Git Product home page Git Product logo

santa's Introduction

Santa

license CI latest release latest release date downloads

Santa Icon

Santa is a binary and file access authorization system for macOS. It consists of a system extension that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

It is named Santa because it keeps track of binaries that are naughty or nice.

Docs

The Santa docs are stored in the Docs directory and published at https://santa.dev.

The docs include deployment options, details on how parts of Santa work and instructions for developing Santa itself.

Get Help

If you have questions or otherwise need help getting started, the santa-dev group is a great place.

If you believe you have a bug, feel free to report an issue and we'll respond as soon as we can.

If you believe you've found a vulnerability, please read the security policy for disclosure reporting.

Features

  • Multiple modes: In the default MONITOR mode, all binaries except those marked as blocked will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only listed binaries are allowed to run.

  • Event logging: When the system extension is loaded, all binary launches are logged. When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.

  • Certificate-based rules, with override levels: Instead of relying on a binary's hash (or 'fingerprint'), executables can be allowed/blocked by their signing certificate. You can therefore allow/block all binaries by a given publisher that were signed with that cert across version updates. A binary can only be allowed by its certificate if its signature validates correctly but a rule for a binary's fingerprint will override a decision for a certificate; i.e. you can allowlist a certificate while blocking a binary signed with that certificate, or vice-versa.

  • Path-based rules (via NSRegularExpression/ICU): This allows a similar feature to that found in Managed Client (the precursor to configuration profiles, which used the same implementation mechanism), Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and not relying on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precedence.

  • Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore automatically allowed. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps. Likewise, you cannot block Santa itself, and Santa uses a distinct separate cert than other Google apps.

  • Userland components validate each other: each of the userland components (the daemon, the GUI agent and the command-line utility) communicate with each other using XPC and check that their signing certificates are identical before any communication is accepted.

  • Caching: allowed binaries are cached so the processing required to make a request is only done if the binary isn't already cached.

Intentions and Expectations

No single system or process will stop all attacks, or provide 100% security. Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system. As a centrally managed component, Santa can help stop the spread of malware among a large fleet of machines. Independently, Santa can aid in analyzing what is running on your computer.

Santa is part of a defense-in-depth strategy, and you should continue to protect hosts in whatever other ways you see fit.

Security and Performance-Related Features

Known Issues

  • Santa only blocks execution (execve and variants), it doesn't protect against dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or libraries loaded using DYLD_INSERT_LIBRARIES.

  • Scripts: Santa is currently written to ignore any execution that isn't a binary. This is because after weighing the administration cost vs the benefit, we found it wasn't worthwhile. Additionally, a number of applications make use of temporary generated scripts, which we can't possibly allowlist and not doing so would cause problems. We're happy to revisit this (or at least make it an option) if it would be useful to others.

Sync Servers

  • The santactl command-line client includes a flag to synchronize with a management server, which uploads events that have occurred on the machine and downloads new rules. There are several open-source servers you can sync with:

    • Moroz - A simple golang server that serves hardcoded rules from simple configuration files.
    • Rudolph - An AWS-based serverless sync service primarily built on API GW, DynamoDB, and Lambda components to reduce operational burden. Rudolph is designed to be fast, easy-to-use, and cost-efficient.
    • Zentral - A centralized service that pulls data from multiple sources and deploy configurations to multiple services.
    • Zercurity - A dockerized service for managing and monitoring applications across a large fleet utilizing Santa + Osquery.
  • Alternatively, santactl can configure rules locally (without a sync server).

Screenshots

A tool like Santa doesn't really lend itself to screenshots, so here's a video instead.

Santa Block Video

Contributing

Patches to this project are very much welcome. Please see the CONTRIBUTING doc.

Disclaimer

This is not an official Google product.

santa's People

Contributors

alessandrogario avatar arubdesu avatar bfreezy avatar georgekola avatar googlewalt avatar groob avatar headmin avatar hughneale avatar hugo-syn avatar itf avatar johnlunney avatar kallsyms avatar kathancox avatar keith avatar kyoshisuki avatar liamn avatar marczak avatar mlw avatar msuozzo avatar nguyen-phillip avatar nl5887 avatar np5 avatar p-harrison avatar pmarkowsky avatar radsec avatar russellhancox avatar tburgin avatar the80srobot avatar tnek avatar videlanicolas avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

santa's Issues

Missing #include "SNTEventLog.h"?

Hi,

Is the SNTExecutionController.h missing a #include "SNTEventLog.h?

