pmarkowsky
commented
8 months ago This potentially could be done with something like CEL as proposed in #1200.
Open S-Groening opened 8 months ago
pmarkowsky
commented
8 months ago This potentially could be done with something like CEL as proposed in #1200.
It would be immensely powerful, being able to only let a given rule either apply or not apply to a given user.
Effectively, this could help admins secure [configuration] files that are not governed by System Integrity Protection (SIP) from any user(-s) or any other user(-s) than certain user(-s) - e.g. securing /etc/sudoers and /etc/sudoers.d/* from any user(-s) except your local admin or the user that your management solution (e.g. Jamf Pro) uses for management purposes.
This way, through the use of rules with Santa, you'd be able to secure otherwise vulnerable files from users exploring their sudo rights' capabilities in a potentially harmful manner.