google / santa Goto Github PK
View Code? Open in Web Editor NEWA binary authorization and monitoring system for macOS
Home Page: https://santa.dev
License: Apache License 2.0
A binary authorization and monitoring system for macOS
Home Page: https://santa.dev
License: Apache License 2.0
RE2 is faster than ICU (used by NSRegularExpression) for most types of expression at both matching and compiling.
It would possibly be prudent to benchmark some example regexes that are likely to be used in Santa (generally short input text, not recompiled regularly, lots of use of OR) before implementing but given the benchmarks already done I think it very unlikely ICU will come out ahead on average.
For implementation: I think a very simple ObjC wrapper around RE2 would make switching and memory management easier. It would also limit the exposure to Objective-C++ to just that wrapper class, which is nice.
The biggest issue is getting RE2 into the build process: the other dependencies are installed with CocoaPods and a Pod for RE2 is not available.
Pardon that this is in a similar vein to #14, and also that I haven't started trial-ing Santa or dug in deep enough to know if this can be reported on in 'observation' mode, but as per exploit tpwn's purported mitigation NULLGuard, supposedly more than just this POC would be caught by checking binaries for lack-of-__PAGEZERO. Not sure I have much to add, I understand if enabling Santa to report on this wouldn't be worth the effort if it is indeed not present in 10.11.
<insert I have no idea what I'm doing dog meme>
Just noticed this on Sierra b7 when running an unzipped app from ~/Downloads while a /Users/* BlacklistRegex is in effect:
[2016-08-29T14:32:34.630Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=34816961a6212c39805175cc96ef49f2becffa735860f03309633dc1c6b9a123|path=/private/var/folders/68/kkjfhl7x02q6jm24yhz3qpfhs2__5t/T/AppTranslocation/8EB845D2-BE0C-41DB-BEFB-5E0BF5DCD270/d/BitBar.app/Contents/MacOS/BitBar|args=/private/var/folders/68/kkjfhl7x02q6jm24yhz3qpfhs2__5t/T/AppTranslocation/8EB845D2-BE0C-41DB-BEFB-5E0BF5DCD270/d/BitBar.app/Contents/MacOS/BitBar -psn_0_1782195|cert_sha256=9870c06f1e263263353b3394d304752389a48f3c92454602a70f2656356b4a0d|cert_cn=Developer ID Application: Code and That Ltd (B3T8QSC4HG)|quarantine_url=https://github-cloud.s3.amazonaws.com/releases/14376285/aed19af8-f5af-11e5-8392-8569a48c2fcf.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160829%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160829T143224Z&X-Amz-Expires=300&X-Amz-Signature=317eb3f720c5165558b00c6c09dbe00225ef1f35af08ca5a47261cd4b00ba34a&X-Amz-SignedHeaders=host&actor_id=388808&response-content-disposition=attachment%3B%20filename%3DBitBar-v1.9.1.zip&response-content-type=application%2Foctet-stream|pid=5436|ppid=1|uid=841296058|user=abanks|gid=xxxxxx|mode=M
I would think this harms the effectiveness of path-based blacklisting.
without config client configuration , how to change monitor mode to lockdown mode , I can not find the option in help or somewhere
I'm unable to install due to missing pods,
%> pod install
Analyzing dependencies
[!] The version of CocoaPods used to generate the lockfile (1.0.1) is higher than the version of the current executable (1.0.0). Incompatibility issues may arise.
[!] Unable to find a specification for `MOLAuthenticatingURLSession
Any ideas?
I am planning on forking and modifying santa to be part of a commercial product idea I have. However, for reasons that should be obvious I must use the upstream santa-driver KEXT. This bundle contains the binaries for santactl
and santad
, which I want to replace with modified versions. Unfortunately, these binaries are listed in the code-signing manifest for the KEXT, so I cannot remove or replace them without breaking the code signature. Is there any way I can do this? Your README recommends using just this methodology to modify Santa without needing my own KEXT-signing certificate. Any pointers?
An install script would be nice for those that:
Santa is looking for $APP/Contents/MacOS/$APP, but sometimes the binary name will be different.
