Notes

• Fixed an issue preventing events from being uploaded immediately after a blocked execution
• Fixed a GUI bug that allowed multiple dialogs to be queued for the same execution
• Added option to disable all event logging
• Added option to upload all events
• Added option to upload events during a clean sync
• Added new keys to the EventDetailURL key to differentiate files vs bundles.

What's Changed

• GUI: Add %bundle_or_file_sha% translation key by @russellhancox in https://github.com/google/santa/pull/797
• Sync: Add option to enable event upload despite clean sync. by @russellhancox in https://github.com/google/santa/pull/796
• Created a profiles package so provisioning profiles only need to be in one place. by @pmarkowsky in https://github.com/google/santa/pull/794
• Added macos-12 to the build matrix by @pmarkowsky in https://github.com/google/santa/pull/798
• Add config to allow uploading all events by @russellhancox in https://github.com/google/santa/pull/800
• santad: Add 'null' event logger. Fixes #754 by @russellhancox in https://github.com/google/santa/pull/799
• Fix ES Mock Client Subscription issues by @pmarkowsky in https://github.com/google/santa/pull/801
• santad: remove start and stop options from the sync service queue by @tburgin in https://github.com/google/santa/pull/803
• GUI: Update keys for EventDetailURL. by @russellhancox in https://github.com/google/santa/pull/802
• santasyncservice: handle loading and unloading of the service in the pkg by @tburgin in https://github.com/google/santa/pull/804
• GUI: Fix message queuing by @russellhancox in https://github.com/google/santa/pull/805
• GUI: Switch to UserNotification.framework notifications by @russellhancox in https://github.com/google/santa/pull/806
• SNTConfigurator: remove mutability from sync state dict by @tburgin in https://github.com/google/santa/pull/807
• preflight sync: stop the sync if we cannot communicate with the daemon by @tburgin in https://github.com/google/santa/pull/808
• preflight sync: fix dispatch_group_wait return polarity by @tburgin in https://github.com/google/santa/pull/809
• syncservice: Fix SNTSyncTest by @russellhancox in https://github.com/google/santa/pull/810
• Project: Enable layering check, fix all dependency violations by @russellhancox in https://github.com/google/santa/pull/811
• Project: Layering, missed a dependency by @russellhancox in https://github.com/google/santa/pull/812
• Project: Fix layering for tests by @russellhancox in https://github.com/google/santa/pull/813

Full Changelog: https://github.com/google/santa/compare/2022.4...2022.5

What's Changed

• Project: Show test errors in output from CI by @russellhancox in https://github.com/google/santa/pull/764
• santactl/metrics: Allow filtering metrics by @russellhancox in https://github.com/google/santa/pull/763
• santad: Split ES cache into root/non-root varieties by @russellhancox in https://github.com/google/santa/pull/765
• Project: Make versioning dynamic through bazel's --embed-label. by @russellhancox in https://github.com/google/santa/pull/766
• Exclude bazel-out from test coverage generation by @tnek in https://github.com/google/santa/pull/768
• Project: Fix fallback version by @russellhancox in https://github.com/google/santa/pull/767
• Project: Update apple_rules dep, add .bazelversion for bazelisk users by @russellhancox in https://github.com/google/santa/pull/769
• Project: Fix coverage collection by @russellhancox in https://github.com/google/santa/pull/770
• Update logo image of Santa by @tnek in https://github.com/google/santa/pull/773
• Modified build target names for santa proto by @mlw in https://github.com/google/santa/pull/772
• Fix dead link by @tnek in https://github.com/google/santa/pull/774
• ES_EVENT_TYPE_NOTIFY_UNMOUNT: flush the cache off the ES handler thread by @tburgin in https://github.com/google/santa/pull/778
• Disable layering check for Objective-C by @googlewalt in https://github.com/google/santa/pull/781
• Add "Team ID" to description on AllowedPathRegex by @tnek in https://github.com/google/santa/pull/782
• Fix event team ID decision value by @np5 in https://github.com/google/santa/pull/784
• santad: Use TTY path provided by ES by @russellhancox in https://github.com/google/santa/pull/785
• Disable layering check for Objective-C by @googlewalt in https://github.com/google/santa/pull/787
• Populate critical paths from the ES default mute set by @mlw in https://github.com/google/santa/pull/786
• santa/windows: Update buttons to use push to better stand out by @radsec in https://github.com/google/santa/pull/788
• syncservice: implementation and migration by @tburgin in https://github.com/google/santa/pull/775
• syncservice: sign and package by @tburgin in https://github.com/google/santa/pull/790
• Project: Include syncservice.plist in release builds and loads by @russellhancox in https://github.com/google/santa/pull/792
• Project: Update packaging script to do tarball creation in a scratch dir by @russellhancox in https://github.com/google/santa/pull/793

