macOS Agent Hardening
It is not currently possible to prevent a local administrator account on macOS from starting and stopping a background service like the Verify Privilege Manager agent. The generally accepted best practice is for the end user to log into a "standard" (non-administrative) account. This should not be a hardship in conjunction with Verify Privilege Manager, once an appropriate but limited set of tools is enabled for the end user.
When the Verify Privilege Manager agent is installed on a macOS endpoint, three processes run in the background. Two of these are macOS launch daemons that run as root, and the third is a macOS launch agent that runs in the current user's context. These processes are run by the launchd process, which will automatically relaunch them if they are terminated. Moving Verify Privilege Manager to the Trash in an attempt to disable the functionality will not be allowed by the Finder while the processes are still running; bypassing this requires administrative privileges.
The term "launch agent" has a specific meaning in macOS, and is not related to the use of the word "agent" to describe the Verify Privilege Manager endpoint software.
In addition, a sudo plugin is installed that connects the sudo command to the Verify Privilege Manager policy engine. This modifies the default behavior of the sudo command.
Possible Areas of Concern
- An administrative user could use the launchctl command to disable the Verify Privilege Manager processes (the launch daemons com.delinea.acsd and pmcored, and the launch agent Verify Privilege Manager). To mitigate, create a blocking policy for /bin/launchctl. The "Block Agent Removal - launchctl" policy prevents a privileged user from unloading, removing, and/or stopping either of the above LaunchDaemons and LaunchAgents.
- The application bundle Verify Privilege Manager.app could be deleted from the command line by an administrative user (possibly after first disabling the sudo plugin).
- The sudo plugin could be disabled by an administrative user by removing or renaming the file /etc/sudo.conf. This can be done from the Finder (i.e., even if the normal use of sudo is blocked by policies implemented through the plugin itself, or if the plugin fails to work normally due to other issues with Verify Privilege Manager).
- On most Unix systems, the command su can be used to log into the root account (assuming one knows the root password), which gives complete access to the system. On macOS the root account is disabled by default, but can be enabled by an administrative user; see the Apple support document at https://support.apple.com/en-us/HT204012.
Locations of Verify Privilege Manager Files
The Verify Privilege Manager agent is implemented by files in the following locations:
- /Applications/Privilege Manager.app
  This application bundle contains the Verify Privilege Manager launch agent and the launch daemons, which together implement the main functionality of the PM agent.
- /Library/Application Support/Delinea/Agent
  This folder contains configuration information and other data necessary for the Verify Privilege Manager agent.
- /Library/LaunchAgents/com.delinea.acsgui.plist
  This file is used by the macOS launchd system service to start the Verify Privilege Manager launch agent when the user logs in.
- /Library/LaunchDaemons
  Verify Privilege Manager installs a number of plist files into this folder; the macOS launchd system service uses these files to start the Verify Privilege Manager background processes when the Mac starts up or as required.
- /Library/SystemExtensions
  In macOS Big Sur and later, the com.delinea.acsd.systemextension system extension is automatically copied into this folder when Verify Privilege Manager is first installed. If Verify Privilege Manager is uninstalled, the extension will be deactivated by the system and will be fully removed when the Mac is next restarted. This is currently only possible if SIP is disabled.
- /usr/local/delinea/agent
  This folder contains a number of shell scripts that are present for compatibility with older versions of the Verify Privilege Manager agent (they now invoke the pmagentctl command line tool).
- /usr/local/libexec/sudo
  This folder contains the sudo plugin delinea_plugin.so that integrates Verify Privilege Manager with the sudo command.
- /etc/sudo.conf
  This file is added by the Verify Privilege Manager installer to configure the sudo command to use the IBM Security sudo plugin delinea_plugin.so when it is run from the command line.
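As an added example (not part of this documentation and not Delinea's or IBM's own tooling), the following POSIX shell script audits an endpoint against the file locations listed above and the tampering routes described under Possible Areas of Concern: a documented file that has gone missing, an /etc/sudo.conf that no longer names delinea_plugin.so, and launch daemons that launchd no longer has loaded. It assumes sudo.conf registers the plugin with the standard "Plugin <symbol> <path>" directive (the symbol name is not given on this page), and ROOT is a hypothetical path prefix so the same checks can be exercised against a constructed directory tree.

```sh
#!/bin/sh
# Audit the on-disk and launchd footprint of the Verify Privilege Manager agent
# (added example, not vendor tooling). ROOT prefixes every path so the checks
# can run against a constructed tree; on a live endpoint use "" and run as root.
# Assumption: /etc/sudo.conf uses a standard "Plugin <symbol> <path>" line.

# Documented locations; any one absent points at tampering or a broken install.
VPM_PATHS='/Applications/Privilege Manager.app
/Library/Application Support/Delinea/Agent
/Library/LaunchAgents/com.delinea.acsgui.plist
/usr/local/libexec/sudo/delinea_plugin.so
/etc/sudo.conf'

# Print each documented path missing under ROOT; return 0 only if none is.
vpm_missing_files() {
  root="${1:-}"
  missing=$(printf '%s\n' "$VPM_PATHS" | while IFS= read -r p; do
    [ -e "$root$p" ] || printf 'MISSING %s\n' "$p"
  done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Confirm /etc/sudo.conf still routes sudo through delinea_plugin.so; a renamed
# or deleted file (the Finder-based concern above) fails this check.
vpm_sudo_conf_ok() {
  conf="${1:-}/etc/sudo.conf"
  [ -f "$conf" ] || return 1
  grep -Eq '^[[:space:]]*Plugin[[:space:]]+[^[:space:]]+[[:space:]]+([^[:space:]]*/)?delinea_plugin\.so' "$conf"
}

# Confirm launchd still has both daemons loaded (system domain, so run as root).
# launchctl exists only on macOS; elsewhere return 2, meaning "skipped".
vpm_daemons_loaded() {
  command -v launchctl >/dev/null 2>&1 || return 2
  for name in com.delinea.acsd pmcored; do
    launchctl list | grep -q "$name" || { printf 'NOT LOADED %s\n' "$name"; return 1; }
  done
}

# Run every check against ROOT; return 0 only if all pass (a skip is not a failure).
vpm_audit() {
  root="${1:-}"; status=0
  vpm_missing_files "$root" || status=1
  vpm_sudo_conf_ok "$root" || { echo 'BAD /etc/sudo.conf'; status=1; }
  vpm_daemons_loaded || [ $? -ne 1 ] || status=1
  return $status
}
```

Source the file in a root shell on the endpoint and run vpm_audit "" to get a non-zero exit status whenever any of the documented files or daemons has been removed or disabled.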