lix-project/lix
20
57
Fork 31
Code Issues 349 Code Review (Gerrit) Projects 3 Releases Wiki Activity

runinpty.py triggers CrowdStrike security alerts on MacOS #480

New issue
Closed
opened 2024-08-20 20:21:04 +00:00 by codingkoi · 3 comments
codingkoi commented 2024-08-20 20:21:04 +00:00
Copy link

Describe the bug

A recent change to remove a dependency on expect(1) added a Python script that seems to trigger CrowdStrike security checks when it runs. As a result I've had to revert to CppNix on my work MacOS machine.

This is mostly an FYI since I'm not sure how you'd fix it (aside from reverting), or if you want to.

Here's a redacted version of the report I received:

Escalation by Falcon Complete Team

An escalation has been raised that requires your action.

Actions Required

Validate Activity

Notes on Required Actions:

At Aug. 13, 2024 22:02:53 UTC, Falcon triggered a detection on the host <HOST_NAME_REDACTED> for activity assoicated with a potential remote access software.

The following instance of Python created what appears to be an interactive instance of BASH.

Command Line: /nix/store/dgky6xnjyxriicbk3rbqycfp05niqk0v-python3-3.11.9/bin/python3 /private/tmp/nix-build-lix-2.92.0-dev-pre20240813-b016eb0.drv-0/source/build/misc/runinpty.py sh -c stty rows 0 cols 0 TERM=xterm-256color NOCOLOR=1 nix flake show

The script runinpty.py was written to disk as the result of the execution of the following script:
File Path: /nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh
SHA256: 6ad51d3204d86970d472da2e39d6f7c73a578913ae689676e2770e162ed58743

This appears to be administrator resulting from the user <USERNAME_REDACTED> deploying packages using Nix, however similar activity has not previously been observed in your environment.

Please verify this activity was expected and approved.

Steps To Reproduce

Not sure how you'd test this without a system running CrowdStrike, so this is more of an FYI

Expected behavior

Ideally Nix/Lix shouldn't trigger security alerts.

nix --version output

nix (Lix, like Nix) 2.92.0-dev-pre20240813-b016eb0
## Describe the bug A recent [change to remove a dependency on `expect(1)`](https://git.lix.systems/lix-project/lix/commit/0c7619535112e19232384e15e82ffa6a5af7569d) added a Python script that seems to trigger CrowdStrike security checks when it runs. As a result I've had to revert to CppNix on my work MacOS machine. This is mostly an FYI since I'm not sure how you'd fix it (aside from reverting), or if you want to. Here's a redacted version of the report I received: > ## Escalation by Falcon Complete Team > An escalation has been raised that requires your action. > > ### Actions Required > Validate Activity > > ### Notes on Required Actions: > >At Aug. 13, 2024 22:02:53 UTC, Falcon triggered a detection on the host <HOST_NAME_REDACTED> for activity assoicated with a potential remote access software. > >The following instance of Python created what appears to be an interactive instance of BASH. > >Command Line: /nix/store/dgky6xnjyxriicbk3rbqycfp05niqk0v-python3-3.11.9/bin/python3 /private/tmp/nix-build-lix-2.92.0-dev-pre20240813-b016eb0.drv-0/source/build/misc/runinpty.py sh -c stty rows 0 cols 0 TERM=xterm-256color NOCOLOR=1 nix flake show > >The script runinpty.py was written to disk as the result of the execution of the following script: File Path: /nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh SHA256: 6ad51d3204d86970d472da2e39d6f7c73a578913ae689676e2770e162ed58743 > >This appears to be administrator resulting from the user <USERNAME_REDACTED> deploying packages using Nix, however similar activity has not previously been observed in your environment. > >Please verify this activity was expected and approved. ## Steps To Reproduce Not sure how you'd test this without a system running CrowdStrike, so this is more of an FYI ## Expected behavior Ideally Nix/Lix shouldn't trigger security alerts. ## `nix --version` output ``` nix (Lix, like Nix) 2.92.0-dev-pre20240813-b016eb0 ```
codingkoi added the
bug
 label 2024-08-20 20:21:04 +00:00
jade commented 2024-08-20 21:02:58 +00:00
Owner
Copy link

Please get your corporate security team to hold CrowdStrike's feet to the fire on this one. The code in that script is copy pasted from the Python standard library and lightly modified, and does not perform any network access (although hm, I wonder if the Nix offline detection inside or something is what triggered their EDR by looking like network access).