$ santactl fileinfo /Applications/YubiKey\ NEO\ Manager.app
Invalid or empty file
$ santactl fileinfo /Applications/YubiKey\ NEO\ Manager.app/Contents/MacOS/neoman
Path : /Applications/YubiKey NEO Manager.app/Contents/MacOS/neoman
SHA-256 : 4e23599890afe0500cbc198cec53737f14a64fcd7ba51fefa3e621b1113add35
SHA-1 : 2961bfb9390a6a1897fcc37e087e3a7e1e5a2f98
Type : Thin Binary (x86-64)
Code-signed : Yes
Signing chain:
1. SHA-256 : f4ec6daf9ae6ad49f6d3999ad8928ea1d3a945941590bc33ba9d8e3559023cbd
SHA-1 : c2f8bdd13149fe7911b6bb20886bb65cdcc5b57b
Common Name : Developer ID Application: Yubico Limited
Organization : Yubico Limited
Organizational Unit : LQA3CS5MM7
Valid From : 2012/10/04 07:57:20 +0100
Valid Until : 2017/10/05 07:57:20 +0100
[...]
I'd like to do several enhancements in SantaGUI, like adding an icon to the statusbar with information about the connection with the daemon, the last events etc. Any suggestions about that?
I'm hoping to make this easier to trial without a sync server, which I know is already asking for a bit much, but on behalf of lazy selfish admins I thought I'd ask:
Along with #78, could we look at ways of making adding whitelist rules at the CLI easier? I'd think the common-case for using santactl at all is to whitelist, and --path
seems to would be easiest to copy-paste into terminal from the block dialog (would also be nice if the dialog went to the pasteboard escaped... I'm asking too much, aren't I.) Could we make the rule subcommand not require --whitelist or --path? Path also doesn't currently try to extract leaf certs for building the rule (if present), could that functionality be enabled?
Similar to how osquery collects common queries into 'packs' to be enabled in their config, it would be great to be able to import/export rules from the database as an option to santactl. Bonus points would be if output from santactl fileinfo
was in that format to start with, so you could build up a collection from the results of fingerprinting a binary or its cert.
Currently if execution is blocked without a user logged in (like during startup) no notification is created as SantaGUI isn't running. This can be confusing when packages install daemon processes which are then blocked, causing the application to not function, with no notification that this has occurred.
santad should queue up messages to SantaGUI when no connection is established.
We run Santa connected to Zentral (https://github.com/zentralopensource) as TLS server for Santa - while base functionality is same, blacklisting works as with santa 0.9.7 - we don't see any GUI MessageWindow on clients with Santa 0.9.8.
Once we reinstall previous santa 0.9.7 version again via munki the GUI window appears as did in all earlier versions of Santa we have used.
Would be great to get a short hint what could go wrong, new key required ? - probably we just missed something from release notes for Santa 0.9.8 ?
BTW the JSON blob that works with 0.9.7 and fails with 0.9.8:
{'custom_msg': 'Blocked to launch Transmission.app - be aware this is is a infected binary', 'policy': 'BLACKLIST', 'rule_type': 'BINARY', 'sha256': 'ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a'}
Hi,
First, you guys rock! It's so amazing and nicely coded project.
I understand that the purpose of Santa was for executable scanning. However, some files are not directly executables. I was trying to filter files by sending the FILEOP scope results to the daemon for filtering, but the system freezed once the kext was loaded. (I do always return KAUTH_RESULT_DEFER
as Apple's suggested on FILEOP scope. But seems the action of sending messages from that scope to the daemon will cause the freeze. I haven't been able to retrieve the log as the system will freeze again on the reboot, and I haven't been able to get into single user mode in a VM.)
Have you guys try something like that and decided not to do so because the performance was bad? Or there were other limitations regarding the system itself on "on access" filtering?
Best,
Cai
Steps to repro: 1. use path-based blocking in MONITOR mode for /Users/*, as specified in the BlacklistRegex example. 2. Install app(link below)
It immediately tries to launch and displays a block message, but the Chrome App opens behind the Santa window.
I've taken a video to display the triggering of a block message that doesn't result in stopping the Chrome App in question, Sign Builder, from launching. Only seems to occur once per Chrome session, so it will recur during a login session if Chrome is quit and reopened.
