FKLC/ESDirProtect (public archive)

This repository was archived by the owner on Dec 21, 2025. It is now read-only.

macOS Endpoint Security (ES) client that controls access to specific directories based on a set of rules
ESDirProtect

This project demonstrates a simple macOS Endpoint Security (ES) client that monitors and controls access to specific directories based on a set of rules. This isn't for production. I just wanted to learn about the Endpoint Security API. I also realized I forgot about copy events.

It turns out that there's already an app very similar to this one, so even though I thought about developing this program further, Santa is already what I envisioned this program to be, and it is great software, so I'm archiving this project.

Overview

The application subscribes to the AUTH_OPEN, AUTH_RENAME, and AUTH_LINK events. For each event it checks whether the target file path matches a protected directory prefix defined in the configuration. If it does, it then checks whether the process initiating the action matches one of the configured rules (Team ID, CDHash, or executable path prefix). If a rule matches, access is allowed; otherwise it is denied.

Project Structure

  • main.c: The main entry point. Initializes the ES client, subscribes to events, and handles authorization logic.
  • config.c / config.h: Handles loading and parsing the binary configuration file.
  • generate_config.py: A Python helper script to generate the binary configuration file (config.bin) used by the C application.
  • Makefile: Build script to compile and sign the application.
  • es.entitlements: Required entitlements for the Endpoint Security client.

Prerequisites

  • macOS with Endpoint Security support (tested on 26.1 (25B78)).
  • Xcode Command Line Tools installed.
  • SIP (System Integrity Protection): for development and testing without a valid Apple Developer ID with Endpoint Security entitlements, you need to disable SIP (please do it in a VM, and don't disable it on your actual machine).

Building

To build the project, simply run:

make

This will compile the code and sign the binary with the entitlements specified in es.entitlements.

Configuration

The application uses a binary configuration file to define rules. You can generate this file using the provided Python script.

  1. Edit generate_config.py to define your rules.
    • RULE_TEAMID: Allow processes signed by a specific Team ID.
    • RULE_CDHASH: Allow processes with a specific CDHash.
    • RULE_PATH_PREFIX: Allow processes running from a specific path.
  2. Run the script to generate config.bin:
     python3 generate_config.py [output_filename]

By default, it creates config.bin.
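The authorization decision described in the Overview, combined with the three rule kinds listed above, as an added example in plain C that is not the project's own code: a target path is tested against the protected directories, and only if it is protected is the acting process tested against the allow rules (Team ID, CDHash, executable path prefix). The README describes plain prefix matching; this example tightens it to whole path components so that a protected "/a/b" does not also cover "/a/bc", and the lead-in notes that as a deliberate difference. The struct layouts, function names, sample directories, team ID and CDHash values are all assumptions constructed for the example, not values from the project or its config format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rule kinds mirror the three rule types named in generate_config.py
 * (RULE_TEAMID, RULE_CDHASH, RULE_PATH_PREFIX). Everything else here
 * (struct layouts, function names, sample rules and paths) is assumed for
 * this example and is not the project's own code. */
enum rule_kind { RULE_TEAMID, RULE_CDHASH, RULE_PATH_PREFIX };

struct rule {
    enum rule_kind kind;
    const char *value;      /* team ID, lowercase hex CDHash, or executable path prefix */
};

/* What the ES client learns about the acting process from the es_process_t
 * of an AUTH_OPEN / AUTH_RENAME / AUTH_LINK message (assumed field set). */
struct proc_info {
    const char *team_id;    /* NULL when the binary carries no team ID */
    const char *cdhash_hex; /* CDHash as lowercase hex */
    const char *exe_path;   /* path of the executable image */
};

/* Directory-aware prefix test: "/a/b" covers "/a/b" and "/a/b/..." but not
 * "/a/bc". A plain strncmp prefix check would also match "/a/bc", which is
 * the usual pitfall of prefix-based path rules. */
static bool under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (strncmp(path, dir, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Is the target of the event inside any protected directory? */
static bool path_is_protected(const char *target,
                              const char *const *dirs, size_t ndirs)
{
    for (size_t i = 0; i < ndirs; i++)
        if (under_dir(target, dirs[i]))
            return true;
    return false;
}

/* Does the process satisfy at least one allow rule? */
static bool process_matches_rule(const struct proc_info *p,
                                 const struct rule *rules, size_t nrules)
{
    for (size_t i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        switch (r->kind) {
        case RULE_TEAMID:
            if (p->team_id && strcmp(p->team_id, r->value) == 0)
                return true;
            break;
        case RULE_CDHASH:
            if (p->cdhash_hex && strcmp(p->cdhash_hex, r->value) == 0)
                return true;
            break;
        case RULE_PATH_PREFIX:
            if (p->exe_path && under_dir(p->exe_path, r->value))
                return true;
            break;
        }
    }
    return false;
}

/* The AUTH decision described in the README: deny only when the target is
 * protected and no rule matches the acting process; everything else is allowed. */
bool authorize(const char *target, const struct proc_info *p,
               const char *const *dirs, size_t ndirs,
               const struct rule *rules, size_t nrules)
{
    if (!path_is_protected(target, dirs, ndirs))
        return true;
    return process_matches_rule(p, rules, nrules);
}

/* Constructed sample policy (placeholder team ID and CDHash) and a wrapper
 * so the decision can be exercised with one call. */
static const char *const SAMPLE_DIRS[] = { "/Users/alice/Secrets", "/opt/vault" };
static const struct rule SAMPLE_RULES[] = {
    { RULE_TEAMID,      "ABCDE12345" },
    { RULE_CDHASH,      "0123456789abcdef0123456789abcdef01234567" },
    { RULE_PATH_PREFIX, "/usr/local/bin" },
};

bool sample_decision(const char *target, const char *team_id,
                     const char *cdhash_hex, const char *exe_path)
{
    struct proc_info p = { team_id, cdhash_hex, exe_path };
    return authorize(target, &p,
                     SAMPLE_DIRS, sizeof SAMPLE_DIRS / sizeof SAMPLE_DIRS[0],
                     SAMPLE_RULES, sizeof SAMPLE_RULES / sizeof SAMPLE_RULES[0]);
}

int main(void)
{
    const char *t = "/Users/alice/Secrets/key.pem";
    printf("unsigned /bin/cat on %s: %s\n", t,
           sample_decision(t, NULL, "ffff", "/bin/cat") ? "ALLOW" : "DENY");
    printf("team-signed editor on %s: %s\n", t,
           sample_decision(t, "ABCDE12345", "ffff", "/Applications/Editor.app/Contents/MacOS/Editor") ? "ALLOW" : "DENY");
    return 0;
}
```

In the real client these checks run inside the ES handler before es_respond_auth_result is called; the point of keeping them in a pure function is that the decision logic can be unit-tested without root, entitlements or a SIP-disabled VM.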

Running

The Endpoint Security client requires root privileges.

sudo ./main config.bin
