Questions for Security lab:

Question: Are there any operational changes for FileVault management between macOS Sonoma and macOS Sequoia?

Answer: One change, with regard to PlatformSSO. In Sequoia, there's enough of a network stack at the FileVault pre-boot login screen to support connecting to PlatformSSO identity providers via a network connection (Wi-Fi, Ethernet, etc.).

Question: OpenBSM auditing is deprecated and switched off in macOS Sonoma, but it can be re-enabled. Has there been any change to this situation in macOS Sequoia?

Answer: No changes to OpenBSM's status as of this date, with Sequoia beta 1.

Question: If there has been a change to OpenBSM's status, is there an Apple-provided replacement for OpenBSM auditing available?

Answer: No changes to OpenBSM's status as of this date, with Sequoia beta 1.

Question: Logging of commands run by the sudo tool is disabled by default in macOS Sequoia. Does this affect logging which is being sent on to an EDR tool by the Endpoint Security framework? For context, we're using Microsoft Defender for EDR logging.

Answer: Sudo is an event type, which should be subscribable by an EDR tool. Test your EDR tool to see if sudo event types can be subscribed to, and if so, if those events are recorded.

Question: What are the security implications of running the following command?

/usr/sbin/DevToolsSecurity --enable

I know it does the following:

• Allows developer mode to be enabled
• Apps are allowed to debug other apps, with permission via account authentication from a user which is a member of the _developer group

Note: Running the following command removes the password prompt for users in the _developer group:

sudo security authorizationdb write system.privilege.taskport allow

Aside from that, are there other risks to be aware of? For example, could a malicious binary running as a user in the _developer group get secrets from system memory?

Answer: For the malicious binary question, no. That would require elevation to access kernel space, which should require the use of a kernel extension.
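An added example, not part of the original questions or answers: a small audit check that reports whether the system.privilege.taskport right still requires authentication or has been switched to "allow" by the command in the note above. The two sample plists are constructed, and their key layout (class, k-of-n, rule) is an assumption about what `security authorizationdb read` returns; compare against the output on a real Mac before relying on it.

```python
import plistlib
import subprocess
import sys

RIGHT = "system.privilege.taskport"

# Constructed samples (assumed shape of `security authorizationdb read` output).
# SAMPLE_GATED: the right is decided by rules that involve authentication.
SAMPLE_GATED = plistlib.dumps({
    "class": "rule",
    "k-of-n": 1,
    "rule": ["is-admin", "is-developer", "authenticate-developer"],
})
# SAMPLE_ALLOW: the right after `authorizationdb write <right> allow`.
SAMPLE_ALLOW = plistlib.dumps({"class": "rule", "rule": ["allow"]})


def classify_taskport(plist_bytes):
    """Return 'open' if the right is granted with no prompt, else 'gated'."""
    right = plistlib.loads(plist_bytes)
    rules = right.get("rule", [])
    if isinstance(rules, str):  # tolerate a single rule stored as a string
        rules = [rules]
    # Either an explicit 'allow' class or a rule list containing 'allow'
    # means any caller obtains the right without authenticating.
    if right.get("class") == "allow" or "allow" in rules:
        return "open"
    return "gated"


def read_live_right():
    """Read the right from the local authorization database (macOS only)."""
    result = subprocess.run(
        ["security", "authorizationdb", "read", RIGHT],
        capture_output=True, check=True,
    )
    return result.stdout  # the plist is written to stdout


if __name__ == "__main__":
    # On macOS, check the live database; elsewhere, show the constructed case.
    data = read_live_right() if sys.platform == "darwin" else SAMPLE_ALLOW
    print(f"{RIGHT}: {classify_taskport(data)}")
```

A result of "open" on a managed Mac means the password prompt for debugging other processes has been removed and the right should be reviewed against your baseline.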