Repro'd on both Sierra b7 and 10.11.6, Chrome 52.0.2743.116
The logged message:
[2016-08-28T22:54:47.562Z] I santad: action=EXEC|decision=DENY|reason=SCOPE|explain=Blacklist Regex|sha256=99d94d9c
4106baf98918b6472a3b7e0532a1b9398c5fceead4436c859b45f5a5|path=/Users/abanks/Applications/Chrome Apps.localized/Defa
ult odjaaghiehpobimgdjjfofmablbaleem.app/Contents/MacOS/app_mode_loader|cert_sha256=15b8ce88e10f04c88a5542234fbdfc1
487e9c2f64058a05027c7c34fc4201153|cert_cn=Developer ID Application: Google Inc.|pid=3098|ppid=1|uid=841296058|user=
abanks|gid=xxxxxx|group=(null)|mode=M
Hi,
Is the SNTExecutionController.h
missing a #include "SNTEventLog.h
?
Also, to prevent dylib injection via environment variables, you can use MAC policy to filter the. (Tho it can't stop them all, as there are other ways to load the dylib.) I've tried using KAUTH_VNODE_READ
to perform file scanning on dylib files (check it's header with VNOP_*
directly within kernel space to increase the speed), but seems the system still will freeze due to the slow communication with the daemon.
Best,
Cai
Hi!
Thanks for putting this out there, it's really needed for OS X! I was able to get this working on OS X 10.9, however, I noticed that there was no example config.plist (for /var/db/santa/config.plist ref:
santa/Source/common/SNTConfigurator.m
Line 26 in 0798868
Is it possible to include an example in the project?
Thanks,
Josh
i think you can copy a signed binary to somewhere you can modify it. open the signed binary with write access. execute the signed binary. change the signed binary to do bad stuff. then execute the binary again. this is my understanding of this code because the write event is only created when you open a file for writing:
Here is the santa logs for two scenarios. One is executing a binary. Overwriting the binary. Then executing the binary again. This generates two log entries.
The other opens the binary. Then executes the binary. Then overwrites the binary using the fd generated before executing the binary. This generates only one log entry. I think this is bypassing santa. However, I'm running in MONITOR mode so I'm not 100% sure.
#include <fcntl.h>
int main() {
system("rm -f ./foo.target");
system("cp ./foo ./foo.target");
system("./foo.target");
system("cp ./foobar ./foo.target");
system("./foo.target");
}
[2015-04-21 13:27:03.925Z] I santad: A|?|ea3e2e2c8b1e8515bbc536192113a40b2386bc8ba3f68805edfc2a66944a3461|/private/tmp/normal
[2015-04-21 13:27:03.940Z] I santad: A|?|c820d5e53c2de264dc29e5575d77b71417b51f035fe4c794c0c823a797784054|/private/tmp/foo.target
[2015-04-21 13:27:03.962Z] I santad: A|?|5d4d87dceda695fb9df2b647399886088d4d3e0754a00ac3f77f99c03ea5d44c|/private/tmp/foo.target
#include <fcntl.h>
int main() {
system("rm -f ./foo.target");
system("cp ./foo ./foo.target");
int fd = open("./foo.target", O_WRONLY);
if (fd < 0) {
perror("openw");
exit(-1);
}
system("./foo.target");
char buf[1024];
int rfd = open("./foobar", O_RDONLY);
if (rfd < 0) {
perror("open");
exit(-1);
}
int len;
while ((len = read(rfd, buf, sizeof(buf))) != 0) {
if (len < 0) {
perror("wat");
exit(-1);
}
int wlen = write(fd, buf, len);
if (wlen != len) {
exit(-1);
}
}
system("./foo.target");
}
[2015-04-21 13:32:36.791Z] I santad: A|?|f8495ffe1bde4c61d145ba606326e2ecc396297ef127af492cfc2a7023602494|/private/tmp/break
[2015-04-21 13:32:36.822Z] I santad: A|?|c820d5e53c2de264dc29e5575d77b71417b51f035fe4c794c0c823a797784054|/private/tmp/foo.target
G'day!