Also, to prevent dylib injection via environment variables, you can use MAC policy to filter the. (Tho it can't stop them all, as there are other ways to load the dylib.) I've tried using KAUTH_VNODE_READ to perform file scanning on dylib files (check it's header with VNOP_* directly within kernel space to increase the speed), but seems the system still will freeze due to the slow communication with the daemon.

Best,
Cai

syntax for plist

Does anyone have an example of the syntax used for blacklisting in monitor mode or whitelisting in lockdown mode? Thanks!

Similar to #14, __PAGEZERO

Pardon that this is in a similar vein to #14, and also that I haven't started trial-ing Santa or dug in deep enough to know if this can be reported on in 'observation' mode, but as per exploit tpwn's purported mitigation NULLGuard, supposedly more than just this POC would be caught by checking binaries for lack-of-__PAGEZERO. Not sure I have much to add, I understand if enabling Santa to report on this wouldn't be worth the effort if it is indeed not present in 10.11.
<insert I have no idea what I'm doing dog meme>

Need more guidance

The wiki is incomplete.

  1. How can I put santa into a "learning" mode, so that it can add binaries to "allowed" database automatically?
  2. How can I list all programs (blacklisted or whitelisted) with santactl rule command? I'm trying not to open the SQLite file directly ....
  3. You did not provide a uninstallation script in the DMG file, that's critical. Take a look at Little Snitch's installer file perhaps.
  4. Can I change the location of /var/log/santa.log, or disable logging completely? (If everything is I need is whitelisted)

Homebrew Cask

G'day!

I've created a Homebrew Cask so that I can install Santa as part of a bootstrap script, would you be okay with me submitting a PR for it, or would you like to submit it?

Rich

Investigate logging disk image mounts

Knowing which disk image an executable came from can be very useful when tracking down possible malware. Knowing where that DMG was downloaded from is even better.

Possible method for this:

  1. Use DiskArbitration to monitor for new mounts
  2. Run hdiutil info -plist each time a mount happens
  3. Retrieve the record matching the new mount, get image-path
  4. Get quarantine data (if possible) and hash of image-path

santactl/rule segfault when passed a directory

I'm trying to whitelist google auto updater (perhaps) with a certificate rule,

When the santa dialog pops up I copied the path, and issued a command,

%> sudo santactl rule --whitelist --certificate --path /tmp/KSOutOfProcessFetcher.501.xxxxx\=/
2016-08-28 11:03:34.142 santactl[4340:46065] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSURL initFileURLWithPath:]: nil string parameter'
*** First throw call stack:
(
    0   CoreFoundation                      0x00007fff98c874f2 __exceptionPreprocess + 178
    1   libobjc.A.dylib                     0x00007fff979e8f7e objc_exception_throw + 48
    2   CoreFoundation                      0x00007fff98cee4bd +[NSException raise:format:] + 205
    3   Foundation                          0x00007fff970b8449 -[NSURL(NSURL) initFileURLWithPath:] + 131
    4   Foundation                          0x00007fff970b83b1 +[NSURL(NSURL) fileURLWithPath:] + 45
    5   santactl                            0x000000010dd6274c -[MOLCodesignChecker initWithBinaryPath:error:] + 44
    6   santactl                            0x000000010dd62804 -[MOLCodesignChecker initWithBinaryPath:] + 36
    7   santactl                            0x000000010dd49e97 +[SNTCommandRule runWithArguments:daemonConnection:] + 1383
    8   santactl                            0x000000010dd53005 +[SNTCommandController runCommandWithName:arguments:] + 181
    9   santactl                            0x000000010dd4baad main + 621
    10  libdyld.dylib                       0x00007fff8fec45ad start + 1
    11  ???                                 0x0000000000000006 0x0 + 6
)
libc++abi.dylib: terminating with uncaught exception of type NSException

Log an error if SyncBaseURL is set but invalid

If you try incomplete commands looking for interactive help on the command line, santactl crashes:

    $ sudo santactl rule add --whitelist --path
    2015-07-22 08:54:02.591 santactl[21154:230605] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSArrayM objectAtIndex:]: index 3 beyond bounds [0 .. 2]'
    *** First throw call stack:
    (
        0   CoreFoundation                      0x00007fff8e96f03c __exceptionPreprocess + 172
        1   libobjc.A.dylib                     0x00007fff8e61e76e objc_exception_throw + 43
        2   CoreFoundation                      0x00007fff8e8381e4 -[__NSArrayM objectAtIndex:] + 260
        3   santactl                            0x0000000105c2e355 +[SNTCommandRule runWithArguments:daemonConnection:] + 853
        4   santactl                            0x0000000105c36312 +[SNTCommandController runCommandWithName:arguments:] + 193
        5   santactl                            0x0000000105c2f4e8 main + 514
        6   libdyld.dylib                       0x00007fff964a75c9 start + 1
    )
    libc++abi.dylib: terminating with uncaught exception of type NSException
    $

