Docs: Start of Santa Docs #192
Conversation
Docs/details/events.md
Outdated
| @@ -0,0 +1,154 @@ | |||
| # Events | |||
|
|
|||
| Events are a notion core to how Santa interacts with a sync-server. Events are generated when there is a blocked `exec()` while in lockdown or monitor mode. Events are also generated in monitor mode for an `exec()` that was allowed to run, but would have been blocked in lockdown mode. This allows an admin to roll out Santa to their macOS fleet in monitor mode, but still collect meaningful data. The events collected while in monitor can be used to build a fairly comprehensive whitelist of signing certificates and binaries before switching the fleet to lockdown mode. | |||
There was a problem hiding this comment.
I'd probably change exec() to execve() here as all other exec*() functions call up to execve. It also catches posix_spawn, which is separate.
There was a problem hiding this comment.
sgtm, done throughout
Docs/details/events.md
Outdated
| @@ -0,0 +1,154 @@ | |||
| # Events | |||
|
|
|||
| Events are a notion core to how Santa interacts with a sync-server. Events are generated when there is a blocked `exec()` while in lockdown or monitor mode. Events are also generated in monitor mode for an `exec()` that was allowed to run, but would have been blocked in lockdown mode. This allows an admin to roll out Santa to their macOS fleet in monitor mode, but still collect meaningful data. The events collected while in monitor can be used to build a fairly comprehensive whitelist of signing certificates and binaries before switching the fleet to lockdown mode. | |||
There was a problem hiding this comment.
sync server, 2 words.
There was a problem hiding this comment.
sgtm, done throughout
Docs/deployment/configuration.md
Outdated
| @@ -0,0 +1,113 @@ | |||
| # Configuration | |||
|
|
|||
| There are two types of configurations that can be utilized to control Santa. The first is a local configuration. The second is a sync-server controlled configuration. | |||
There was a problem hiding this comment.
utilized to control Santa. The first is a local configuration. The second is a sync-server
to:
utilized to control Santa: local configuration and a sync server controlled configuration
Docs/deployment/configuration.md
Outdated
| | MachineIDPlist | String | The path to a plist that contains the MachineOwnerKey / value pair. | | ||
| | MachineIDKey | String | The key to use on MachineIDPlist. | | ||
|
|
||
| *protected keys: santad cannot be running to make a change |
There was a problem hiding this comment.
- protected keys: If a sync server is configured, this setting cannot be changed while santad is running as it is assumed the setting will be provided by the sync server.
Docs/details/events.md
Outdated
|
|
||
| ###### Archived Object | ||
|
|
||
| Events are temporarily stored in a sqlite3 database `/var/db/santa/events.db` until they uploaded to the sync server. They are stored in the [NSKeyedArchiver](https://developer.apple.com/documentation/foundation/nskeyedarchiver?language=objc) format. Here is an example of a Firefox event in the events.db awaiting upload. |
There was a problem hiding this comment.
I'm not sure it's worth mentioning the archived object format as this might change in future. It's not generally intended that anyone reads from the event database. Even the format of the database is not fixed, there's a possibility we might switch to LevelDB in future.
There was a problem hiding this comment.
Since we are somewhat conflating dev and user docs I think this is worth keeping. Just added a note explaining the intention of the section.
Docs/details/events.md
Outdated
| ##### Event Lifecycle | ||
|
|
||
| 1. santad will generate a new event | ||
| 2. santad checks / adds the event's SHA-256 file hash to a in memory cache with a timeout of 10 min. If an event with the same SHA-256 file hash has been sent for upload within the past 10 min, the event is dropped. |
There was a problem hiding this comment.
In the markdown, you can leave the items in an ordered list all as 1, the actual numbers will be calculated during rendering. It's less maintenance if they don't need changing :-)
There was a problem hiding this comment.
