"deadline reached" in a File Access Authorization rule #1094

Closed
slashnick opened this issue May 9, 2023 · 6 comments · Fixed by #1095
slashnick commented May 9, 2023

I have a File Access Authorization rule that blocks access to certain files, even though the rule is in audit-only mode.

Are there steps I can take to get more debugging information out of Santa?

Version

  • macOS version: 13.3.1 (a)
  • Santa version: 2023.4

Reproduction steps

  1. Install iTerm2 - https://iterm2.com/
  2. Create a Santa config with this FileAccessPolicy
<dict>
  <key>Version</key>
  <string>v1</string>
  <key>WatchItems</key>
  <dict>
    <key>iTerm2</key>
    <dict>
      <key>Paths</key>
      <array>
        <dict>
          <key>Path</key>
          <string>/Users/*/Library/Application Support/iTerm2</string>
          <key>IsPrefix</key>
          <true/>
        </dict>
      </array>
      <key>Options</key>
      <dict>
        <key>AllowReadAccess</key>
        <true/>
        <key>AuditOnly</key>
        <true/>
      </dict>
      <key>Processes</key>
      <array></array>
    </dict>
  </dict>
</dict>
  3. Launch iTerm2

Behavior

iTerm is unable to read some of its local state in ~/Library/Application Support/iTerm2, and crashes.

Santa still records FILE_ACCESS logs with decision=AUDIT_ONLY, but I guess by then it's too late to respond to the file event?

Logs

Santa logs from the macOS system log:
11:24:10.593076-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.593216-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.593313-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.594744-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.594896-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.594964-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.595087-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.595208-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.600471-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.600622-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.600848-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.600882-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.601028-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.601099-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.601150-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.601053-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.601356-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.601303-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.602232-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.602366-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.602432-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.602488-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.602479-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.602842-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.602972-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.603326-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.603409-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.603523-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.608547-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.608706-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.608881-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.608942-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.609040-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.609275-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.609312-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.609467-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.611586-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.609617-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.609441-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.611844-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.611264-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.612221-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.615039-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.615092-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.615178-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.615226-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.615304-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.619441-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.619911-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.620141-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.620374-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.620441-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.620536-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.620589-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.620685-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.620733-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.620877-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.622010-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.622077-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.622153-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.622268-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.622345-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.623214-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.623295-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.623420-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.623493-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.623555-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.625263-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.625339-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.625466-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.625572-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.625653-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.626965-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.627022-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.627132-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.627252-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.627311-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.629084-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.629142-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.629251-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.629339-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.629405-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.630578-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.630669-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.630688-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.630758-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.630806-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.633028-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.633541-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.633889-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.633982-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.634098-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.635106-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.635184-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.635637-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.635911-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.635957-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.637844-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.637883-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.637970-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.638123-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.638165-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.640533-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.640611-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.640697-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.640794-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.640858-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=319, event type: 1 ret=0
11:24:10.644259-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.644490-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.644572-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.644552-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.644632-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.646287-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.646380-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
11:24:10.646542-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=1
11:24:10.646745-0400	com.google.santa.daemon	E com.google.santa.daemon: SNTEndpointSecurityClient: deadline reached: deny pid=371, event type: 1 ret=0
/var/db/santa/santa.log
[2023-05-09T15:24:10.437Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/SavedState/restorable-state.sqlite|access_type=OPEN|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.437Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/SavedState/restorable-state.sqlite-shm|access_type=OPEN|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.437Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/SavedState/restorable-state.sqlite-wal|access_type=OPEN|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.437Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.E8Rcyj|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.438Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.E8Rcyj|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.438Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.438Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.438Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/SavedState/restorable-state.sqlite-shm|access_type=TRUNCATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.466Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/version.txt|access_type=OPEN|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.476Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.yVnEvP|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.476Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.yVnEvP|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.476Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.476Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.481Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.HQKCxx|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.481Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.HQKCxx|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.481Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/SavedState/restorable-state.sqlite|access_type=TRUNCATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.WBXOZX|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.WBXOZX|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/SavedState/restorable-state.sqlite-wal|access_type=TRUNCATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.zTRpyP|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.zTRpyP|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.LyA1KU|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.LyA1KU|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.I676HM|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.I676HM|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.482Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.483Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.528Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.J8f4UH|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.529Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.J8f4UH|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.529Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.529Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.529Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.GRxJru|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.529Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.GRxJru|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.529Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.529Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.585Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.Mg7icy|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.585Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.Mg7icy|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.585Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.585Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.588Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.wsmb4w|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.588Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.wsmb4w|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.588Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.588Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.653Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-1.socket|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.656Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-1.socket|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.657Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.AZ6ekS|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.657Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.AZ6ekS|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.657Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.657Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.657Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-2.socket|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.657Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-2.socket|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.658Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.7d6ajv|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.658Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.7d6ajv|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.658Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.658Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.658Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-3.socket|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.658Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-3.socket|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.5hzCGV|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.5hzCGV|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-4.socket|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-4.socket|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.jWsOQ0|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.jWsOQ0|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-5.socket|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-5.socket|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.Cyvbgx|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.dat.nosync4536.Cyvbgx|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=RENAME|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/.testwritable.17718|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-6.socket|access_type=UNLINK|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
[2023-05-09T15:24:10.659Z] I santad: action=FILE_ACCESS|policy_version=v1|policy_name=iTerm2|path=/Users/user/Library/Application Support/iTerm2/iterm2-daemon-6.socket|access_type=CREATE|decision=AUDIT_ONLY|pid=17718|ppid=15922|process=iTerm2|processpath=/Applications/iTerm.app/Contents/MacOS/iTerm2|uid=502|user=user|gid=20|group=staff
iTerm.app stderr
2023-05-09 11:24:10.632 iTerm2[17718:73097] Orphan server adopter: Failed to connect to /Users/user/Library/Application Support/iTerm2/iterm2-daemon-5.socket
2023-05-09 11:24:10.632 iTerm2[17718:73097] Orphan server adopter: Failed to connect to /Users/user/Library/Application Support/iTerm2/iterm2-daemon-3.socket
2023-05-09 11:24:10.632 iTerm2[17718:73097] Orphan server adopter: Failed to connect to /Users/user/Library/Application Support/iTerm2/iterm2-daemon-1.socket
2023-05-09 11:24:10.632 iTerm2[17718:73097] Orphan server adopter: Failed to connect to /Users/user/Library/Application Support/iTerm2/iterm2-daemon-4.socket
2023-05-09 11:24:10.632 iTerm2[17718:73097] Orphan server adopter: Failed to connect to /Users/user/Library/Application Support/iTerm2/iterm2-daemon-6.socket
2023-05-09 11:24:10.632 iTerm2[17718:73097] Orphan server adopter: Failed to connect to /Users/user/Library/Application Support/iTerm2/iterm2-daemon-2.socket
@russellhancox
Collaborator

What macOS version are you running on?

@slashnick
Author

macOS 13.3.1 (a)

Santa 2023.4

@mlw
Member

mlw commented May 9, 2023

Thank you for the report and detailed logs. This has uncovered an issue with how binaries that are originally in the ES default mute set are handled for the file access feature.

Unfortunately it seems the only workaround for now is to ensure that watch paths do not contain binaries that would need to be inspected by critical system daemons. In the given config, the watch path /Users/*/Library/Application Support/iTerm2 contains several iTermServer-* binaries that attempt to be inspected by amfid when launched. These events are getting denied which is leading to the iTerm immediately closing.

In the original comment, you mention that iTerm2 crashes, but that is not the exact behavior I see; instead, it is immediately closing after opening, presumably because of failing to connect to the iTermServer.... Could you confirm this is your case too? Are you seeing iTerm2 logs in /Library/Logs/DiagnosticReports?

We're looking to get this addressed in the next release.

@mlw
Member

mlw commented May 9, 2023

Another suggestion for the config as a workaround is to more specifically target files and subpaths within that directory that would exclude the binaries by using multiple entries within the Paths key.
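
A pre-deployment check for the workaround discussed above, as an added example that is not part of the thread or of Santa: it lists Mach-O files that fall under each watch item's Paths, so a rule can be narrowed before it is rolled out. The function names and the constructed sample layout (`iTermServer-0.0.0`, `Scripts/notes.txt`) are assumptions, and `IsPrefix` is approximated as "descend into the matched directory".

```python
import glob
import os
import plistlib
import tempfile

# First four bytes of Mach-O and universal binaries. cafebabe is shared with
# Java class files, so a hit means "inspect this", not proof.
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "bebafeca")}

def is_macho(path):
    """True if path is a regular file starting with a Mach-O magic number."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def watched_files(entry):
    """Yield existing files covered by one Paths entry. Approximation of the
    watch semantics: glob the Path, descend only when IsPrefix is true."""
    if isinstance(entry, str):  # tolerate a bare-string entry
        entry = {"Path": entry}
    for match in glob.glob(entry["Path"]):
        if not os.path.isdir(match):
            yield match
        elif entry.get("IsPrefix", False):
            for root, _dirs, files in os.walk(match):
                for name in files:
                    yield os.path.join(root, name)

def binaries_under_watch_items(policy):
    """Map each WatchItems rule name to the Mach-O files its Paths cover."""
    findings = {}
    for name, item in policy.get("WatchItems", {}).items():
        hits = sorted({f for e in item.get("Paths", [])
                       for f in watched_files(e) if is_macho(f)})
        if hits:
            findings[name] = hits
    return findings

def demo():
    """Constructed layout: a fake server binary beside ordinary state."""
    with tempfile.TemporaryDirectory() as tmp:
        tail = os.path.join("Library", "Application Support", "iTerm2")
        base = os.path.join(tmp, "Users", "user", tail)
        watch = os.path.join(tmp, "Users", "*", tail)  # glob, as in the issue
        os.makedirs(os.path.join(base, "Scripts"))
        with open(os.path.join(base, "iTermServer-0.0.0"), "wb") as fh:
            fh.write(bytes.fromhex("cffaedfe") + b"\0" * 28)  # fake header
        with open(os.path.join(base, "Scripts", "notes.txt"), "w") as fh:
            fh.write("constructed sample\n")
        def policy(path):  # round-trip through plistlib, as loaded from disk
            return plistlib.loads(plistlib.dumps({"WatchItems": {"iTerm2": {
                "Paths": [{"Path": path, "IsPrefix": True}]}}}))
        return (binaries_under_watch_items(policy(watch)),
                binaries_under_watch_items(policy(os.path.join(watch, "Scripts"))))

if __name__ == "__main__":
    broad, narrow = demo()
    print("whole directory watched:", broad)
    print("only Scripts watched:  ", narrow)
```

To check a real policy, load it with `plistlib.load` and pass the resulting dictionary to `binaries_under_watch_items`; a bare `<dict>` fragment needs `fmt=plistlib.FMT_XML`.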

@slashnick
Author

Thanks for taking a look!

Yep, I guess "crash" isn't the right term. When I open iTerm2, it immediately displays an error message in a popup, and closes when I dismiss that message. I don't see any iTerm2 logs in /Library/Logs/DiagnosticReports/.

Just to confirm, the system daemons that cannot access watched files are all the binaries in this list, right?

@mlw
Member

mlw commented May 9, 2023

Pretty much (Technically, the list linked is a hardcoded backup of paths in the ES default mute set used as a fallback in the event that the list cannot be dynamically gathered via es_muted_paths_events. ES treats a subset of these paths as "critical" due to interactions with watchdogd and vends out AUTH events for these processes with very small deadlines. It is this subset with small deadlines that Santa is not handling properly.)

In case you were thinking about creating exceptions for these processes in the watch config - that unfortunately will not help as a workaround. The issue with how Santa responds to these events with small deadlines prevents that exception mechanism from being a viable alternative.
