Santa should have a way to limit what's logged in santa.log

google / santa

A binary authorization and monitoring system for macOS

https://santa.dev

Apache License 2.0

4.42k stars 296 forks source link

Santa should have a way to limit what's logged in santa.log #1375

Open pmarkowsky opened 3 months ago

pmarkowsky commented 3 months ago

It would be nice to have a filter that allows you to decide which events are / are not logged into the logs in /var/db/santa/.

I propose but am not wedded to the following:

Assign each event a number
Create a bitmask where all ones means all events
Check the bitmask and only log the events that are enabled in the bitmask.
Create a new option in the config LogFilter that by default logs all events.
Create a string mapping of fields to be set in the option similar to the USB options.

mlw commented 3 months ago

Further, when events that are configured to be filtered are not needed for other purposes (e.g. cache invalidation, transitive allowlisting, etc.) then the associated subscriptions should also be removed.