But that's a pain in Typora :(
Docs/details/events.md
Outdated
| 2. santad checks / adds the event's SHA-256 file hash to a in memory cache with a timeout of 10 min. If an event with the same SHA-256 file hash has been sent for upload within the past 10 min, the event is dropped. | ||
| 3. santad saves the event to `/var/db/santa/events.db`. A unique ID is assigned as a key. | ||
| 4. santad sends an XPC message to the santactl daemon. The messages contains the event with instructions to upload the event immediately. This is non-blocking and is performed on a background thread. | ||
| 5. santad waits for a reply from santactl. Again, this is non-blocking and is performed on a background thread. |
There was a problem hiding this comment.
santad isn't really waiting for a reply, it just happens to receive a message, right?
There was a problem hiding this comment.
True, I was getting related bundle events mixed up with regular events. Removed 5.
Docs/details/ipc.md
Outdated
|
|
||
| The santad and Santa (GUI) processes are both started and kept alive by launchd as LaunchDaemon and LaunchAgent respectively. This means santad runs as root, and Santa (GUI) runs as the console user. There can be multiple Santa (GUI) process running, one per logged in user. | ||
|
|
||
| When using a sync-server the santactl process is started by santad with a `fork()` and `exec()` of `santactl sync —-daemon`. Before the new process starts, all privileged are dropped. So santactl runs as nobody. |
There was a problem hiding this comment.
the fork+exec stuff is a bit in the weeds.
There was a problem hiding this comment.
also, all privileges
Docs/details/ipc.md
Outdated
|
|
||
| When using a sync-server the santactl process is started by santad with a `fork()` and `exec()` of `santactl sync —-daemon`. Before the new process starts, all privileged are dropped. So santactl runs as nobody. | ||
|
|
||
| The santabs process is started by launchd by way of an XPC service connection from santad. XPC services inherit their initiator's privileges so santabs runs as root. |
There was a problem hiding this comment.
runs as root
Which is necessary to ensure santabs has permission to read all the files.
Docs/deployment/configuration.md
Outdated
| @@ -0,0 +1,113 @@ | |||
| # Configuration | |||
|
|
|||
| There are two types of configurations that can be utilized to control Santa. The first is a local configuration. The second is a sync-server controlled configuration. | |||
There was a problem hiding this comment.
Two configuration methods can be used to control Santa: Local Configuration and Sync-Server Controlled Configuration.
Docs/deployment/configuration.md
Outdated
|
|
||
| | Key | Value Type | Description | | ||
| | ----------------------------- | ---------- | ---------------------------------------- | | ||
| | ClientMode* | Integer | 1 for Monitor or 2 for Lockdown | |
Docs/deployment/configuration.md
Outdated
| | ModeNotificationLockdown | String | The notification text to display when the client goes into lockdown mode. Defaults to "Switching into Lockdown mode". | | ||
| | SyncBaseURL* | String | The base URL of the sync server. | | ||
| | ClientAuthCertificateFile | String | If set, this contains the location of a PKCS#12 certificate to be used for sync authentication. | | ||
| | ClientAuthCertificatePassword | String | Contains the password for the pkcs#12 certificate. | |
Docs/deployment/configuration.md
Outdated
| | Key | Value Type | Description | | ||
| | ------------------------------ | ---------- | ---------------------------------------- | | ||
| | client_mode | String | MONITOR or LOCKDOWN. Defaults to MONITOR. | | ||
| | clean_sync** | Bool | If set to True Santa will clear all local rules and download a fresh copy from the sync-server. Defaults to False. | |
There was a problem hiding this comment.
Can TRUE and FALSE be emphasized as code here, since they're in reference to a boolean variable?
Docs/details/events.md
Outdated
| @@ -0,0 +1,154 @@ | |||
| # Events | |||
|
|
|||
| Events are a notion core to how Santa interacts with a sync-server. Events are generated when there is a blocked `exec()` while in lockdown or monitor mode. Events are also generated in monitor mode for an `exec()` that was allowed to run, but would have been blocked in lockdown mode. This allows an admin to roll out Santa to their macOS fleet in monitor mode, but still collect meaningful data. The events collected while in monitor can be used to build a fairly comprehensive whitelist of signing certificates and binaries before switching the fleet to lockdown mode. | |||
There was a problem hiding this comment.
The events collected while in monitoring
or
The events collected while in monitor mode
There was a problem hiding this comment.
replace fairly with reasonably or nearly?
There was a problem hiding this comment.