I've created a Homebrew Cask so that I can install Santa as part of a bootstrap script, would you be okay with me submitting a PR for it, or would you like to submit it?
Rich
Would it be possible to add the ability to blacklist applications based on specific location path instead of hash. Such as a application in "/Applications/Safari.app" with that exact path and name could not be ran.
Enabling you to blacklist applications, that constantly being updated such stock Apple apps without having to constantly update the hash ever time they update.
edit:fixed :)
The Rule field in santactl/fileinfo output is useful but it only works for binary/cert rules, it doesn't account for page zero configuration or whitelist/blacklist regexes.
Projects like https://github.com/sektioneins/osx_verify allow us to start with a fingerprinted system state, and if things are deterministic we should end up with a state on-disk of all binaries possibly run before 3rd party software or updates are applied. I'd like to run fileinfo on a couple of things to get whitelisted off the bat as a base system state, with the idea that you could therefore go into LOCKDOWN with some assurance that you won't let the system eat itself. To do so, I'm not sure the most optimal workflow, but I envision it would be something like doing a db dump and restore, with TLS-endpoint/API integration coming later.
It also seems like a good idea to tag it to a specific build version, so you can degrade more safely if changes happen without the db keeping in sync.
I'm trying to whitelist google auto updater (perhaps) with a certificate rule,
When the santa dialog pops up I copied the path, and issued a command,
%> sudo santactl rule --whitelist --certificate --path /tmp/KSOutOfProcessFetcher.501.xxxxx\=/
2016-08-28 11:03:34.142 santactl[4340:46065] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[NSURL initFileURLWithPath:]: nil string parameter'
*** First throw call stack:
(
0 CoreFoundation 0x00007fff98c874f2 __exceptionPreprocess + 178
1 libobjc.A.dylib 0x00007fff979e8f7e objc_exception_throw + 48
2 CoreFoundation 0x00007fff98cee4bd +[NSException raise:format:] + 205
3 Foundation 0x00007fff970b8449 -[NSURL(NSURL) initFileURLWithPath:] + 131
4 Foundation 0x00007fff970b83b1 +[NSURL(NSURL) fileURLWithPath:] + 45
5 santactl 0x000000010dd6274c -[MOLCodesignChecker initWithBinaryPath:error:] + 44
6 santactl 0x000000010dd62804 -[MOLCodesignChecker initWithBinaryPath:] + 36
7 santactl 0x000000010dd49e97 +[SNTCommandRule runWithArguments:daemonConnection:] + 1383
8 santactl 0x000000010dd53005 +[SNTCommandController runCommandWithName:arguments:] + 181
9 santactl 0x000000010dd4baad main + 621
10 libdyld.dylib 0x00007fff8fec45ad start + 1
11 ??? 0x0000000000000006 0x0 + 6
)
libc++abi.dylib: terminating with uncaught exception of type NSException
Also please append sudo
to the front of the blacklist example at the top of the getting started guide
is it possible to block or grant execution based off of where an executable is stored?
Does this look correct? I'm not able to get it to work.
There will be times when a user wants to dismiss a Santa pop-up and not have it pop-up again for some period of time. For instance if the user installs something that is not whitelisted and runs every few minutes, but they are off-line and can not get a new rule to allow the binary. They should be able to dismiss notifications about that binary for 24-hours or until next restart or something.
I don't see an easy way to set up the initial information about executables on your system. I played with a Python script (sorry my ruby skills are limited) that parses the log file and grabs unique paths and developers that have been launched. My idea is to extend this to allow the user to let this run for a while, and then run this tool that would parse through the logs and allow them to add exceptions as they would see fit. Right now, it is just dumping out the info.
More ideas for the future:
-Dump to some sort of json/xml structure and allow the user to edit, user can then accept all executables in that xml structure
-Allow the user to see what recently has been denied, then maybe approve the executable easily
-Allow the user to only see non-signed executables and signed executables (so that they can accept the cert first, then add a rule for the path
Is there any tool like this? Would you be interested in me extending this idea? Should I just make it a separate project or would you be interested in integrating this with your project?
