Need more guidance #69

Closed
CaledoniaProject opened this Issue Aug 27, 2016 · 9 comments

@CaledoniaProject

CaledoniaProject commented Aug 27, 2016

The wiki is incomplete.

  1. How can I put santa into a "learning" mode, so that it can add binaries to "allowed" database automatically?
  2. How can I list all programs (blacklisted or whitelisted) with santactl rule command? I'm trying not to open the SQLite file directly ....
  3. You did not provide a uninstallation script in the DMG file, that's critical. Take a look at Little Snitch's installer file perhaps.
  4. Can I change the location of /var/log/santa.log, or disable logging completely? (If everything is I need is whitelisted)
@arubdesu


Contributor

arubdesu commented Aug 27, 2016

Hey Mr. Lewis, thanks for the feedback.

  1. It already is in learning mode the moment you install it, which it says on the readme - the MONITOR mode is default. It is not adding any binaries it encounters to 'allowed' rulesets, because it anticipates you'd sync/upload those events and evaluate them. Keep in mind, if you're using developer certs for rules, you may only need to add a handful as whitelist rules to cover the majority of software you use, including all updates that use the same signing cert. Other than that, the current recommendation is to aggregate the logs and add rules based on the certificates identified (as documented in the wiki).
  2. There is currently limited interaction with the rules database, although JSON export is an accepted enhancement request, #56. In the meantime you can stop the santad daemon and use sqlite3 to export the rules.
sudo /bin/launchctl unload /Library/LaunchDaemons/com.google.santad.plist
sudo /usr/bin/sqlite3 /var/db/santa/rules.db ".dump" >> /tmp/rules_playback.sql

  You can also check whether a rule exists for any given binary with santactl fileinfo <path/to/binary>.
  3. Good call, it should be added. In the installer is a preinstall script, which you can run as sudo to remove some older versions of files and, more importantly, stop the services/unload the kernel extension. There is no other funny business in the installer, so on top of that you can just remove the following paths:

/bin/rm -rf /Applications/Santa.app
/bin/rm -rf /Library/Extensions/santa-driver.kext
/bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
/bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
/bin/rm -f /private/etc/asl/com.google.santa.asl.conf
/bin/rm -f /usr/local/santactl # just a symlink
# and to clean out the log config, although it won't write after wiping the binary
/usr/bin/killall -HUP syslog

  4. Yes, by customizing the provided asl.conf as you see fit. No, that's not particularly easy, but it's there in the wiki under logging configuration. We can add instructions on doing so if you feel it'll be valuable.

@arubdesu


Contributor

arubdesu commented Aug 27, 2016

I think we gave the impression 'allow' rules are being added in MONITOR mode, but on my system after having Santa installed in default mode for a while, santactl status only shows 2 Binary and 2 Certificate rules added (which we mention in the 'Failsafe cert rules' section of the readme as being santa itself and Apple's cert for launchd).

@CaledoniaProject


CaledoniaProject commented Aug 28, 2016

Hmm, that's weird. I got zero rules added ...

%> santactl status
>>> Daemon Info
  Mode                   | Monitor
  File Logging           | No
  Watchdog CPU Events    | 0  (Peak: 8.47%)
  Watchdog RAM Events    | 0  (Peak: 31.95MB)
>>> Kernel Info
  Kernel cache count     | 222
>>> Database Info
  Binary Rules           | 0
  Certificate Rules      | 2
  Events Pending Upload  | 271

config.plist: (screenshot attached)

@CaledoniaProject


CaledoniaProject commented Aug 28, 2016

I have a bunch of unsigned homebrew binaries and self-compiled /Applications/XX.app so something might be wrong.

@arubdesu


Contributor

arubdesu commented Aug 30, 2016

@CaledoniaProject There's now a merged uninstall script and the wiki has been tweaked, were there more things we can try to work with you on?

@CaledoniaProject


CaledoniaProject commented Aug 31, 2016

I still have problems with "learning" mode. As you say, the monitor mode is the learning mode.

However after days of installation, I'm having zero binary rules, weird.
(I even double checked with /var/db/santa/rules.db)

>>> Daemon Info
  Mode                   | Monitor
  File Logging           | No
  Watchdog CPU Events    | 0  (Peak: 10.36%)
  Watchdog RAM Events    | 0  (Peak: 37.15MB)
>>> Kernel Info
  Kernel cache count     | 604
>>> Database Info
  Binary Rules           | 0
  Certificate Rules      | 3
  Events Pending Upload  | 965

Although I have plenty of unsigned binaries, and execute many of them daily (manually or via cron), e.g.

%> santactl fileinfo /usr/local/homebrew/bin/xz
Path                 : /usr/local/homebrew/Cellar/xz/5.2.2/bin/xz
SHA-256              : 68f6d7d31880ba4d91aa79120a452882ef084659d82ed006f495c50d7b71547a
SHA-1                : b96bea2f704288783b718bef4ab5738fc8ac57b8
Type                 : Executable (x86-64, i386)
Code-signed          : No
Rule                 : None

But these are never added to the database, am I wrong?

@arubdesu


Contributor

arubdesu commented Aug 31, 2016

Monitor mode does not auto-create whitelisting rules for binaries, assuming everything already running is 'safe'. You learn from the logs what is running, and can then make the correlations and add the rules yourself, either by syncing with a server (like Zentral) or manually adding the rules with santactl.
You are experiencing expected behavior.
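To make the "learn from the logs, then add the rules yourself" workflow concrete (it is the recommendation in both of arubdesu's replies above), here is a worked example added by the editor. It is not code from the Santa project or from anyone in this thread. It reads santad's EXEC records, groups them by signing certificate where the binary is signed and by file hash where it is not, and prints candidate santactl whitelist commands for review. The log lines and hashes are constructed for the example; the pipe-delimited key=value layout of the records and the reason values UNKNOWN, BINARY and CERT are assumptions about the santad log format, not something this thread states, so check them against a line of your own /var/log/santa.log before pointing the script at it.

```shell
#!/bin/sh
# Editor's example, not Santa project code: derive whitelist rule candidates
# from santad's MONITOR-mode log instead of waiting for a learning mode.
#
# Assumed record layout (an assumption, verify against your own log):
#   [ts] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=..|cert_sha256=..|cert_cn=..|...|path=..|args=..
# Records with reason=BINARY or reason=CERT already match a rule and are skipped.

# Constructed sample records standing in for /var/log/santa.log (hashes shortened).
sample_log() {
  cat <<'EOF'
[2016-08-28T09:00:01Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=0a1b|cert_sha256=apple0001|cert_cn=Software Signing|pid=1|ppid=0|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=/usr/libexec/xpcproxy
[2016-08-28T09:00:02Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=68f6|cert_sha256=|cert_cn=|pid=1200|ppid=1100|uid=501|user=lewis|gid=20|group=staff|mode=M|path=/usr/local/homebrew/Cellar/xz/5.2.2/bin/xz|args=xz -d backup.tar.xz
[2016-08-28T09:00:03Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=68f6|cert_sha256=|cert_cn=|pid=1201|ppid=1100|uid=501|user=lewis|gid=20|group=staff|mode=M|path=/usr/local/homebrew/Cellar/xz/5.2.2/bin/xz|args=xz -l backup.tar.xz
[2016-08-28T09:00:04Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=68f6|cert_sha256=|cert_cn=|pid=1202|ppid=1|uid=501|user=lewis|gid=20|group=staff|mode=M|path=/usr/local/homebrew/Cellar/xz/5.2.2/bin/xz|args=xz --version
[2016-08-28T09:00:05Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=c3d4|cert_sha256=devid0001|cert_cn=Developer ID Application: Example Corp (ABCDE12345)|pid=1300|ppid=1|uid=501|user=lewis|gid=20|group=staff|mode=M|path=/Applications/Example.app/Contents/MacOS/Example|args=/Applications/Example.app/Contents/MacOS/Example
[2016-08-28T09:00:06Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=e5f6|cert_sha256=devid0001|cert_cn=Developer ID Application: Example Corp (ABCDE12345)|pid=1301|ppid=1300|uid=501|user=lewis|gid=20|group=staff|mode=M|path=/Applications/Example.app/Contents/Frameworks/Helper|args=Helper
[2016-08-28T09:00:07Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=9999|cert_sha256=|cert_cn=|pid=1400|ppid=1|uid=501|user=lewis|gid=20|group=staff|mode=M|path=/Applications/XX.app/Contents/MacOS/XX|args=XX
[2016-08-28T09:00:08Z] I santad: action=FILE_ADD|path=/tmp/not-an-exec
EOF
}

# Print one candidate per line as COUNT<TAB>KIND<TAB>SHA256<TAB>LABEL, most
# frequently executed first. KIND is CERT (signed; group by the signing cert so
# one rule covers every binary and future update signed with it) or BINARY
# (unsigned; the only handle is the file's own hash). Reads the files given as
# arguments, or stdin when none are given.
santa_rule_candidates() {
  awk -F'|' '
    /action=EXEC/ {
      split("", kv)
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        k = substr($i, 1, eq - 1)
        sub(/.* /, "", k)              # first field carries the "[ts] I santad: " prefix
        kv[k] = substr($i, eq + 1)     # split on the first "=" only; paths/args may contain "="
      }
      if (kv["reason"] == "BINARY" || kv["reason"] == "CERT") next   # already covered by a rule
      if (kv["cert_sha256"] != "")
        key = "CERT\t" kv["cert_sha256"] "\t" kv["cert_cn"]
      else
        key = "BINARY\t" kv["sha256"] "\t" kv["path"]
      count[key]++
    }
    END { for (key in count) print count[key] "\t" key }
  ' "$@" | sort -rn
}

# Render the candidates as santactl invocations. Nothing is applied here; the
# output is a list to review, then paste the lines you actually want to keep.
# --certificate makes the hash refer to the signing certificate, not the binary.
santa_whitelist_commands() {
  santa_rule_candidates "$@" | while IFS="$(printf '\t')" read -r count kind sha label; do
    if [ "$kind" = "CERT" ]; then
      printf 'sudo santactl rule --whitelist --certificate --sha256 %s   # %s execs, %s\n' "$sha" "$count" "$label"
    else
      printf 'sudo santactl rule --whitelist --sha256 %s   # %s execs, %s\n' "$sha" "$count" "$label"
    fi
  done
}

# Demo against the constructed records; for a real host use:
#   santa_whitelist_commands /var/log/santa.log
sample_log | santa_whitelist_commands
```

Two points worth keeping in mind when using something like this. First, the output is a shortlist, not a policy: blindly whitelisting everything that ran in MONITOR mode is exactly the "users choose what to run" situation that the maintainers say defeats the purpose, so treat each unsigned BINARY line as something to justify (and re-hash after every rebuild, since the rule dies with the binary) and prefer CERT lines where a vendor signs its releases. Second, `santactl rule` modifies /var/db/santa/rules.db and needs root; confirm the flag spelling against the usage text of the santactl build you have installed before running the generated lines.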

@russellhancox


Collaborator

russellhancox commented Aug 31, 2016

There isn't a learning mode because Santa was developed for enterprises where IT will manage the list of allowed binaries; a mode where users can choose to run things defeats the purpose of such a system.

We have a number of ideas and plans for making Santa a useful tool for personal use with a GUI for managing rules and I could imagine a sort of learning mode being a part of this. It's something we will probably work on in the future once we've reached 1.0 and have all the enterprise features working satisfactorily.

@CaledoniaProject


CaledoniaProject commented Aug 31, 2016

Thanks. Now I have no further questions.
