Reduced code reuse for lockdown method #62
base: master
@@ -286,7 +286,10 @@ def final_configuration(): | |
# else: | ||
# print(Fore.RED + Style.BRIGHT + "WARNING: Configuration not complete! A full restart is necessary." + Style.RESET_ALL) | ||
# sys.exit() | ||
|
||
def run_command(command): | ||
""" Runs a shell command using subprocess call""" | ||
command_list = command.split() | ||
return sp.run(command_list, stdout=sp.PIPE) | ||
|
||
def lockdown_procedure(): | ||
"""Set secure config without any user interaction.""" | ||
|
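Review bot: `run_command` splits with `command.split()`, which breaks on the quoted, space-containing arguments this same PR passes to it (`'~/Library/Application Support/Quick Look/*'` becomes three argv entries with the quote characters kept), and because no shell is started, `~` and `*` are never expanded either. Suggest `argv = shlex.split(command)` so quoting is honoured, expanding paths in Python (`os.path.expanduser`, `glob`) before the call, and `sp.run(argv, stdout=sp.PIPE, check=True)` so a failed hardening step raises instead of handing back a `CompletedProcess` that no caller inspects. A one-line docstring note that the helper intentionally avoids `shell=True`, and therefore cannot run shell syntax such as redirections, would pre-empt the question raised in the thread on this PR.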
@@ -295,48 +298,48 @@ def lockdown_procedure(): | |
print_confirmation("Set secure configuration without user interaction.") | ||
|
||
# Get sudo priv | ||
sp.run("sudo -E -v", shell=True, stdout=sp.PIPE) | ||
run_command("sudo -E -v") | ||
|
||
#### | ||
# FIREWALL | ||
#### | ||
|
||
sp.run(['sudo', 'launchctl', 'load', '/System/Library/LaunchDaemons/com.apple.alf.agent.plist'], stdout=sp.PIPE) | ||
sp.run(['sudo', 'launchctl', 'load', '/System/Library/LaunchAgents/com.apple.alf.useragent.plist'], stdout=sp.PIPE) | ||
sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setglobalstate', 'on'], stdout=sp.PIPE) | ||
sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setloggingmode', 'on'], stdout=sp.PIPE) | ||
sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setstealthmode', 'on'], stdout=sp.PIPE) | ||
sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setallowsigned', 'off'], stdout=sp.PIPE) | ||
sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setallowsignedapp', 'off'], stdout=sp.PIPE) | ||
sp.run(['sudo', 'pkill', '-HUP', 'socketfilterfw'], stdout=sp.PIPE) | ||
run_command("sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist") | ||
run_command("sudo launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist") | ||
run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on") | ||
run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on") | ||
run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on") | ||
run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off") | ||
run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off") | ||
run_command("sudo pkill -HUP socketfilterfw") | ||
Comment on lines +307 to +314: This refactor looks good to me. Strings in favor of lists.
||
|
||
#### | ||
# SYSTEM PROTECTION | ||
#### | ||
|
||
sp.run('sudo spctl --master-enable', shell=True, stdout=sp.PIPE) | ||
sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setallowsigned', 'off'], stdout=sp.PIPE) | ||
sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setallowsignedapp', 'off'], stdout=sp.PIPE) | ||
sp.run(['sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false'], stdout=sp.PIPE) | ||
run_command("sudo spctl --master-enable") | ||
Lost another
||
run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off") | ||
run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off") | ||
run_command("sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false") | ||
|
||
#### | ||
# METADATA STORAGE | ||
#### | ||
|
||
sp.run(['rm', '-rfv', '"~/Library/LanguageModeling/*"', '"~/Library/Spelling/*"', '"~/Library/Suggestions/*"']) | ||
sp.run(['rm', '-rfv', '"~/Library/Application Support/Quick Look/*"'], stdout=sp.PIPE) | ||
sp.run([':>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'], shell=True, stdout=sp.PIPE) | ||
run_command("rm -rfv '~/Library/LanguageModeling/*' '~/Library/Spelling/*' '~/Library/Suggestions/*'") | ||
run_command("rn -rfv '~/Library/Application Support/Quick Look/*'") | ||
run_command(":>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2") | ||
|
||
#### | ||
# USER SAFETY | ||
#### | ||
|
||
sp.run(['defaults', 'write', 'com.apple.screensaver', 'askForPassword', '-int', '1'], stdout=sp.PIPE) | ||
sp.run(['defaults', 'write', 'com.apple.screensaver', 'askForPasswordDelay', '-int', '0'], stdout=sp.PIPE) | ||
sp.run(['defaults', 'write', 'NSGlobalDomain', 'AppleShowAllExtensions', '-bool', 'true'], stdout=sp.PIPE) | ||
sp.run(['defaults', 'write', 'NSGlobalDomain', 'NSDocumentSaveNewDocumentsToCloud', '-bool', 'false'], stdout=sp.PIPE) | ||
sp.run(['defaults', 'write', 'com.apple.finder', 'AppleShowAllFiles', '-boolean', 'true'], shell=True, stdout=sp.PIPE) | ||
sp.run(['killAll', 'Finder'], stdout=sp.PIPE) | ||
run_command("defaults write com.apple.screensaver askForPassword -int 1") | ||
run_command("defaults write com.apple.screensaver askForPasswordDelay -int 0") | ||
run_command("defaults write NSGlobalDomain AppleShowAllExtensions -bool true") | ||
run_command("defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false") | ||
run_command("defaults write com.apple.finder AppleShowAllFiles -boolean true") | ||
Missing
||
run_command("killAll Finder") | ||
|
||
#### | ||
# RESTART | ||
|
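Review bot: `run_command(":>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")` cannot work without a shell: the whole string is a single token, so `sp.run` tries to execute a program literally named `:>~/Library/...` and raises `FileNotFoundError`. This is the line where dropping `shell=True` changes behaviour. Truncate the file in Python instead, e.g. `open(os.path.expanduser(path), "w").close()`, which needs no shell at all. The `rm -rfv` calls have a related problem: with `str.split` and no shell the single quotes stay inside the arguments and `~`/`*` are not expanded, so `rm` never sees the real paths (the old list form with double-quoted strings had the identical defect, so the refactor preserves a bug rather than introducing one), and `rn -rfv` is a typo for `rm`. `killAll Finder` should be spelled `killall`. One point in the refactor's favour: the old `sp.run(['defaults', ..., 'AppleShowAllFiles', '-boolean', 'true'], shell=True)` passed a list together with `shell=True`, which runs only the first element (`defaults` with no arguments), so removing `shell=True` there makes that line actually write the preference. Finally, `--setallowsigned off` and `--setallowsignedapp off` appear under both FIREWALL and SYSTEM PROTECTION; the second pair could be dropped.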
Careful... You lost a `shell=True` on this line that's really important.

Hey, I explicitly didn't want to invoke the shell through `shell=True` to avoid a shell injection vulnerability. I tried it out through the interpreter and `run_command("sudo -E -v")` executes. Please let me know if I am misunderstanding the `shell=True` argument. Also, I'll try and define methods to perform actions.

I don't think there is a way to exploit this particular `shell=True` since there's no user input besides the sudo password. You're right to be careful though. Take a look at the example here: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

I remember not being able to get it to work without that `shell=True` but it has been a very long time since I sat down with this code. I'll find some time to mess with it soon.