The output is this:
Unique Executables:
Path of the executable: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker
Common name of the certificate that signed the executable: (null)
SHA256 hash of the executable: None
SHA256 hash of the cert that signed the executable: None
Path of the executable: /Users/dlohin/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent
Common name of the certificate that signed the executable: Developer ID Application: Google Inc.
SHA256 hash of the executable: a71d1105b521135c071b34c3912f9e1fb7dcd14efcb4c699d27838c977294c20
SHA256 hash of the cert that signed the executable: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153
Path of the executable: /bin/ps
Common name of the certificate that signed the executable: Software Signing
SHA256 hash of the executable: 0b0f518e945e2803772a85dcd48366955abf345b2cd1cbc24b2004aab70e94e7
SHA256 hash of the cert that signed the executable: 2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32
Path of the executable: /Applications/Google Chrome.app/Contents/Versions/45.0.2454.93/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
Common name of the certificate that signed the executable: Developer ID Application: Google Inc.
SHA256 hash of the executable: 1d8d25946e09aecb63fb683e019914db235540d5ae80a925dda9092b19a13411
SHA256 hash of the cert that signed the executable: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153
Path of the executable: /Applications/GPG Keychain.app/Contents/MacOS/GPG Keychain
Common name of the certificate that signed the executable: Developer ID Application: Lukas Pitschl
SHA256 hash of the executable: 4a9d7ef5f8ff93f346802ec5d541e7fbf002a7ba3eb5d5464ce69ff32bc56329
SHA256 hash of the cert that signed the executable: cc4c6b01ade3162ee5d3aa46139efe89f210767edc9227a8185df8d3b1906bf0
Path of the executable: /sbin/umount
Common name of the certificate that signed the executable: (null)
SHA256 hash of the executable: None
SHA256 hash of the cert that signed the executable: None
Path of the executable: /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
Common name of the certificate that signed the executable: Developer ID Application: Microsoft Corporation (UBF8T346G9)
SHA256 hash of the executable: 8fa785826445d9b3e86d37f53d101639431ded8bc763f1f0321b1d5ca6f1fb0e
SHA256 hash of the cert that signed the executable: adced5ef3635ab1debda86f02dc55e96cefedf7bd7fe7519f0a806092bf75873
...CONTINUED......
Unique Publishers:
Common Name: Apple Mac OS Application Signing
SHA256 hash of the cert that signed the executable: ad9dba778a3a1204a02298193be3c8d184a6bdc0d10ae109dfaf356722b3cf92
Common Name: Developer ID Application: Google Inc.
SHA256 hash of the cert that signed the executable: 15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153
Common Name: Software Signing
SHA256 hash of the cert that signed the executable: 2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32
Common Name: Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)
SHA256 hash of the cert that signed the executable: 9f9dd26b6ad69cd86438ee416d527b8a9ed871a2bd75cdf8f9cf2345a9cbeb38
....Continued......
Code is:
SantaParseLibs.py:
author = 'dlohin'
class santa_data_structure(object):
def init(self,executable_cn = None, executable_hash = None, cert_hash = None):
"""
Pass in each entry of santa.log and add it to a dictionary
:type executable_cn: str
:type executable_hash: str
:type cert_hash: str
"""
self.executable_cn= executable_cn
self.executable_hash = executable_hash
self.cert_hash = cert_hash
SantaParser.py:
author = 'dlohin'
from SantaParseLibs import santa_data_structure
import re
f = open('/var/log/santa.log',mode='r')
unique_executables = {}
unique_publishers={}
for line in f:
#print(i)
exectuble_info = line.split("|")
executable_dict = {}
#Hit each variable in the log file
for i in exectuble_info:
info = i.split("=")
#We have some stuff about service starting in the beginning, ignore it
try:
executable_dict[info[0]] = info[1]
except:
pass
if executable_dict:
#Already have the executable, ignore
if executable_dict['path'] not in unique_executables:
#see if it is a signed executable first
if 'cert_cn' in executable_dict:
#Add the unique exectuable to a dictionary with certs
unique_executables[executable_dict['path']] = santa_data_structure(executable_dict['cert_cn'],executable_dict['sha256'],executable_dict['cert_sha256'])
