google / santa

A binary authorization and monitoring system for macOS
https://santa.dev
Apache License 2.0

Unexpected santactl fileinfo output when using --filter #1382

Open macjustice opened 1 week ago

macjustice commented 1 week ago

I am working on a way of reporting what binaries on a device are blocked by rule.

Per the usage text for santactl fileinfo, it looked like the --filter option would be the way to go. However, providing --filter Type=Executable --filter Rule=Blocked returned output that included executables without block rules.

To reproduce:

  1. Block an arbitrary binary: sudo santactl rule --block --path /usr/bin/yes
  2. Validate: sudo santactl rule --check --path /usr/bin/yes
  3. Try listing blocked binaries: santactl fileinfo --recursive --filter Type=Executable --filter Rule=Blocked --key Path --key Rule /usr/bin/
    1. output includes every binary in /usr/bin, with Rule: Could not communicate with daemon
    2. Expected output would be just /usr/bin/yes with Rule: Blocked (Binary)

tburgin commented 1 week ago

#1383 fixes the issues with handling a path with a lot of files, but the issue with multiple --filter still exists.

The problem is that --filter checks are not currently implemented as inclusive. Currently if any --filter matches then the item will be included :/

We will fix this.
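To make the mismatch concrete, here is an added Python model of the two filter semantics (not Santa's code; the records and the substring-match rule are assumptions constructed for the example): `filter_any` reproduces the reported behaviour, where an item is kept if any `--filter` matches, and `filter_all` is the expected behaviour, where every filter must match.

```python
"""Model of the --filter semantics discussed in this issue (constructed example)."""
from typing import Dict, List, Tuple

# Constructed records standing in for what `santactl fileinfo --recursive` reports
# per file; they are invented for this example and are not real tool output.
SAMPLE_FILES: List[Dict[str, str]] = [
    {"Path": "/usr/bin/yes",    "Type": "Executable", "Rule": "Blocked (Binary)"},
    {"Path": "/usr/bin/true",   "Type": "Executable", "Rule": "Allowed (Unknown)"},
    {"Path": "/usr/bin/ls",     "Type": "Executable", "Rule": "Allowed (Unknown)"},
    {"Path": "/usr/bin/README", "Type": "Unknown",    "Rule": "Allowed (Unknown)"},
]


def parse_filters(args: List[str]) -> List[Tuple[str, str]]:
    """Turn 'Key=Value' strings into (key, value) pairs; reject malformed ones."""
    filters = []
    for arg in args:
        key, sep, value = arg.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"bad filter {arg!r}, expected Key=Value")
        filters.append((key, value))
    return filters


def matches(record: Dict[str, str], key: str, value: str) -> bool:
    # Assumption: a filter matches when its value appears in the record's field
    # (case-insensitive), so Rule=Blocked matches "Blocked (Binary)".
    return value.lower() in record.get(key, "").lower()


def filter_any(records, filters) -> List[str]:
    """Behaviour reported in the issue: keep the item if ANY filter matches.
    With a single --filter this is indistinguishable from the correct version,
    which is why the bug only shows up once several filters are combined."""
    return [r["Path"] for r in records if any(matches(r, k, v) for k, v in filters)]


def filter_all(records, filters) -> List[str]:
    """Expected behaviour: keep the item only if ALL filters match."""
    return [r["Path"] for r in records if all(matches(r, k, v) for k, v in filters)]


if __name__ == "__main__":
    flt = parse_filters(["Type=Executable", "Rule=Blocked"])
    print("any-match:", filter_any(SAMPLE_FILES, flt))  # every executable
    print("all-match:", filter_all(SAMPLE_FILES, flt))  # only /usr/bin/yes
```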