
Latest Allows Blocked Binary in Monitor Mode

Open eopeter opened this issue 3 years ago • 10 comments

I built off the main branch in ad-hoc mode with SIP disabled and, while testing, attempted to block the Xcode binary. The rule check santactl rule --check --sha256 691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071 shows Blocked (Binary), but I am still able to run Xcode.

I am using a static rule in Monitor Mode and expected I should not be able to start Xcode. The file in the plist is:

  <dict>
    <!-- BLOCK xcode for testing -->
    <key>identifier</key>
    <string>691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071</string>
    <key>policy</key>
    <string>BLOCKLIST</string>
    <key>rule_type</key>
    <string>BINARY</string>
  </dict>

My version shown below is a dev build and not the release, since I needed to test unreleased code:

$ santactl version
santad          | 9999.1 (build 1)
santactl        | 9999.1 (build 1)
SantaGUI     | 9999.1 (build 1)

Also found 1 of the unit tests is failing with:

bazel test :unit_tests --define=SANTA_BUILD_TYPE=adhoc --test_output=errors

The result of the above shows 1 failing test:

** TEST EXECUTE FAILED **

Testing started
================================================================================
INFO: Elapsed time: 60.570s, Critical Path: 59.92s
INFO: 2 processes: 2 darwin-sandbox.
INFO: Build completed, 1 test FAILED, 2 total actions
//Source/common:SNTFileInfoTest                                 (cached) PASSED in 7.4s
//Source/common:SNTMetricSetTest                                (cached) PASSED in 12.3s
//Source/common:SNTPrefixTreeTest                               (cached) PASSED in 13.8s
//Source/common:SantaCacheTest                                  (cached) PASSED in 10.0s
//Source/gui:SNTNotificationManagerTest                         (cached) PASSED in 7.7s
//Source/santactl:SNTCommandFileInfoTest                        (cached) PASSED in 7.3s
//Source/santactl:SNTCommandMetricsTest                         (cached) PASSED in 7.9s
//Source/santad:SNTApplicationCoreMetricsTest                   (cached) PASSED in 11.3s
//Source/santad:SNTDeviceManagerTest                            (cached) PASSED in 8.8s
//Source/santad:SNTEndpointSecurityManagerTest                  (cached) PASSED in 6.5s
//Source/santad:SNTEventTableTest                               (cached) PASSED in 10.8s
//Source/santad:SNTExecutionControllerTest                      (cached) PASSED in 5.9s
//Source/santad:SNTProtobufEventLogTest                         (cached) PASSED in 6.3s
//Source/santad:SNTRuleTableTest                                (cached) PASSED in 7.4s
//Source/santametricservice:SNTMetricServiceTest                (cached) PASSED in 5.0s
//Source/santametricservice/Formats:SNTMetricMonarchJSONFormatTest (cached) PASSED in 9.5s
//Source/santametricservice/Formats:SNTMetricRawJSONFormatTest  (cached) PASSED in 5.5s
//Source/santametricservice/Writers:SNTMetricFileWriterTest     (cached) PASSED in 6.4s
//Source/santametricservice/Writers:SNTMetricHTTPWriterTest     (cached) PASSED in 6.2s
//Source/santasyncservice:NSDataZlibTest                        (cached) PASSED in 7.0s
//Source/santasyncservice:SNTSyncTest                           (cached) PASSED in 47.9s
//Source/santad:SNTApplicationTest                                       FAILED in 59.6s
  /private/var/tmp/_bazel_eoche/418fe1a0dd8829fc276fd3c03c07a8c4/execroot/santa/bazel-out/darwin-fastbuild/testlogs/Source/santad/SNTApplicationTest/test.log

Executed 1 out of 22 tests: 21 tests pass and 1 fails locally.
INFO: Build completed, 1 test FAILED, 2 total actions

eopeter avatar Aug 13 '22 13:08 eopeter
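
An added example (not code from the issue or from Santa itself) that parses a StaticRules plist built around the rule dict above and answers the same question santactl rule --check answers for a BINARY rule, so a reporter can confirm the hash in the profile really equals the hash of the file being launched. Assumptions: the rules sit under a top-level StaticRules array (the profile key the thread refers to), and expected_decision encodes the Monitor/Lockdown behaviour as I understand it: an explicit BLOCKLIST rule blocks in either mode, while an unmatched binary is allowed only in Monitor mode.

```python
import hashlib
import plistlib

# Constructed sample config: a top-level StaticRules array holding the
# reporter's rule dict. The identifier is the SHA-256 quoted in the issue.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>StaticRules</key><array>
  <dict>
    <key>identifier</key>
    <string>691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071</string>
    <key>policy</key>
    <string>BLOCKLIST</string>
    <key>rule_type</key>
    <string>BINARY</string>
  </dict>
</array></dict></plist>
"""

def load_static_rules(plist_bytes):
    """Parse the StaticRules array into (rule_type, identifier, policy) tuples.
    Identifiers are lower-cased so a mixed-case hash in the profile still matches."""
    config = plistlib.loads(plist_bytes)
    return [(r["rule_type"], r["identifier"].lower(), r["policy"])
            for r in config.get("StaticRules", [])]

def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path):
    """SHA-256 of the whole file, which is the value a BINARY rule identifier names."""
    with open(path, "rb") as f:
        return sha256_of_bytes(f.read())

def binary_rule_policy(rules, file_sha256):
    """Static-rule equivalent of 'santactl rule --check --sha256 <hash>':
    the policy of the BINARY rule whose identifier equals the hash, else None."""
    for rule_type, identifier, policy in rules:
        if rule_type == "BINARY" and identifier == file_sha256.lower():
            return policy
    return None

def expected_decision(mode, policy):
    """Assumed decision model: BLOCKLIST blocks and ALLOWLIST allows in either
    mode; with no matching rule, Monitor allows and Lockdown blocks."""
    if policy == "BLOCKLIST":
        return "BLOCK"
    if policy == "ALLOWLIST":
        return "ALLOW"
    return "ALLOW" if mode == "Monitor" else "BLOCK"
```

Running sha256_of_file against the executable actually launched (for an app bundle, the Mach-O inside Contents/MacOS, not the bundle directory) and feeding it to binary_rule_policy shows whether the profile's identifier matches the file Santa is evaluating.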

This is likely due to the dev build not having correct permissions, like full disk access. What do santactl status and systemextensionsctl list report?

russellhancox avatar Aug 13 '22 13:08 russellhancox

$ santactl status
>>> Daemon Info
  Mode                      | Monitor
  File Logging              | Yes
  USB Blocking              | No
  Watchdog CPU Events       | 0  (Peak: 16.54%)
  Watchdog RAM Events       | 0  (Peak: 58.42MB)
>>> Cache Info
  Root cache count          | 237
  Non-root cache count      | 0
>>> Database Info
  Binary Rules              | 0
  Certificate Rules         | 0
  TeamID Rules              | 0
  Compiler Rules            | 0
  Transitive Rules          | 0
  Events Pending Upload     | 19
>>> Static Rules
  Rules                     | 4

eopeter avatar Aug 13 '22 13:08 eopeter

$ systemextensionsctl list
3 extension(s)
--- com.apple.system_extension.network_extension
enabled	active	teamID	bundleID (version)	name	[state]
*	*	PXPZ95SK77	com.paloaltonetworks.GlobalProtect.client.extension (5.2.11-10/1)	GlobalProtectExtension	[activated enabled]
*	*	DE8Y96K9QP	com.cisco.anyconnect.macos.acsockext (4.10.05111/4.10.05111)	Cisco AnyConnect Socket Filter Extension	[activated enabled]
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	-	com.google.santa.daemon (9999.1/9999.1.1)	santad	[activated enabled]

eopeter avatar Aug 13 '22 13:08 eopeter

The output looks correct. I'm not able to reproduce the issue of blocked binaries not being blocked but I can reproduce SNTApplicationTest failing and I'm unsure why, even reverting back to the 2022.7 tag and running the test fails where it used to pass. Will need to dig into this a bit more.

russellhancox avatar Aug 19 '22 18:08 russellhancox

This started working.

eopeter avatar Aug 23 '22 11:08 eopeter

Hmm, interesting. Did the test also start passing?

russellhancox avatar Aug 23 '22 15:08 russellhancox

No, the test is still failing. I can open another issue on the test.

eopeter avatar Aug 23 '22 20:08 eopeter

Rule check says binary is allowed but Santa is blocking it as shown:

image

eopeter avatar Aug 24 '22 15:08 eopeter

We published 2022.8, which allows/blocks binaries as expected (and there have been no significant code changes since the commit that build is based upon). I'm unable to reproduce any errors in an adhoc build either.

The failing SNTApplicationTest we've tracked down to being an issue caused by installed StaticRules in an on-device profile - the test doesn't sufficiently isolate the configuration installed on the host. We don't see this issue in CI because no such configuration profile exists. A fix is on the way.

russellhancox avatar Aug 26 '22 18:08 russellhancox

Just submitted #885. Let us know if this doesn't solve your issue regarding the tests.

pmarkowsky avatar Aug 29 '22 17:08 pmarkowsky

@eopeter I'm going to mark this closed. Please let us know if this is still an issue you're encountering.

pmarkowsky avatar Sep 22 '22 14:09 pmarkowsky