macOS Agent Hardening

It is not currently possible to prevent a local administrator account on macOS from starting and stopping a background service such as the Privilege Manager agent. The generally accepted best practice is therefore for the end user to log into a "standard" (non-administrative) account. Used together with Privilege Manager, this should not be a hardship once an appropriate but limited set of tools has been enabled for that user.

When the Privilege Manager agent is installed on a macOS endpoint, three processes run in the background. Two of these are macOS launch daemons that run as root, and the third is a macOS launch agent that runs in the context of the logged-in user. All three are started by launchd, which automatically relaunches them if they are terminated. While the processes are running, the Finder will not allow Privilege Manager.app to be moved to the Trash in an attempt to disable the functionality; bypassing this requires administrative privileges.

The term "launch agent" has a specific meaning in macOS, and is not related to the use of the word "agent" to describe the Privilege Manager endpoint software.

In addition, a sudo plugin is installed that connects the sudo command to the Privilege Manager policy engine. This modifies the default behavior of the sudo command.

Possible Areas of Concern

  • An administrative user could use the launchctl command to disable the Privilege Manager processes (the launch daemons com.delinea.acsd and pmcored, and the launch agent Privilege Manager).

    To mitigate, create a blocking policy for /bin/launchctl. The policy Block Agent Removal - launchctl prevents a privileged user from unloading, removing, or stopping any of the above launch daemons and launch agents. Because this block is enforced by the agent itself, it is effective only while the agent is running, and it does not close the other routes listed below.

  • The application bundle Privilege Manager.app could be deleted from the command line by an administrative user (possibly after first disabling the sudo plugin).

  • The sudo plugin could be disabled by an administrative user by removing or renaming the file /etc/sudo.conf. This can be done from the Finder, so it works even if normal use of sudo is blocked by policies implemented through the plugin itself, or if the plugin is not working because of other issues with Privilege Manager. Without /etc/sudo.conf, sudo falls back to its built-in sudoers policy and the Privilege Manager policy engine is no longer consulted.

  • On most Unix systems, the su command can be used to log into the root account (given the root password), which gives complete access to the system without going through sudo or its plugin at all. On macOS the root account is disabled by default, but it can be enabled by an administrative user; see the Apple support document at https://support.apple.com/en-us/HT204012.

Refer to this video demonstration.

Locations of Privilege Manager Files

The Privilege Manager agent is implemented by files in the following locations:

  • /Applications/Privilege Manager.app

    This application bundle contains the Privilege Manager launch agent and the launch daemons, which together implement the main functionality of the Privilege Manager agent.

  • /Library/Application Support/Delinea/Agent

    This folder contains configuration information and other data necessary for the Privilege Manager agent.

  • /Library/LaunchAgents/com.delinea.acsgui.plist

    This file is used by the macOS launchd system service to start the Privilege Manager launch agent when the user logs in.

  • /Library/LaunchDaemons

    Privilege Manager installs a number of plist files into this folder; the macOS launchd system service uses these files to start the Privilege Manager background processes when the Mac starts up or as required.

  • /Library/SystemExtensions

    In macOS Big Sur and later, the com.delinea.acsd.systemextension system extension is automatically copied into this folder when Privilege Manager is first installed. If Privilege Manager is uninstalled, the extension is deactivated by the system and fully removed when the Mac is next restarted. Removing the extension from this folder by hand is currently only possible if System Integrity Protection (SIP) is disabled.

  • /usr/local/delinea/agent

    This folder contains a number of shell scripts that are present for compatibility with older versions of the Privilege Manager agent (they now invoke the pmagentctl command line tool).

  • /usr/local/libexec/sudo

    This folder contains the sudo plugin delinea_plugin.so that integrates Privilege Manager with the sudo command.

  • /etc/sudo.conf

    This file is added by the Privilege Manager installer to configure the sudo command to use the Delinea sudo plugin delinea_plugin.so when it is run from the command line.
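
As an added example (not part of the Privilege Manager product or its documentation), the following shell script audits the areas of concern listed earlier together with the file locations listed here: it counts which documented paths are missing, checks whether /etc/sudo.conf still loads delinea_plugin.so, checks whether the named launchd jobs have a live PID, and checks whether the root account has been enabled. Paths, plist and plugin names are taken from this page; the launchd labels passed to launchd_jobs_running, the ";DisabledUser;" marker expected in dscl output, and the exact form of the Plugin line in sudo.conf are assumptions to confirm on a real endpoint.

```shell
#!/bin/sh
# Added audit script for the "areas of concern" and the file locations above.
# Not part of Privilege Manager. Paths and names come from the page; the
# launchd labels and the ";DisabledUser;" marker are assumptions to verify.
# Run as: sudo sh pm_audit.sh

# Files the installer is documented to create, relative to a root prefix so
# the same check can be pointed at a test tree or a mounted volume.
AGENT_PATHS='Applications/Privilege Manager.app
Library/Application Support/Delinea/Agent
Library/LaunchAgents/com.delinea.acsgui.plist
usr/local/delinea/agent
usr/local/libexec/sudo/delinea_plugin.so
etc/sudo.conf'

# Print how many documented agent files are missing under prefix "$1"
# (empty prefix = live system). Missing paths go to stderr so stdout is
# only the count.
missing_agent_files() {
  local root="$1" n=0 p old_ifs
  old_ifs=$IFS
  IFS='
'
  for p in $AGENT_PATHS; do
    if [ ! -e "$root/$p" ]; then
      printf 'MISSING: %s/%s\n' "$root" "$p" >&2
      n=$((n + 1))
    fi
  done
  IFS=$old_ifs
  echo "$n"
}

# Succeed only if sudo.conf still loads delinea_plugin.so via an uncommented
# "Plugin <symbol> <path>" line. With no sudo.conf, or no such line, sudo
# silently uses its built-in sudoers policy and the agent is bypassed.
sudo_plugin_active() {
  local conf="${1:-/etc/sudo.conf}"
  [ -f "$conf" ] || return 1
  grep -Eq '^[[:space:]]*Plugin[[:space:]]+[A-Za-z_]+[[:space:]]+([^[:space:]]*/)?delinea_plugin\.so([[:space:]]|$)' "$conf"
}

# Read "launchctl list" output on stdin (columns: PID Status Label) and
# report each requested label that is absent or loaded without a live PID
# (launchctl prints "-" for a stopped job). Exit 0 only if all are running.
launchd_jobs_running() {
  local listing label rc=0
  listing=$(cat)
  for label in "$@"; do
    if ! printf '%s\n' "$listing" |
        awk -v l="$label" '$3 == l && $1 ~ /^[0-9]+$/ { f = 1 } END { exit !f }'; then
      echo "NOT RUNNING: $label"
      rc=1
    fi
  done
  return "$rc"
}

# Read "dscl . -read /Users/root AuthenticationAuthority" output on stdin.
# Assumption: a disabled root account carries the ";DisabledUser;" tag, so
# its absence means root was enabled and the su route is open. Empty input
# (dscl failed) is reported as "not enabled" rather than guessed.
root_account_enabled() {
  local out
  out=$(cat)
  [ -n "$out" ] || return 1
  ! printf '%s\n' "$out" | grep -q 'DisabledUser'
}

# Live audit; skipped on non-macOS hosts so the functions can be exercised alone.
if [ "$(uname)" = "Darwin" ]; then
  echo "missing agent files: $(missing_agent_files "")"
  if sudo_plugin_active; then echo "sudo plugin: active"; else echo "sudo plugin: NOT active"; fi
  # Run under sudo so launchctl lists the system domain; the launch agent
  # (com.delinea.acsgui) lives in the user session and is not shown here.
  launchctl list | launchd_jobs_running com.delinea.acsd pmcored
  if dscl . -read /Users/root AuthenticationAuthority 2>/dev/null | root_account_enabled; then
    echo "root account: ENABLED"
  else
    echo "root account: disabled"
  fi
fi
```

Each check is written against an explicit input (a path prefix, a file, or text on stdin) rather than the live system, so the same functions can be run against a captured sudo.conf or launchctl listing from an incident, and a missing file or an empty dscl result is reported rather than silently treated as "fine".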