From 379f283c627434a4f5dd43308917e6a984100ea1 Mon Sep 17 00:00:00 2001 From: Pete Markowsky Date: Fri, 28 Oct 2022 20:21:38 -0400 Subject: [PATCH] Update Known Limitations for USB Mass Storage Blocking (#924) * Updated known limitations. --- docs/known-limitations.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/known-limitations.md b/docs/known-limitations.md index 9ca573eb2..a36b98e84 100644 --- a/docs/known-limitations.md +++ b/docs/known-limitations.md @@ -7,4 +7,9 @@ nav_order: 7 - Santa only blocks execution (execve and variants), it doesn't protect against dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or libraries loaded using `DYLD_INSERT_LIBRARIES`. -- Scripts: Santa is currently written to ignore any execution that isn't a binary. After weighing the administration cost versus the benefit, we found it wasn't worthwhile to manage the execution of scripts. Additionally, a number of applications make use of temporary generated scripts and blocking these could cause problems. We're happy to revisit this (or at least make it an option) if it would be useful to others. \ No newline at end of file +- Scripts: Santa is currently written to ignore any execution that isn't a binary. After weighing the administration cost versus the benefit, we found it wasn't worthwhile to manage the execution of scripts. Additionally, a number of applications make use of temporary generated scripts and blocking these could cause problems. We're happy to revisit this (or at least make it an option) if it would be useful to others. + +- USB Mass Storage Blocking: Santa's USB Mass Storage blocking feature is only meant to stop incidental + data exfiltration. It is not meant as a hard control. It cannot block: + * Storage devices mounted during boot prior to Santa having an opportunity to begin authorizing mounts + * Directly writing to an unmounted, but attached device
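Review bot: the nested list under the new "USB Mass Storage Blocking" bullet uses `*` markers while every top-level bullet in this file uses `-`; for consistency (and to avoid a second list style in a file that already has one) use `  - Storage devices mounted during boot ...` and `  - Directly writing to an unmounted, but attached device`. The same bullet is also hard-wrapped mid-sentence ("incidental" / "data exfiltration") and between "cannot block:" and its sub-list, whereas the two existing bullets in the hunk are single long lines; pick one wrapping convention for the whole file rather than mixing them. Separately, the only change to the "Scripts" bullet is the added trailing newline that fixes "\ No newline at end of file"; that is fine, but since the diff shows it as a remove/re-add of a long line, a note in the commit message that the Scripts text is unchanged would save reviewers a character-by-character comparison.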