It is impossible to test the code path in nix flake show without running an instance of Bash with a pseudoterminal attached, as it tests terminal size (you can see that from the stty command included in there), so we cannot remove it.

If you do feel like causing them an alert with just corporate-approved(tm) software literally included in macOS, try script -q /dev/null sh -c 'stty cols 0; nix flake show github:lix-project/lix'.

I don't know what to say, this is just your corporate security software breaking legitimate use cases. We would love to not need that python script, but if you read its sources, it exists because script(1) has inconsistent command line arguments across systems, and so it is most reasonable to write a custom wrapper.

If it is absolutely unacceptable that your system runs this code, consider writing a Nix overlay something like: final: prev: { lix = prev.lix.overrideAttrs { doInstallCheck = false; }; } and including it after the lix-overlay in your configuration. That would disable the testsuite that contains this code.

Please get your corporate security team to hold CrowdStrike's feet to the fire on this one. The code in that script is copy pasted from the Python standard library and lightly modified, and does not perform any network access (although hm, I wonder if the Nix offline detection inside or something is what triggered their EDR by looking like network access). It is impossible to test the code path in `nix flake show` without running an instance of Bash with a pseudoterminal attached, as it tests terminal size (you can see that from the stty command included in there), so we cannot remove it. If you do feel like causing them an alert with just corporate-approved(tm) software literally included in macOS, try `script -q /dev/null sh -c 'stty cols 0; nix flake show github:lix-project/lix'`. I don't know what to say, this is just your corporate security software breaking legitimate use cases. We would love to not need that python script, but if you read its sources, it exists because `script(1)` has inconsistent command line arguments across systems, and so it is most reasonable to write a custom wrapper. If it is absolutely unacceptable that your system runs this code, consider writing a Nix overlay something like: `final: prev: { lix = prev.lix.overrideAttrs { doInstallCheck = false; }; }` and including it after the lix-overlay in your configuration. That would disable the testsuite that contains this code.
jade closed this issue 2024-08-20 21:02:58 +00:00
jade added the
Status
invalid
 label 2024-08-20 21:03:02 +00:00
codingkoi commented 2024-08-20 21:09:36 +00:00
Author
Copy link

Thanks for the reply. Yeah it's not an ideal situation, and I didn't expect y'all to try to fix it. It's corporate BS that is causing the problem here.

Like I said, I opened this more as an FYI, and for anyone else who runs into this to find.

Thanks for the reply. Yeah it's not an ideal situation, and I didn't expect y'all to try to fix it. It's corporate BS that is causing the problem here. Like I said, I opened this more as an FYI, and for anyone else who runs into this to find.
jade commented 2024-08-20 21:12:10 +00:00
Owner
Copy link

I have given a workaround to stop Lix triggering it, but I would honestly recommend writing a strongly worded reply to your corporate security department that the alert is illegitimate and that you'll continue causing similar ones until they fix their EDR.

You can of course also use binary versions of Lix from nixpkgs, which will not have this problem.

