
Comments (6)

pmarkowsky commented on May 10, 2024

Can you send us the output from log stream --predicate 'sender == "com.google.santa.daemon"'?

/var/db/santa/santa.log is the output log where we log execution telemetry.

e.g. [2024-01-27T00:47:59.176Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=417c54bd19c3e02e0b0728eb407b75ce7912e7898585c94ecc8755242a483c61|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=30214|pidversion=67632|ppid=1525|uid=501|user=user|gid=20|group=staff|mode=M|path=/bin/ls|args=ls -F

If you're trying to load rules without a sync server you have a few options.

1. Static rules in your application config

This requires that you update your config and set static rules.

These are set as an array of dicts that describe the rule similarly to the Sync protocol Rules.

<key>StaticRules</key>
<array>
  <dict>
    <!-- Always allow files signed by Google LLC -->
    <key>identifier</key>
    <string>EQHXZ8M8AV</string>
    <key>policy</key>
    <string>ALLOWLIST</string>
    <key>rule_type</key>
    <string>TEAMID</string>
  </dict>
  <dict>
    <!-- Always allow files signed by "Internal Tools Certificate" -->
    <key>identifier</key>
    <string>b2617611fb6c008bfe9e05b7a633d4f21c403a0a1a88b514a04c3e5e111be025</string>
    <key>policy</key>
    <string>ALLOWLIST</string>
    <key>rule_type</key>
    <string>CERTIFICATE</string>
  </dict>
</array>

2. JSON rules

If you're running without a Sync server you can also import and export a JSON rules file.

The file is expected to contain a single JSON object with a rules key that's an array of JSON objects that describe a rule again similarly to the Sync Protocol.

{"rules": [
    {"policy": "BLOCKLIST",
     "identifier": "84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6",
     "custom_url": "",
     "custom_msg": "/bin/ls block for demo"}
]}

This file can be imported using santactl rule --import <path to file> e.g. sudo santactl rule --import rules.json

A rule file can be generated using the santactl rule --export <path to file> command e.g. sudo santactl rule --export ./rules.json

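Added example for the two rule-loading paths described in the comment above (this is not code from the Santa project or from anyone in this thread): a small Python checker that validates a JSON rules file of the shape shown before it is handed to santactl rule --import, and converts a StaticRules plist fragment into the same JSON layout so both paths can be checked the same way. The accepted policy and rule_type values, the identifier shapes, and the default of BINARY when rule_type is omitted are my assumptions based on Santa's public rule format, not something this thread states; the sample rules file and plist are constructed.

```python
"""Validate Santa rule files before `santactl rule --import`, and convert
a StaticRules plist fragment to the JSON rules layout.

Added example, not code from the Santa project. The accepted values and
identifier shapes below are validation assumptions; check them against
the Santa version you run.
"""
import json
import plistlib
import re

# Assumed value sets (ALLOWLIST/BLOCKLIST, TEAMID/CERTIFICATE appear in the thread).
POLICIES = {"ALLOWLIST", "BLOCKLIST", "SILENT_BLOCKLIST", "ALLOWLIST_COMPILER"}
RULE_TYPES = {"BINARY", "CERTIFICATE", "TEAMID", "SIGNINGID"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
TEAMID_RE = re.compile(r"^[A-Z0-9]{10}$")
SIGNINGID_RE = re.compile(r"^(platform|[A-Z0-9]{10}):\S+$")


def identifier_errors(rule_type, identifier):
    """Return problems with the identifier for the given rule type (assumed shapes)."""
    if rule_type in ("BINARY", "CERTIFICATE") and not SHA256_RE.match(identifier):
        return [f"{rule_type} identifier must be 64 lowercase hex chars: {identifier!r}"]
    if rule_type == "TEAMID" and not TEAMID_RE.match(identifier):
        return [f"TEAMID identifier must be a 10-char team ID: {identifier!r}"]
    if rule_type == "SIGNINGID" and not SIGNINGID_RE.match(identifier):
        return [f"SIGNINGID identifier must look like TEAMID:signing.id: {identifier!r}"]
    return []


def validate_rules(doc):
    """Validate a parsed rules document ({"rules": [...]}) and return every error found."""
    errors = []
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list):
        return ["top-level object must have a 'rules' array"]
    for i, rule in enumerate(rules):
        where = f"rules[{i}]"
        if not isinstance(rule, dict):
            errors.append(f"{where}: rule must be an object")
            continue
        policy = rule.get("policy")
        if policy not in POLICIES:
            errors.append(f"{where}: policy must be one of {sorted(POLICIES)}, got {policy!r}")
        # Assumption: a rule without rule_type is a BINARY (sha256) rule, as in the thread's sample.
        rule_type = rule.get("rule_type", "BINARY")
        if rule_type not in RULE_TYPES:
            errors.append(f"{where}: rule_type must be one of {sorted(RULE_TYPES)}, got {rule_type!r}")
        identifier = rule.get("identifier")
        if not isinstance(identifier, str) or not identifier:
            errors.append(f"{where}: identifier is required")
        elif rule_type in RULE_TYPES:
            errors.extend(f"{where}: {e}" for e in identifier_errors(rule_type, identifier))
    return errors


def load_json_rules(text):
    """Parse a JSON rules file; return (doc, errors). A syntax error reports its position."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"JSON syntax error at line {exc.lineno} col {exc.colno}: {exc.msg}"]
    return doc, validate_rules(doc)


def static_rules_to_json(plist_bytes):
    """Convert the StaticRules array of a Santa config plist into the JSON rules layout."""
    cfg = plistlib.loads(plist_bytes)
    return {"rules": [dict(rule) for rule in cfg.get("StaticRules", [])]}


# Constructed sample: the JSON shape from the thread (with the comma after "identifier").
GOOD_JSON = """{"rules": [
    {"policy": "BLOCKLIST",
     "identifier": "84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6",
     "custom_url": "",
     "custom_msg": "/bin/ls block for demo"}
]}"""

# Constructed sample with that comma dropped: the kind of typo that leaves zero rules loaded.
BAD_JSON = GOOD_JSON.replace('68a6",', '68a6"', 1)

# Constructed sample: a minimal config plist carrying one StaticRules entry from the thread.
STATIC_RULES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>StaticRules</key>
  <array>
    <dict>
      <key>identifier</key><string>EQHXZ8M8AV</string>
      <key>policy</key><string>ALLOWLIST</string>
      <key>rule_type</key><string>TEAMID</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_JSON), ("bad", BAD_JSON)):
        _, errs = load_json_rules(text)
        print(name, "->", errs or "ok")
    print("plist ->", validate_rules(static_rules_to_json(STATIC_RULES_PLIST)) or "ok")
```

Running the checker against a file before importing it gives a concrete reason when santactl ends up with a rule count of zero, rather than leaving you to guess whether the file or the deployment path is at fault.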

pmarkowsky commented on May 10, 2024

> FWIW I have tried to deploy both the default template as well as a few slimmed-down versions I modified--nothing changes the rule count from zero though.

@Zehpto Since it sounds like you're doing static rules with Jamf, can you send us the log output from log show --predicate 'sender == "com.google.santa.daemon"'?


Zehpto commented on May 10, 2024

Hey @pmarkowsky,

Thanks for the response. Yes, you are correct, I am trying to define the rules in the XML statically. When a few test items I added didn't work, I exclusively attempted to use the three that ship with the template in case I had introduced a syntax error or the like. FWIW, I have tried to deploy the system extensions, PPPC, and Santa config as both one configuration profile as well as three different ones--not that I would expect different behavior. Additionally, I have tried to both upload the mobileconfig as well as manually port the configuration over so that a custom payload isn't used in the Jamf configuration profile. I very likely am overlooking something simple...

I have tested in two different Jamf environments and blown everything away a few times in each. To avoid inundating you with multiple disparate issues I will just focus only on one.

[Attachment: log.txt]

I do see reference in the log to full-disk access missing, so I went ahead and uploaded screenshots of that configuration.

[Screenshots: Full Disk Access configuration, 2024-01-28, 11:30 AM (three images)]

One quick follow-up question, hypothetically: if rules were defined via the command line and rules were then also loaded via a config profile or JSON, would it overwrite the entire rules.db file or would it just insert additional rules?

Thanks in advance!


Zehpto commented on May 10, 2024

I went back and verified. Both environments have the same configuration profiles (literal export and import). Environment #2 has nothing other than high CPU warnings. What is weird is that adding local rules says the rules.db database is corrupt.


pmarkowsky commented on May 10, 2024

@Zehpto were you able to sort this out?

Your comments about the database being corrupted seem like something is off environmentally.


Zehpto commented on May 10, 2024

Hey @pmarkowsky, this got backburnered due to other issues. I think you are probably right. Is there a clean/preferred way to completely nuke the local instance between experiments? I have been removing the binary and /var/db/santa, but I'm not exactly sure where any other cached files might live.

