runinpty.py triggers CrowdStrike security alerts on MacOS #480

New issue

Closed

opened 2024-08-20 20:21:04 +00:00 by codingkoi · 3 comments

codingkoi commented 2024-08-20 20:21:04 +00:00

Copy link

Describe the bug

A recent change to remove a dependency on expect(1) added a Python script that seems to trigger CrowdStrike security checks when it runs. As a result I've had to revert to CppNix on my work MacOS machine.

This is mostly an FYI since I'm not sure how you'd fix it (aside from reverting), or if you want to.

Here's a redacted version of the report I received:

Escalation by Falcon Complete Team

An escalation has been raised that requires your action.

Actions Required

Validate Activity

Notes on Required Actions:

At Aug. 13, 2024 22:02:53 UTC, Falcon triggered a detection on the host <HOST_NAME_REDACTED> for activity assoicated with a potential remote access software.

The following instance of Python created what appears to be an interactive instance of BASH.

Command Line: /nix/store/dgky6xnjyxriicbk3rbqycfp05niqk0v-python3-3.11.9/bin/python3 /private/tmp/nix-build-lix-2.92.0-dev-pre20240813-b016eb0.drv-0/source/build/misc/runinpty.py sh -c stty rows 0 cols 0 TERM=xterm-256color NOCOLOR=1 nix flake show

The script runinpty.py was written to disk as the result of the execution of the following script:
File Path: /nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh
SHA256: 6ad51d3204d86970d472da2e39d6f7c73a578913ae689676e2770e162ed58743

This appears to be administrator resulting from the user <USERNAME_REDACTED> deploying packages using Nix, however similar activity has not previously been observed in your environment.

Please verify this activity was expected and approved.

Steps To Reproduce

Not sure how you'd test this without a system running CrowdStrike, so this is more of an FYI

Expected behavior

Ideally Nix/Lix shouldn't trigger security alerts.

nix --version output

nix (Lix, like Nix) 2.92.0-dev-pre20240813-b016eb0

## Describe the bug A recent [change to remove a dependency on `expect(1)`](https://git.lix.systems/lix-project/lix/commit/0c7619535112e19232384e15e82ffa6a5af7569d) added a Python script that seems to trigger CrowdStrike security checks when it runs. As a result I've had to revert to CppNix on my work MacOS machine. This is mostly an FYI since I'm not sure how you'd fix it (aside from reverting), or if you want to. Here's a redacted version of the report I received: > ## Escalation by Falcon Complete Team > An escalation has been raised that requires your action. > > ### Actions Required > Validate Activity > > ### Notes on Required Actions: > >At Aug. 13, 2024 22:02:53 UTC, Falcon triggered a detection on the host <HOST_NAME_REDACTED> for activity assoicated with a potential remote access software. > >The following instance of Python created what appears to be an interactive instance of BASH. > >Command Line: /nix/store/dgky6xnjyxriicbk3rbqycfp05niqk0v-python3-3.11.9/bin/python3 /private/tmp/nix-build-lix-2.92.0-dev-pre20240813-b016eb0.drv-0/source/build/misc/runinpty.py sh -c stty rows 0 cols 0 TERM=xterm-256color NOCOLOR=1 nix flake show > >The script runinpty.py was written to disk as the result of the execution of the following script: File Path: /nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh SHA256: 6ad51d3204d86970d472da2e39d6f7c73a578913ae689676e2770e162ed58743 > >This appears to be administrator resulting from the user <USERNAME_REDACTED> deploying packages using Nix, however similar activity has not previously been observed in your environment. > >Please verify this activity was expected and approved. ## Steps To Reproduce Not sure how you'd test this without a system running CrowdStrike, so this is more of an FYI ## Expected behavior Ideally Nix/Lix shouldn't trigger security alerts. ## `nix --version` output ``` nix (Lix, like Nix) 2.92.0-dev-pre20240813-b016eb0 ```

codingkoi added the

bug

label 2024-08-20 20:21:04 +00:00

jade commented 2024-08-20 21:02:58 +00:00

Owner

Copy link

Please get your corporate security team to hold CrowdStrike's feet to the fire on this one. The code in that script is copy pasted from the Python standard library and lightly modified, and does not perform any network access (although hm, I wonder if the Nix offline detection inside or something is what triggered their EDR by looking like network access).

It is impossible to test the code path in nix flake show without running an instance of Bash with a pseudoterminal attached, as it tests terminal size (you can see that from the stty command included in there), so we cannot remove it.

If you do feel like causing them an alert with just corporate-approved(tm) software literally included in macOS, try script -q /dev/null sh -c 'stty cols 0; nix flake show github:lix-project/lix'.

I don't know what to say, this is just your corporate security software breaking legitimate use cases. We would love to not need that python script, but if you read its sources, it exists because script(1) has inconsistent command line arguments across systems, and so it is most reasonable to write a custom wrapper.

If it is absolutely unacceptable that your system runs this code, consider writing a Nix overlay something like: final: prev: { lix = prev.lix.overrideAttrs { doInstallCheck = false; }; } and including it after the lix-overlay in your configuration. That would disable the testsuite that contains this code.