Events are a defined set of data, core to how Santa interacts with a sync-server.
|
|
||
| #### Flow of a full sync | ||
|
|
||
| This is a high level overview of the syncing process end to end. For a more a more detailed account of each part, see the respective documents. The santaclt binary can be run in one of two modes, daemon and non-daemon. The non-daemon mode does one full sync and exits. This is the typical way a user will interact with Santa, mainly to force a full sync. The daemon mode is used by santad to schedule full syncs, listen for push notifications and upload events. |
There was a problem hiding this comment.
This is a high level overview of the syncing process. For a more a more detailed account of each part, see the respective documentation.
|
|
||
| 0. When the santad process starts up, it looks for a `SyncBaseURL` key/value in the config. If one exists it will `fork()` and `exec()` `santactl sync —-daemon`. Before the new process calls `exec()`, all privileges are dropped. All privileged actions are then restricted to the XPC interface made available to santactl by santad. Since this santactl process is running as a daemon it too exports an XPC interface so santad can interact with the process efficiently and securely. To ensure syncing reliability santad will restart the santactl daemon if it is killed or crashes. | ||
| 1. The santactl daemon process now schedules a full sync for 15 sec in the future. The 15 sec is used to let santad settle before santactl starts sending rules from the sync-server to process. | ||
| 2. The full sync starts. There are a number of stages to a full sync. |
There was a problem hiding this comment.
There are a number of stages to a full sync:
| 2. The full sync starts. There are a number of stages to a full sync. | ||
| 1. preflight: The sync-server can set various settings for Santa. | ||
| 2. logupload (optional): The sync-server can request that the Santa logs be uploaded to an endpoint. | ||
| 3. eventupload (optional): If Santa has generated events it will upload them to the sync-server. |
There was a problem hiding this comment.
eventupload (optional): If Santa has generated events, it will upload them to the sync-server.
| 3. eventupload (optional): If Santa has generated events it will upload them to the sync-server. | ||
| 4. ruledownload: Download rules from the sync-server. | ||
| 5. postflight: Updates timestamps for successful syncs. | ||
| 3. After the full sync completes a new full sync will be scheduled, by default this will be 10min. However there are a few ways to manipulate this. |
There was a problem hiding this comment.
However, there are a few ways to manipulate this:
|
|
||
| #### santactl XPC interface | ||
|
|
||
| When running as a daemon the santactl process makes available an XPC interface for use by santad. This allows santad to send blocked binary or bundle events directly to santactl for immediate upload to the sync-server. Doing so makes for a smoother user experience. The binary that was blocked on macOS is immediately available for viewing or handling on the sync-server. |
There was a problem hiding this comment.
When running as a daemon, the santactl process makes available an XPC interface for use by santad. This allows santad to send blocked binary or bundle events directly to santactl for immediate upload to the sync-server, enabling a smoother user experience. The binary that was blocked on macOS is immediately available for viewing or handling on the sync-server.
Docs/details/mode.md
Outdated
|
|
||
| ##### Lockdown mode | ||
|
|
||
| Running Santa in Lockdown mode will stop any unknown binaries from running. Meaning, if the binary has no rules or scopes that apply, it will be blocked. |
There was a problem hiding this comment.
Running Santa in Lockdown Mode will stop all unknown binaries from running. This means that if the binary has no rules or scopes that apply, then it will be blocked.
Q: Lockdown mode is more restrictive than monitor mode right? If this is the case, then I think it would be good to repeat that it still stops blacklisted binaries from running. e.g. Running Santa in Lockdown Mode will stop all blacklisted binaries and additionally will prevent all unknown binaries from running.