I would prefer some usage output (including an early warning if SyncBaseURL is set).

discussion - BannedBlockMessage not applicable when BlacklistRegex rule triggered

I think I'm not clearing the launchagent properly while testing, so I'm therefore having some difficulty reproducing what I'm talking about cleanly, but I'm hoping to make end users less concerned while in trial data-gathering mode. During this time, I'm pretty sure I want path-based blocks to use the UnknownBlockMessage instead of Banned, as it is more applicable to the reality of what users have encountered. (i.e., there isn't an explicit blacklist entry for the binary/dev cert, but instead is just being launched from a blacklist path that doesn't have an explicitly whitelisted binary/cert.)
It almost makes sense to me that the common case would instead call for the default message when a BlacklistRegex rule is triggered should be what the UnknownBlockMessage is unless overridden, as that may be more faithful to the recommended workflow admins should be encouraged to follow. I don't want this to be death by a thousand customizations, but would PathBlockMessage be a useful pref to expose?

GUI block message should surface cert_sha256 where available

To accelerate adding to the whitelist, the most applicable criteria for building a rule to be fed into the database should be surfaced in the block GUI, rather than tracking it down in the log every time. (At least it didn't seem accessible from the cert inspection GUI when I tested with .9.13.) If we already have a crowded window, the identifier seem like a lower priority, as less-savvy customers may not find that useful in common practice.

New Idea for an easier tool to inventory all executables

I don't see an easy way to set up the initial information about executables on your system. I played with a Python script (sorry my ruby skills are limited) that parses the log file and grabs unique paths and developers that have been launched. My idea is to extend this to allow the user to let this run for a while, and then run this tool that would parse through the logs and allow them to add exceptions as they would see fit. Right now, it is just dumping out the info.

More ideas for the future:
-Dump to some sort of json/xml structure and allow the user to edit, user can then accept all executables in that xml structure
-Allow the user to see what recently has been denied, then maybe approve the executable easily
-Allow the user to only see non-signed executables and signed executables (so that they can accept the cert first, then add a rule for the path

Is there any tool like this? Would you be interested in me extending this idea? Should I just make it a separate project or would you be interested in integrating this with your project?

The output is this:

Unique Executables:
Path of the executable: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker
Common name of the certificate that signed the executable: (null)
SHA256 hash of the executable: None
SHA256 hash of the cert that signed the executable: None

 Path of the executable: /Users/dlohin/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent
     Common name of the certificate that signed the executable: Developer ID Application: Google Inc.
     SHA256 hash of the executable: a71d1105b521135c071b34c3912f9e1fb7dcd14efcb4c699d27838c977294c20
     SHA256 hash of the cert that signed the executable: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153

 Path of the executable: /bin/ps
     Common name of the certificate that signed the executable: Software Signing
     SHA256 hash of the executable: 0b0f518e945e2803772a85dcd48366955abf345b2cd1cbc24b2004aab70e94e7
     SHA256 hash of the cert that signed the executable: 2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32

 Path of the executable: /Applications/Google Chrome.app/Contents/Versions/45.0.2454.93/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
     Common name of the certificate that signed the executable: Developer ID Application: Google Inc.
     SHA256 hash of the executable: 1d8d25946e09aecb63fb683e019914db235540d5ae80a925dda9092b19a13411
     SHA256 hash of the cert that signed the executable: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153

 Path of the executable: /Applications/GPG Keychain.app/Contents/MacOS/GPG Keychain
     Common name of the certificate that signed the executable: Developer ID Application: Lukas Pitschl
     SHA256 hash of the executable: 4a9d7ef5f8ff93f346802ec5d541e7fbf002a7ba3eb5d5464ce69ff32bc56329
     SHA256 hash of the cert that signed the executable: cc4c6b01ade3162ee5d3aa46139efe89f210767edc9227a8185df8d3b1906bf0

 Path of the executable: /sbin/umount
     Common name of the certificate that signed the executable: (null)
     SHA256 hash of the executable: None
     SHA256 hash of the cert that signed the executable: None

 Path of the executable: /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
     Common name of the certificate that signed the executable: Developer ID Application: Microsoft Corporation (UBF8T346G9)
     SHA256 hash of the executable: 8fa785826445d9b3e86d37f53d101639431ded8bc763f1f0321b1d5ca6f1fb0e
     SHA256 hash of the cert that signed the executable: adced5ef3635ab1debda86f02dc55e96cefedf7bd7fe7519f0a806092bf75873

 ...CONTINUED......

