google / santa

A binary authorization and monitoring system for macOS
https://santa.dev
Apache License 2.0

santactl status An error occurred communicating with the daemon, is it running? syslog code 78 #601

Closed dvickery closed 3 years ago

dvickery commented 3 years ago

I've just done a new installation of Santa:

santactl version
santa-driver | un-needed (SystemExtension being used)
santad | 2021.5
santactl | 2021.5
SantaGUI | 2021.5

But I get the "is it running" message in the title for santactl status. This link has not helped: https://github.com/google/santa/issues/460

In system.log I get these two entries:

Sep 14 12:14:29 [machinename] com.apple.xpc.launchd[1] (com.google.santa[684]): Missing executable detected. Job: 'com.google.santa' Executable: '/Applications/Santa.app/Contents/MacOS/Santa'
Sep 14 12:14:29 [machinename] com.apple.xpc.launchd[1] (com.google.santa[684]): Service exited with abnormal code: 78

I can't find anything relevant online, I've removed/reinstalled several times, and my colleague has the same issue on his Mac. Both machines are corporate devices running Big Sur. Can anyone give any pointers where to look?

russellhancox commented 3 years ago

Did you install using the pkg file? Does /Applications/Santa.app/Contents/MacOS/Santa exist?

dvickery commented 3 years ago

Hi, thanks for the quick response. Yes, I did install with the pkg file, and I can see Santa in that location, along with santactl and santabundleservice.

dvickery commented 3 years ago

Hmm. Not sure if this is relevant, but a code 78 error may be an inability to write to a log file?

https://stackoverflow.com/questions/54503366/launchctl-cant-run-the-binary-and-exits-with-a-code-78

I am a local admin, but could this still be an issue?

russellhancox commented 3 years ago

The com.google.santa launchd job is a LaunchAgent and at least in the provided config doesn't have any log file outputs defined. What is the content of /Library/LaunchAgents/com.google.santa.plist?

dvickery commented 3 years ago

Hi, contents follow. <> replaced with [] for the forum software.

[?xml version="1.0" encoding="UTF-8"?]
[!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"]
[plist version="1.0"]
[dict]
  [key]Label[/key]
  [string]com.google.santa[/string]
  [key]ProgramArguments[/key]
  [array]
    [string]/Applications/Santa.app/Contents/MacOS/Santa[/string]
    [string]--syslog[/string]
  [/array]
  [key]RunAtLoad[/key]
  [true/]
  [key]KeepAlive[/key]
  [true/]
[/dict]
[/plist]

dvickery commented 3 years ago

Also this command was in other articles, not sure if the output is helpful:

kextstat | grep santa-driver
Executing: /usr/bin/kmutil showloaded
No variant specified, falling back to release

russellhancox commented 3 years ago

The plist looks correct and kextstat is not expected to show anything anymore as we're using system extensions instead. Could you provide the output of the following commands:

ls -al /Applications/Santa.app/Contents/MacOS
file /Applications/Santa.app/Contents/MacOS/Santa
shasum -a 256 /Applications/Santa.app/Contents/MacOS/Santa
launchctl list com.google.santa
launchctl print gui/$UID/com.google.santa | grep state
launchctl kickstart gui/$UID/com.google.santa

Note: you can paste the output in a code block to avoid the need for escaping, start and finish a code block with 3 backticks.

dvickery commented 3 years ago

OK, commands and results follow. The last command gave no output.

ls -al /Applications/Santa.app/Contents/MacOS

total 6136
drwxr-xr-x  5 root wheel     160 4 May 18:32 .
drwxr-xr-x 10 root wheel     320 4 May 18:32 ..
-rwxr-xr-x  1 root wheel  719584 4 May 18:32 Santa
-rwxr-xr-x  1 root wheel  888912 4 May 18:32 santabundleservice
-rwxr-xr-x  1 root wheel 1524224 4 May 18:32 santactl

file /Applications/Santa.app/Contents/MacOS/Santa
/Applications/Santa.app/Contents/MacOS/Santa: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64:Mach-O 64-bit executable arm64]
/Applications/Santa.app/Contents/MacOS/Santa (for architecture x86_64): Mach-O 64-bit executable x86_64
/Applications/Santa.app/Contents/MacOS/Santa (for architecture arm64): Mach-O 64-bit executable arm64

shasum -a 256 /Applications/Santa.app/Contents/MacOS/Santa
6b8764ffcfe001ef031694b3f4f7ce16a09c8eb20fda68b4bbebc9792972e1b2  /Applications/Santa.app/Contents/MacOS/Santa

launchctl list com.google.santa
{
  "LimitLoadToSessionType" = "Aqua";
  "Label" = "com.google.santa";
  "OnDemand" = false;
  "LastExitStatus" = 0;
  "PID" = 823;
  "Program" = "/Applications/Santa.app/Contents/MacOS/Santa";
  "ProgramArguments" = (
    "/Applications/Santa.app/Contents/MacOS/Santa";
    "--syslog";
  );
  "PerJobMachServices" = {
    "com.apple.tsm.portname" = mach-port-object;
    "com.apple.coredrag" = mach-port-object;
    "com.apple.axserver" = mach-port-object;
  };
};

launchctl print gui/$UID/com.google.santa | grep state
state = running
job state = running

Thanks for the ongoing help, I appreciate it.

russellhancox commented 3 years ago

OK, that all looks correct. How about these?

systemextensionsctl list
ps -ef | grep santa

dvickery commented 3 years ago

The first only lists my VPN client, no Santa-related entries.

ps -ef | grep santa
501 5258 795 0 6:30pm ttys000 0:00.00 grep santa

russellhancox commented 3 years ago

OK, try this and paste any output:

/Applications/Santa.app/Contents/MacOS/Santa --load-system-extension

dvickery commented 3 years ago

OK, here goes:

/Applications/Santa.app/Contents/MacOS/Santa --load-system-extension

2021-09-15 18:36:01.666 Santa[5382:81595] Using your own bundle identifier as an NSUserDefaults suite name does not make sense and will not work. Break on _NSUserDefaults_Log_Nonsensical_Suites to find this
2021-09-15 18:36:01.667 Santa[5382:81595] Requesting SystemExtension activation
2021-09-15 18:36:01.729 Santa[5382:81596] SystemExtension "com.google.santa.daemon" request did fail: Error Domain=OSSystemExtensionErrorDomain Code=10 "(null)"

russellhancox commented 3 years ago

OSSystemExtensionErrorForbiddenBySystemPolicy = 10

Have you used an MDM to install a system extension policy profile to allow Santa to load? Has Santa ever loaded on this machine?

dvickery commented 3 years ago

Ah. We do have an MDM solution. I didn't realise I would need a policy to allow Santa to load. It's never been used before so I'll talk to the MDM team and look at getting a policy put in place. We're testing the solution for the first time and I'm unfamiliar with the Mac platform.

Thanks for your help, that sounds likely as it is affecting both machines we're testing on. I don't know how long it will take so I'll close this thread as I believe you've identified the cause.

russellhancox commented 3 years ago

Our deployment docs could do with some updates. You'll need to deploy 2 profiles to support loading Santa without users having to do anything:

  1. A com.apple.system-extension-policy to allow loading the extension itself.

  2. A com.apple.TCC.configuration-profile-policy profile to give SystemPolicyAllFiles access to com.google.santa.daemon
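
The two payloads listed in the comment above, sketched as a configuration profile (an added example, not part of the original thread and not taken from Santa's documentation). The Team ID, code requirement, UUIDs and `com.example.*` payload identifiers are placeholders to replace with real values; both payloads are combined in one profile here for brevity and can equally be deployed as two.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <!-- Placeholder identifiers and UUIDs: generate your own, e.g. with uuidgen -->
  <key>PayloadIdentifier</key><string>com.example.santa-approval</string>
  <key>PayloadUUID</key><string>PLACEHOLDER-UUID-1</string>
  <key>PayloadDisplayName</key><string>Santa approval (example)</string>
  <key>PayloadContent</key>
  <array>
    <!-- 1. Allow the system extension itself to load -->
    <dict>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.santa-approval.sysext</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-UUID-2</string>
      <key>AllowedSystemExtensions</key>
      <dict>
        <!-- Key is the signing Team ID of the extension (placeholder) -->
        <key>PLACEHOLDER_TEAM_ID</key>
        <array><string>com.google.santa.daemon</string></array>
      </dict>
    </dict>
    <!-- 2. Grant SystemPolicyAllFiles (Full Disk Access) to the daemon -->
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.santa-approval.tcc</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-UUID-3</string>
      <key>Services</key>
      <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
          <dict>
            <key>Identifier</key><string>com.google.santa.daemon</string>
            <key>IdentifierType</key><string>bundleID</string>
            <!-- Placeholder: designated requirement as printed by "codesign -d -r -" -->
            <key>CodeRequirement</key><string>PLACEHOLDER_CODE_REQUIREMENT</string>
            <key>Allowed</key><true/>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```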

dvickery commented 3 years ago

That's really helpful. I'll pass that on. Much appreciated.