Docs/details/rules.md
Outdated
| Whitelisted (Certificate) | ||
| ``` | ||
|
|
||
| ##### Built in rules |
Docs/details/rules.md
Outdated
|
|
||
| ##### Built in rules | ||
|
|
||
| To avoid blocking any Apple system binaries or Santa binaries, santad will create 2 immutable certificate rules at startup. |
Docs/details/santa-driver.md
Outdated
|
|
||
| ##### Kauth | ||
|
|
||
| santa-driver utilizes two Kauth scopes `KAUTH_SCOPE_VNODE` and `KAUTH_SCOPE_FILEOP `. It registers itself with the Kauth API by calling `kauth_listen_scope()` for each scope. This function takes three arguments. |
Docs/details/santabs.md
Outdated
|
|
||
| The santabs process is an XPC service for the santa-driver.kext bundle, meaning only binaries within that bundle can launch santabs. It will be launched with with whatever privileges the calling process is running as. Currently santad is the only caller of santabs, so santabs runs as root. | ||
|
|
||
| #####Events |
There was a problem hiding this comment.
missing space between ##### and Events
Docs/details/santactl.md
Outdated
|
|
||
| The sync command is covered in the [syncing.md](syncing.md) document. | ||
|
|
||
| #####Debug Commands |
There was a problem hiding this comment.
Missing space between ##### and Debug
Docs/details/santactl.md
Outdated
|
|
||
| This may be the most complex part of Santa. It really has two types of work that is does. Firstly it contains all of the code and functionality for syncing with a sync-server. The details of which are covered in the [syncing.md](syncing.md) document. This document will cover the status work that santactl performs. | ||
|
|
||
| The santactl binary can be used to view the state and configuration of Santa as a whole. It can also inspect individual files. When running without a sync-server it also a supported method of managing the rules database. |
There was a problem hiding this comment.
It does two types of work:
- It contains all of the code and functionality for syncing with a sync-server.
- It can be used to view the state and configuration of Santa as a whole. (...)
The details of santactl's syncing functionality are covered in the syncing.md document. This document will cover the status work that santactl performs.
Docs/details/santad.md
Outdated
|
|
||
| At this point santa-driver is loaded and running in the kernel but is allowing all executions and not sending any messages to santad. Before santad tells santa-driver it is ready to receive messages it needs to setup a few more things. | ||
|
|
||
| The rule and event databases are now initialized. Followed by connection establishment to the Santa (GUI) and santactl sync daemon. The config file is processed and now santad knows what mode it is running in. |
There was a problem hiding this comment.
initialized, followed by
Docs/development/building.md
Outdated
| @@ -0,0 +1,104 @@ | |||
|
|
|||
|
|
|||
| #Building | |||
There was a problem hiding this comment.
missing space between # and Building
Docs/development/building.md
Outdated
|
|
||
| #### Running | ||
|
|
||
| On macOS 10.11+ System Integrity Protection (SIP) prevents loading of kernel extensions that are not signed by an Apple KEXT signing certificate. To be able to load and test a non-release version of Santa, SIP will have to configured to allow non Apple KEXT signing certificates. |
There was a problem hiding this comment.
missing "be" and hyphen:
.. SIP will have to be configured to allow non-Apple KEXT signing certificates.
Docs/development/building.md
Outdated
|
|
||
| #### Debugging | ||
|
|
||
| Xcode and lldb can be used to debug Santa, just like any other project. Instead of clicking the play button to launch and attach to a process, you can attach to an already running, or soon to by running, component of Santa. To do this select the Debug menu and choose `Attach to Process by PID or Name… ` . Below are the four components of Santa and who to debug the process as. Note, santa-driver (the kernel extension) cannot be debugged by attaching with Xcode. |
There was a problem hiding this comment.
Note: santa-driver ...
or
Note that santa-driver ...
Docs/development/building.md
Outdated
|
|
||
| Xcode will then wait for the process to start. Issue this command to restart all the Santa processes in debug mode. | ||
|
|
||
| *The Santa (GUI) process is the only component of Santa that can be launched and debugged from Xcode directly. All the other components are launched with privileges and/or are scoped to a XPC service that launchd scopes to hosting bundle. Thus the need for the `Attach to Process by PID or Name…` technique. See the [ipc](../details/ipc.md) document for for details. |
There was a problem hiding this comment.
a XPC --> an XPC
to hosting bundle. --> to a hosting bundle.
Docs/index.md
Outdated
|
|
||
| For those who want even more details on how Santa works under the hood, this section is for you. | ||
|
|
||
| ######Binaries |
There was a problem hiding this comment.