Unique Publishers:
Common Name: Apple Mac OS Application Signing
SHA256 hash of the cert that signed the executable: ad9dba778a3a1204a02298193be3c8d184a6bdc0d10ae109dfaf356722b3cf92

 Common Name: Developer ID Application: Google Inc.
 SHA256 hash of the cert that signed the executable: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153

 Common Name: Software Signing
 SHA256 hash of the cert that signed the executable: 2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32

 Common Name: Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)
 SHA256 hash of the cert that signed the executable: 9f9dd26b6ad69cd86438ee416d527b8a9ed871a2bd75cdf8f9cf2345a9cbeb38

....Continued......

Code is:

SantaParseLibs.py:

author = 'dlohin'

class santa_data_structure(object):
def init(self,executable_cn = None, executable_hash = None, cert_hash = None):
"""
Pass in each entry of santa.log and add it to a dictionary
:type executable_cn: str
:type executable_hash: str
:type cert_hash: str
"""
self.executable_cn= executable_cn
self.executable_hash = executable_hash
self.cert_hash = cert_hash

SantaParser.py:

author = 'dlohin'

from SantaParseLibs import santa_data_structure
import re

f = open('/var/log/santa.log',mode='r')

unique_executables = {}
unique_publishers={}

for line in f:
#print(i)
exectuble_info = line.split("|")
executable_dict = {}

#Hit each variable in the log file
for i in exectuble_info:
    info = i.split("=")
    #We have some stuff about service starting in the beginning, ignore it
    try:
        executable_dict[info[0]] = info[1]
    except:
        pass

if executable_dict:
    #Already have the executable, ignore
    if executable_dict['path'] not in unique_executables:
        #see if it is a signed executable first
        if 'cert_cn' in executable_dict:
            #Add the unique exectuable to a dictionary with certs
            unique_executables[executable_dict['path']] = santa_data_structure(executable_dict['cert_cn'],executable_dict['sha256'],executable_dict['cert_sha256'])
            #Lets add the unique publisher if it doesn't exist already
            if executable_dict['cert_cn'] not in unique_publishers:
                unique_publishers[executable_dict['cert_cn']] = executable_dict['cert_sha256']
        else:
            #This isn't a signed executable, just add the path
            unique_executables[executable_dict['path']] = santa_data_structure(executable_dict['sha256'])
        #print(unique_executables)

Lets print out all the information

print("Unique Executables:")
for key, value in unique_executables.items():
print(" Path of the executable: %s" % key)
print(" Common name of the certificate that signed the executable: %s" % value.executable_cn)
print(" SHA256 hash of the executable: %s" % value.executable_hash)
print(" SHA256 hash of the cert that signed the executable: %s\n" % value.cert_hash)

print("Unique Publishers:")
for key, value in unique_publishers.items():
print(" Common Name: %s" % key)
print(" SHA256 hash of the cert that signed the executable: %s\n" % value)

Should Be A Dismiss For X Period Of Time Button

There will be times when a user wants to dismiss a Santa pop-up and not have it pop-up again for some period of time. For instance if the user installs something that is not whitelisted and runs every few minutes, but they are off-line and can not get a new rule to allow the binary. They should be able to dismiss notifications about that binary for 24-hours or until next restart or something.

How to temporarily disable santa?

I need to install XtraFinder and but santa blocked the execution of preflight binary

screen 2016-08-29 at 21 22 53

I tried to remove the config file completely, nothing changes.

sudo rm -f /var/db/santa/config.plist

Is there a way to temporarily disable Santa?

Installation Script or Copy/Pasta Instructions

An install script would be nice for those that:

  1. Do not have a kext signing certificate and with to roll the pre-built, pre-signed version of the kext that Google supplies
  2. Users that do not wish to roll kext-dev mode

Bypass Santa By Overwriting a Binary

i think you can copy a signed binary to somewhere you can modify it. open the signed binary with write access. execute the signed binary. change the signed binary to do bad stuff. then execute the binary again. this is my understanding of this code because the write event is only created when you open a file for writing:

if (action & KAUTH_VNODE_WRITE_DATA ||

Here is the santa logs for two scenarios. One is executing a binary. Overwriting the binary. Then executing the binary again. This generates two log entries.

