
Allow access to SCOPE rules in Sync servers

Open zbuc opened this issue 6 years ago • 6 comments

I notice that only binary and certificate rules can be synced from servers: https://github.com/google/santa/blob/b70442e483887ed2368003dbe5f736931401d535/Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m#L146

Would it be possible to allow SCOPE rules to be served by Sync servers? Managing them in the properties for the app is additional complexity and difficult because not all rules can be managed in a single location.

zbuc avatar Jun 06 '18 00:06 zbuc

There aren't really SCOPE rules, just a number of hardcoded checks (see fileIsScopeWhitelisted: and fileIsScopeBlacklisted:). The two regexes can be configured using a sync server.

What specifically were you hoping to block/allow?

russellhancox avatar Jun 06 '18 17:06 russellhancox

I got the idea about SCOPE rules from a snippet in the Upvote docs:

https://github.com/google/upvote/blob/master/docs/santa_sync.md

> Policy Syncing
>
> Santa supports three different policy types:
>
> - WHITELIST: Allow execution
> - BLACKLIST: Block execution
> - REMOVE: Remove any pre-existing policy entry (NOT the file itself)
>
> ...and three different Rule types:
>
> - BINARY: Apply the policy to a binary.
> - CERTIFICATE: Apply the policy to any binary signed by the signing certificate.
> - SCOPE: Apply the policy to any file whose path matches a regex.

Basically I'm looking for an easier way for our analysts to manage path-based whitelist, as they don't have access to our configuration management server which manages the plist used by Santa, but they do have access to our Santa sync server.

zbuc avatar Jun 06 '18 17:06 zbuc

Gotcha. So, yes, if the sync server fully implements the preflight request the path-based whitelists can be delivered there; Upvote implements this as a per-host setting.

russellhancox avatar Jun 06 '18 17:06 russellhancox

I didn't realize the preflight request had support for delivering path-based whitelists.

How does this interact with the paths defined in the plist?

zbuc avatar Jun 06 '18 17:06 zbuc

Config pulled from a sync server has higher precedence than local configuration.

russellhancox avatar Jun 06 '18 18:06 russellhancox
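To make the precedence point above concrete, here is an added example (not code from Santa, Upvote, or any participant in this thread) that merges a locally configured path-regex pair with the pair delivered in a sync server's preflight response, letting the sync-supplied values win, and then classifies a path the way a scope check would. The config key names, the preflight field names, and the rule that a blocked-path match is evaluated before an allowed-path match are all assumptions made for this illustration.

```python
import re
from typing import Optional

# Constructed stand-in for the local plist Santa reads (key names are assumed).
LOCAL_CONFIG = {
    "AllowedPathRegex": r"^/Users/[^/]+/Developer/",
    "BlockedPathRegex": None,
}

# Constructed stand-in for a sync server's preflight response (field names are assumed).
PREFLIGHT_RESPONSE = {
    "allowed_path_regex": r"^/opt/approved-tools/",
    "blocked_path_regex": r"^/Users/[^/]+/Downloads/",
}

# Assumed mapping from preflight fields to the local config keys they override.
PREFLIGHT_TO_LOCAL = {
    "allowed_path_regex": "AllowedPathRegex",
    "blocked_path_regex": "BlockedPathRegex",
}


def effective_config(local: dict, preflight: dict) -> dict:
    """Return the config the agent would act on: sync-supplied values beat local ones."""
    merged = dict(local)
    for sync_key, local_key in PREFLIGHT_TO_LOCAL.items():
        value = preflight.get(sync_key)
        if value:  # a non-empty sync value replaces whatever the plist said
            merged[local_key] = value
    return merged


def _compile(pattern: Optional[str]) -> Optional[re.Pattern]:
    return re.compile(pattern) if pattern else None


def scope_decision(path: str, config: dict) -> Optional[str]:
    """Classify a path by the two regexes; None means no scope rule matched."""
    blocked = _compile(config.get("BlockedPathRegex"))
    allowed = _compile(config.get("AllowedPathRegex"))
    # Assumption: a blocked-path match is checked before an allowed-path match.
    if blocked and blocked.search(path):
        return "BLOCK_SCOPE"
    if allowed and allowed.search(path):
        return "ALLOW_SCOPE"
    return None  # fall through to binary/certificate rules


if __name__ == "__main__":
    cfg = effective_config(LOCAL_CONFIG, PREFLIGHT_RESPONSE)
    for p in ["/Users/alice/Downloads/tool", "/opt/approved-tools/bin/x", "/Users/alice/Developer/app"]:
        print(p, "->", scope_decision(p, cfg))
```

Note that the locally allowed Developer path stops matching once the sync server supplies its own allowed-path regex, which is exactly the override behaviour to verify before relying on sync-delivered paths.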

Hey @zbuc!

Upvote dev here. Given the dubious security proposition of path-based whitelisting, we haven't put much effort into surfacing that feature. Notably, the Upvote documentation is definitely wrong in its description of Santa's sync process. Santa has the notion of a {ALLOW/BLOCK}_SCOPE reason for a decision but not a SCOPE rule.

wrt Upvote-based configuration of these fields, I've filed an issue against Upvote to track the change.

Thanks for reaching out!

msuozzo avatar Jun 06 '18 19:06 msuozzo

Marking this as closed, since it's been two years and we support the requested feature via the sync protocol.

pmarkowsky avatar Mar 10 '23 20:03 pmarkowsky