Missing space between ###### and Binaries
Docs/index.md
Outdated
| * [santa-gui](details/santa-gui.md): A user-land GUI daemon that displays notifications when an `exec()` is blocked. | ||
| * [santabs](details/santabs.md): A user-land root daemon that finds Mach-O binaries within a bundle and creates events for them. | ||
|
|
||
| ######Concepts |
There was a problem hiding this comment.
Missing space between ###### and Concepts
|
|
||
| #### Flow of a full sync | ||
|
|
||
| This is a high level overview of the syncing process end to end. For a more a more detailed account of each part, see the respective documents. The santaclt binary can be run in one of two modes, daemon and non-daemon. The non-daemon mode does one full sync and exits. This is the typical way a user will interact with Santa, mainly to force a full sync. The daemon mode is used by santad to schedule full syncs, listen for push notifications and upload events. |
There was a problem hiding this comment.
santaclt --> santactl
add oxford comma? --> .. push notifications, and upload events.
|
|
||
| This is a high level overview of the syncing process end to end. For a more a more detailed account of each part, see the respective documents. The santaclt binary can be run in one of two modes, daemon and non-daemon. The non-daemon mode does one full sync and exits. This is the typical way a user will interact with Santa, mainly to force a full sync. The daemon mode is used by santad to schedule full syncs, listen for push notifications and upload events. | ||
|
|
||
| 0. When the santad process starts up, it looks for a `SyncBaseURL` key/value in the config. If one exists it will `fork()` and `exec()` `santactl sync —-daemon`. Before the new process calls `exec()`, all privileges are dropped. All privileged actions are then restricted to the XPC interface made available to santactl by santad. Since this santactl process is running as a daemon it too exports an XPC interface so santad can interact with the process efficiently and securely. To ensure syncing reliability santad will restart the santactl daemon if it is killed or crashes. |
There was a problem hiding this comment.
insert comma: Since this santactl process is running as a daemon, it too exports ...
| 3. eventupload (optional): If Santa has generated events it will upload them to the sync-server. | ||
| 4. ruledownload: Download rules from the sync-server. | ||
| 5. postflight: Updates timestamps for successful syncs. | ||
| 3. After the full sync completes a new full sync will be scheduled, by default this will be 10min. However there are a few ways to manipulate this. |
There was a problem hiding this comment.
10min --> 10 minutes (here and in rest of document)
|
@russellhancox PTAL for technical accuracy |
.gitignore
Outdated
| @@ -1,6 +1,8 @@ | |||
| .DS_Store | |||
| Build | |||
| santa-* | |||
| !santa-*.md | |||
There was a problem hiding this comment.
Any reason not to just exclude *.md?
Docs/deployment/configuration.md
Outdated
| @@ -0,0 +1,118 @@ | |||
| # Configuration | |||
|
|
|||
| Two configuration methods can be used to control Santa: local configuration and a sync server controlled configuration. | |||
There was a problem hiding this comment.
I'm not entirely sure how to word it but this isn't 100% accurate - even with a sync server some configuration is only available locally (we don't sync down any of the GUI options, though maybe we should).
There was a problem hiding this comment.
Added some clarification.
Docs/deployment/configuration.md
Outdated
| | FileChangesRegex* | String | The regex of paths to log file changes. Regexes are specified in ICU format. | | ||
| | WhitelistRegex* | String | A regex to whitelist if the binary or certificate scopes did not allow execution. Regexes are specified in ICU format. | | ||
| | BlacklistRegex* | String | A regex to blacklist if the binary or certificate scopes did not block an execution. Regexes are specified in ICU format. | | ||
| | EnablePageZeroProtection | Bool | Enable `__PAGEZERO` protection, defaults to YES. If this flag is set to NO, 32-bit binaries that are missing the `__PAGEZERO` segment will not be blocked. | |
There was a problem hiding this comment.
Reverse the description and mention that this can be over-riden by rules.