The other opens the binary. Then executes the binary. Then overwrites the binary using the fd generated before executing the binary. This generates only one log entry. I think this is bypassing santa. However, I'm running in MONITOR mode so I'm not 100% sure.

#include <fcntl.h>

int main() {
  system("rm -f ./foo.target");
  system("cp ./foo ./foo.target");
  system("./foo.target");
  system("cp ./foobar ./foo.target");
  system("./foo.target");

}

[2015-04-21 13:27:03.925Z] I santad: A|?|ea3e2e2c8b1e8515bbc536192113a40b2386bc8ba3f68805edfc2a66944a3461|/private/tmp/normal
[2015-04-21 13:27:03.940Z] I santad: A|?|c820d5e53c2de264dc29e5575d77b71417b51f035fe4c794c0c823a797784054|/private/tmp/foo.target
[2015-04-21 13:27:03.962Z] I santad: A|?|5d4d87dceda695fb9df2b647399886088d4d3e0754a00ac3f77f99c03ea5d44c|/private/tmp/foo.target

#include <fcntl.h>

int main() {
  system("rm -f ./foo.target");
  system("cp ./foo ./foo.target");
  int fd = open("./foo.target", O_WRONLY);
  if (fd < 0) {
    perror("openw");
    exit(-1);
  }
  system("./foo.target");
  char buf[1024];
  int rfd = open("./foobar", O_RDONLY);
  if (rfd < 0) {
    perror("open");
    exit(-1);
  }
  int len;
  while ((len = read(rfd, buf, sizeof(buf))) != 0) {
    if (len < 0) {
      perror("wat");
      exit(-1);
    }
    int wlen = write(fd, buf, len);
    if (wlen != len) {
      exit(-1);
    }
  }
  system("./foo.target");
}

[2015-04-21 13:32:36.791Z] I santad: A|?|f8495ffe1bde4c61d145ba606326e2ecc396297ef127af492cfc2a7023602494|/private/tmp/break
[2015-04-21 13:32:36.822Z] I santad: A|?|c820d5e53c2de264dc29e5575d77b71417b51f035fe4c794c0c823a797784054|/private/tmp/foo.target

Missing /var/db/santa/config.plist?

Hi!

Thanks for putting this out there, it's really needed for OS X! I was able to get this working on OS X 10.9, however, I noticed that there was no example config.plist (for /var/db/santa/config.plist ref:

static NSString * const kConfigFilePath = @"/var/db/santa/config.plist";
). Maybe I'm missing something.

Is it possible to include an example in the project?

Thanks,
Josh

v0.9.11 doesn't work on macOS <10.11

Dyld Error Message:
  Symbol not found: _IORegistryEntryCopyFromPath
  Referenced from: /Library/Extensions/santa-driver.kext/Contents/MacOS/santad
  Expected in: /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Will need to find an alternative or weak-link and only use that code on OS versions that support it.

GUI MessageWindow will no more appear in 0.9.8

We run Santa connected to Zentral (https://github.com/zentralopensource) as TLS server for Santa - while base functionality is same, blacklisting works as with santa 0.9.7 - we don't see any GUI MessageWindow on clients with Santa 0.9.8.
Once we reinstall previous santa 0.9.7 version again via munki the GUI window appears as did in all earlier versions of Santa we have used.
Would be great to get a short hint what could go wrong, new key required ? - probably we just missed something from release notes for Santa 0.9.8 ?

BTW the JSON blob that works with 0.9.7 and fails with 0.9.8:
{'custom_msg': 'Blocked to launch Transmission.app - be aware this is is a infected binary', 'policy': 'BLACKLIST', 'rule_type': 'BINARY', 'sha256': 'ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a'}

GUI notifications should be queued when SantaGUI isn't running

Currently if execution is blocked without a user logged in (like during startup) no notification is created as SantaGUI isn't running. This can be confusing when packages install daemon processes which are then blocked, causing the application to not function, with no notification that this has occurred.

santad should queue up messages to SantaGUI when no connection is established.

Unable to get Plist Blacklisting to work

BlacklistRegex ^/Applications/Utilities/[.]{1,}|^/Users/[.]{1,} ClientMode 1 WhitelistRegex ^/Applications/[0-9A-Za-z\ ]{1,}

Does this look correct? I'm not able to get it to work.