#Lets add the unique publisher if it doesn't exist already
if executable_dict['cert_cn'] not in unique_publishers:
unique_publishers[executable_dict['cert_cn']] = executable_dict['cert_sha256']
else:
#This isn't a signed executable, just add the path
unique_executables[executable_dict['path']] = santa_data_structure(executable_dict['sha256'])
#print(unique_executables)
print("Unique Executables:")
for key, value in unique_executables.items():
print(" Path of the executable: %s" % key)
print(" Common name of the certificate that signed the executable: %s" % value.executable_cn)
print(" SHA256 hash of the executable: %s" % value.executable_hash)
print(" SHA256 hash of the cert that signed the executable: %s\n" % value.cert_hash)
print("Unique Publishers:")
for key, value in unique_publishers.items():
print(" Common Name: %s" % key)
print(" SHA256 hash of the cert that signed the executable: %s\n" % value)
If you try incomplete commands looking for interactive help on the command line, santactl crashes:
$ sudo santactl rule add --whitelist --path
2015-07-22 08:54:02.591 santactl[21154:230605] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSArrayM objectAtIndex:]: index 3 beyond bounds [0 .. 2]'
*** First throw call stack:
(
0 CoreFoundation 0x00007fff8e96f03c __exceptionPreprocess + 172
1 libobjc.A.dylib 0x00007fff8e61e76e objc_exception_throw + 43
2 CoreFoundation 0x00007fff8e8381e4 -[__NSArrayM objectAtIndex:] + 260
3 santactl 0x0000000105c2e355 +[SNTCommandRule runWithArguments:daemonConnection:] + 853
4 santactl 0x0000000105c36312 +[SNTCommandController runCommandWithName:arguments:] + 193
5 santactl 0x0000000105c2f4e8 main + 514
6 libdyld.dylib 0x00007fff964a75c9 start + 1
)
libc++abi.dylib: terminating with uncaught exception of type NSException
$
I would prefer some usage output (including an early warning if SyncBaseURL is set).
I've noticed certain machine names will not reported back correctly while running santa 0.9.9 connected to Zentral as TLS server for santa policies/event reporting ( compared to munki and other tools providing similar information ). Noticed for 10.11.4 / 10.11.5 clients tested with some UTF-8 characters in name:
i.e. a Mac named "testømat" will result in "testmat"
or "t€apot" will result in "tapot", etc.
Currently quarantine data is being collected only for uploading to a server but it would be good for the data to also go to the logs.
The wiki is incomplete.
santactl rule
command? I'm trying not to open the SQLite file directly ....Common case when collecting certs from binaries to whitelist is just grabbing the leaf cert sha256 fingerprint. Please expose that as an option, maybe something like --certsha
.
I'm working on autopkg recipes for santa, but can't use code signature verification for the pkg, which adds multiple steps unpacking the payload and verifying the signatures after each release gets pulled. Waiting on this pr to be merged before I can even check the kext separately. Ideally we'd just need to run pkgutil --check-signature /Volumes/santa-0.9.8/santa-0.9.8.pkg
to generate the config that would verify all artifacts contained therein. If that's not desirable or doable in the meantime, is it possible to publicly post a hash of each release pkg that we can query over the GitHub API?
I'd assume once you hit 1.0 you may have signed pkgs, just starting the conversation now.
Does anyone have an example of the syntax used for blacklisting in monitor mode or whitelisting in lockdown mode? Thanks!
Dyld Error Message:
Symbol not found: _IORegistryEntryCopyFromPath
Referenced from: /Library/Extensions/santa-driver.kext/Contents/MacOS/santad
Expected in: /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Will need to find an alternative or weak-link and only use that code on OS versions that support it.
Syslog/ASL logging can be quite slow, given that amount of string parsing we have to do. To make matters worse we're converting structured data into a string only to later send that to a server and use regexes to convert it back to structured data.
A potentially better solution would be to use protobufs or similar, writing structured records directly to disk as a stream.
This should probably be a configurable option as not all log-collection systems can be made to cope with protobufs.
