts allow/deny rules from a Santa sync-server
• Configure deny rules in JSON, provided locally or by a sync-server
• Log to the local filesystem in a structured JSON format

Planned upcoming features:

• Deny process execution by executable file path
• Deny process execution by certificate Team ID

Anti-Features

• Does not use kernel extensions (which will be officially deprecated in macOS 11 Big Sur)
• Does not support legacy macOS (10.14 or older)
• Does not use any memory unsafe code
• Limits third-party library dependencies
• Not an anti-malware or anti-virus. No signature database. Denies only what you tell it to deny, using rules.

Background
The first open-source macOS solution for allowing/denying processes was Google Santa. We're fans of Santa, and have contributed to its codebase in the past. For a long time, however, many in the macOS community have asked for an open-source solution to track and manage more than just process events.
We saw the ideal platform to build such a capability with the EndpointSecurity API in macOS 10.15. Starting from the ground-up around a strictly user-mode API meant that we could attempt a simpler design, and use a modern programming language with safer memory handling and better performance. Thus, we set out to develop Sinter, short for "Sinter Klausen," another name for Santa Claus.

Getting Started
Download and install the latest version of Sinter using the pkg installer link from the Releases page.
After installing Sinter, you must enable the "Full Disk Access" permission for Sinter.app. Do this by opening System Preferences, Security, Privacy tab, Full Disk Access. Check the item for Sinter.app. If using MDM, you can automatically enable this permission on your endpoints, and no user interaction will be required.

Configuration
Sinter requires a configuration file to be present at /etc/sinter/config.json. An example is provided in the source tree at ./config/config.json:

{
  "Sinter": {
    "decision_manager": "local",
    "logger": "filesystem",

    "allow_unsigned_programs": "true",
    "allow_invalid_programs": "true",
    "allow_unknown_programs": "true",
    "allow_expired_auth_requests": "true",
    "allow_misplaced_applications": "true",

    "config_update_interval": 600,

    "allowed_application_directories": [
      "/bin",
      "/usr/bin",
      "/usr/local/bin",
      "/Applications",
      "/System",
      "/usr/sbin",
      "/usr/libexec",
    ],
  },
  
  "FilesystemLogger": {
    "log_file_path": "/var/log/sinter.log",
  },

  "RemoteDecisionManager": {
    "server_url": "https://server_address:port",
    "machine_identifier": "identifier",
  },

  "LocalDecisionManager": {
    "rule_database_path": "/etc/sinter/rules.json",
  }
}

The decision manager plugin can be selected by changing the decision_manager value. The local plugin will enable the LocalDecisionManager configuration section, pointing Sinter to use the local rule database present at the given path. It is possible to use a Santa-compatible sync-server, by using the sync-server plugin instead. This enables the RemoteDecisionManager configuration section, where the server URL and machine identifier can be set.
There are two logger plugins currently implemented:

1. filesystem: Messages are written to file, using the path specified at FilesystemLogger.log_file_path
2. unifiedlogging: Logs are emitted using the Unified Logging, using com.trailofbits.sinter as subsystem.

Allowed application directories
It is possible to configure Sinter to log and optionally deny applications that have not been started from an allowed folder.

• allow_misplaced_applications: If set to true, misplaced applications will only generate a warning. If set to false, any execution that does not starts from a valid path is denied.
• allowed_application_directories: If non-empty, it will be used to determine if applications are placed in the wrong folder.

Enabling UI notifications

1. Install the notification server (the PKG installer will do this automatically): sudo /Applications/Sinter.app/Contents/MacOS/Sinter --install-notification-server
2. Start the agent: /Applications/Sinter.app/Contents/MacOS/Sinter --start-notification-server

Configuring Sinter in MONITOR mode
Modes are not implemented in Sinter, as everything is rule-based. It is possible to implement the monitoring functionality by tweaking the following settings:

• allow_unsigned_programs: allow applications that are not signed
• allow_invalid_programs: allow applications that fail the signature check
• allow_unknown_programs: automatically allow applications that are not covered by the active rule database
• allow_expired_auth_requests: the EndpointSecurity API requires Sinter to answer to an authorization requests within an unspecified time frame (typically, less than a minute). Large applications, such as Xcode, will take a considerable amount of time to verify. Those executions are denied by default, and the user is expected to try again once the application has been verified. Setting this configuration to true changes this behavior so that those requests are always allowed.

Rule format
Rule databases are written in JSON format. Here's an example database that allows the CMake application bundle from cmake.org:

{
  "rules": [
    {
      "rule_type": "BINARY",
      "policy": "ALLOWLIST",
      "sha256": "BDD0AF132D89EA4810566B3E1E0D1E48BAC6CF18D0C787054BB62A4938683039",
      "custom_msg": "CMake"
    }
  ]
}

Sinter only supports BINARY rules for now, using either ALLOWLIST or DENYLIST policies. The code directory hash value can be taken from the codesign tool output (example: codesign -dvvv /Applications/CMake.app). Note that even though the CLI tools can acquire the full SHA256 hash, the Kernel/EndpointSecurity API is limited to the first 20 bytes.

Building from Source
Building Sinter requires certain code-signing certificates and entitlements that Apple must grant your organization. However, Sinter can still be built from source and run locally on a test system with SIP disabled. For instructions, see the Sinter wiki.