If this flag is set to YES, 32-bit binaries that are missing the
__PAGEZEROsegment will be blocked even in MONITOR mode, unless the binary is whitelisted by an explicit rule.
Docs/deployment/configuration.md
Outdated
| | BlacklistRegex* | String | A regex to blacklist if the binary or certificate scopes did not block an execution. Regexes are specified in ICU format. | | ||
| | EnablePageZeroProtection | Bool | Enable `__PAGEZERO` protection, defaults to YES. If this flag is set to NO, 32-bit binaries that are missing the `__PAGEZERO` segment will not be blocked. | | ||
| | MoreInfoURL | String | The URL to open when the user clicks "More Info..." when opening Santa.app. If unset, the button will not be displayed. | | ||
| | EventDetailURL | String | See the Event URL Info section below. | |
There was a problem hiding this comment.
See the EventDetailURL section below. Also link to the section (#eventdetailurl)
Docs/deployment/configuration.md
Outdated
| | EventDetailURL | String | See the Event URL Info section below. | | ||
| | EventDetailText | String | Related to the above property, this string represents the text to show on the button. | | ||
| | UnknownBlockMessage | String | In lockdown mode this is the message shown to the user when an unknown binary is blocked. If this message is not configured, a reasonable default is provided. | | ||
| | BannedBlockMessage | String | This is the message shown to the user when a binary is blocked because of a rule, if that rule doesn't provide a custom message. If this is not configured, a reasonable default is provided. | |
There was a problem hiding this comment.
Remove the comma before "if that rule doesn't" and after "if this is not configured"
Docs/development/building.md
Outdated
|
|
||
| # Building | ||
|
|
||
| Santa makes use of [rake](https://ruby.github.io/rake/) for building and testing Santa. All of the [releases](https://github.com/google/santa/releases) are made using this same process. Santa's releases are codesigned with Google's KEXT signing certificate. This allows Santa to be loaded with SIP fully enabled. macOS 10.13+ will most likely require user consent, even when signed with Google's KEXT signing certificate. |
There was a problem hiding this comment.
Remove the 10.13 note until we know more.
Docs/development/building.md
Outdated
|
|
||
| #### Debugging | ||
|
|
||
| Xcode and lldb can be used to debug Santa, just like any other project. Instead of clicking the play button to launch and attach to a process, you can attach to an already running, or soon to by running, component of Santa. To do this select the Debug menu and choose `Attach to Process by PID or Name… ` . Below are the four components of Santa and who to debug the process as. Note: santa-driver (the kernel extension) cannot be debugged by attaching with Xcode. |
There was a problem hiding this comment.
If someone connects lldb to santad they'll deadlock their machine 😃
|
|
||
| #### Background | ||
|
|
||
| The decision flow starts in the kernel. The macOS kernel is extensible by way of a kernel extension (KEXT). macOS makes available kernel programming interfaces (KPIs) to be used by a KEXT. Santa utilizes of the Kernel Authorization (Kauth) KPI.. This is a very powerful and verbose interface that gives Santa the ability to listen in on most vnode and file systems operations and to take actions, directly or indirectly, on the operations being performed. Still, there are some limitations to Kauth which are pointed out in the santa-driver document. For more information on the santa-driver KEXT see the [santa-driver.md](../details/santa-driver.md) document. |
There was a problem hiding this comment.
Santa utilizes of the Kernel Authorization (Kauth) KPI..
to:
Santa utilizes the Kernel Authorization (Kauth) KPI.
| * If Kauth receives a deny, it will stop the `execve()` from taking place. | ||
| * If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer. | ||
| 3. If there is no entry for the `vnode_id` in the cache a few actions occur: | ||
| * Santa-driver hands off the decision making to santad. |
There was a problem hiding this comment.
s/Santa-driver/santa-driver/
| * If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer. | ||
| 3. If there is no entry for the `vnode_id` in the cache a few actions occur: | ||
| * Santa-driver hands off the decision making to santad. | ||
| * A new entry is created in the cache for the `vnode_id` with a special value of `ACTION_REQUEST_BINARY`. This is used as a placeholder until the decision from santad comes back. If another process tries to `execve()` the same `vnode_id`, santa-driver will have that thread wait for the in-flight decision from santad. All subsequent `execve()`s for the same `vnode_id` will use the decision in the cache as explained in #2, until the cache is invalidated. See the [santa-driver.md](../details/santa-driver.md) document for more details on the cache invalidation. |
There was a problem hiding this comment.
