Script blocking by SHA256 not working #245

Open
master-vodawagner opened this issue Feb 10, 2025 · 5 comments
Comments

@master-vodawagner

master-vodawagner commented Feb 10, 2025

Hello,

Just exploring the capabilities here and looking into blocking brew and I've created the static rule along with the TCC, System Extension and notification profiles pushed through Jamf MDM.

```xml
<dict>
	<!-- Always block files signed by Homebrew -->
	<key>identifier</key>
	<string>4373b5ede9b19e6829f1cf92826c66e872c4a13bfc8338382177b0bfe6106df6</string>
	<key>policy</key>
	<string>BLOCKLIST</string>
	<key>rule_type</key>
	<string>BINARY</string>
</dict>
```

However, when executing brew it doesn't get blocked; the logs show the following error:

```
Failed to get codesign info for file /Users/test/bin/brew: The operation couldn't be completed (OSStatus error -67062.)
```

If I run `santactl rule --check --sha256 $(santactl fileinfo --key SHA-256 /Users/test/bin/brew)` that comes back with `Blocked (Binary)`.

@pmarkowsky
Contributor

First off thanks for filing an issue.

The difficulty here with blocking brew is that it's not actually a binary but a bash script. So `/bin/bash` is what's being executed.

On my test machine you'll see I have the same hash as you.

```
$ santactl fileinfo /opt/homebrew/bin/brew
Path        : /opt/homebrew/bin/brew
SHA-256     : 4373b5ede9b19e6829f1cf92826c66e872c4a13bfc8338382177b0bfe6106df6
SHA-1       : 62d10567abf9bed0e618ba776c651cfec4ae89fa
CDHash      :
Type        : Script
Code-signed : No
Rule        : Allowed (Scope)

[ user@Mac ( 9:23AM) /opt/homebrew ]
$ head -8 /opt/homebrew/bin/brew
#!/bin/bash -pu
set -u

# Fail fast with concise message when not using bash
# Single brackets is needed here for POSIX compatibility
# shellcheck disable=SC2292
if [ -z "${BASH_VERSION:-}" ]
then
```

We're going to be looking into improving script handling in the future but given the complexity it'll be a while.

@master-vodawagner
Author

Is there anything I can do for now to try and block it with Santa?

@pmarkowsky
Contributor

@master-vodawagner you could potentially use the `BlockedPathRegex*` key to create a regexp to block this. However, note that this is generally discouraged as it's fragile, since you're blocking / allowing by path.

Before you do this I'd make sure you read https://northpole.dev/deployment/configuration.html and https://northpole.dev/concepts/scopes.html.

@pmarkowsky
Contributor

@master-vodawagner Actually scratch that, I'm wrong the issue here is with the interpreter. So my suggestion won't work.

@mlw
Contributor

mlw commented Feb 11, 2025

As @pmarkowsky mentioned, there isn't much recourse right now for blocking a script. There are a couple things we'd like to do to improve this, but I wanted to make sure some things were clear about what script blocking means.

On macOS, there isn't a great way to do this. Sure, we can block by hash under certain scenarios (namely, someone executing the script directly, e.g. `./foo.sh`). But outside of this, things become difficult, fast. When a script is passed as an argument to some interpreter (e.g. `/bin/sh foo.sh`), we then have to start parsing all exec args for things that look like paths, not to mention understanding what various program switches exist that can change how a path may be presented. We could also potentially monitor for interpreters making OPEN calls, but this gets unwieldy fast as well, given the number of non-script opens that occur and needing to know beforehand which binaries are interpreters. There's also then needing to handle people actively trying to bypass the control, such as using switches to execute commands without some path (e.g. `/bin/bash -c`), adding a newline to the end of a file to change the hash, or even just copy/pasting a script's contents into a terminal to execute it.

So while we plan on adding some basic controls, it's worth making clear that script blocking is advisory at best.
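
The limits mlw describes can be made concrete with a small simulation. The following is an added example, not code from the issue or from Santa itself: it models a SHA-256 `BINARY` blocklist rule against three ways of launching a shell script (directly, via an interpreter with the script as an argument, and as an inline `-c` command) and against a copy of the script with one trailing newline appended. All file contents and paths are constructed stand-ins; the `FILES` map, the `INTERPRETERS` set and the argv-scanning heuristic are assumptions made for the example, and the heuristic is deliberately as naive as the comment warns real argument parsing cannot afford to be.

```python
# Added example, not part of the issue or of Santa's code base. It models the
# reasoning in mlw's comment: a SHA-256 BINARY rule on a script only has a file
# to match when the script is the file being launched; once an interpreter is
# the exec target the script is an argument that has to be guessed from argv,
# and an inline command (bash -c) has no file on disk at all.
import hashlib

# Constructed stand-ins for files on disk (path -> bytes). The brew header
# follows the `head -8` output quoted in the thread; /bin/bash is a fake blob.
FILES = {
    "/Users/test/bin/brew": b'#!/bin/bash -pu\nset -u\n\nif [ -z "${BASH_VERSION:-}" ]\nthen\n  exit 1\nfi\n',
    "/bin/bash": b"\xcf\xfa\xed\xfe constructed placeholder, not a real Mach-O",
}
# Same script with one trailing newline appended (the case the comment
# mentions): identical behaviour, different hash.
FILES["/Users/test/bin/brew-copy"] = FILES["/Users/test/bin/brew"] + b"\n"

# Assumption: a fixed set of binaries known to be script interpreters. The
# comment notes that knowing this set in advance is itself part of the problem.
INTERPRETERS = {"/bin/bash", "/bin/sh", "/bin/zsh"}


def sha256_hex(data):
    """Hex SHA-256, the identifier a Santa BINARY rule keys on."""
    return hashlib.sha256(data).hexdigest()


def parse_shebang(data):
    """Return (interpreter, optional_arg) from a '#!' first line, else None."""
    if not data.startswith(b"#!"):
        return None
    first = data.split(b"\n", 1)[0][2:].decode("utf-8", "replace").strip()
    parts = first.split(None, 1)
    if not parts:
        return None
    return parts[0], (parts[1] if len(parts) > 1 else None)


# Blocklist keyed by script hash, like the BLOCKLIST/BINARY rule in the issue.
BLOCKLIST = {sha256_hex(FILES["/Users/test/bin/brew"])}


def script_file_for_exec(argv):
    """Best-effort guess of which script file, if any, an exec really runs.

    Direct launch of a shebang file: the file is known. Interpreter launch:
    take the first non-option token that names an existing file; an inline
    command (-c) means there is nothing on disk to hash. Anything else: none.
    """
    target = argv[0]
    data = FILES.get(target)
    if data is None:
        return None
    if parse_shebang(data) is not None:
        return target
    if target in INTERPRETERS:
        for tok in argv[1:]:
            if tok == "-c":
                return None
            if tok.startswith("-"):
                continue
            return tok if tok in FILES else None
    return None


def decide(argv):
    """Return (verdict, script_path) for an exec with the given argv."""
    script = script_file_for_exec(argv)
    if script is None:
        return "ALLOW", None
    verdict = "BLOCK" if sha256_hex(FILES[script]) in BLOCKLIST else "ALLOW"
    return verdict, script


if __name__ == "__main__":
    for argv in (
        ["/Users/test/bin/brew", "install", "wget"],            # direct launch
        ["/bin/bash", "-pu", "/Users/test/bin/brew"],           # via interpreter
        ["/bin/bash", "-c", "echo script body pasted inline"],  # no file at all
        ["/Users/test/bin/brew-copy"],                          # newline-appended copy
    ):
        print(decide(argv), argv)
```

Only the first two launches are caught, and the second only because the heuristic happened to find the path in argv; the `-c` form has no file to hash, and the copy with an extra newline has a different digest and passes. That is the sense in which hash-based script blocking is advisory: it raises the bar for accidental execution, not for someone working around it.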

@russellhancox russellhancox changed the title Binary SHA256 not getting blocked Script blocking by SHA256 not working Feb 21, 2025