Switch regexes from NSRegularExpression to RE2

RE2 is faster than ICU (used by NSRegularExpression) for most types of expression at both matching and compiling.

It would possibly be prudent to benchmark some example regexes that are likely to be used in Santa (generally short input text, not recompiled regularly, lots of use of OR) before implementing but given the benchmarks already done I think it very unlikely ICU will come out ahead on average.

For implementation: I think a very simple ObjC wrapper around RE2 would make switching and memory management easier. It would also limit the exposure to Objective-C++ to just that wrapper class, which is nice.

The biggest issue is getting RE2 into the build process: the other dependencies are installed with CocoaPods and a Pod for RE2 is not available.

Quarantine data not being collected

We're meant to be collecting quarantine data for events but the collection mechanism in SNTFileInfo isn't working properly in santad (though it seems to work fine in santactl)

Apple aren't happy granting a signing key for development

Just a minor thing - in the readme you offer 2 different solutions to signed kexts, the second being:-

  1. Apply for your own kext signing certificate.

I applied for one of these (saying I wanted to play with santa) and apple replied with the following:-

KEXT signing is intended for signing commercially shipping kexts or projects broadly distributed in a large organization. The use you describe does not need a signed kext.

The email goes on to suggest the debug mode you mention, enclosing here in case it's useful:-

"In order to load unsigned kexts, the system must have "KEXT Developer Mode" enabled by adding the "kext-dev- mode=1" boot-arg. The following command (followed by a reboot) would be suitable to prepare a system for testing non-production kexts:
sudo nvram boot-args="debug=0x146 kext-dev-mode=1"

Once this is done, the machine will be able to load any valid kext; signatures will still be checked, but a failed verification will just result in a log message. Note: This applies to kexts that contain a binary, as well as codeless
(plist-only) kexts.

Wiki tweaks - blacklistregex example, update fileinfo commands/clarify expected output

On Getting Started and Configuration, there's incorrect syntax for adding a BlacklistRegex:

$ sudo defaults write /var/db/santa/config.plist BlacklistRegex '^(?:/Users)/.*'
Password:
2016-08-28 15:25:52.813 defaults[1324:124497] Could not parse: ^(?:/Users)/.*.  Try single-quoting it.

With the new fileinfo output, we should update the syntax for gathering a leaf cert sha256 in step 2 of Getting Started's Recommended Deployment section.
I also think we should clarify that if the daemon is stopped, you wouldn't see Rule information in fileinfo full output, to proactively address what could be a FAQ for the nervous.

Chrome Store app gets spurious block message w/ /Users/* BlacklistRegex

Steps to repro: 1. use path-based blocking in MONITOR mode for /Users/*, as specified in the BlacklistRegex example. 2. Install app(link below)
It immediately tries to launch and displays a block message, but the Chrome App opens behind the Santa window.
I've taken a video to display the triggering of a block message that doesn't result in stopping the Chrome App in question, Sign Builder, from launching. Only seems to occur once per Chrome session, so it will recur during a login session if Chrome is quit and reopened.

Repro'd on both Sierra b7 and 10.11.6, Chrome 52.0.2743.116
The logged message:

[2016-08-28T22:54:47.562Z] I santad: action=EXEC|decision=DENY|reason=SCOPE|explain=Blacklist Regex|sha256=99d94d9c
4106baf98918b6472a3b7e0532a1b9398c5fceead4436c859b45f5a5|path=/Users/abanks/Applications/Chrome Apps.localized/Defa
ult odjaaghiehpobimgdjjfofmablbaleem.app/Contents/MacOS/app_mode_loader|cert_sha256=15b8ce88e10f04c88a5542234fbdfc1
487e9c2f64058a05027c7c34fc4201153|cert_cn=Developer ID Application: Google Inc.|pid=3098|ppid=1|uid=841296058|user=
abanks|gid=xxxxxx|group=(null)|mode=M

Signed release pkg/hash of signed contents

I'm working on autopkg recipes for santa, but can't use code signature verification for the pkg, which adds multiple steps unpacking the payload and verifying the signatures after each release gets pulled. Waiting on this pr to be merged before I can even check the kext separately. Ideally we'd just need to run pkgutil --check-signature /Volumes/santa-0.9.8/santa-0.9.8.pkg to generate the config that would verify all artifacts contained therein. If that's not desirable or doable in the meantime, is it possible to publicly post a hash of each release pkg that we can query over the GitHub API?
I'd assume once you hit 1.0 you may have signed pkgs, just starting the conversation now.

santactl fileinfo: Invalid or empty file

Santa is looking for $APP/Contents/MacOS/$APP, but sometimes the binary name will be different.

