Bastion Released For Mac!


Banda Philpot

Jul 17, 2024, 8:57:20 AM7/17/24
to petsworlama

In an increasingly connected world, the security of our digital lives has become more critical than ever. As users rely heavily on their computers for work, personal communication, and handling sensitive information, the need for a secure operating system is paramount.

While macOS is widely regarded for its user-friendly nature, it's important to acknowledge that no operating system is immune to security threats. From malware and phishing attacks to data breaches and unauthorized access, macOS users must be vigilant and proactive in safeguarding their systems and personal information.

macOS takes a multi-faceted approach to safeguarding its system against potential threats from Internet-downloaded applications. It integrates a variety of protective measures to ensure that such apps are free from known malware. By leveraging advanced technologies, macOS not only detects and eliminates malware but also establishes additional barriers to prevent untrusted apps from compromising user data.

Transparency, Consent, and Control (TCC) is a fundamental aspect of privacy and security in modern digital ecosystems. It refers to a set of mechanisms and practices designed to provide users with clear visibility and control over the permissions and access rights granted to applications and services on their devices.

In macOS, TCC serves as a crucial component of privacy protection by offering users the ability to manage which applications have access to sensitive data and system resources. This includes permissions for accessing location data, contacts, calendars, microphones, cameras, and more. By allowing users to review and modify these permissions, macOS ensures that individuals have granular control over their personal information.

The transparency aspect of TCC ensures that users are fully informed about the data an application requests and the specific purpose for which it is required. When an application attempts to access sensitive data for the first time, macOS displays a consent prompt, clearly stating the information being requested and the purpose it will serve. This transparency empowers users to make informed decisions about granting or denying access.

Gatekeeper is a built-in security technology designed to run trusted software on macOS. When downloading an application from the Internet outside the AppStore and opening that application, Gatekeeper confirms that the application comes from the identified developer and is known to Apple (notarization).

Gatekeeper performs the controls from its own database, and it keeps a blocklist for applications. The Gatekeeper's database is in SQLite format and is located at /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/gk.db.

macOS has a built-in security tool called XProtect that provides signature-based detection. XProtect performs malware detection using YARA signatures. YARA rules are regularly updated by Apple.
XProtect performs a continuous security scan of the macOS system, including in the following cases.

When an application downloaded from the Internet using an application sensitive to File Quarantine technology is opened, a warning appears in front of the user that the application is downloaded from the Internet (Gatekeeper).

XProtect checks application files and file hashes against these signatures when the application is first launched or whenever it changes. When XProtect detects a matching signature, it prevents the relevant code from running, and the user is informed of the option to delete the relevant application (Gatekeeper).

XProtect.meta.plist: This .plist file contains information about malicious application plugins (Java, Flash, etc.) and harmful Safari extensions. Extension block definitions are made according to the bundle identifier and related Developer ID information.

XProtect.plist: This .plist file contains information about the application bundle and the harmful content in it. As an example, the content of the OSX.28a9883 signature name in XProtect.plist is given below.

LegacyEntitlementAllowlist.plist: This plist file is undocumented by Apple.
It is seen that only cdhash information is included in the plist. Detailed information about cdhash can be found in Apple documentation.

MRT is another built-in anti-malware tool for macOS which is available on macOS 10.8.3 and higher versions. When it is infected with malware, the macOS system is cleaned with MRT. MRT checks the malware database regularly updated by Apple and removes infections. Similar to XProtect, MRT is activated automatically at system startup. MRT is located at /Library/Apple/System/Library/CoreServices/MRT.app.

For example, when the data of the Mughtesec malware is examined, it is understood that the MRT application keeps behavioral patterns of the malicious software and detects the malware by comparing the activities in the system with these patterns.

With the release of macOS 12.3, Apple also released a new macOS tool called XProtect Remediator (XPR). XProtect Remediator is reminiscent of MRT in the sense that it is an application package, but it contains different binaries for different malware.

