santa
The santa daemon should have a mechanism to prevent it from being killed by users with root privileges.

If I have root privileges, I can bypass the allowlist mechanism by repeatedly killing the santa daemon in a loop.
```bash
#!/bin/bash
# Kill every process matching the Santa daemon's bundle id twice a second, so
# the respawned daemon never stays up long enough to enforce the allowlist.
# Must be run as root.
while true; do
  ps aux | grep com.google.santa.daemon | grep -v grep | awk '{print $2}' | xargs kill -9
  if [ $? -eq 0 ]; then
    echo "kill santa daemon"
  fi
  sleep 0.5
done
```
### Before running the kill script

```
santa@macos-13 Desktop % ./process_not_in_allowlist
```

Santa
This application has been blocked from executing.
Path: /Users/santa/Desktop/process_not_in_allowlist
Identifier: 0b742eae49b08af3858f17e95aa80afa82a18a178a671fc23256f12d58286894
Parent: zsh (2021)
More info:
https://santa/blockables/E6C3C62D-8A40-5B56-99CA-191EACBCE8FD/0b742eae49b08af3858f17e95aa80afa82a18a178a671fc23256f12d58286894
### After running the kill script

```
santa@macos-13 Desktop % ./process_not_in_allowlist
malicious
^C
santa@macos-13 Desktop % ./process_not_in_allowlist
malicious
^C
santa@macos-13 Desktop % ./process_not_in_allowlist
malicious
^C
santa@macos-13 Desktop %
```
I have observed other security software that cannot be killed even if I have root privileges.
```
santa@macos-13 Desktop % ps aux |grep falcon
root 375 5.5 0.7 36057876 228704 ?? Rs Mon04PM 124:01.29 /Library/SystemExtensions/EA9DEA93-1AAA-4A86-9DC4-9CA95609D798/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent
santa@macos-13 Desktop % sudo kill -9 375
Password:
kill: 375: Operation not permitted
santa@macos-13 Desktop ~ %
```
Is it possible to implement a feature to control whether the santa daemon can be killed, through a configuration field? thanks~
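As an added example (not part of the issue above and not code from the Santa project), the kill loop can at least be detected from the defender's side while no kill protection exists: launchd respawns the daemon after each SIGKILL, so under attack the daemon's PID changes on nearly every sample. The script below samples the PID once per second and raises an alert when the number of restarts in the window reaches a threshold. It assumes `pgrep -f` is available (macOS and Linux) and uses the process pattern from the issue's `ps` output as a placeholder; the threshold and window length are arbitrary choices.

```shell
#!/bin/bash
# Added example, not from the issue or the Santa project: detect a daemon
# that is being killed in a loop by watching its PID churn.
# Assumption: DAEMON_PATTERN matches the daemon's command line; the value
# below is taken from the issue's ps output and may need adjusting.
DAEMON_PATTERN="${DAEMON_PATTERN:-com.google.santa.daemon}"

# sample_pid: print the daemon's current PID, or "-" when it is not running.
# pgrep never reports itself, so no "grep -v grep" dance is needed.
sample_pid() {
  pid=$(pgrep -f "$DAEMON_PATTERN" | head -n 1)
  if [ -z "$pid" ]; then
    printf -- '-\n'
  else
    printf '%s\n' "$pid"
  fi
}

# count_restarts PID...: number of times a new PID appeared between
# consecutive samples. "-" (absent) followed by a PID counts as a restart;
# a PID followed by "-" is not counted until the replacement shows up.
count_restarts() {
  prev=""; restarts=0
  for cur in "$@"; do
    if [ -n "$prev" ] && [ "$cur" != "-" ] && [ "$cur" != "$prev" ]; then
      restarts=$((restarts + 1))
    fi
    prev="$cur"
  done
  printf '%d\n' "$restarts"
}

# is_under_attack THRESHOLD PID...: succeed (exit 0) when the samples show
# at least THRESHOLD restarts.
is_under_attack() {
  threshold="$1"; shift
  [ "$(count_restarts "$@")" -ge "$threshold" ]
}

# watch_daemon SECONDS THRESHOLD: sample once per second for SECONDS, then
# report. Returns 1 on alert so it can drive a monitoring job.
watch_daemon() {
  seconds="$1"; threshold="$2"; pids=""; i=0
  while [ "$i" -lt "$seconds" ]; do
    pids="$pids $(sample_pid)"
    i=$((i + 1))
    sleep 1
  done
  # $pids is split on spaces on purpose; each word is one sample.
  # shellcheck disable=SC2086
  if is_under_attack "$threshold" $pids; then
    echo "ALERT: $DAEMON_PATTERN restarted $(count_restarts $pids) times in ${seconds}s:$pids"
    return 1
  fi
  echo "ok: $DAEMON_PATTERN stable:$pids"
}

# Only touch the live system when asked, so the file can also be sourced
# for its functions. Usage: ./watch_daemon.sh --watch 10 3
if [ "${1:-}" = "--watch" ]; then
  watch_daemon "${2:-10}" "${3:-3}"
fi
```

A daemon that is merely crashing and being restarted by launchd produces the same PID churn, so the alert says "the daemon is not staying up", not "root is running a kill loop"; correlating it with the daemon's own logs or with process-exit events attributed to a signal is what tells the two apart. With the 0.5 s loop from the issue, a 10 s window will show close to ten restarts, far above the threshold of 3 used here.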