$ santactl fileinfo /Applications/YubiKey\ NEO\ Manager.app
Invalid or empty file

$ santactl fileinfo /Applications/YubiKey\ NEO\ Manager.app/Contents/MacOS/neoman
Path                 : /Applications/YubiKey NEO Manager.app/Contents/MacOS/neoman
SHA-256              : 4e23599890afe0500cbc198cec53737f14a64fcd7ba51fefa3e621b1113add35
SHA-1                : 2961bfb9390a6a1897fcc37e087e3a7e1e5a2f98
Type                 : Thin Binary (x86-64)
Code-signed          : Yes
Signing chain:
     1. SHA-256             : f4ec6daf9ae6ad49f6d3999ad8928ea1d3a945941590bc33ba9d8e3559023cbd
        SHA-1               : c2f8bdd13149fe7911b6bb20886bb65cdcc5b57b
        Common Name         : Developer ID Application: Yubico Limited
        Organization        : Yubico Limited
        Organizational Unit : LQA3CS5MM7
        Valid From          : 2012/10/04 07:57:20 +0100
        Valid Until         : 2017/10/05 07:57:20 +0100
[...]

Log quarantine data

Currently quarantine data is being collected only for uploading to a server but it would be good for the data to also go to the logs.

can't build, pod install issue

I'm unable to install due to missing pods,

%> pod install
Analyzing dependencies
[!] The version of CocoaPods used to generate the lockfile (1.0.1) is higher than the version of the current executable (1.0.0). Incompatibility issues may arise.
[!] Unable to find a specification for `MOLAuthenticatingURLSession

Any ideas?

Investigate bypassing syslog

Syslog/ASL logging can be quite slow, given that amount of string parsing we have to do. To make matters worse we're converting structured data into a string only to later send that to a server and use regexes to convert it back to structured data.

A potentially better solution would be to use protobufs or similar, writing structured records directly to disk as a stream.

This should probably be a configurable option as not all log-collection systems can be made to cope with protobufs.

Sent "fileop_scope_callback" result to daemon for filtering?

Hi,

First, you guys rock! It's so amazing and nicely coded project.

I understand that the purpose of Santa was for executable scanning. However, some files are not directly executables. I was trying to filter files by sending the FILEOP scope results to the daemon for filtering, but the system freezed once the kext was loaded. (I do always return KAUTH_RESULT_DEFER as Apple's suggested on FILEOP scope. But seems the action of sending messages from that scope to the daemon will cause the freeze. I haven't been able to retrieve the log as the system will freeze again on the reboot, and I haven't been able to get into single user mode in a VM.)

Have you guys try something like that and decided not to do so because the performance was bad? Or there were other limitations regarding the system itself on "on access" filtering?

Best,
Cai

santad Modification

I am planning on forking and modifying santa to be part of a commercial product idea I have. However, for reasons that should be obvious I must use the upstream santa-driver KEXT. This bundle contains the binaries for santactl and santad, which I want to replace with modified versions. Unfortunately, these binaries are listed in the code-signing manifest for the KEXT, so I cannot remove or replace them without breaking the code signature. Is there any way I can do this? Your README recommends using just this methodology to modify Santa without needing my own KEXT-signing certificate. Any pointers?

json 'pack' format to allow import/export of a group of rules

Similar to how osquery collects common queries into 'packs' to be enabled in their config, it would be great to be able to import/export rules from the database as an option to santactl. Bonus points would be if output from santactl fileinfo was in that format to start with, so you could build up a collection from the results of fingerprinting a binary or its cert.

discussion - CLI usability

I'm hoping to make this easier to trial without a sync server, which I know is already asking for a bit much, but on behalf of lazy selfish admins I thought I'd ask:
Along with #78, could we look at ways of making adding whitelist rules at the CLI easier? I'd think the common-case for using santactl at all is to whitelist, and --path seems to would be easiest to copy-paste into terminal from the block dialog (would also be nice if the dialog went to the pasteboard escaped... I'm asking too much, aren't I.) Could we make the rule subcommand not require --whitelist or --path? Path also doesn't currently try to extract leaf certs for building the rule (if present), could that functionality be enabled?

santa 0.9.9 doesn't report all names correctly

I've noticed certain machine names will not reported back correctly while running santa 0.9.9 connected to Zentral as TLS server for santa policies/event reporting ( compared to munki and other tools providing similar information ). Noticed for 10.11.4 / 10.11.5 clients tested with some UTF-8 characters in name:
i.e. a Mac named "testømat" will result in "testmat"
or "t€apot" will result in "tapot", etc.

