Opened 10 months ago

Last modified 10 months ago

#69187 new defect

Updated from version 2.8.1 to 2.9 Crowdstrike altert from IT

Reported by: eraldtroja Owned by:
Priority: Normal Milestone:
Component: base Version: 2.9.0
Keywords: crowdstrike alerts, data dump Cc: jmroot (Joshua Root)
Port:

Description (last modified by ryandesign (Ryan Carsten Schmidt))

I can provide more details as I get them from IT but in a nutshell this has occurred and I need some guidance.

I was at version 2.8.1 as of yesterday morning. I fired up the following commands to update my ports:

sudo port selfupdate
sudo port upgrade outdated
sudo port uninstall inactive

I'm running MacOS Sonoma 14.3. The system is managed by my IT department.

Within minutes of performing the update I received calls from IT stating that Crowdstrike had alerted them of a data dump, hence my machine would need to be brought in for a complete wipe.

I think this might be a case of a false positive, and I'll provide more details if needed, but I need to get some guidance of what an update from 2.8.1 to 2.9 does in order to possible categorize it as a false positive when it comes to a "data dump"

Thank you.

Change History (4)

comment:1 Changed 10 months ago by jmroot (Joshua Root)

Cc: jmroot added
Component: portsbase

Selfupdate involves downloading the latest tarballs of MacPorts base and the ports tree with rsync, then installing base if outdated, which is essentially just a typical ./configure && make && make install. I don't know what Crowdstrike considers a "data dump" so it's hard to say what might have triggered it. There was another ticket about Crowdstrike, where it didn't like the installer script examining and updating the macports unprivileged user account that we use for running builds: #66878

Last edited 10 months ago by jmroot (Joshua Root) (previous) (diff)

comment:2 Changed 10 months ago by ryandesign (Ryan Carsten Schmidt)

Description: modified (diff)

comment:3 in reply to:  1 Changed 10 months ago by eraldtroja

Replying to jmroot:

Selfupdate involves downloading the latest tarballs of MacPorts base and the ports tree with rsync, then installing base if outdated, which is essentially just a typical ./configure && make && make install. I don't know what Crowdstrike considers a "data dump" so it's hard to say what might have triggered it. There was another ticket about Crowdstrike, where it didn't like the installer script examining and updating the macports unprivileged user account that we use for running builds: #66878

Ok, where can I get some documentation on what are the exact system changes that ./configure && make && make install brings onto the system in order to have IT consider it and perhaps bring it up with Crowdstrike to classify it as a false-positive?

I practice very good cyber hygiene, so I am 100% confident that this is the only change that has triggered their alert.

Thanks!

comment:4 Changed 10 months ago by jmroot (Joshua Root)

./configure && make builds the source and shouldn't change anything outside the build directory. make install creates, deletes, and/or updates the files that comprise the MacPorts base installation, and creates or updates the macports user. That's pretty much it. https://github.com/macports/macports-base/blob/v2.9.0/Makefile.in#L34

Last edited 10 months ago by jmroot (Joshua Root) (previous) (diff)
Note: See TracTickets for help on using tickets.