v0.9.28

Important

The command santactl sync now requires root privileges. Use sudo santactl sync.

Notes

This release contains a new feature.

Implementation Features

• Project: Add support for unprivileged XPC interfaces #287 Thanks @alessandrogario @trailofbits!

Commit History

v0.9.27

Notes

This release contains some bug fixes and new features.

Bug Fixes

• santad: Only get code signing information for Mach-O binaries #277
• santa-driver: Switch to a struct for vnode IDs, holding both the filesystem ID and vnode ID #262 #276
• santa-driver: Drop the separate caches for root/non-root file systems as this doesn't offer any benefit anymore #276
• santa-driver: Stop catching vnode_hasdirtyblks() #260 #280
• Docs: s/precendence/precedence/ #283 Thanks @dgw!

Features

• Logs: Optional MachineID for event logs #256 Thanks @obelisk!

Implementation Features

• santa-driver: Templatize key types in SantaCache #271
• santa-driver: Make ACTION CAS operations in SantaCache more readable #272
• santa-driver: Add SantaCache distribution tests #273
• KernelTests: Simplify kernel tests #282
• santa-driver / santad: Refractor kext load / unload and connect / disconnect #278 #281
• santactl: Add cachehistogram debug command #275

Commit History

v0.9.26

Notes

This release contains some bug fixes and new features.

Bug Fixes

• santabs: Only allow bundle events on ancestor bundles of type: .app .bundle .framework .kext .xctest .xpc #257
• santa-driver: Do not invalidate cached decisions on KAUTH_VNODE_ACCESS #266

Features

• Project: Add codesign flags kill library-validation to all components #264
• santa-driver: Log the file path of dirty vnode execution attempts #267

Commit History

v0.9.25

Important

The Type field in santactl fileinfo will now display x86-64 as x86_64.
Non-event logs are now stored in ULS. You can stream or view them with the /usr/bin/log command.

Notes

This release contains some bug fixes and new features.

Bug Fixes

• santad: validates all architectures within universal binaries attempting to execute (#249) Big thanks to @secretsquirrel for the PoC.

Features

• santactl fileinfo: displays signing information for all architectures if they are not all consistently signed (#249)
• event logs: Event logs can now be stored in a file or ULS. See the keys EventLogType and EventLogPath in the configuration document configuration.

Commit History

v0.9.24

Notes

This release contains some bug fixes.

Bug Fixes

• santad: Stop watching /var/db/santa/sync-state.plist to fix a race condition by deleting the racy code (#242)
• santabs: Serialize calls to -[SNTBundleService createConnection] to prevent over resuming an XPC connection (#244)
• santactl sync: Update to MOLFCMClient v1.7 to prevent scheduling a task on an invalidated session (#245)

Commit History

v0.9.23

Notes

This release contains some bug fixes.

Bug Fixes

• santactl sync: Use MOLFCMClient v1.5 - this contains exponential backoff logic (#238)
• codesign verification: Use MOLCodesignChecker v1.8 - this will now verify the code signature for all architectures within universal binaries (#239)

Commit History

v0.9.22

Notes

This release contains some bug fixes.

Bug Fixes

• config: Fixed a client mode flapping issue when changing unrelated mobileconfigs (#234) (Fixes #174 #203)
• santa-driver: Added an acknowledge feature to binary requests (#220) (Fixes #215)
• santabs: Fixed nil bundle path lookup (#233)

Commit History

v0.9.21

Important

/var/db/santa/config.plist is no longer used for configuration. In this release Santa has moved to using an Apple Configuration Profile to manage its configuration. See the configuration document for more details on using a configuration profile to manage Santa.

Notes

This release contains some bug fixes and a new way of configuring Santa.

Bug Fixes

• santa-driver: now denies execs with names over MAXPATHLEN 1031374. Thanks to @codido for the report
• santactl rule: --check now returns proper scope 0c39342
• santactl sync: reachability threads are now property released 57213ee
• santa.log: log the events that are generated by bundle hashing now have a action=BUNDLE tag 6973dd0
• santactl: -h and --help are now synonyms for help 6973dd0. Thanks to @groob for the report

New

• config: configuration is now done with configuration profiles 8e57e37. Thanks to @jesseendahl for the report and keeping on us to get this done!

Commit History

v0.9.20

Notes

This release contains a few bug fixes and a few new items.

Bug Fixes

• santad: Removed /private/tmp/PKInstallSandbox.* ignore scope
• santad: Removed CSInfoPlistFailed ignore scope
• santa-driver: Split kernel cache for root/non-root volumes
• santa-driver: Fix possible race condition in SDM::AddToCache
• santactl sync: Bundle events and notifications are now properly handled

New

• common: Removed EventDetailBundleURL key
• logs: Modified execution log format to show path & args last
• santactl fileinfo: Added --recursive and --filter flags

Commit History

v0.9.19

Notes

This is a small release containing mainly bug fixes for bundle events.

Bug Fixes

• SantaGUI: Don't show pop-up notifications for empty filenames
• santactl/sync: fixed exception when file_name is None / NSNull
• santactl/sync: upload file bundle executable relative path
• santabs: De-dupe generated events before upload

New

• logs: add DAAppearanceTime to the DISKAPPEAR logs

[2017-07-10T19:07:29.708Z] I santad: action=DISKAPPEAR|mount=/|volume=Macintosh HD|bsdname=disk1|fs=hfs|model=APPLE SSD SM0512G|serial=***|bus=PCI|dmgpath=|appearance=2017-06-22T16:13:02.294Z

Commit History