(Sierra) AppTranslocation has side-effect of bypassing BlacklistRegex

Just noticed this on Sierra b7 when running an unzipped app from ~/Downloads while a /Users/* BlacklistRegex is in effect:

[2016-08-29T14:32:34.630Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=34816961a6212c39805175cc96ef49f2becffa735860f03309633dc1c6b9a123|path=/private/var/folders/68/kkjfhl7x02q6jm24yhz3qpfhs2__5t/T/AppTranslocation/8EB845D2-BE0C-41DB-BEFB-5E0BF5DCD270/d/BitBar.app/Contents/MacOS/BitBar|args=/private/var/folders/68/kkjfhl7x02q6jm24yhz3qpfhs2__5t/T/AppTranslocation/8EB845D2-BE0C-41DB-BEFB-5E0BF5DCD270/d/BitBar.app/Contents/MacOS/BitBar -psn_0_1782195|cert_sha256=9870c06f1e263263353b3394d304752389a48f3c92454602a70f2656356b4a0d|cert_cn=Developer ID Application: Code and That Ltd (B3T8QSC4HG)|quarantine_url=https://github-cloud.s3.amazonaws.com/releases/14376285/aed19af8-f5af-11e5-8392-8569a48c2fcf.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160829%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160829T143224Z&X-Amz-Expires=300&X-Amz-Signature=317eb3f720c5165558b00c6c09dbe00225ef1f35af08ca5a47261cd4b00ba34a&X-Amz-SignedHeaders=host&actor_id=388808&response-content-disposition=attachment%3B%20filename%3DBitBar-v1.9.1.zip&response-content-type=application%2Foctet-stream|pid=5436|ppid=1|uid=841296058|user=abanks|gid=xxxxxx|mode=M

I would think this harms the effectiveness of path-based blacklisting.

Enhancements in SantaGUI

I'd like to do several enhancements in SantaGUI, like adding an icon to the statusbar with information about the connection with the daemon, the last events etc. Any suggestions about that?

Please review/revise/import wiki pages from my fork

Please import https://github.com/arubdesu/santa/wiki as you see fit, probably by cloning down with your creds and replacing the files locally.

I have three points that I could use help clarifying, although I know I'm hand-wave-y other places as well:

  • Can the regex's be arrays that therefore evaluate sequentially, or does it have to be 'one superregex to rule them all'?
  • Also about regex's, I'm assuming the code comments are telling me the truth about prepending ^ to those that don't have it
  • I messed up the attempt at putting 'skip's in asl.conf, if you could please throw in your working example

I also renamed pages over there, and probably didn't set all of the links between page sections 100% correctly, but unless you made me a collaborator on the repo it seems I can't edit the wiki here.

ksfetch is annoying

Keystone puts an executable into a folder in /tmp.
And constantly gets flagged by Santa, regardless of any futile effort to whitelist it.
There are probably explanations for it, but it is a bit annoying.

Ironic, too.

Blacklist Applications basted on exact location

Would it be possible to add the ability to blacklist applications based on specific location path instead of hash. Such as a application in "/Applications/Safari.app" with that exact path and name could not be ran.

Enabling you to blacklist applications, that constantly being updated such stock Apple apps without having to constantly update the hash ever time they update.

edit:fixed :)

Provide better visibility into codesigning errors

Currently if a binary fails codesign validation for any reason, it's assumed to not be codesigned. This is fine for decision-making purposes but it would be nice for santactl fileinfo to provide clearer output.

feature request - 'trusted' Apple base set of signatures (db) import

Projects like https://github.com/sektioneins/osx_verify allow us to start with a fingerprinted system state, and if things are deterministic we should end up with a state on-disk of all binaries possibly run before 3rd party software or updates are applied. I'd like to run fileinfo on a couple of things to get whitelisted off the bat as a base system state, with the idea that you could therefore go into LOCKDOWN with some assurance that you won't let the system eat itself. To do so, I'm not sure the most optimal workflow, but I envision it would be something like doing a db dump and restore, with TLS-endpoint/API integration coming later.
It also seems like a good idea to tag it to a specific build version, so you can degrade more safely if changes happen without the db keeping in sync.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.