Please get your corporate security team to hold CrowdStrike's feet to the fire on this one. The code in that script is copy pasted from the Python standard library and lightly modified, and does not perform any network access (although hm, I wonder if the Nix offline detection inside or something is what triggered their EDR by looking like network access). It is impossible to test the code path in `nix flake show` without running an instance of Bash with a pseudoterminal attached, as it tests terminal size (you can see that from the stty command included in there), so we cannot remove it. If you do feel like causing them an alert with just corporate-approved(tm) software literally included in macOS, try `script -q /dev/null sh -c 'stty cols 0; nix flake show github:lix-project/lix'`. I don't know what to say, this is just your corporate security software breaking legitimate use cases. We would love to not need that python script, but if you read its sources, it exists because `script(1)` has inconsistent command line arguments across systems, and so it is most reasonable to write a custom wrapper. If it is absolutely unacceptable that your system runs this code, consider writing a Nix overlay something like: `final: prev: { lix = prev.lix.overrideAttrs { doInstallCheck = false; }; }` and including it after the lix-overlay in your configuration. That would disable the testsuite that contains this code.

jade closed this issue 2024-08-20 21:02:58 +00:00

jade added the

Status

invalid

label 2024-08-20 21:03:02 +00:00

codingkoi commented 2024-08-20 21:09:36 +00:00

Author

Copy link

Thanks for the reply. Yeah it's not an ideal situation, and I didn't expect y'all to try to fix it. It's corporate BS that is causing the problem here.

Like I said, I opened this more as an FYI, and for anyone else who runs into this to find.

Thanks for the reply. Yeah it's not an ideal situation, and I didn't expect y'all to try to fix it. It's corporate BS that is causing the problem here. Like I said, I opened this more as an FYI, and for anyone else who runs into this to find.

jade commented 2024-08-20 21:12:10 +00:00

Owner

Copy link

I have given a workaround to stop Lix triggering it, but I would honestly recommend writing a strongly worded reply to your corporate security department that the alert is illegitimate and that you'll continue causing similar ones until they fix their EDR.

You can of course also use binary versions of Lix from nixpkgs, which will not have this problem.

I have given a workaround to stop Lix triggering it, but I would honestly recommend writing a strongly worded reply to your corporate security department that the alert is illegitimate and that you'll continue causing similar ones until they fix their EDR. You can of course also use binary versions of Lix from nixpkgs, which will not have this problem.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

release-2.91

sb/raito/phantom-referrers-gc

repl-overlay-example

reuse-compliance

release-2.90

git-series/activity-cleanup

sb/tom-hubrecht/primops.cc-v2

sb/bacchanalia/cache-strlen%topic=substr-perf

sb/arcuru/commit-msg

sb/qyriad/beta-1

sb/qyriad/2.90-beta.0

rbt/pre-commit-update

sb/rbt/test-branch

sb/rbt/justfile

sb/rbt/repl-overlays

sb/fuck/what

sb/rbt/pre-commit

sb/rbt/makeflags

sb/pennae/io-rewrite

sb/qyriad/maint-meson

sb/qyriad/maint/meson

sb/puck/meson-c-api

sb/pennae/parser-rewrite

sb/jade/burn-it-all

dependabot/github_actions/zeebe-io/backport-action-2.4.1

dependabot/github_actions/cachix/install-nix-action-25

dependabot/github_actions/actions/labeler-5

dependabot/github_actions/cachix/cachix-action-14

2.91.1

2.91.0

2.90.0

2.90.0-rc1

2.90-beta.1

2.90-beta.0

Labels

Clear labels   

Area/build-packaging

regarding the building or packaging of Lix itself

  

Area/cli

The command line interface of Lix

  

Area/evaluator

libexpr and anything else related to the evaluation of Nix expressions

  

Area/fetching

Fetching sources or other materials from the World Wide Web in Lix

  

Area/flakes

  

Area/language

language design, features, extensions, etc

  

Area/profiles

profiles: nix-env, nix profile, and installer flavors all alike

  

Area/protocol

The protocol, used for communicating between the client and the daemon

  

Area/releng

Release engineering

  

Area/remote-builds

remote builds

  

Area/repl

nix repl

  

Area/store

libstore and anything else relating to the Nix store

  

bug

it's a bug

  

Cross Compilation

  

devx

development experience issues

  

docs

requires or is about documentation changes

  

Downstream Dependents

regarding an external tool's usage with Lix (e.g. nix-eval-jobs)

  

E/easy

bug is relatively simple and could simply be fixed with some minor effort

  

E/hard

this issue should probably be solved with close involvement of an expert

  

E/help wanted

maintainers may not get to this soon, but we want it fixed

  

E/reproducible

This bug is reproducible and obvious.

  

E/requires rearchitecture

this bug cannot be fixed properly without fixing a known architectural flaw

  

imported

Issue imported from upstream nix (please do not remove this label, it will cause dupes if import is rerun)

  

Needs Langver

We can't get to this until we implement language versioning

  

OS/Linux

Affects specifically Lix on Linux

  

OS/macOS

Affects specifically Lix on macOS

  

performance

make lix go faster

  

regression

This is a regression since some previous version of Lix

  

release-blocker

Blocks public release

  

RFD

Request for discussion

  

stability

Fixing this makes the software more stable

  

Status

blocked

Blocked on something

  

Status

invalid

not our bug, duplicate, similar

  

Status

postponed

closed but should maybe look at later (generally with S-wontfix)

  

Status

wontfix

We chose not to change this (see issue comments for more detail).

  

testing

Tests that should be added

  

testing/flakey

Tests that are unreliable/flakey (not to be confused with flakes that test)

  

ux

makes the user experience better :)

No labels

Area/build-packaging

Area/cli

Area/evaluator

Area/fetching

Area/flakes

Area/language

Area/profiles

Area/protocol

Area/releng

Area/remote-builds

Area/repl

Area/store

bug

Cross Compilation

devx

docs

Downstream Dependents

E/easy

E/hard

E/help wanted

E/reproducible

E/requires rearchitecture

imported

Needs Langver

OS/Linux

OS/macOS

performance

regression

release-blocker

RFD

stability

Status

blocked

Status

invalid

Status

postponed

Status

wontfix

testing

testing/flakey

ux

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lix-project/lix#480

No description provided.