Probably also worth pointing out that if the file is written to while any of the threads are waiting for a response the request_binary entry is removed, forcing the decision-making process to be restarted
.gitignore
Outdated
| @@ -1,6 +1,8 @@ | |||
| .DS_Store | |||
| Build | |||
| santa-* | |||
| !santa-*.md | |||
Docs/deployment/configuration.md
Outdated
| @@ -0,0 +1,118 @@ | |||
| # Configuration | |||
|
|
|||
| Two configuration methods can be used to control Santa: local configuration and a sync server controlled configuration. | |||
There was a problem hiding this comment.
Added some clarification.
Docs/deployment/configuration.md
Outdated
| | FileChangesRegex* | String | The regex of paths to log file changes. Regexes are specified in ICU format. | | ||
| | WhitelistRegex* | String | A regex to whitelist if the binary or certificate scopes did not allow execution. Regexes are specified in ICU format. | | ||
| | BlacklistRegex* | String | A regex to blacklist if the binary or certificate scopes did not block an execution. Regexes are specified in ICU format. | | ||
| | EnablePageZeroProtection | Bool | Enable `__PAGEZERO` protection, defaults to YES. If this flag is set to NO, 32-bit binaries that are missing the `__PAGEZERO` segment will not be blocked. | |
Docs/deployment/configuration.md
Outdated
| | BlacklistRegex* | String | A regex to blacklist if the binary or certificate scopes did not block an execution. Regexes are specified in ICU format. | | ||
| | EnablePageZeroProtection | Bool | Enable `__PAGEZERO` protection, defaults to YES. If this flag is set to NO, 32-bit binaries that are missing the `__PAGEZERO` segment will not be blocked. | | ||
| | MoreInfoURL | String | The URL to open when the user clicks "More Info..." when opening Santa.app. If unset, the button will not be displayed. | | ||
| | EventDetailURL | String | See the Event URL Info section below. | |
Docs/deployment/configuration.md
Outdated
| | EventDetailURL | String | See the Event URL Info section below. | | ||
| | EventDetailText | String | Related to the above property, this string represents the text to show on the button. | | ||
| | UnknownBlockMessage | String | In lockdown mode this is the message shown to the user when an unknown binary is blocked. If this message is not configured, a reasonable default is provided. | | ||
| | BannedBlockMessage | String | This is the message shown to the user when a binary is blocked because of a rule, if that rule doesn't provide a custom message. If this is not configured, a reasonable default is provided. | |
Docs/development/building.md
Outdated
|
|
||
| # Building | ||
|
|
||
| Santa makes use of [rake](https://ruby.github.io/rake/) for building and testing Santa. All of the [releases](https://github.com/google/santa/releases) are made using this same process. Santa's releases are codesigned with Google's KEXT signing certificate. This allows Santa to be loaded with SIP fully enabled. macOS 10.13+ will most likely require user consent, even when signed with Google's KEXT signing certificate. |
Docs/development/building.md
Outdated
|
|
||
| #### Debugging | ||
|
|
||
| Xcode and lldb can be used to debug Santa, just like any other project. Instead of clicking the play button to launch and attach to a process, you can attach to an already running, or soon to by running, component of Santa. To do this select the Debug menu and choose `Attach to Process by PID or Name… ` . Below are the four components of Santa and who to debug the process as. Note: santa-driver (the kernel extension) cannot be debugged by attaching with Xcode. |
|
|
||
| #### Background | ||
|
|
||
| The decision flow starts in the kernel. The macOS kernel is extensible by way of a kernel extension (KEXT). macOS makes available kernel programming interfaces (KPIs) to be used by a KEXT. Santa utilizes of the Kernel Authorization (Kauth) KPI.. This is a very powerful and verbose interface that gives Santa the ability to listen in on most vnode and file systems operations and to take actions, directly or indirectly, on the operations being performed. Still, there are some limitations to Kauth which are pointed out in the santa-driver document. For more information on the santa-driver KEXT see the [santa-driver.md](../details/santa-driver.md) document. |
| * If Kauth receives a deny, it will stop the `execve()` from taking place. | ||
| * If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer. | ||