New Contributors

• @googlewalt made their first contribution in https://github.com/google/santa/pull/781

Full Changelog: https://github.com/google/santa/compare/2022.3...2022.4

Notes

• The kernel extension and all support for it has been fully removed. Santa now requires macOS 10.15 and above.
• Protobuf structured event logging has been added but is still experimental; the format of the logs is subject to change and there is purposefully no documentation on its use. We will announce in a feature release when this feature is stable.
• The Santa daemon is now loaded early during the boot process to better protect against persistent threats.
• Preflight sync requests now include the machine's model identifier.

What's Changed

• Fix: Issue with SNTMetricHTTPWriter Timeouts by @pmarkowsky in https://github.com/google/santa/pull/741
• Fix: uninstall.sh to remove the metric & bundle services. by @pmarkowsky in https://github.com/google/santa/pull/743
• Project: Bump version to 2022.3 by @russellhancox in https://github.com/google/santa/pull/745
• Project: Disable bazel layering_check feature for most rules by @russellhancox in https://github.com/google/santa/pull/742
• Fix: Typo in SNTDeviceManager tests & ensure tests run under CI by @pmarkowsky in https://github.com/google/santa/pull/746
• Protobuf support, maildir format logging by @mlw in https://github.com/google/santa/pull/731
• Remove the Santa kernel extension. by @tnek in https://github.com/google/santa/pull/749
• Made santad an early boot client to prevent racing other processes by @pmarkowsky in https://github.com/google/santa/pull/750
• Add model identifier to preflight request by @np5 in https://github.com/google/santa/pull/751
• Remove code guarded by #ifdef kernel macros by @tnek in https://github.com/google/santa/pull/752
• Project: Remove kext signing/packaging by @russellhancox in https://github.com/google/santa/pull/755
• santactl/status: Re-org output in status re: USB Blocking. by @russellhancox in https://github.com/google/santa/pull/759
• santad: Clear caches when disks are unmounted. by @russellhancox in https://github.com/google/santa/pull/760
• Docs: Remove references to kexts and santa-driver from parts of the docs by @tnek in https://github.com/google/santa/pull/762

Full Changelog: https://github.com/google/santa/compare/2022.2...2022.3

Notes

• USB device blocking mode is now reported in santactl status and configurable GUI notifications have been added.
• Package will no longer prompt to install Rosetta on ARM machines (fixes #732).
• santactl version now reports the build version alongside the product version. This is part of the CFBundleVersion for each component.
• A new fail-closed configuration key has been added that will cause Santa to block execution if it's unable to read a file.

What's Changed

• santad: Add fail-closed mode by @russellhancox in https://github.com/google/santa/pull/722
• Fix additional strlcpy issue, simplify call paths by @mlw in https://github.com/google/santa/pull/723
• Update version of bazel rules_apple to fix broken 12.3 builds by @tnek in https://github.com/google/santa/pull/726
• Report USB blocking status with santactl status by @tnek in https://github.com/google/santa/pull/727
• Fix: remediate a crash in santametricservice by @pmarkowsky in https://github.com/google/santa/pull/729
• santad: Fix fail open tests in SNTExecutionControllerTest by @russellhancox in https://github.com/google/santa/pull/730
• Project: Add arm64 to hostArchitectures for productbuild by @russellhancox in https://github.com/google/santa/pull/733
• Project: Bump version to 2022.2 by @russellhancox in https://github.com/google/santa/pull/734
• Add a USB device blocking popup. by @tnek in https://github.com/google/santa/pull/728
• Project: Add build version to CFBundleVersion by @russellhancox in https://github.com/google/santa/pull/736
• Packaging: Keep package versions simple by @russellhancox in https://github.com/google/santa/pull/737

New Contributors

• @mlw made their first contribution in https://github.com/google/santa/pull/723

Full Changelog: https://github.com/google/santa/compare/2022.1...2022.2

Notes

• Fixed PrinterProxy workaround for Monterey
• More metrics, including an event counter
• Fixed logging of dates when system calendar is not Gregorian.
• Added USB Mass Storage blocking feature, which can be controlled by a sync server
• santad no longer stores events for upload if a sync server is not configured
• Sync can now use a provided proxy configuration separate from the system one (c.f SyncProxyConfiguration)