Download Sinter

via KitPloit

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

Continue reading

1. Hacking Apps
2. How To Install Pentest Tools In Ubuntu
3. Pentest Tools Bluekeep
4. Hack Tools Mac
5. Game Hacking
6. Hacking Tools Online
7. Black Hat Hacker Tools
8. Hacker Techniques Tools And Incident Handling
9. Hacker Tools Mac
10. Hacking Tools Windows 10
11. Android Hack Tools Github
12. Hack Tools Online
13. Hacker Tools Online
14. Pentest Tools Website
15. Hacking Tools Windows
16. Blackhat Hacker Tools
17. Pentest Tools Free
18. World No 1 Hacker Software
19. Pentest Tools List
20. Hacking Tools Software
21. Pentest Tools For Android
22. Hacking Tools Usb
23. Pentest Tools Tcp Port Scanner
24. How To Hack
25. Hacker Tools Hardware
26. Hacking Tools 2020
27. Hack Tools For Mac
28. Hacker Tools For Windows
29. Pentest Tools Alternative
30. Hacker Search Tools
31. Hacker Tools Hardware
32. Hacking Tools For Pc
33. Pentest Reporting Tools
34. Pentest Tools For Windows
35. Hacker Tools Online
36. Hacker Tools Hardware
37. Hacking Tools Name
38. Hacker Tools For Mac
39. Blackhat Hacker Tools
40. Pentest Reporting Tools
41. Hacker Tools Apk Download
42. Hacking Tools For Kali Linux
43. Ethical Hacker Tools
44. Hacking Tools Kit
45. Hacking Tools 2020
46. Hacking Tools Pc
47. Blackhat Hacker Tools
48. Best Hacking Tools 2020
49. Hack Tools Online
50. Hacking Tools
51. Install Pentest Tools Ubuntu
52. Computer Hacker
53. Pentest Tools Android
54. Hack Tools Online
55. Pentest Tools Subdomain
56. Install Pentest Tools Ubuntu
57. Nsa Hack Tools Download
58. Pentest Tools Website Vulnerability
59. Hacker Tools Free Download
60. Hack Tool Apk No Root
61. Pentest Tools For Windows
62. Pentest Box Tools Download
63. Hacker Tools Free
64. Hacking Tools For Pc
65. Pentest Tools Website Vulnerability
66. Hack Tools Mac
67. Pentest Tools Github
68. Pentest Automation Tools
69. Best Pentesting Tools 2018
70. Pentest Tools For Android
71. Hacker Tools 2020
72. Hacking Tools For Mac
73. Github Hacking Tools
74. Pentest Tools Website Vulnerability
75. Pentest Tools Find Subdomains
76. Hack Tools For Ubuntu
77. Hacking Tools 2019
78. How To Hack
79. Pentest Tools Find Subdomains
80. Pentest Tools Free
81. Hacker Tools Hardware
82. Hacking Tools Github
83. Pentest Tools Download
84. Pentest Tools Alternative
85. Pentest Tools Tcp Port Scanner
86. Best Hacking Tools 2020
87. How To Make Hacking Tools
88. Physical Pentest Tools
89. Hacking Tools For Beginners
90. How To Make Hacking Tools
91. Hacker Tools 2019
92. Pentest Tools List
93. Hacking Tools Kit
94. Hack Tools For Ubuntu
95. Hacker Tools List
96. Hacker Tools For Ios
97. Pentest Tools Kali Linux
98. Best Pentesting Tools 2018
99. Hak5 Tools
100. Hackers Toolbox
101. Best Pentesting Tools 2018
102. Hacking Tools Windows 10
103. Pentest Tools For Android
104. Hacks And Tools
105. Tools 4 Hack
106. How To Install Pentest Tools In Ubuntu
107. Best Hacking Tools 2019
108. Pentest Tools Alternative
109. Growth Hacker Tools
110. Hacker Tool Kit
111. Pentest Tools Nmap
112. Hacks And Tools
113. Blackhat Hacker Tools
114. Pentest Tools Website Vulnerability
115. Computer Hacker
116. Easy Hack Tools
117. Hack And Tools
118. Hack Tools For Windows
119. New Hack Tools
120. Hacker Tools
121. Tools For Hacker
122. Hack Website Online Tool
123. Hack And Tools
124. Pentest Tools For Mac
125. Hacking Tools
126. Growth Hacker Tools
127. Pentest Tools Nmap
128. Hacker Tools For Windows
129. World No 1 Hacker Software
130. Hack Tools For Windows
131. Github Hacking Tools
132. Hack Tools For Pc
133. Hacking Tools And Software
134. Black Hat Hacker Tools
135. Computer Hacker
136. Hack Tools 2019
137. Hack Apps
138. Termux Hacking Tools 2019
139. Hacker Tools For Pc
140. Hacking Tools Windows
141. Hacking Tools And Software
142. Pentest Tools Windows
143. Hacking Tools And Software
144. Hacking Tools 2019
145. Top Pentest Tools
146. Hack Tools For Pc
147. Nsa Hack Tools
148. World No 1 Hacker Software
149. Pentest Tools Nmap
150. Hack Tools For Mac
151. Game Hacking