Santa Versions

A binary authorization and monitoring system for macOS

2024.3

2 weeks ago

Notes

Fixed

❗ The FileChangesRegex configuration key now applies to all file modification event types that can be logged. This was inadvertently made to only apply to WRITE log events starting in v2022.9. This will lead to a reduction in the number of logged events depending on how this key is configured. IMPORTANT: If you're using this configuration key, please make sure to test how this change will affect your deployments.
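To see why this fix reduces the number of logged events, here is an added simulation (not Santa's own code) of how a FileChangesRegex filter gates file modification events under the two behaviours the note describes: the v2022.9 to 2024.2 behaviour, where only WRITE events were checked against the regex and every other type was logged regardless, and the 2024.3 behaviour, where the regex applies to all loggable types. The event types, paths and process names below are constructed sample data, and Python's `re` is used in place of Santa's own regex engine.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    event_type: str   # a file modification event type, e.g. WRITE, RENAME, UNLINK, LINK
    path: str
    process: str


# Constructed sample events for the example; not real Santa log output.
SAMPLE_EVENTS = [
    FileEvent("WRITE",  "/Users/alice/Documents/report.txt", "TextEdit"),
    FileEvent("WRITE",  "/private/tmp/scratch.bin",          "cc"),
    FileEvent("RENAME", "/Users/alice/Downloads/tool",        "Finder"),
    FileEvent("RENAME", "/private/var/folders/x/cache.tmp",   "launchd"),
    FileEvent("UNLINK", "/Users/alice/.zsh_history",          "zsh"),
    FileEvent("LINK",   "/private/tmp/hardlink",              "ln"),
]


def logged_events(events, file_changes_regex, regex_applies_to="all"):
    """Return the subset of events that would be logged.

    regex_applies_to == "all":        2024.3 behaviour; every event type is gated
                                      by the regex.
    regex_applies_to == "write_only": v2022.9..2024.2 behaviour; only WRITE events
                                      were gated, other types were always logged.
    """
    if regex_applies_to not in ("all", "write_only"):
        raise ValueError(f"unknown mode {regex_applies_to!r}")
    pattern = re.compile(file_changes_regex)
    kept = []
    for ev in events:
        gated = regex_applies_to == "all" or ev.event_type == "WRITE"
        if not gated or pattern.search(ev.path):
            kept.append(ev)
    return kept


def event_count_delta(events, file_changes_regex):
    """How many fewer events 2024.3 logs than the previous behaviour for this regex."""
    before = len(logged_events(events, file_changes_regex, "write_only"))
    after = len(logged_events(events, file_changes_regex, "all"))
    return before - after


if __name__ == "__main__":
    regex = r"^/Users/"
    for mode in ("write_only", "all"):
        print(mode, [(e.event_type, e.path) for e in logged_events(SAMPLE_EVENTS, regex, mode)])
    print("reduction:", event_count_delta(SAMPLE_EVENTS, regex))
```

Running this with a regex that only matches home-directory paths shows the non-WRITE events outside `/Users` disappearing from the log once the regex gates every type, which is exactly the change the note asks deployments to test for.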

Changed

↔️ Improved logic on when to flush local caches when new rules are received. Caches should now be flushed less often. This can result in better performance in some deployment setups.

↔️ Improved transitive rule creation events when tracking RENAME events. This should improve transitive rule creation for some toolchains.

Added

➕ CDHash rules are now supported. These are now the highest precedence rule type (ahead of binary hash). This includes adding support in santactl and to the sync protocol for sync servers to send rules to clients. See the Sync Protocol documentation for more details on how to serve CDHash rules.

➕ JSON rule import for locally managed deployments now supports the --clean and --clean-all flags (behaving similarly to santactl sync).

What's Changed

Full Changelog: https://github.com/google/santa/compare/2024.2...2024.3

2024.2

2 months ago

IMPORTANT: This release includes a fix that can impact some operations for users on macOS 14.4. We encourage all hosts to be upgraded as soon as possible to mitigate potential disruption.

Fixed

❗ Events received with deadlines in the very near future would be automatically denied.

Changed

↔️ The FailClosed configuration key is now respected in Lockdown mode when determining whether automatic fallback responses to events whose deadlines are about to expire should be allowed or denied. In Monitor mode, Santa now fails open, similar to other usages of the FailClosed key.
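The fallback behaviour above can be written as a small decision table. The following is an added example, not Santa's code, that models an authorization event with a response deadline, evaluates it normally when there is time, and otherwise returns the automatic fallback response according to client mode and the FailClosed key as the note describes. The `safety_margin_ms` threshold and the `AuthEvent` shape are assumptions made for this example; the notes do not specify how close to the deadline Santa switches to the fallback.

```python
from dataclasses import dataclass

LOCKDOWN, MONITOR = "LOCKDOWN", "MONITOR"   # Santa client modes


@dataclass(frozen=True)
class AuthEvent:
    path: str
    deadline_ms: int   # absolute time (ms) by which a response must be delivered


def fallback_response(client_mode, fail_closed):
    """Automatic response used when an event's deadline is about to expire.

    Lockdown mode honours FailClosed (True -> DENY, False -> ALLOW);
    Monitor mode always fails open, matching the other uses of FailClosed.
    """
    if client_mode not in (LOCKDOWN, MONITOR):
        raise ValueError(f"unknown client mode {client_mode!r}")
    if client_mode == LOCKDOWN and fail_closed:
        return "DENY"
    return "ALLOW"


def respond(event, now_ms, client_mode, fail_closed, evaluate, safety_margin_ms=500):
    """Return (decision, source).

    If fewer than safety_margin_ms remain before the deadline (an assumed margin),
    the fallback response is used instead of running the full rule evaluation.
    `evaluate` is the caller's rule lookup: AuthEvent -> "ALLOW" | "DENY".
    """
    remaining = event.deadline_ms - now_ms
    if remaining <= safety_margin_ms:
        return fallback_response(client_mode, fail_closed), "fallback"
    return evaluate(event), "evaluated"


if __name__ == "__main__":
    # Constructed sample: a rule lookup that would allow everything, and an
    # event whose deadline is only 200 ms away.
    allow_all = lambda ev: "ALLOW"
    urgent = AuthEvent("/usr/bin/example", deadline_ms=10_000)
    for mode, fail_closed in ((LOCKDOWN, True), (LOCKDOWN, False), (MONITOR, True)):
        print(mode, fail_closed, respond(urgent, 9_800, mode, fail_closed, allow_all))
```

Note that with FailClosed set in Lockdown mode, an event that cannot be evaluated in time is denied even though the rule lookup would have allowed it; that is the deliberate trade-off the key controls, and the reason the 2024.2 fix matters for hosts on macOS 14.4.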

What's Changed

Full Changelog: https://github.com/google/santa/compare/2024.1...2024.2

2024.1

2 months ago

IMPORTANT: This release includes changes to some default behavior. Please carefully read the release notes for details!

Fixed

❗ Support for the config key EnableForkAndExitLogging was inadvertently removed in v2022.9. This has effectively been treated as if it had a default value of true, but the intention was for the default value to be false. Support for this key and its original default have been added back. If you require FORK and EXIT log events, please update your configuration to set this key appropriately.

❗ Configuration documentation was updated to include several supported but previously missing keys.

Changed

↔️ Clean syncs now remove only non-transitive rules from a host's rules database before applying the newly received rules by default.

↔️ The clean_sync preflight response key has been deprecated. Sync server maintainers should migrate to using the new sync_type key. If the clean_sync key is used, it will trigger the new default behavior of only removing non-transitive rules.

↔️ Transitive rule configuration is now printed regardless of whether or not a sync server is configured. The field was also moved to be grouped with the daemon section rather than the sync section.

Added

➕ The switch santactl sync --clean-all was added to reproduce the old clean sync behavior of removing all rules (instead of only non-transitive rules).

Please refer to the clean sync documentation for a better understanding of the new clean sync behavior!
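The difference between the new default clean sync and the old behaviour reproduced by --clean-all comes down to which rules survive the wipe before the server's rules are applied. The following added example, which is not Santa's code, models a host's rules database in memory and applies the three sync types the notes describe: a normal sync (add/update only), a clean sync (drop non-transitive rules first) and a clean-all sync (drop everything first). It also maps a preflight response to a sync type, honouring the deprecated clean_sync key the way the note says it now behaves. The rule type names, the sample identifiers, and the exact value vocabulary accepted for sync_type are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_type: str        # e.g. "BINARY", "CDHASH", "SIGNINGID", "TEAMID" (assumed names)
    identifier: str
    policy: str           # e.g. "ALLOWLIST", "BLOCKLIST", "ALLOWLIST_COMPILER"
    transitive: bool = False   # True for rules Santa created itself from a compiler rule


class RulesDB:
    """Minimal stand-in for a host's rules database, keyed by (type, identifier)."""

    def __init__(self, rules=()):
        self.rules = {(r.rule_type, r.identifier): r for r in rules}

    def apply_sync(self, received, sync_type):
        """Apply a batch of server rules according to sync_type.

        "normal":    keep everything, add or overwrite the received rules.
        "clean":     2024.1 default; remove only non-transitive rules first.
        "clean_all": old behaviour (santactl sync --clean-all); remove all rules first.
        """
        if sync_type == "clean":
            self.rules = {k: r for k, r in self.rules.items() if r.transitive}
        elif sync_type == "clean_all":
            self.rules = {}
        elif sync_type != "normal":
            raise ValueError(f"unknown sync_type {sync_type!r}")
        for r in received:
            self.rules[(r.rule_type, r.identifier)] = r
        return self

    def identifiers(self):
        return sorted(k[1] for k in self.rules)


def preflight_sync_type(response):
    """Derive the sync type from a preflight response.

    The new sync_type key wins when present. The deprecated clean_sync key, if set,
    triggers the new default of removing only non-transitive rules. The value
    strings are an assumption for this example.
    """
    if "sync_type" in response:
        return response["sync_type"]
    if response.get("clean_sync"):
        return "clean"
    return "normal"


# Constructed sample data (placeholder identifiers, not real hashes or Team IDs).
LOCAL_RULES = [
    Rule("BINARY", "aaa", "BLOCKLIST"),
    Rule("BINARY", "ccc", "ALLOWLIST", transitive=True),   # created by a compiler rule
    Rule("TEAMID", "TEAMID0000", "ALLOWLIST"),
]
SERVER_RULES = [Rule("SIGNINGID", "platform:com.example.tool", "ALLOWLIST")]

if __name__ == "__main__":
    for response in ({}, {"clean_sync": True}, {"sync_type": "clean_all"}):
        sync_type = preflight_sync_type(response)
        db = RulesDB(LOCAL_RULES).apply_sync(SERVER_RULES, sync_type)
        print(f"{sync_type:10s} -> {db.identifiers()}")
```

The point to notice is that a server still sending the deprecated clean_sync key no longer clears transitive rules, so compiler-generated allowlist entries survive a routine clean sync; operators who relied on a clean sync to reset a host completely need the explicit --clean-all switch.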

What's Changed

New Contributors

Full Changelog: https://github.com/google/santa/compare/2023.10...2024.1

2023.10

4 months ago

Notes

Fixed

❗ Fixed USB block mode state not always reporting correctly in santactl status

❗ TeamID and SigningID rules are now ignored on execs of binaries signed with development certificates

Added

➕ Entitlements are now logged on EXEC events, along with new configuration keys to filter which entitlements are logged

What's Changed

New Contributors

Full Changelog: https://github.com/google/santa/compare/2023.9...2023.10

2023.9

5 months ago

Notes

Fixed

❗ Fixed issue where mount flags were improperly set for APFS formatted drives

Changed

↔️ santactl sync no longer requires root

↔️ Several public doc updates (thank you to our external contributors!)

Added

➕ Santa can now unmount/remount USB devices on startup

➕ New event type supported: CS_INVALIDATED

➕ Bundle information can now be printed via santactl fileinfo with the new --bundleinfo flag

➕ macOS 14 and USB support for E2E testing

What's Changed

Full Changelog: https://github.com/google/santa/compare/2023.8...2023.9

2023.8

6 months ago

Notes

Fixed

❗ Fixed issue where client mode was almost always logged as "unknown" (since v2023.5)

❗ Fixed issue where TeamID and SigningID rules were evaluated when a binary had codesign issues.

Changed

↔️ Default button text used in UIs when a Custom URL is set

Added

➕ Mount name information added to disk events

➕ rules_received and rules_processed fields now sent in postflight request

➕ SigningID rules now support transitive allowlisting

➕ File Access Authorization now supports UI flows, similar to blocked binary executions

➕ File Access Authorization enforcement can now be controlled via sync settings

➕ Rules can now be imported/exported as JSON via santactl

What's Changed

New Contributors

Full Changelog: https://github.com/google/santa/compare/2023.7...2023.8

2023.7

8 months ago

Notes

Fixed

❗ Fixed performance regression that could occur when protobuf logging was configured and the spool directory was full

❗ Fixed issue where some daemon settings were being overridden by default values during sync preflight

Changed

↔️ Rules received now have their case forced to be what is expected during evaluation (e.g. hashes are forced to be lower case, Team IDs are uppercase)

↔️ Distributed notifications posted by Santa are now delivered immediately

↔️ All daemon settings sent during sync preflight now take effect during postflight

Added

➕ Added support for per-rule custom urls when a binary is blocked

➕ Custom headers can now be configured for sync requests

What's Changed

New Contributors

Full Changelog: https://github.com/google/santa/compare/2023.6...2023.7

2023.6

9 months ago

Notes

❗ The FileChangesRegex configuration key has inadvertently been ignored since 2022.9. This functionality has been added back in this release. This may cause some expected changes to logging if this configuration isn't properly set for your use cases.

❗ Team ID and Signing ID rules will now only be considered when evaluating an execution if the code signature for a binary is valid.

❗ The SyncEnableCleanSyncEventUpload configuration key wasn't being properly read. This would prevent event uploads during a sync when a clean sync was requested by the server.

➕ Beta support has been added for JSON logging. Setting the EventLogType configuration key to json will cause the data in the santa.proto schema to be logged as JSON instead of binary protobuf. It is important to note that encoding to JSON will incur a performance penalty and deployments should appropriately measure cost to endpoints to ensure it is acceptable.

What's Changed

Full Changelog: https://github.com/google/santa/compare/2023.5...2023.6

2023.5

10 months ago

Notes

➕ Santa now supports Signing ID rule types. See full documentation on santa.dev.

➕ File Access Authorization configuration now supports inverting the exception list in order to specify the processes that should be denied (or audited) instead of allowed.

What's Changed

New Contributors

Full Changelog: https://github.com/google/santa/compare/2023.4...2023.5

2023.4

11 months ago

Notes

❗ The EnableBackwardsCompatibleContentEncoding config key has been removed. We were not aware of any sync servers requiring this key; please contact us if you were using it and need an equivalent to be added.

➕ A new config key, SyncClientContentEncoding has been added to allow switching from the default deflate to gzip. This new option doesn't improve compression but is required for some servers to support compression.

➕ A new config key, EnableSilentTTYMode has been added, that allows disabling notifications from Santa to be posted in a user's terminal session.

What's Changed

Full Changelog: https://github.com/google/santa/compare/2023.3...2023.4