What's Changed

• Project: Add bazel commands extractor for VSCode integration by @russellhancox in https://github.com/google/santa/pull/690
• Ignore VSCode directories by @pmarkowsky in https://github.com/google/santa/pull/692
• Fix: SNTMetricSet reregistering metrics returns wrong metric by @pmarkowsky in https://github.com/google/santa/pull/693
• Update the Santa version number to 2021.9 by @tnek in https://github.com/google/santa/pull/695
• Add a simple event counter to SNTExecutionController by @pmarkowsky in https://github.com/google/santa/pull/694
• santasyncservice: move sync code to the santasyncservice dir by @tburgin in https://github.com/google/santa/pull/696
• Fix: santactl metrics command behavior by @pmarkowsky in https://github.com/google/santa/pull/697
• santad: Fix PrinterProxy workaround for Monterey+ by @russellhancox in https://github.com/google/santa/pull/698
• Project: Bump version to 2022.1 by @russellhancox in https://github.com/google/santa/pull/700
• Update misleading santactl rule text to have accurate text for team IDs by @tnek in https://github.com/google/santa/pull/701
• USB mass storage blocking and remounting by @tnek in https://github.com/google/santa/pull/685
• Update hedron_compile_commands by @cpsauer in https://github.com/google/santa/pull/704
• Project: Explicitly set calendar on ISO8601 dates by @russellhancox in https://github.com/google/santa/pull/706
• Add test coverage for syncing USB mounting options by @tnek in https://github.com/google/santa/pull/711
• santad: Don't use proc_pidpath when using ES by @russellhancox in https://github.com/google/santa/pull/707
• Add clang annotation for fallthrough by @tnek in https://github.com/google/santa/pull/712
• Sync: Allow configuring proxies by @russellhancox in https://github.com/google/santa/pull/708
• Support rule downloading of Team ID rules by @tnek in https://github.com/google/santa/pull/709
• santactl/fileinfo: Update --cert-index usage by @russellhancox in https://github.com/google/santa/pull/713
• santactl/fileinfo: Clarify valid index for cert-index by @russellhancox in https://github.com/google/santa/pull/714
• Fix off-by one error in strlcpy by @pmarkowsky in https://github.com/google/santa/pull/715
• Create test suites for each component by @pmarkowsky in https://github.com/google/santa/pull/702
• Conf: Delete and clean-up ASL conf, enable signaling on newsyslog.conf. by @russellhancox in https://github.com/google/santa/pull/716
• Add clang_analyzer report generation script by @tnek in https://github.com/google/santa/pull/717
• rule download: return early on daemon timeout by @tburgin in https://github.com/google/santa/pull/718
• santactl/fileinfo: Switch certIndex to an NSNumber by @russellhancox in https://github.com/google/santa/pull/719
• Add DiskArbitrationTestUtil to shim out DiskArbitration for unit testing by @tnek in https://github.com/google/santa/pull/720
• santad: only store events if there is a sync server configured by @tburgin in https://github.com/google/santa/pull/721

New Contributors

• @cpsauer made their first contribution in https://github.com/google/santa/pull/704

Full Changelog: https://github.com/google/santa/compare/2021.8...2022.1

Notes

• Added a system for collecting and exporting metrics to monitoring systems and a metrics subcommand to santactl for viewing the current state. More metrics will be added in future releases.
• EnableSysxCache is now enabled by default - we've found this significantly improves performance when other EndpointSecurity extensions are in use.
• Added TeamID as a rule type - you can now allow/block by team ID instead of individual certificates. Support is included in santactl rule.
• Added AboutText configuration key to configure the text displayed when Santa.app is opened while it's running (thanks @np5!)

WARNING (2021-10-06)

Shortly after release we noticed that the code signature on the released binaries was missing some required entitlements. We have updated the release package and tarball attached to this release and added .ORIG to the original files.

If you have attempted to deploy the original broken release you should try again with the updated files. As there are no code changes we have not bumped the version number.

Notes

• santactl/sync: Fixed a rare crash from reachability checks
• santactl/sync: Fixed a rare crash when using FCM
• santad: Improved prevention of database overwrites

Notes

• Updates MOLAuthenticatingURLSession to v3.0, which will now pick the most recently issued cert if multiple certs match the filters specified in the configuration. Fixes #553

Notes

• Fixes an issue in santactl fileinfo where bundles were misappropriated (issue #536)
• Fixes transitive allowlisting when EnableSysCache is true (issue #539)

Notes

• santad: Fixes caching of blocked executions when EnableSysxCache is in use.
• santactl: Retry individual requests to continue a long sync through minor network blips