| 3. If there is no entry for the `vnode_id` in the cache a few actions occur: | ||
| * Santa-driver hands off the decision making to santad. |
| * If Kauth receives an allow, it will defer the decision. If there are other Kauth listeners, they also have a chance deny or defer. | ||
| 3. If there is no entry for the `vnode_id` in the cache a few actions occur: | ||
| * Santa-driver hands off the decision making to santad. | ||
| * A new entry is created in the cache for the `vnode_id` with a special value of `ACTION_REQUEST_BINARY`. This is used as a placeholder until the decision from santad comes back. If another process tries to `execve()` the same `vnode_id`, santa-driver will have that thread wait for the in-flight decision from santad. All subsequent `execve()`s for the same `vnode_id` will use the decision in the cache as explained in #2, until the cache is invalidated. See the [santa-driver.md](../details/santa-driver.md) document for more details on the cache invalidation. |
Docs/details/rules.md
Outdated
| @@ -8,7 +8,7 @@ Binary rules use the SHA-256 hash of the entire binary as an identifier. This is | |||
|
|
|||
| ##### Certificate Rules | |||
|
|
|||
| Certificate rules are formed from the SHA-256 fingerprint of an x509 leaf signing certificate. This is a powerful rule type that has a much broader reach than an individual binary rule . A signing certificate can sign any number of binaries. Whitelisting or blacklisting just a few key signing certificates can cover the bulk of an average user's binaries. The leaf signing certificate is the only part of the chain that is evaluated. Though the whole chain is available for viewing. | |||
| Certificate rules are formed from the SHA-256 fingerprint of an x.509 leaf signing certificate. This is a powerful rule type that has a much broader reach than an individual binary rule . A signing certificate can sign any number of binaries. Whitelisting or blacklisting just a few key signing certificates can cover the bulk of an average user's binaries. The leaf signing certificate is the only part of the chain that is evaluated. Though the whole chain is available for viewing. | |||
Docs/details/ipc.md
Outdated
|
|
||
|  | ||
|
|
||
| #####SNTXPCConnection and two way communication |
There was a problem hiding this comment.
Missing space after the ######
Docs/deployment/configuration.md
Outdated
| | MoreInfoURL | String | The URL to open when the user clicks "More Info..." when opening Santa.app. If unset, the button will not be displayed. | | ||
| | EventDetailURL | String | See the Event URL Info section below. | | ||
| | EventDetailURL | String | See the [EventDetailURL](#EventDetailURL) section below. | |
There was a problem hiding this comment.
The capitalization of the anchor matters, it's #eventdetailurl
Docs/development/building.md
Outdated
|
|
||
| Note: santa-driver (the kernel extension) cannot be debugged by attaching with Xcode. | ||
|
|
||
| Note: Attaching to santad with breakpoints in the decision making codepath will deadlock your machine. |
There was a problem hiding this comment.
Not even setting breakpoints, just attaching will deadlock. Attaching 'interrupts' the process, stopping all threads from proceeding and dropping you into interactive mode, but now now thing is processing, the terminal will freeze and you won't be able to resume.
There was a problem hiding this comment.
Only when using lldb directly. When using Xcode to attach it let's the process continue and only stops threads with breakpoints.
Docs/details/ipc.md
Outdated
|
|
||
|  | ||
|
|
||
| #####SNTXPCConnection and two way communication |
Docs/development/building.md
Outdated
|
|
||
| Note: santa-driver (the kernel extension) cannot be debugged by attaching with Xcode. | ||
|
|
||
| Note: Attaching to santad with breakpoints in the decision making codepath will deadlock your machine. |
There was a problem hiding this comment.
Only when using lldb directly. When using Xcode to attach it let's the process continue and only stops threads with breakpoints.
* Docs: Start of Santa Docs * Docs: /exec()/execve()/ * Docs: /sync-server/sync server/ * Docs: review updates
* Docs: Start of Santa Docs * Docs: /exec()/execve()/ * Docs: /sync-server/sync server/ * Docs: review updates
* Docs: Start of Santa Docs * Docs: /exec()/execve()/ * Docs: /sync-server/sync server/ * Docs: review updates
The start of Santa Docs
What is good
What is not good