google / grr

GRR Rapid Response: remote live forensics for incident response
https://grr-doc.readthedocs.io/
Apache License 2.0

Catalina (macOS 10.15.5) - Operation not permitted #786

Open siftuser opened 4 years ago

siftuser commented 4 years ago

Has anybody noticed an "Operation not permitted" error on filesystem operations such as listing or collecting files from agents running Catalina? If so, is there any workaround? Thank you

mari0d commented 4 years ago

Hello @siftuser - is your GRR agent signed/notarised? Catalina now enforces integrity checks via Gatekeeper by default. See https://support.apple.com/en-us/HT202491.

If you are a member of the grr-users Google Group you might find this discussion helpful: https://groups.google.com/forum/#!topic/grr-users/a4xWecZm_AA

siftuser commented 4 years ago

Thanks @mari0d for sharing both useful links. The code signing steps described in Google Groups seem a bit tricky ... I would appreciate it if anybody has a working guide or procedure. Thanks

mbushkov commented 4 years ago

There was a similar request concerning the Windows binary signing documentation. Our GRR client signing instructions are out of date. Unfortunately, I didn't have free cycles to update them yet - will do that on Monday of the coming week.

siftuser commented 4 years ago

Thank you @mbushkov. Greatly appreciated

mbushkov commented 4 years ago

@siftuser - I did an iteration on our GRR client signing docs. The PR is here (will submit it soon): https://github.com/google/grr-doc/pull/121/files

Hope this helps.

siftuser commented 4 years ago

Thank you @mbushkov