Login
      Contents x
      Configure a macOS Sensor with Red Canary
      • 16 Jul 2024
      • 1 Minute to read
      • PDF
      Contents

      Configure a macOS Sensor with Red Canary

      • Updated on 16 Jul 2024
      • 1 Minute to read
      • PDF
      Article summary

      Red Canary recommends macOS sensor configurations to optimize performance and detection in light of system extension changes introduced with macOS Catalina (version 10.15) and finalized in macOS Big Sur (version 11).

      Apple sensor background

      Endpoint detection and response (EDR) sensors developed for macOS were traditionally designed around insecure, error-prone kernel programming interfaces (KPI) called kernel extensions (kexts). The interface between the user space macOS EDR sensor and the EDR's kext is usually a root-level launch program located in the ‘/Library/LaunchDaemons/`directory. This directory is not protected by System Integrity Protection (SIP), and is vulnerable to unauthorized modifications.

      Apple macOS sensor update

      Apple has introduced a new secure and reliable framework for extending the functionality of macOS without entering kernel mode, which can introduce vulnerabilities and is unsupported in macOS versions beyond macOS Catalina (version 10.15). System extensions on macOS are composed of: 

      • Security extensions for interacting with the endpoint security framework (ESF)

      • Network extensions for the network extension framework (NEF)

      • A DriverKit for interfacing with the endpoint input and output process

      By implementing these extensions in the user space rather than the kernel of macOS, many of the intricacies and risky side effects of deployment are allocated to the ESF, NEF, and DriverKit utilities. This allows for risk mitigation by using the comprehensive framework testing and security maintained by Apple’s security architectural teams.

      EDR vendors who implement their sensor with system extensions will benefit from Apple’s native SIP anti-tamper technology. These benefits include restrictions on the ability of macOS's root user account to make changes to the file system. Thus, even if an adversary were to achieve root access on the endpoint, the adversary would still not be able to delete or modify system extensions. Additionally, since system extensions are also user space processes, the extensions can be manipulated in the user space at runtime, avoiding reboots when modifications are necessary. 

      System extension guidance

      Red Canary recommends installing and operating EDR sensors on macOS Catalina (version 10.15 or later) with system extensions if possible. SIP must be enabled on the endpoint. To learn more about turning SIP on or off, see Disabling and enabling SIP

      For more information about the anti-tamper technologies exposed by system extensions, check out these vendor-specific articles: 

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout