Comments (6)
Can you send us the output from log stream --predicate 'sender == "com.google.santa.daemon"'?
/var/db/santa/santa.log is the output log where we log execution telemetry, e.g.:

    [2024-01-27T00:47:59.176Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=417c54bd19c3e02e0b0728eb407b75ce7912e7898585c94ecc8755242a483c61|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=30214|pidversion=67632|ppid=1525|uid=501|user=user|gid=20|group=staff|mode=M|path=/bin/ls|args=ls -F
If you're trying to load rules without a sync server you have a few options.

1. Static rules in your application config

This requires that you update your config and set static rules. These are set as an array of dicts that describe the rule, similarly to the Sync protocol Rules.

    <key>StaticRules</key>
    <array>
      <dict>
        <!-- Always allow files signed by Google LLC -->
        <key>identifier</key>
        <string>EQHXZ8M8AV</string>
        <key>policy</key>
        <string>ALLOWLIST</string>
        <key>rule_type</key>
        <string>TEAMID</string>
      </dict>
      <dict>
        <!-- Always allow files signed by "Internal Tools Certificate" -->
        <key>identifier</key>
        <string>b2617611fb6c008bfe9e05b7a633d4f21c403a0a1a88b514a04c3e5e111be025</string>
        <key>policy</key>
        <string>ALLOWLIST</string>
        <key>rule_type</key>
        <string>CERTIFICATE</string>
      </dict>
    </array>

2. JSON rules

If you're running without a Sync server you can also import and export a JSON rules file. The file is expected to contain a single JSON object with a rules key that's an array of JSON objects that describe a rule, again similarly to the Sync Protocol.

    {"rules": [
      {"policy": "BLOCKLIST",
       "identifier": "84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6",
       "custom_url": "",
       "custom_msg": "/bin/ls block for demo"}
    ]}

This file can be imported using santactl rule --import <path to file>, e.g. sudo santactl rule --import rules.json

A rule file can be generated using the santactl rule --export <path to file> command, e.g. sudo santactl rule --export ./rules.json
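The two formats described in the comment above, the pipe-delimited EXEC line in santa.log and the rules file fed to santactl rule --import, are worth checking mechanically before a rule set is deployed, since a single missing comma (as in the JSON snippet above) makes the whole import fail. The following is an added example and is not code from this thread or from the Santa project: it parses a santa.log line into its fields, builds a rule from the binary or certificate hash in that event, re-expresses a config's StaticRules array in the rules.json layout, and validates either against the two policies and three rule types that appear above. The sample log line, the broken rules.json and the config plist are constructed inline; the identifier shapes (64 hex characters for BINARY and CERTIFICATE, 10 characters for TEAMID) and the default of BINARY when rule_type is omitted are assumptions taken from the thread's examples, not from Santa's source.

```python
import json
import plistlib
import re

# Constructed sample input, mirroring the telemetry line format quoted in the thread.
SAMPLE_LOG = (
    "[2024-01-27T00:47:59.176Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|"
    "sha256=417c54bd19c3e02e0b0728eb407b75ce7912e7898585c94ecc8755242a483c61|"
    "cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|"
    "cert_cn=Software Signing|pid=30214|pidversion=67632|ppid=1525|uid=501|user=user|"
    "gid=20|group=staff|mode=M|path=/bin/ls|args=ls -F"
)

# Constructed rules.json with the same missing comma as the snippet in the thread.
BROKEN_RULES_JSON = """{"rules": [
{"policy": "BLOCKLIST",
"identifier": "84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6"
"custom_url": "",
"custom_msg": "/bin/ls block for demo"}
]}"""

# Constructed config plist carrying a StaticRules array in the layout shown in the thread.
SAMPLE_CONFIG_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>StaticRules</key>
  <array>
    <dict>
      <key>identifier</key><string>EQHXZ8M8AV</string>
      <key>policy</key><string>ALLOWLIST</string>
      <key>rule_type</key><string>TEAMID</string>
    </dict>
  </array>
</dict>
</plist>
"""

_HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\S)\s+(?P<proc>[^:]+):\s+(?P<body>.*)$")
# key=value fields separated by '|'. The lazy value match stops only at the next '|key=',
# so a bare '|' inside args= (always the last field) does not split the line.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\|\w+=|$)")


def parse_santa_log_line(line: str) -> dict:
    """Turn one santa.log line into a dict of its fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a santa.log line: {line!r}")
    event = {"timestamp": m["ts"], "level": m["level"], "process": m["proc"]}
    event.update(_FIELD.findall(m["body"]))
    return event


POLICIES = {"ALLOWLIST", "BLOCKLIST"}  # the two policies used in the thread
# Identifier shapes are assumptions drawn from the thread's examples, not from Santa's source.
IDENT_SHAPE = {
    "BINARY": re.compile(r"^[0-9a-f]{64}$"),
    "CERTIFICATE": re.compile(r"^[0-9a-f]{64}$"),
    "TEAMID": re.compile(r"^[A-Z0-9]{10}$"),
}


def validate_rule(rule: dict) -> list:
    """Return the problems with one rule (an empty list means it looks importable)."""
    problems = []
    rule_type = rule.get("rule_type", "BINARY")  # assumption: no rule_type means a BINARY rule
    if rule.get("policy") not in POLICIES:
        problems.append(f"policy must be one of {sorted(POLICIES)}, got {rule.get('policy')!r}")
    shape = IDENT_SHAPE.get(rule_type)
    if shape is None:
        problems.append(f"unknown rule_type {rule_type!r}")
    elif not shape.match(str(rule.get("identifier", ""))):
        problems.append(f"identifier {rule.get('identifier')!r} is not a {rule_type} identifier")
    return problems


def validate_rules_file(text: str) -> list:
    """Check a rules.json; a JSON syntax error is returned as the only problem, with its position."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno} col {e.colno}: {e.msg}"]
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list):
        return ["top-level object must contain a 'rules' array"]
    return [f"rule {i}: {p}" for i, r in enumerate(rules) for p in validate_rule(r)]


def static_rules_to_json(plist_bytes: bytes) -> str:
    """Re-express a config's StaticRules array in the rules.json layout so the same checks apply."""
    cfg = plistlib.loads(plist_bytes)
    keep = ("identifier", "policy", "rule_type")
    rules = [{k: r[k] for k in keep if k in r} for r in cfg.get("StaticRules", [])]
    return json.dumps({"rules": rules}, indent=2)


def rule_from_event(event: dict, policy: str, by: str = "sha256") -> dict:
    """Build a rule from a parsed EXEC event: by='sha256' gives a BINARY rule, by='cert_sha256' a CERTIFICATE rule."""
    rule_type = {"sha256": "BINARY", "cert_sha256": "CERTIFICATE"}[by]
    return {"policy": policy, "rule_type": rule_type, "identifier": event[by],
            "custom_url": "", "custom_msg": f"{policy} {event.get('path', '?')} by {rule_type}"}


if __name__ == "__main__":
    ev = parse_santa_log_line(SAMPLE_LOG)
    print(json.dumps({"rules": [rule_from_event(ev, "BLOCKLIST")]}, indent=2))
    print(validate_rules_file(BROKEN_RULES_JSON))
    print(validate_rules_file(static_rules_to_json(SAMPLE_CONFIG_PLIST)))
```

Run against a real santa.log, this lets you turn an observed execution into a BLOCKLIST or ALLOWLIST rule by hash or by signing certificate and lint the resulting file before handing it to santactl; the broken sample above is reported as a syntax error at the line where the comma is missing rather than as a silent zero-rule import.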
FWIW, I have tried to deploy both the default template as well as a few slimmed-down versions I modified; nothing changes the rule count from zero, though.
@Zehpto Since it sounds like you're doing static rules with Jamf, can you send us the log output from log show --predicate 'sender == "com.google.santa.daemon"'?
Hey @pmarkowsky,
Thanks for the response. Yes, you are correct, I am trying to define the rules statically in the XML. When a few test items I added didn't work, I attempted to use only the three that ship with the template, in case I had introduced a syntax error or the like. FWIW, I have tried to deploy the system extensions, PPPC, and Santa config both as one configuration profile and as three separate ones, not that I would expect different behavior. Additionally, I have tried both uploading the mobileconfig and manually porting the configuration over so that a custom payload isn't used in the Jamf configuration profile. I very likely am overlooking something simple...
I have tested in two different Jamf environments and blown everything away a few times in each. To avoid inundating you with multiple disparate issues I will focus on only one.
Attached: log.txt
I do see a reference in the log to Full Disk Access missing, so I went ahead and uploaded screenshots of that configuration.
One quick follow-up question, hypothetically: if rules were defined via the command line and rules were then also loaded via a config profile or JSON, would that overwrite the entire rules.db file or would it just insert additional rules?
Thanks in advance!
I went back and verified. Both environments have the same configuration profiles (literal export and import). Environment #2 has nothing other than high CPU warnings. What is weird is that adding local rules says the rules.db database is corrupt.
@Zehpto were you able to sort this out?
Your comments about the database being corrupted seem like something is off environmentally.
Hey @pmarkowsky, this got put on the back burner due to other issues. I think you are probably right. Is there a clean/preferred way to completely nuke the local instance between experiments? I have been removing the binary and /var/db/santa, but I'm not exactly sure where any other cached files might live.