
Listening to Events

Open eopeter opened this issue 1 year ago • 2 comments

How do I subscribe to events generated by Santa.

For example, I have an app that would like to listen in when Santa blocks a binary and would like to trigger additional flow. I assume the Santa Notification is not customizable; would like to provide the user with additional info and next steps when a binary is blocked.

Is there a better way to do it that does not involve the SyncServer and all done locally?

eopeter avatar Aug 09 '22 19:08 eopeter

I assume the Santa Notification is not customizable

The notification is somewhat customizable, see https://santa.dev/deployment/configuration.html; specifically the keys UnknownBlockMessage, BannedBlockMessage, EventDetailText, EventDetailURL.

We did at one point try to re-work the UI in HTML so that it could be completely customized but it was very difficult to make this UI act like a native UI.

I have an app that would like to listen in when Santa blocks a binary and would like to trigger additional flow

If you're interested only in acting on block notifications I think it would be fairly trivial to post NSDistributedNotificationCenter notifications before the existing Santa UI appears. Combined with #862 (to allow you to disable the Santa notifications, if desired) it sounds like this could achieve your goal?

Making use of these notifications would be something like:

#import <Foundation/Foundation.h>

// Observer object; the selector below runs on the main run loop each time a
// matching distributed notification is posted.
@interface MyObject : NSObject
@end

@implementation MyObject

- (void)notification:(NSNotification *)notif {
  NSDictionary *info = notif.userInfo;
  NSLog(@"Santa blocked binary %@ (path %@, part of bundle %@)", info[@"sha256"], info[@"path"], info[@"bundle_name"]);
}

@end

int main(int argc, char *argv[]) {
  @autoreleasepool {
    MyObject *myo = [[MyObject alloc] init];
    // Distributed notifications cross process boundaries, so a separate app can
    // observe what Santa posts without opening its own XPC connection.
    NSDistributedNotificationCenter *dc = [NSDistributedNotificationCenter defaultCenter];
    [dc addObserver:myo
           selector:@selector(notification:)
               name:@"com.google.santa.notification.blockedeexecution"
             object:nil];
    // Keep the process alive so the observer keeps receiving notifications.
    [[NSRunLoop mainRunLoop] run];
  }
  return 0;
}

I'll need to consider any ramifications for doing this but let us know if this sounds like it meets your needs.

russellhancox avatar Aug 10 '22 02:08 russellhancox

Thank you! This should work and I am testing it now. Will report back that notifications are received on my app.

eopeter avatar Aug 10 '22 05:08 eopeter

To be clear: that feature doesn't exist yet, that's just how you would receive notifications if it were implemented. If that does meet your needs I'll try and work on it this week.

russellhancox avatar Aug 10 '22 16:08 russellhancox

Ahh!! Ok, makes sense then that I could not find the notification name 'com.google.santa.notification.blockedeexecution' in the codebase. Yes please, this will meet the need of listening to the notification without having to create a separate XPC Client.

eopeter avatar Aug 10 '22 18:08 eopeter

This will be included in the 2022.8 release. The keys are similar to those used in syncing, here's an example for an unsigned binary:

2022-08-11 15:19:22.682 Untitled[33681:13696936] {
    "executing_user" = rah;
    "execution_time" = "1660245562.677781";
    "file_bundle_id" = "com.google.santa.BundleExample";
    "file_bundle_name" = BundleExample;
    "file_bundle_version" = 1;
    "file_bundle_version_string" = "1.0";
    "file_path" = "/Users/rah/src/santa/Source/common/testdata/BundleExample.app/Contents/MacOS/BundleExample";
    "file_sha256" = b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670;
    "parent_name" = zsh;
    pid = 33697;
    ppid = 67074;
    "team_id" = "";
}

And a signed (system) binary:

2022-08-11 15:21:57.117 Untitled[33681:13696936] {
    cn = "Software Signing";
    "executing_user" = rah;
    "execution_time" = "1660245717.105617";
    "file_bundle_id" = "";
    "file_bundle_name" = "";
    "file_bundle_version" = "";
    "file_bundle_version_string" = "";
    "file_path" = "/usr/bin/yes";
    "file_sha256" = 2e4c209792b8c847063b94422adeee4ebeb523a1c28a8becfd99a77588c1c247;
    org = "Apple Inc.";
    ou = "Apple Software";
    "parent_name" = zsh;
    pid = 34805;
    ppid = 67074;
    sha256 = d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57;
    "team_id" = "";
    "valid_from" = 1603996358;
    "valid_until" = 1792863581;
}

Feature #862 will also be in the 2022.8 release so you can disable Santa's UI if you wish, using these notifications to provide your own.

russellhancox avatar Aug 11 '22 19:08 russellhancox

Now that I look at this again, those keys could do with some improvement.

russellhancox avatar Aug 11 '22 19:08 russellhancox

Is there a 2022.8 branch that has this code? Any estimate on when the build will be released? Thank you!

eopeter avatar Aug 12 '22 18:08 eopeter

We don't do branches, everything is from main. We expect 2022.8 to be released by 8/28.

russellhancox avatar Aug 12 '22 18:08 russellhancox

Newer example output, with the most recent changes:

2022-08-12 16:18:10.815 santa_distnote_example[94324:6231643] {
    "executing_user" = rah;
    "execution_time" = "1660335490.802887";
    "file_bundle_id" = "com.google.santa.BundleExample";
    "file_bundle_name" = BundleExample;
    "file_bundle_version" = 1;
    "file_bundle_version_string" = "1.0";
    "file_path" = "/Users/rah/src/santa/Source/common/testdata/BundleExample.app/Contents/MacOS/BundleExample";
    "file_sha256" = b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670;
    "parent_name" = zsh;
    pid = 94413;
    ppid = 41697;
    "signing_chain" =     (
    );
    "team_id" = "";
}
2022-08-12 16:18:27.620 santa_distnote_example[94324:6231643] {
    "executing_user" = rah;
    "execution_time" = "1660335507.60704";
    "file_bundle_id" = "com.apple.configurator.ui";
    "file_bundle_name" = "Apple Configurator 2";
    "file_bundle_version" = 755;
    "file_bundle_version_string" = "2.14";
    "file_path" = "/Applications/Apple Configurator 2.app/Contents/MacOS/Apple Configurator 2";
    "file_sha256" = bebe44deed2d70c877d6d2e05bf24582f61ca662ece01c59b0128f2376e25473;
    "parent_name" = zsh;
    pid = 94485;
    ppid = 41697;
    "signing_chain" =     (
                {
            cn = "Apple Mac OS Application Signing";
            org = "Apple Inc.";
            ou = "";
            sha256 = 61977d6006459c4cefe9b988a453589946224957bfc07b262cd7ca1b7a61e04e;
            "valid_from" = 1452150602;
            "valid_until" = 1675728000;
        },
                {
            cn = "Apple Worldwide Developer Relations Certification Authority";
            org = "Apple Inc.";
            ou = "Apple Worldwide Developer Relations";
            sha256 = ce057691d730f89ca25e916f7335f4c8a15713dcd273a658c024023f8eb809c2;
            "valid_from" = 1360273727;
            "valid_until" = 1675806527;
        },
                {
            cn = "Apple Root CA";
            org = "Apple Inc.";
            ou = "Apple Certification Authority";
            sha256 = b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024;
            "valid_from" = 1146001236;
            "valid_until" = 2054670036;
        }
    );
    "team_id" = K36BKF7T3D;
}

This looks much better. The "execution_time" is a UNIX epoch timestamp.

russellhancox avatar Aug 12 '22 20:08 russellhancox
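A consumer of the payload shown in the two example dumps above, written as an added example for this thread rather than code from Santa or from anyone in the discussion. It works on the userInfo dictionary once it has been received (the Objective-C observer earlier in the thread is one way to get it; the sample dicts here are constructed to mirror the keys in the dumps, with the signing chain cut down to its leaf) and builds the extra information a custom notification could show, including whether the leaf certificate was inside its validity window at execution time.

```python
from datetime import datetime, timezone
# Constructed samples mirroring the userInfo keys shown in the thread:
# a signed app (chain truncated to its leaf) and an unsigned test binary.
SIGNED = {
    "executing_user": "rah", "execution_time": "1660335507.60704",
    "file_bundle_name": "Apple Configurator 2",
    "file_path": "/Applications/Apple Configurator 2.app/Contents/MacOS/Apple Configurator 2",
    "file_sha256": "bebe44deed2d70c877d6d2e05bf24582f61ca662ece01c59b0128f2376e25473",
    "parent_name": "zsh", "pid": 94485, "ppid": 41697, "team_id": "K36BKF7T3D",
    "signing_chain": [{"cn": "Apple Mac OS Application Signing", "org": "Apple Inc.",
                       "ou": "", "valid_from": 1452150602, "valid_until": 1675728000}],
}
UNSIGNED = {
    "executing_user": "rah", "execution_time": "1660335490.802887", "file_bundle_name": "",
    "file_path": "/Users/rah/src/santa/Source/common/testdata/BundleExample.app/Contents/MacOS/BundleExample",
    "file_sha256": "b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670",
    "parent_name": "zsh", "pid": 94413, "ppid": 41697, "team_id": "", "signing_chain": [],
}
def _epoch(value):  # execution_time is a string, certificate dates are integers
    return datetime.fromtimestamp(float(value), tz=timezone.utc)
def summarize_block(info):
    """Extract what a custom 'blocked binary' dialog would show; handles both
    the empty-signing_chain and the full-chain payloads seen in the thread."""
    exec_at = _epoch(info["execution_time"])
    chain = info.get("signing_chain") or []
    leaf = chain[0] if chain else None  # first element is the leaf certificate
    # Flag a leaf certificate that was outside its validity window at execution time.
    leaf_ok = bool(leaf) and _epoch(leaf["valid_from"]) <= exec_at <= _epoch(leaf["valid_until"])
    return {
        "when": exec_at.isoformat(timespec="seconds"),
        "user": info["executing_user"],
        "name": info.get("file_bundle_name") or info["file_path"].rsplit("/", 1)[-1],
        "sha256": info["file_sha256"],
        "signed": leaf is not None,
        "signer": leaf["cn"] if leaf else None,
        "team_id": info.get("team_id") or None,
        "leaf_valid_at_exec": leaf_ok,
        "parent": f'{info["parent_name"]} (pid {info["ppid"]})',
    }
def user_message(info):
    s = summarize_block(info)  # one-line text for a replacement notification
    if s["signed"]:
        who = f'signed by "{s["signer"]}"' + (f' (Team ID {s["team_id"]})' if s["team_id"] else "")
        if not s["leaf_valid_at_exec"]:
            who += ", certificate outside its validity window"
    else:
        who = "unsigned"
    return (f'Santa blocked {s["name"]} ({who}) launched by {s["user"]} '
            f'from {s["parent"]} at {s["when"]}. SHA-256: {s["sha256"]}')
```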

Awesome!! Thank you

eopeter avatar Aug 12 '22 20:08 eopeter