santa
tpm-fido
Our great sponsors
santa | tpm-fido | |
---|---|---|
20 | 8 | |
4,303 | 273 | |
0.7% | - | |
9.0 | 2.4 | |
14 days ago | 9 months ago | |
Objective-C | Go | |
Apache License 2.0 | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
santa
- Linux being secure is a common misconception
-
Unable to install ruby due to google santa
For anyone wondering: https://github.com/google/santa
-
Reporting on new installed applications
Have you looked at SANTA?
-
Remote Code Execution Vulnerability in Google They Are Not Willing to Fix
Not directly relevant but interesting...
https://github.com/google/santa
This is a product developed by Google that has at least been utilized internally to some extent. It's not perfect, but my previous company used it and it does prevent unexpected unknown code from running in the background.
What it does not do is prevent someone from intentionally downloading and executing a library unless the upvoter actually comes to some demand that you do so. I found that it quickly became a bit of a "alert fatigue" where you approve things your coworkers send you so they can get back to work without properly vetting.
-
is it possible to see what account made changes to the system?
If you really want to get draconian with your controls/logging have a look into https://github.com/google/santa
-
MacOS + MDM Policies (Privacy, Notifications, Native Apps)
Is your company open to adopting open source tooling? There is a tool called Santa that could be used to block binaries from executing.
- Possible to restrict which applications a user can install/execute?
-
On Oct 24th Apple will release macOS Ventura - Are you ready?
you may like https://github.com/google/santa
-
Uber Investigating Breach of Its Computer Systems
> Infostealers for Mac are a thing (Uber is a mac heavy shop I hear)
Block unknown executables on company machines. Google developed Santa to protect themselves: https://github.com/google/santa
> and that's all it takes to steal cookies and tokens post-mfa,
Make post-MFA cookies and tokens short-lived. Require MFA re-authentication at least daily.
> or why even bother with that, if you're running code just make it a reverse shell.
All outbound connections should be strictly monitored, especially from production servers, which should have no ability to make outbound connections. With modern dependency management, that's harder for build servers, but still doable.
-
What Anti-Keylogging Software do you use or recommend?
https://github.com/google/santa for anyone curious
tpm-fido
- Tailscale doesn't want your password
- On-device WebAuthn and what makes it hard to do well
- Passkeys in Chrome
-
WebAuthN and Fido for Linux
I also found this: https://github.com/psanford/tpm-fido
FIDO2 should be used more, hopefully more sites end up supporting it sooner rather than later.
- Bringing Modern Authentication APIs (FIDO2 WebAuthn, Passkeys) to Linux Desktop
-
Uber Investigating Breach of Its Computer Systems
If you have a Linux PC with a TPM, you can use https://github.com/psanford/tpm-fido to create and "plug in" a virtual USB WebAuthn key whose secret is irretrievably stored in the machine's TPM. This effectively asserts that your specific machine is being used to enter a given site. However, it's important to remember it doesn't necessarily verify that *you're* present, or even if *anyone* is present at all, since the presence check is done via a software dialog and can be pwned along with the rest of the system.
-
WebAuthn, and Only WebAuthn
There are a huge number of other vendors supporting Webauthn apart from Yubikey. (From the top of my head Nitrokey, Solo, Tomu, Mooltipass, Ledger, Trezor, Google Titan, OnlyKey, Token2).
You could also use the system TPM (https://github.com/psanford/tpm-fido).
A brief search didn't yield any FIDO2 software-only solutions for Linux, but I see no reason why in principle you couldn't implement it (perhaps interfacing https://github.com/google/OpenSK through hidg - similar projects do exist for U2F).
-
How to bypass Sprint/T-Mobile 2FA in under 5 minutes
I made a FIDO token (a platform authenticator) implementation that uses the TPM to protect your private keys on Linux: https://github.com/psanford/tpm-fido
What are some alternatives?
sequelpro - MySQL/MariaDB database management for macOS
virtual-fido - A Virtual FIDO2 USB Device
macOSLAPS - Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
SoftU2F - Software U2F authenticator for macOS
macos_security - macOS Security Compliance Project
OpenSK - OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
MacPass - A native macOS KeePass client
keepassxc - KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
CocoaLumberjack - A fast & simple, yet powerful & flexible logging framework for macOS, iOS, tvOS and watchOS
certifi-system-store - certifi-system-store, a certifi hack to use system trust store on Linux and FreeBSD
pip - The Python package installer
truststore - Verify certificates using OS trust stores