Open eopeter opened 7 months ago
@eopeter can you share the block logline? This is usually in /var/db/santa/santa.log if you're using text logs.
Also if there's a temporary file being generated by the debugserver can you share the fileinfo for that?
If you have EnableDebugLogging set to <true/> in your config profile, then the output from
sudo log stream --level debug --style compact --predicate 'sender == "com.google.santa.daemon"'
would also be helpful.
Also #1299 might help here.
@pmarkowsky this is the block log line:
[2024-03-08T21:32:59.120Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=16571|pidversion=7889775|ppid=16570|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
For the following Log Line
[2024-03-08T21:49:36.208Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=54767|pidversion=7967827|ppid=54766|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
I got the following logstream around the same time
2024-03-08 16:49:36.004 Df com.google.santa.daemon[398:a07a6d] D com.google.santa.daemon: Watching compiler pid=54763
2024-03-08 16:49:59.660 Df com.google.santa.daemon[398:a08476] D com.google.santa.daemon: No changes to set of watched paths
2024-03-08 16:58:10.815 Df com.google.santa.daemon[398:a12cb3] I com.google.santa.daemon: Flushing caches
2024-03-08 16:59:39.252 Df com.google.santa.daemon[398:a14ee5] D com.google.santa.daemon: Watching compiler pid=75687
2024-03-08 16:59:59.666 Df com.google.santa.daemon[398:a15750] D com.google.santa.daemon: No changes to set of watched paths.
happened with
[2024-03-08T21:59:39.461Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=af414908e47473f9aa1447541fe2198188d0db2ce798b806859f787669969156|pid=75693|pidversion=8009807|ppid=75691|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main|args=/Users/XXXX/Library/Caches/JetBrains/Idea/tmp/GoLand/___main
The stream log entries only happen after the cache is flushed, not on all DENY.
@pmarkowsky do these logs provide any insight?
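Added example (not part of the thread and not Santa project code): a Python script that lines up EXEC DENY entries from the santad text log with the debug log stream output, the comparison made by hand in the comment above. The sample lines are constructed from the ones quoted in the thread (placeholder hash and path, fewer fields), and the UTC-5 offset between the two logs is an assumption read off their timestamps.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the lines quoted in this thread:
# placeholder hash and path, reduced field set.
TEXT_LOG = """\
[2024-03-08T21:49:36.208Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=<placeholder>|pid=54767|ppid=54766|path=/tmp/example/___main
[2024-03-08T21:50:02.000Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=<placeholder>|pid=54800|ppid=1|path=/usr/bin/true
[2024-03-08T21:59:39.461Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|explain=Signature ignored due to error: -67062|sha256=<placeholder>|pid=75693|ppid=75691|path=/tmp/example/___main
"""
STREAM_LOG = """\
2024-03-08 16:49:36.004 Df com.google.santa.daemon[398:a07a6d] D com.google.santa.daemon: Watching compiler pid=54763
2024-03-08 16:58:10.815 Df com.google.santa.daemon[398:a12cb3] I com.google.santa.daemon: Flushing caches
2024-03-08 16:59:39.252 Df com.google.santa.daemon[398:a14ee5] D com.google.santa.daemon: Watching compiler pid=75687
"""

def parse_text_log(text):
    """Yield one dict per santad text-log line; its timestamps are UTC ('Z')."""
    for line in text.splitlines():
        m = re.match(r"\[(.+?)Z\] \w santad: (.*)", line)
        if m:
            # Split on the first '=' only: values such as explain= contain ':' and spaces.
            ev = dict(kv.split("=", 1) for kv in m.group(2).split("|") if "=" in kv)
            ev["ts"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
            yield ev

def parse_stream(text, utc_offset_hours):
    """Yield (utc_ts, message); the compact stream output shows local time."""
    for line in text.splitlines():
        m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) .*?: (.*)", line)
        if m:
            local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield local - timedelta(hours=utc_offset_hours), m.group(2)

def denies_with_context(text_log, stream_log, utc_offset_hours, window_s=2.0):
    """For each EXEC DENY, list daemon messages logged up to window_s before it."""
    stream = list(parse_stream(stream_log, utc_offset_hours))
    out = []
    for ev in parse_text_log(text_log):
        if ev.get("action") != "EXEC" or ev.get("decision") != "DENY":
            continue
        code = re.search(r"error: (-?\d+)", ev.get("explain", ""))
        near = [msg for ts, msg in stream
                if 0 <= (ev["ts"] - ts).total_seconds() <= window_s]
        out.append({"pid": ev["pid"], "path": ev["path"],
                    "error": int(code.group(1)) if code else None, "context": near})
    return out

if __name__ == "__main__":
    print(*denies_with_context(TEXT_LOG, STREAM_LOG, utc_offset_hours=-5), sep="\n")
```

With the wrong offset (for example 0) no daemon message falls inside the window, so the two logs appear unrelated even though they describe the same events.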
Running into a situation where when I am running a debugger in IntelliJ in lockdown mode, the output gets blocked. I added a compiler rule as below for the debugserver binary but no dice.