Sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift. It uses the user-mode EndpointSecurity API to subscribe to and receive authorization callbacks from the macOS kernel, for a set of security-relevant event types.
The current version of Sinter supports allowing/denying process executions; in future versions we intend to support other types of events such as file, socket, and kernel events.
Sinter is a work-in-progress. Feedback is welcome. If you are interested in contributing or sponsoring us to help achieve its potential, let’s get in touch.
Features
Planned upcoming features:
Anti-Features
Background
The first open-source macOS solution for allowing/denying processes was Google Santa. We’re fans of Santa, and have contributed to its codebase in the past. For a long time, however, many in the macOS community have asked for an open-source solution to track and manage more than just process events.
We saw the ideal platform to build such a capability with the EndpointSecurity API in macOS 10.15. Starting from the ground-up around a strictly user-mode API meant that we could attempt a simpler design, and use a modern programming language with safer memory handling and better performance. Thus, we set out to develop Sinter, short for “Sinter Klausen,” another name for Santa Claus.
Getting Started
Download and install the latest version of Sinter using the pkg
installer link from the Releases page.
After installing Sinter, you must enable the “Full Disk Access” permission for Sinter.app
. Do this by opening System Preferences, Security, Privacy tab, Full Disk Access. Check the item for Sinter.app
. If using MDM, you can automatically enable this permission on your endpoints, and no user interaction will be required.
Configuration
Sinter requires a configuration file to be present at /etc/sinter/config.json
. An example is provided in the source tree at ./config/config.json
:
{
“Sinter”: {
“decision_manager”: “local”,
“logger”: “filesystem”,
“allow_unsigned_programs”: “true”,
“allow_invalid_programs”: “true”,
“allow_unknown_programs”: “true”,
“allow_expired_auth_requests”: “true”,
“allow_misplaced_applications”: “true”,
“config_update_interval”: 600,
“allowed_application_directories”: [
“/bin”,
“/usr/bin”,
“/usr/local/bin”,
“/Applications”,
“/System”,
“/usr/sbin”,
“/usr/libexec”,
],
},
“FilesystemLogger”: {
“log_file_path”: “/var/log/sinter.log”,
},
“RemoteDecisionManager”: {
“server_url”: “https://server_address:port”,
“machine_identifier”: “identifier”,
},
“LocalDecisionManager”: {
“rule_database_path”: “/etc/sinter/rules.json”,
}
}
The decision manager plugin can be selected by changing the decision_manager
value. The local plugin will enable the LocalDecisionManager configuration section, pointing Sinter to use the local rule database present at the given path. It is possible to use a Santa-compatible sync-server, by using the sync-server plugin instead. This enables the RemoteDecisionManager configuration section, where the server URL and machine identifier can be set.
There are two logger plugins currently implemented:
Allowed Application Directories
It is possible to configure Sinter to log and optionally deny applications that have not been started from an allowed folder.
Enabling UI Notifications
sudo /Applications/Sinter.app/Contents/MacOS/Sinter --install-notification-server
/Applications/Sinter.app/Contents/MacOS/Sinter --start-notification-server
Configuring Sinter in MONITOR Mode
Modes are not implemented in Sinter, as everything is rule-based. It is possible to implement the monitoring functionality by tweaking the following settings:
Rule Format
Rule databases are written in JSON format. Here’s an example database that allows the CMake application bundle from cmake.org:
{
“rules”: [
{
“rule_type”: “BINARY”,
“policy”: “ALLOWLIST”,
“sha256”: “BDD0AF132D89EA4810566B3E1E0D1E48BAC6CF18D0C787054BB62A4938683039”,
“custom_msg”: “CMake”
}
]
}
Sinter only supports BINARY rules for now, using either ALLOWLIST or DENYLIST policies. The code directory hash value can be taken from the codesign
tool output (example: codesign -dvvv /Applications/CMake.app
). Note that even though the CLI tools can acquire the full SHA256 hash, the Kernel/EndpointSecurity API is limited to the first 20 bytes.
Building From Source
Building Sinter requires certain code-signing certificates and entitlements that Apple must grant your organization. However, Sinter can still be built from source and run locally on a test system with SIP disabled. For instructions, see the Sinter wiki.
bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…