Apple has released a new XProtect module with macOS Ventura. With this module, it is seen that XProtect has a behavioral detection feature. The SQLite database file of this module is located at /var/protected/xprotect/XPdb.

XPdb and XProtect activities, in general, are handled by the System Configuration Policy Daemon - syspolicyd.
When the syspolicyd binary is analyzed, the registerBastionProfile function is seen in the SandboxManager class. The retain array draws attention to this function.

The first filter, BastionRule-1, restricts file access to specific subpaths within Chrome, Firefox, and Safari application support directories, but only if the accessed binary is not part of either bastion-usual-offenders or rule-one-offenders.

The second filter, BastionRule-2, allows access to subpaths within Messages, Microsoft Teams, Slack, and WhatsApp application support directories, but only if the accessed binary is not part of either bastion-usual-offenders or rule-two-offenders.

The third filter, BastionRule-3, grants access to a specific file (com.apple.LaunchServices.QuarantineEventsV2) in the user's preferences directory (Library/Preferences/) but only if the accessed binary is not part of either bastion-usual-offenders or rule-three-offenders.

For those who are looking for a more secure, safe, and reliable computing experience, learning the details of Apple's security utilities is a great way to safeguard user data and privacy. Understanding long-standing applications such as File Quarantine and Gatekeeper and new features such as XProtect Remediator would help users and security professionals attain a higher level of security.

Red Hat OpenShift Container Platform provides developers and IT organizations with a hybrid cloud application platform for deploying both new and existing applications on secure, scalable resources with minimal configuration and management overhead. OpenShift Container Platform supports a wide selection of programming languages and frameworks, such as Java, JavaScript, Python, Ruby, and PHP.

OpenShift Container Platform (RHSA-2023:5006) is now available. This release uses Kubernetes 1.27 with CRI-O runtime. New features, changes, and known issues that pertain to OpenShift Container Platform 4.14 are included in this topic.

OpenShift Container Platform 4.14 clusters are available at With the Red Hat OpenShift Cluster Manager application for OpenShift Container Platform, you can deploy OpenShift Container Platform clusters to either on-premises or cloud environments.

Starting with OpenShift Container Platform 4.14, Red Hat offers a 12-month additional EUS add-on, denoted as Additional EUS Term 2, that extends the total available lifecycle from 24 months to 36 months. The Additional EUS Term 2 is available on all architecture variants of OpenShift Container Platform.

Commencing with the 4.14 release, Red Hat is simplifying the administration and management of Red Hat shipped cluster Operators with the introduction of three new life cycle classifications: Platform Aligned, Platform Agnostic, and Rolling Stream. These life cycle classifications provide additional ease and transparency for cluster administrators to understand the life cycle policies of each Operator and form cluster maintenance and upgrade plans with predictable support boundaries. For more information, see OpenShift Operator Life Cycles.

OpenShift Container Platform is designed for FIPS. When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.

For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status for the individual versions of RHEL cryptographic libraries that have been submitted for validation, see Compliance Activities and Government Standards.

The scope of support for layered and dependent components of OpenShift Container Platform changes independently of the OpenShift Container Platform version. To determine the current support status and compatibility for an add-on, refer to its release notes. For more information, see the Red Hat OpenShift Container Platform Life Cycle Policy.

RHCOS now uses Red Hat Enterprise Linux (RHEL) 9.2 packages in OpenShift Container Platform 4.14. These packages ensure that your OpenShift Container Platform instance receives the latest fixes, features, enhancements, hardware support, and driver updates. Excluded from this change, OpenShift Container Platform 4.12 is an Extended Update Support (EUS) release that will continue to use RHEL 8.6 EUS packages for the entirety of its lifecycle.

In OpenShift Container Platform 4.14, you can install a cluster on AWS that uses a shared Virtual Private Cloud (VPC), with a private hosted zone in a different account than the cluster. For more information, see Installing a cluster on AWS into an existing VPC.
