AFP548 Site News May 8, 2017 at 5:21 pm

Hipster Software Management

Socially, Slack and Twitter are the two poles I gravitate between: Slack for when I’m hoping to be a burden on or distracted by our always-up-to-something community, and Twitter when I’m more in the mood to consume the echo chamber than reverberate sound out into it. And then there’s the worst type of echo chamber, YouTube Comments Reddit Hacker News. It’s a mixture of potent elements like money, ego, and tech tinkering that has captured some small amount of mindshare. Here’s an example of thread hijacking, in response to a post about HandBrake’s release hosting having been compromised to serve a version altered with malware.

Which brought to mind a vaguely-related tweet by a sometimes-visitor to the #security channel in MacAdmins Slack

If I may pervert its purpose a bit and editorialize to do a send-up of that HN post…

I’m going to take this opportunity to plug my favourite open source project – the AutoPkg framework that gets stuff done with software, safely.

It can work as a homebrew replacement (and is custom-built to work on the Mac), comes with a humble collection of recipes that the community has expanded exponentially, and while the code is spare and written in Python, it uses ‘trust info’ to fingerprint every moving part. Better than homebrew, many recipes check the code signatures of signed downloaded artifacts, and it also doesn’t require manual interaction to verify what the sha256 of an unsigned binary is. Unlike something like homebrew-cask, it doesn’t have homebrew in its name.

It can also work as a great way of bootstrapping an admin machine or just patching it out-of-band while testing a new release because it has install functionality! All the advantages of a package manager, without actually using *nix. Due to its functional nature, it comes with a wealth of advantages over homebrew and other hipster package managers. Once you get past the relatively trivial learning curve due to its huge adoption among Mac Admins, creating your own recipes or modifying existing ones is a breeze. It can create metadata artifacts that allow you to automatically ingest the software into whatever management system you work with, and one of the extensions even adds VirusTotal integration! Check out the AutoPkg wiki for more information.

It’s so flexible that people have built support for really out-there workflows: fetching Windows software, patching Macs with SCCM, uploading artifacts to random destinations via rsync or scp… and then another couple of doozies that help prove the extensibility of the framework, which we haven’t discussed here before.

Really, we’re going off the rails – you can put up a wall at the kernel level and delegate security to a product like BlockBlock, or take a hands-off, watch-and-know approach by just alerting wherever a new launchd job or executable shows up via osquery. But we’re already well down the autopkg path, so…

Since late 2014, AutoPkg has had a feature called CodeSignatureVerification that will look at a signed pkg or app and check it against a ‘known-good’ value. The certificate chain that ships with macOS means your computer trusts that the artifact was signed by someone with access to the developer’s public/private key pair. Santa from the MacOps team at Google can monitor or lock down what apps or binaries can run, based on a certificate. But say you don’t have their fancy internal voting webapp with which to log and crowd-source the approval of unsigned/new binaries for your organization. Or you want to be able to tell the moment the cert on an app you provide via your org’s software mgmt system differs from the one you expect. Santa logs almost all script or binary executions, and you should really be aggregating those logs to build your whitelist; you should also really ship down those whitelists from something like Zentral or Moroz in the absence of that server Google has yet to release. But if you haven’t yet, and use Munki, you can integrate this processor in your recipes to whitelist the new binary being installed to a system that has Santa during the preflight. This comes in handy when certain vendors can’t quite figure out how to track down all their moving parts and sign them. And if you’ve got a vendor with a less than helpful build process changing the cert in use, or there IS an actual hijack of the vendor’s release site where a new certificate is in use, you can get a head start by seeing the mismatch in your AutoPkg results report with this processor.
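The known-good comparison described above, shown as an added example (not AutoPkg's processor code and not from the original post): it parses the `Authority=` and `TeamIdentifier=` lines that `codesign -d -vv` prints and compares them with pinned values. The sample output, the Example Corp identity, and the function names are constructed for illustration.

```python
import re

# Constructed samples of `codesign -d -vv <path>` output (values are made up).
SAMPLE_SIGNED = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
# Same app re-signed with a different Developer ID (cert change or hijacked release).
SAMPLE_RESIGNED = (SAMPLE_SIGNED
                   .replace("Example Corp (ABCDE12345)", "Other Dev (ZZZZZ99999)")
                   .replace("TeamIdentifier=ABCDE12345", "TeamIdentifier=ZZZZZ99999"))
SAMPLE_UNSIGNED = "/Applications/Example.app: code object is not signed at all\n"

# Hypothetical known-good values pinned when the recipe was last reviewed.
EXPECTED_CHAIN = [
    "Developer ID Application: Example Corp (ABCDE12345)",
    "Developer ID Certification Authority",
    "Apple Root CA",
]
EXPECTED_TEAM = "ABCDE12345"


def parse_codesign(output):
    """Return (authority chain, team identifier) found in codesign output."""
    chain = re.findall(r"^Authority=(.+)$", output, flags=re.MULTILINE)
    team = re.search(r"^TeamIdentifier=(\S+)$", output, flags=re.MULTILINE)
    return chain, (team.group(1) if team else None)


def check_signature(output, expected_chain=EXPECTED_CHAIN, expected_team=EXPECTED_TEAM):
    """Return a list of findings; an empty list means the signer matches the pin."""
    if "not signed at all" in output:
        return ["unsigned: nothing to compare against the pinned signer"]
    chain, team = parse_codesign(output)
    findings = []
    if chain != expected_chain:
        findings.append(f"authority chain mismatch: got {chain}")
    if team != expected_team:
        findings.append(f"team identifier mismatch: got {team}")
    return findings


if __name__ == "__main__":
    for name, out in [("signed", SAMPLE_SIGNED), ("re-signed", SAMPLE_RESIGNED),
                      ("unsigned", SAMPLE_UNSIGNED)]:
        print(name, check_signature(out) or "OK")
```

On a Mac, the same functions can be fed the real output of `codesign -d -vv`, which the tool writes to stderr.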

So to finish (wait, AFP548 still publishes posts?), you can either listen to reason

or rants like mine. /me resumes sitting on hands

Allister Banks

Allister lives in Japan, has not read the Slack scroll back, and therefore has no idea what is going on.
