Delayed effect of a BlacklistRegex update via a PreFlight response #142

Closed · np5 opened this issue Jan 31, 2017 · 3 comments

np5 (Contributor) commented Jan 31, 2017

The updated regex is visible using sudo defaults read /var/db/santa/config.plist right after a sync. The previously blocked apps are allowed, as expected, but the apps which are supposed to be blocked by the new regex are still working. If santad is restarted, they are blocked (so, not a regex issue.)

np5 changed the title from "Delayed effect of a BlacklistRegex update via a PostFlight response" to "Delayed effect of a BlacklistRegex update via a PrefFlight response" on Jan 31, 2017
np5 changed the title from "Delayed effect of a BlacklistRegex update via a PrefFlight response" to "Delayed effect of a BlacklistRegex update via a PreFlight response" on Jan 31, 2017
russellhancox (Collaborator) commented:
I've spent most of the morning trying to reproduce this and am unable.

What version are you using?
What server are you syncing to?
Is the sync completing successfully?
What mode is Santa running in?
When the binaries are not blocked, how do they appear in the log?
When you restart santad and the files are blocked, do they appear in the log as being blocked by BlacklistRegex?

» defaults read /var/db/santa/config.plist | grep Blacklist

» santactl sync
Sync completed successfully

» defaults read /var/db/santa/config.plist | grep Blacklist
    BlacklistRegex = "^.+/flargleblarg$";

» ./flargleblarg
-bash: ./flargleblarg: Operation not permitted

» grep flargleblarg /var/log/santa.log
[2017-01-31T17:11:22.437Z] I santad: action=EXEC|decision=DENY|reason=SCOPE|explain=Blacklist Regex|sha256=722d1740a49812c67a1b3dad1893613b3615927942fe230189b54dc91525f8b1|path=/Users/rah/src/tmp/flargleblarg|pid=59447|ppid=59174|uid=139567|user=rah|gid=5000|group=eng|mode=M

@russellhancox russellhancox self-assigned this Jan 31, 2017
np5 (Contributor, Author) commented Feb 2, 2017

Sorry about the delay. Here are the answers:

I am running some tests with a Zentral branch that I am working on. Just sending a blacklist regex via the blacklist_regexp attribute of a Preflight response.

Santa is running in MONITOR mode.

$ santactl version
santa-driver    | 0.9.16
santad          | 0.9.16
santactl        | 0.9.16
SantaGUI        | 0.9.16

# first sync

$ santactl sync
Missing Machine Owner.
Added 1 rules
Sync completed successfully

$ defaults read /var/db/santa/config.plist | grep Blacklist
    BlacklistRegex = "^.+/flargleblarg$";

# works as expected

$ ./flargleblarg
-bash: ./flargleblarg: /bin/bash: bad interpreter: Operation not permitted
$
Santa

The following application has been blocked from executing
because it has been deemed malicious.

Path:       /Users/flaco/flargleblarg
Identifier: 0df2d5957dd7583361dcc3a888b2ad9e3fa29a413bbf711a572f65348227d898
Parent:     bash (68840)

# santa.log
[2017-02-02T16:27:09.703Z] I santad: action=EXEC|decision=DENY|reason=SCOPE|explain=Blacklist Regex|sha256=0df2d5957dd7583361dcc3a888b2ad9e3fa29a413bbf711a572f65348227d898|path=/Users/flaco/flargleblarg|pid=69118|ppid=68840|uid=501|user=flaco|gid=20|group=staff|mode=M

# test other exec.

$ cp flargleblarg flargleblarg2

$ ./flargleblarg2
Hello World!

# santa.log
[2017-02-02T16:28:11.098Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=fe162e301556121782e1e5334a023e94f742a3a66434812620ae41a5da5f3360|path=/bin/bash|args=/bin/bash ./flargleblarg2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=69381|ppid=68840|uid=501|user=flaco|gid=20|group=staff|mode=M

# We change what we send in the preflight and do another sync

$ santactl sync
Missing Machine Owner.
Uploaded 2 events
Added 1 rules
Sync completed successfully

# check what we have in the conf

$ defaults read /var/db/santa/config.plist | grep Blacklist
    BlacklistRegex = "^.+/flargleblarg2$";

# ISSUE:

$ ./flargleblarg2
Hello World!

# But the former rule doesn't apply anymore

$ ./flargleblarg
Hello World!

# santa.log

[2017-02-02T16:28:32.742Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=fe162e301556121782e1e5334a023e94f742a3a66434812620ae41a5da5f3360|path=/bin/bash|args=/bin/bash ./flargleblarg2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=69397|ppid=68840|uid=501|user=flaco|gid=20|group=staff|mode=M
[2017-02-02T16:28:45.913Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=fe162e301556121782e1e5334a023e94f742a3a66434812620ae41a5da5f3360|path=/bin/bash|args=/bin/bash ./flargleblarg|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=69404|ppid=68840|uid=501|user=flaco|gid=20|group=staff|mode=M

# We try another sync with the same settings

$ santactl sync
Missing Machine Owner.
Added 1 rules
Sync completed successfully

# Same results

$ ./flargleblarg2
Hello World!

$ ./flargleblarg
Hello World!

# santa.log
[2017-02-02T16:28:55.752Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=fe162e301556121782e1e5334a023e94f742a3a66434812620ae41a5da5f3360|path=/bin/bash|args=/bin/bash ./flargleblarg2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=69411|ppid=68840|uid=501|user=flaco|gid=20|group=staff|mode=M
[2017-02-02T16:28:58.107Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=fe162e301556121782e1e5334a023e94f742a3a66434812620ae41a5da5f3360|path=/bin/bash|args=/bin/bash ./flargleblarg|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=69413|ppid=68840|uid=501|user=flaco|gid=20|group=staff|mode=M

# We restart the santa daemon

$ sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist
$ sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist

# The expected behaviour is observed

$ ./flargleblarg2
-bash: ./flargleblarg2: /bin/bash: bad interpreter: Operation not permitted
$
Santa

The following application has been blocked from executing
because it has been deemed malicious.

Path:       /Users/flaco/flargleblarg2
Identifier: 0df2d5957dd7583361dcc3a888b2ad9e3fa29a413bbf711a572f65348227d898
Parent:     bash (68840)

# santa.log

[2017-02-02T16:29:10.964Z] I santad: action=EXEC|decision=DENY|reason=SCOPE|explain=Blacklist Regex|sha256=0df2d5957dd7583361dcc3a888b2ad9e3fa29a413bbf711a572f65348227d898|path=/Users/flaco/flargleblarg2|pid=69427|ppid=68840|uid=501|user=flaco|gid=20|group=staff|mode=M

russellhancox (Collaborator) commented:

Ah, that makes sense: the exec after the regex changes is unaffected because it's cached (in the kernel) so the regex is never consulted.

We handle this situation for blacklist rules by clearing the cache when a new blacklist rule arrives. We could probably fix this by clearing the cache whenever the whitelist/blacklist regexes are changed also.

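To make the caching explanation concrete, the following is an added simulation of the decision path described in this thread. It is illustrative code written for this page, not Santa's own code: a userspace policy (explicit blacklist rules plus the BlacklistRegex) sits behind a kernel-style per-file verdict cache, so the regex is consulted only on a cache miss. Two modelling assumptions are not stated on the page and are labelled in the code: the cache is keyed by path (a stand-in for the vnode the real cache would key on), and only ALLOW verdicts are cached, which is the simplest model consistent with the Feb 2 transcript above, where the previously denied file ran once the regex changed. The `flushOnRegexChange` flag switches between the reported behaviour and the fix in the referenced commits.

```cpp
// Added example (not Santa's code): simulate an exec verdict cache in front of
// the userspace policy, and show why a BlacklistRegex change only "takes" after
// the cache is cleared.
#include <cstddef>
#include <map>
#include <regex>
#include <set>
#include <string>
#include <vector>

enum class Decision { Allow, Deny };

class Daemon {
 public:
  // flushOnRegexChange=false reproduces the bug; true applies the fix.
  explicit Daemon(bool flushOnRegexChange) : flushOnRegexChange_(flushOnRegexChange) {}

  // Explicit blacklist rule (e.g. a sha256 rule from a sync). Per the comment
  // above, the cache is already cleared on this path.
  void addBlacklistRule(const std::string &sha256) {
    blacklistedHashes_.insert(sha256);
    cache_.clear();
  }

  // BlacklistRegex as delivered by a preflight response.
  void setBlacklistRegex(const std::string &pattern) {
    if (haveRegex_ && pattern == regexSource_) return;  // unchanged: nothing to do
    regexSource_ = pattern;
    regex_ = std::regex(pattern);
    haveRegex_ = true;
    if (flushOnRegexChange_) cache_.clear();  // the fix: drop stale verdicts now
  }

  // Exec request as the kernel would present it. Assumption: cache keyed by
  // path (standing in for the vnode); only ALLOW verdicts are cached.
  Decision exec(const std::string &path, const std::string &sha256) {
    auto hit = cache_.find(path);
    if (hit != cache_.end()) return hit->second;  // cache hit: policy never consulted
    Decision d = evaluate(path, sha256);
    if (d == Decision::Allow) cache_[path] = d;
    return d;
  }

  // Restarting santad also empties the cache, which is why a restart "fixes" it.
  void restart() { cache_.clear(); }

  std::size_t cacheSize() const { return cache_.size(); }

 private:
  Decision evaluate(const std::string &path, const std::string &sha256) const {
    if (blacklistedHashes_.count(sha256)) return Decision::Deny;
    if (haveRegex_ && std::regex_match(path, regex_)) return Decision::Deny;
    return Decision::Allow;
  }

  bool flushOnRegexChange_;
  std::set<std::string> blacklistedHashes_;
  bool haveRegex_ = false;
  std::string regexSource_;
  std::regex regex_;
  std::map<std::string, Decision> cache_;
};

// Replays the Feb 2 transcript: flargleblarg2 is a byte-identical copy of
// flargleblarg (same hash, different path). Returns the five verdicts in order.
std::vector<Decision> runScenario(bool flushOnRegexChange) {
  const std::string sha = "0df2d5957dd7583361dcc3a888b2ad9e3fa29a413bbf711a572f65348227d898";
  const std::string a = "/Users/flaco/flargleblarg";
  const std::string b = "/Users/flaco/flargleblarg2";
  Daemon d(flushOnRegexChange);
  std::vector<Decision> out;

  d.setBlacklistRegex("^.+/flargleblarg$");   // first sync
  out.push_back(d.exec(a, sha));              // DENY by regex (not cached)
  out.push_back(d.exec(b, sha));              // ALLOW, and now cached

  d.setBlacklistRegex("^.+/flargleblarg2$");  // second sync: regex changed
  out.push_back(d.exec(b, sha));              // bug: cached ALLOW wins; fix: DENY
  out.push_back(d.exec(a, sha));              // ALLOW: the old regex no longer applies

  d.restart();
  out.push_back(d.exec(b, sha));              // DENY after a restart in both cases
  return out;
}
```

Without the flush, the third verdict is the stale cached ALLOW even though the config already shows the new regex; with the flush, the change is visible on the very next exec. The same reasoning is why a new explicit blacklist rule already cleared the cache before this fix.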
russellhancox added a commit that referenced this issue Feb 3, 2017
When white/black-list regexes are changed clear the kernel cache so the regexes are able to take effect immediately. Fixes #142
russellhancox added a commit to russellhancox/santa that referenced this issue Feb 3, 2017
When white/black-list regexes are changed clear the kernel cache so the regexes are able to take effect immediately. Fixes google#142
tburgin pushed a commit to tburgin/santa that referenced this issue Mar 7, 2017
When white/black-list regexes are changed clear the kernel cache so the regexes are able to take effect immediately. Fixes google#142
dskfh pushed a commit to dskfh/santa that referenced this issue Jul 17, 2020
When white/black-list regexes are changed clear the kernel cache so the regexes are able to take effect immediately. Fixes google#142