Restrict Dangerous Security Command Operations
Block the security command from dumping Keychain contents or adding trusted certificates, stopping credential theft and MITM attack vectors.
Idea
macOS ships a built-in security command that exposes the Keychain and the trust store from the command line. In an attacker's hands it can dump Keychain contents or add a trusted root certificate to enable MITM interception. Using the abuse cases catalogued by LOOBins as the starting point, the most dangerous of these operations can be blocked with a Workshop rule expressed as a Santa CEL rule.
The security command can read credentials, keys, certificates, and other secrets out of a keychain, and it can write to certificate trust settings, so a single invocation can either steal stored passwords or make an attacker-controlled CA trusted by the system. The command has legitimate uses, so rather than blocking the binary outright, the rule blocks only the subcommands that perform these operations and leaves the rest alone.
Deployment Notes
This rule blocks the following security subcommands, the ones with the most direct credential-theft or trust-tampering impact:
- dump-keychain: Dump the contents of a keychain (with -d, the secret data itself, subject to the keychain ACL prompts)
- dump-trust-settings: Dump the certificate trust settings for the user, admin, or system domain
- add-trusted-cert: Add a certificate to the trust settings, making it a trusted root for TLS (MITM risk)
- find-generic-password: Look up a generic (application) password; with -g or -w the password is printed
- find-internet-password: Look up an internet (web, mail, etc.) password; with -g or -w the password is printed
All other security subcommands remain allowed. The decision is made on the subcommand as it appears in the process arguments; subcommands typed into the interactive shell started by security -i are not visible to an argument-based rule.
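The following Python model of the rule's decision is an added illustration, not the Workshop rule or the CEL expression itself (which are not reproduced on this page), and it makes no assumptions about Santa's CEL variable names. It shows what an argument-based check on the security command can and cannot see: it walks the global options that security(1) accepts before the subcommand (security [-hilqv] [-p prompt] [command] ...), picks out the subcommand token, blocks the five listed above, and flags the interactive-mode case where the subcommand never appears in argv. The sample invocations at the bottom are constructed for the example.

```python
#!/usr/bin/env python3
"""Model of an argv-based block decision for /usr/bin/security.

Added illustration only; it is not Workshop's rule text and does not
use Santa's CEL syntax.  Global-option handling follows security(1):
    security [-hilqv] [-p prompt] [command] [command_options] [command_args]
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence

# The five subcommands the rule blocks (see Deployment Notes above).
BLOCKED_SUBCOMMANDS = frozenset({
    "dump-keychain",
    "dump-trust-settings",
    "add-trusted-cert",
    "find-generic-password",
    "find-internet-password",
})

# Global options of security(1).  Single-letter flags may be clustered
# (e.g. -iq); -p takes the prompt string as its argument.
GLOBAL_OPTS_WITH_ARG = {"p"}


@dataclass(frozen=True)
class Decision:
    action: str                # "BLOCK" or "ALLOW"
    subcommand: Optional[str]  # first non-option argv token, if any
    interactive: bool          # -i given: subcommands arrive on stdin
    reason: str


def parse_subcommand(argv: Sequence[str]) -> tuple[Optional[str], bool]:
    """Return (subcommand, interactive) for a security argv, getopt-style."""
    interactive = False
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":          # end of global options
            i += 1
            break
        if not tok.startswith("-") or tok == "-":
            break                # first positional token is the subcommand
        letters = tok[1:]
        consumes_next = False
        for j, ch in enumerate(letters):
            if ch in GLOBAL_OPTS_WITH_ARG:
                # "-pfoo" carries its value inline; "-p foo" takes the next token.
                consumes_next = j + 1 == len(letters)
                break
            if ch == "i":
                interactive = True
        i += 2 if consumes_next else 1
    subcommand = argv[i] if i < len(argv) else None
    return subcommand, interactive


def evaluate(argv: Sequence[str]) -> Decision:
    """Apply the block list to one security invocation."""
    subcommand, interactive = parse_subcommand(argv)
    if subcommand in BLOCKED_SUBCOMMANDS:
        return Decision("BLOCK", subcommand, interactive,
                        f"{subcommand} is on the blocked subcommand list")
    if interactive and subcommand is None:
        # Caveat: nothing typed at the "security>" prompt is in argv.
        return Decision("ALLOW", None, True,
                        "interactive mode; subcommands come from stdin, "
                        "invisible to an argv-based rule")
    return Decision("ALLOW", subcommand, interactive,
                    "subcommand not on the blocked list")


# Constructed sample invocations (not captured from a real host).
SAMPLE_INVOCATIONS = [
    ["/usr/bin/security", "dump-keychain", "-d", "login.keychain-db"],
    ["security", "-q", "find-generic-password", "-wa", "alice", "-s", "svc"],
    ["security", "add-trusted-cert", "-d", "-r", "trustRoot",
     "-k", "/Library/Keychains/System.keychain", "ca.pem"],
    ["security", "list-keychains"],
    ["security", "-p", "dump-keychain", "list-keychains"],  # prompt text, not a subcommand
    ["security", "-iq"],
]

if __name__ == "__main__":
    for argv in SAMPLE_INVOCATIONS:
        d = evaluate(argv)
        print(f"{d.action:5} {' '.join(argv)!r}: {d.reason}")
```

The -p case is the one worth noticing: a naive "any argv token in the block list" check would block security -p dump-keychain list-keychains, a harmless invocation whose prompt string merely happens to contain a blocked name, and would still miss everything typed into security -i. Match the subcommand position rather than scanning the whole argument vector, and accept that interactive mode is outside what this rule can enforce.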
False Positive Guidance
Developers and system administrators occasionally run these security subcommands for legitimate reasons:
- Debugging authentication issues (for example, confirming which keychain item an application is reading)
- Managing certificates, including installing an internal CA as a trusted root
- Troubleshooting keychain problems
Expect blocks from those users and review them before widening the rule. Use Workshop tags to exempt specific users or machines, or route the blocked invocations through an approval workflow, rather than removing subcommands from the block list.