Skip to content

/ sinter

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only Allow Process Execution from Specific Directories #17

Open
mike-myers-tob opened this issue Feb 26, 2020 · 0 comments
Open

Only Allow Process Execution from Specific Directories #17

mike-myers-tob opened this issue Feb 26, 2020 · 0 comments
Labels
enhancement
Projects
Santa Replacement Sinter

Comments

@mike-myers-tob
Copy link
Collaborator

@mike-myers-tob mike-myers-tob commented Feb 26, 2020
edited by MatthewARinehart

Why

As a security engineer, I only want processes from specific directory paths to be approved and executed so that my team can prevent applications located in other directories on the device's hard drive from running.

Acceptance Criteria

  • Only allow processes from the /Applications/, /Downloads/, and /Desktop/ directories to be executed.
  • Allow security engineers to edit / manage the list of approved source directories

Dev Notes

E.g., "do not allow execution from Trash" (~/.Trash/)

Allow selective enforcement by executable path. Initially our enforcement will be scoped to the /Applications/ directory. (We know this comes with plenty of workarounds, but this is just the first phase).
We should be able to express something like:
{
“default_action”: “allow_all”,
“execution_rule”:
{ “type”: “path”, “path_prefix”: “/Applications/”, “action”: “enforce”}
}
Ability to specify configuration “types” based off of the relevant ESF metadata. In the example above “path” is a rule type which is associated with an action. Our immediate need is to be able to allow specific developer certificates.
@mike-myers-tob mike-myers-tob modified the milestones: Version 1.0, Version 1.1 Feb 26, 2020
@mike-myers-tob mike-myers-tob modified the milestones: Version 1.1, Minimum Viable Product Mar 13, 2020
@mike-myers-tob mike-myers-tob moved this from To do to In progress in Santa Replacement Mar 13, 2020
@alessandrogario alessandrogario moved this from In progress to Ideas in Santa Replacement Jun 8, 2020
@alessandrogario alessandrogario added this to Next up in Sinter Jun 8, 2020
@alessandrogario alessandrogario removed this from the Minimum Viable Product milestone Jun 8, 2020
@MatthewARinehart MatthewARinehart changed the title Blacklist and whitelist control of process executions, by executable file path Only Allow Process Execution from Specific Paths Jun 8, 2020
@MatthewARinehart MatthewARinehart changed the title Only Allow Process Execution from Specific Paths Only Allow Process Execution from Specific Directories Jun 8, 2020
@alessandrogario alessandrogario moved this from To Do to Acceptance in Sinter Jun 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
Santa Replacement
Ideas
Sinter
Acceptance
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@MatthewARinehart @alessandrogario @mike-myers-tob
You can’t perform that action at this time.