Russell Hancox
We don't have anything like this but it certainly is a good idea. I'd prefer to see it added as a command to santactl, using the SNTFileInfo class to grab...
Santa actually keeps a database of blocked or allowed-but-unknown binaries in a second SQLite database called events.db; these events are intended to be uploaded to a central server where you...
The events in the database are archived Objective-C objects; you can extract them with: `sqlite3 /var/db/santa/events.db "SELECT writefile(idx || '.plist', eventdata) FROM events;"` And read them with `plutil -convert xml1...
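An added example (not code from the Santa project or from the comment above) that scripts the two steps the comment describes: dump each `eventdata` blob to `<idx>.plist`, then parse the plist. It assumes only what the comment's own query uses (a table `events` with columns `idx` and `eventdata`); the database is opened read-only so a live daemon's file is never touched, and `plistlib` reads the binary plist directly in place of the `plutil` round-trip. The sample rows written by `make_sample_db` are constructed binary plists shaped like NSKeyedArchiver output, not real `SNTStoredEvent` archives.

```python
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# Path used by the comment above; override when working on a copied database.
EVENTS_DB = "/var/db/santa/events.db"


def extract_events(db_path, out_dir):
    """Write every eventdata blob to <out_dir>/<idx>.plist and return the paths.

    Schema (table `events`, columns `idx`, `eventdata`) is assumed from the
    sqlite3 query in the comment; nothing else about the table is relied on.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    # Read-only URI open: never modify a database the daemon may be writing to.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    written = []
    with sqlite3.connect(uri, uri=True) as conn:
        rows = conn.execute("SELECT idx, eventdata FROM events ORDER BY idx")
        for idx, blob in rows:
            path = out / f"{idx}.plist"
            path.write_bytes(blob)
            written.append(path)
    return written


def read_event(path):
    """Parse one dumped plist; plistlib detects binary vs XML on its own."""
    with open(path, "rb") as f:
        return plistlib.load(f)


def summarize(path):
    """Small, stable description of a dumped plist.

    A keyed archive (NSKeyedArchiver) keeps its object graph under '$objects';
    anything else is reported by its top-level keys.
    """
    d = read_event(path)
    if "$archiver" in d:
        return {"archiver": d["$archiver"], "objects": len(d.get("$objects", []))}
    return {"keys": sorted(d)}


def make_sample_db(db_path):
    """Create a CONSTRUCTED events.db for offline use.

    The rows are binary plists shaped like NSKeyedArchiver output, NOT real
    SNTStoredEvent archives; they only exercise the extraction path.
    """
    sample = {
        "$version": 100000,
        "$archiver": "NSKeyedArchiver",
        "$top": {"root": plistlib.UID(1)},
        "$objects": ["$null", {"decision": "BLOCK_UNKNOWN", "fileSHA256": "00" * 32}],
    }
    blob = plistlib.dumps(sample, fmt=plistlib.FMT_BINARY)
    with sqlite3.connect(db_path) as conn:
        conn.execute("CREATE TABLE events (idx INTEGER PRIMARY KEY, eventdata BLOB)")
        conn.executemany("INSERT INTO events VALUES (?, ?)", [(1, blob), (2, blob)])


def demo(work_dir=None):
    """Build the constructed database, dump it, and summarize each event."""
    work = Path(work_dir or tempfile.mkdtemp())
    db = work / "events.db"
    make_sample_db(db)
    files = extract_events(db, work / "out")
    return [summarize(p) for p in files]


if __name__ == "__main__":
    # On a real host: extract_events(EVENTS_DB, "./santa-events") after copying
    # the database somewhere readable; here the constructed sample is used.
    for entry in demo():
        print(entry)
```

`summarize` deliberately stops at the archive's top level: decoding the `$objects` graph back into `SNTStoredEvent` fields depends on the class's keyed-archive layout, which this comment does not spell out.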
Sorry, I'd meant to respond to this sooner but got sidetracked. The class that is serialized into the database is actually `SNTStoredEvent` (`SNTFileInfo` gathers the data as you identified but...
Reinstalling the OS will remove Santa. The only reason that wouldn't work is if the machine is MDM-managed by an organization and auto-enrollment is reinstalling that organization's management tools. If...
We've looked into this before for a different feature; unfortunately unlike code signature verification, Apple doesn't provide a public API for verifying package signatures. Signature verification in packages is handled...
Sorry for the delayed response, I've been trying to reproduce this with no luck. Do you see log lines matching `action=WRITE` for the binary that's being executed? It's odd that...
There aren't really _SCOPE_ rules, just a number of hardcoded checks (see [fileIsScopeWhitelisted:](https://github.com/google/santa/blob/master/Source/santad/SNTPolicyProcessor.m#L134) and [fileIsScopeBlacklisted:](https://github.com/google/santa/blob/master/Source/santad/SNTPolicyProcessor.m#L151)). The two regexes [can be](https://github.com/google/santa/blob/b70442e483887ed2368003dbe5f736931401d535/Source/santactl/Commands/sync/SNTCommandSyncPreflight.m#L108) configured using a sync server. What specifically were you hoping...
Gotcha. So, yes, if the sync server fully implements the preflight request the path-based whitelists can be delivered there; Upvote implements this as a per-host setting.
Config pulled from a sync server has higher precedence than local configuration.