Opened 10 months ago
Last modified 10 months ago
#69187 new defect: Updated from version 2.8.1 to 2.9, Crowdstrike alert from IT
| Reported by: | eraldtroja | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | base | Version: | 2.9.0 |
| Keywords: | crowdstrike alerts, data dump | Cc: | jmroot (Joshua Root) |
| Port: | | | |
Description (last modified by ryandesign (Ryan Carsten Schmidt))
I can provide more details as I get them from IT but in a nutshell this has occurred and I need some guidance.
I was at version 2.8.1 as of yesterday morning. I fired up the following commands to update my ports:

    sudo port selfupdate
    sudo port upgrade outdated
    sudo port uninstall inactive

I'm running macOS Sonoma 14.3. The system is managed by my IT department.
Within minutes of performing the update I received calls from IT stating that Crowdstrike had alerted them of a data dump, hence my machine would need to be brought in for a complete wipe.
I think this might be a case of a false positive, and I'll provide more details if needed, but I need to get some guidance on what an update from 2.8.1 to 2.9 does in order to possibly categorize it as a false positive when it comes to a "data dump".
Thank you.
Change History (4)
comment:1 follow-up: 3 Changed 10 months ago by jmroot (Joshua Root)
| Cc: | jmroot added |
|---|---|
| Component: | ports → base |
comment:2 Changed 10 months ago by ryandesign (Ryan Carsten Schmidt)
| Description: | modified (diff) |
|---|---|
comment:3 Changed 10 months ago by eraldtroja
Replying to jmroot:

> Selfupdate involves downloading the latest tarballs of MacPorts base and the ports tree with rsync, then installing base if outdated, which is essentially just a typical `./configure && make && make install`. I don't know what Crowdstrike considers a "data dump" so it's hard to say what might have triggered it. There was another ticket about Crowdstrike, where it didn't like the installer script examining and updating the macports unprivileged user account that we use for running builds: #66878

Ok, where can I get some documentation on what are the exact system changes that `./configure && make && make install` brings onto the system in order to have IT consider it and perhaps bring it up with Crowdstrike to classify it as a false positive?
I practice very good cyber hygiene, so I am 100% confident that this is the only change that has triggered their alert.
Thanks!
comment:4 Changed 10 months ago by jmroot (Joshua Root)
`./configure && make` builds the source and shouldn't change anything outside the build directory. `make install` creates, deletes, and/or updates the files that comprise the MacPorts base installation, and creates or updates the macports user. That's pretty much it. https://github.com/macports/macports-base/blob/v2.9.0/Makefile.in#L34