I have given a workaround to stop Lix triggering it, but I would honestly recommend writing a strongly worded reply to your corporate security department that the alert is illegitimate and that you'll continue causing similar ones until they fix their EDR. You can of course also use binary versions of Lix from nixpkgs, which will not have this problem.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release-2.91
sb/raito/phantom-referrers-gc
repl-overlay-example
reuse-compliance
release-2.90
git-series/activity-cleanup
sb/tom-hubrecht/primops.cc-v2
sb/bacchanalia/cache-strlen%topic=substr-perf
sb/arcuru/commit-msg
sb/qyriad/beta-1
sb/qyriad/2.90-beta.0
rbt/pre-commit-update
sb/rbt/test-branch
sb/rbt/justfile
sb/rbt/repl-overlays
sb/fuck/what
sb/rbt/pre-commit
sb/rbt/makeflags
sb/pennae/io-rewrite
sb/qyriad/maint-meson
sb/qyriad/maint/meson
sb/puck/meson-c-api
sb/pennae/parser-rewrite
sb/jade/burn-it-all
dependabot/github_actions/zeebe-io/backport-action-2.4.1
dependabot/github_actions/cachix/install-nix-action-25
dependabot/github_actions/actions/labeler-5
dependabot/github_actions/cachix/cachix-action-14
2.91.1
2.91.0
2.90.0
2.90.0-rc1
2.90-beta.1
2.90-beta.0
Labels
Clear labels   
Area/build-packaging

regarding the building or packaging of Lix itself

  
Area/cli

The command line interface of Lix

  
Area/evaluator

libexpr and anything else related to the evaluation of Nix expressions

  
Area/fetching

Fetching sources or other materials from the World Wide Web in Lix

  
Area/flakes

   
Area/language

language design, features, extensions, etc

  
Area/profiles

profiles: nix-env, nix profile, and installer flavors all alike

  
Area/protocol

The protocol, used for communicating between the client and the daemon

  
Area/releng

Release engineering

  
Area/remote-builds

remote builds

  
Area/repl

nix repl

  
Area/store

libstore and anything else relating to the Nix store

  
bug

it's a bug

  
crash 💥

Lix crashes (possibly bad error handling)

  
Cross Compilation

   
devx

development experience issues

  
docs

requires or is about documentation changes

  
Downstream Dependents

regarding an external tool's usage with Lix (e.g. nix-eval-jobs)

  
E/easy

bug is relatively simple and could simply be fixed with some minor effort

  
E/hard

this issue should probably be solved with close involvement of an expert

  
E/help wanted

maintainers may not get to this soon, but we want it fixed

  
E/reproducible

This bug is reproducible and obvious.

  
E/requires rearchitecture

this bug cannot be fixed properly without fixing a known architectural flaw

  
imported

Issue imported from upstream nix (please do not remove this label, it will cause dupes if import is rerun)

  
Needs Langver

We can't get to this until we implement language versioning

  
OS/Linux

Affects specifically Lix on Linux

  
OS/macOS

Affects specifically Lix on macOS

  
performance

make lix go faster

  
regression

This is a regression since some previous version of Lix

  
release-blocker

Blocks public release

  
RFD

Request for discussion

  
stability

Fixing this makes the software more stable

  
Status
blocked
Blocked on something

  
Status
invalid
not our bug, duplicate, similar

  
Status
postponed
closed but should maybe look at later (generally with S-wontfix)

  
Status
wontfix
We chose not to change this (see issue comments for more detail).

  
testing

Tests that should be added

  
testing/flakey

Tests that are unreliable/flakey (not to be confused with flakes that test)

  
ux

makes the user experience better :)

No labels
Area/build-packaging
Area/cli
Area/evaluator
Area/fetching
Area/flakes
Area/language
Area/profiles
Area/protocol
Area/releng
Area/remote-builds
Area/repl
Area/store
bug
crash 💥
Cross Compilation
devx
docs
Downstream Dependents
E/easy
E/hard
E/help wanted
E/reproducible
E/requires rearchitecture
imported
Needs Langver
OS/Linux
OS/macOS
performance
regression
release-blocker
RFD
stability
Status
blocked
Status
invalid
Status
postponed
Status
wontfix
testing
testing/flakey
ux
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lix-project/lix#480
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?