We're meant to be collecting quarantine data for events but the collection mechanism in SNTFileInfo isn't working properly in santad (though it seems to work fine in santactl)
On Getting Started and Configuration, there's incorrect syntax for adding a BlacklistRegex:
$ sudo defaults write /var/db/santa/config.plist BlacklistRegex '^(?:/Users)/.*'
Password:
2016-08-28 15:25:52.813 defaults[1324:124497] Could not parse: ^(?:/Users)/.*. Try single-quoting it.
With the new fileinfo output, we should update the syntax for gathering a leaf cert sha256 in step 2 of Getting Started's Recommended Deployment section.
I also think we should clarify that if the daemon is stopped, you wouldn't see Rule information in fileinfo full output, to proactively address what could be a FAQ for the nervous.
Keystone puts an executable into a folder in /tmp.
And constantly gets flagged by Santa, regardless of any futile effort to whitelist it.
There are probably explanations for it, but it is a bit annoying.
Ironic, too.
Currently if a binary fails codesign validation for any reason, it's assumed to not be codesigned. This is fine for decision-making purposes but it would be nice for santactl fileinfo
to provide clearer output.
Knowing which disk image an executable came from can be very useful when tracking down possible malware. Knowing where that DMG was downloaded from is even better.
Possible method for this:
hdiutil info -plist
each time a mount happensJust a minor thing - in the readme you offer 2 different solutions to signed kexts, the second being:-
- Apply for your own kext signing certificate.
I applied for one of these (saying I wanted to play with santa) and apple replied with the following:-
KEXT signing is intended for signing commercially shipping kexts or projects broadly distributed in a large organization. The use you describe does not need a signed kext.
The email goes on to suggest the debug mode you mention, enclosing here in case it's useful:-
"In order to load unsigned kexts, the system must have "KEXT Developer Mode" enabled by adding the "kext-dev- mode=1" boot-arg. The following command (followed by a reboot) would be suitable to prepare a system for testing non-production kexts:
sudo nvram boot-args="debug=0x146 kext-dev-mode=1"Once this is done, the machine will be able to load any valid kext; signatures will still be checked, but a failed verification will just result in a log message. Note: This applies to kexts that contain a binary, as well as codeless
(plist-only) kexts.
I think you have a corrupt .dmg on your hands!
Please import https://github.com/arubdesu/santa/wiki as you see fit, probably by cloning down with your creds and replacing the files locally.
I have three points that I could use help clarifying, although I know I'm hand-wave-y other places as well:
^
to those that don't have itI also renamed pages over there, and probably didn't set all of the links between page sections 100% correctly, but unless you made me a collaborator on the repo it seems I can't edit the wiki here.
Hi,
I'm not sure if you've seen this or not, but its possible to bypass santa using DYLD_INSERT_LIBRARIES, as per https://reverse.put.as/2015/04/13/how-to-bypass-googles-santa-lockdown-mode/
I think I'm not clearing the launchagent properly while testing, so I'm therefore having some difficulty reproducing what I'm talking about cleanly, but I'm hoping to make end users less concerned while in trial data-gathering mode. During this time, I'm pretty sure I want path-based blocks to use the UnknownBlockMessage instead of Banned, as it is more applicable to the reality of what users have encountered. (i.e., there isn't an explicit blacklist entry for the binary/dev cert, but instead is just being launched from a blacklist path that doesn't have an explicitly whitelisted binary/cert.)
It almost makes sense to me that the common case would instead call for the default message when a BlacklistRegex rule is triggered should be what the UnknownBlockMessage is unless overridden, as that may be more faithful to the recommended workflow admins should be encouraged to follow. I don't want this to be death by a thousand customizations, but would PathBlockMessage be a useful pref to expose?
Hi there,
As above, the latest Santa .dmg does not appear to install the config.plist file, included in the source .tar. Is this intentional, or am I missing something?
Thanks,
Andrew
To accelerate adding to the whitelist, the most applicable criteria for building a rule to be fed into the database should be surfaced in the block GUI, rather than tracking it down in the log every time. (At least it didn't seem accessible from the cert inspection GUI when I tested with .9.13.) If we already have a crowded window, the identifier seem like a lower priority, as less-savvy customers may not find that useful in common practice.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.