google / santa

A binary authorization and monitoring system for macOS
https://santa.dev
Apache License 2.0

Latest Allows Blocked Binary in Monitor Mode #878

Closed eopeter closed 2 years ago

eopeter commented 2 years ago

I built off the main branch in ad-hoc mode with SIP disabled and while testing attempted to block the Xcode binary. `santactl rule --check --sha256 691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071` shows Blocked (Binary), but I am still able to run Xcode.

I am using a static rule in Monitor Mode and expected I should not be able to start Xcode. The file in the plist is:

<dict>
  <!-- BLOCK xcode for testing -->
  <key>identifier</key>
  <string>691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071</string>
  <key>policy</key>
  <string>BLOCKLIST</string>
  <key>rule_type</key>
  <string>BINARY</string>
</dict>

My version shown below is a dev build and not the release, since I needed to test unreleased code:

$ santactl version
santad          | 9999.1 (build 1)
santactl        | 9999.1 (build 1)
SantaGUI     | 9999.1 (build 1)

Also found that 1 of the unit tests is failing with:

bazel test :unit_tests --define=SANTA_BUILD_TYPE=adhoc --test_output=errors

The result of the above shows 1 failing test:

** TEST EXECUTE FAILED **

Testing started
================================================================================
INFO: Elapsed time: 60.570s, Critical Path: 59.92s
INFO: 2 processes: 2 darwin-sandbox.
INFO: Build completed, 1 test FAILED, 2 total actions
//Source/common:SNTFileInfoTest                                 (cached) PASSED in 7.4s
//Source/common:SNTMetricSetTest                                (cached) PASSED in 12.3s
//Source/common:SNTPrefixTreeTest                               (cached) PASSED in 13.8s
//Source/common:SantaCacheTest                                  (cached) PASSED in 10.0s
//Source/gui:SNTNotificationManagerTest                         (cached) PASSED in 7.7s
//Source/santactl:SNTCommandFileInfoTest                        (cached) PASSED in 7.3s
//Source/santactl:SNTCommandMetricsTest                         (cached) PASSED in 7.9s
//Source/santad:SNTApplicationCoreMetricsTest                   (cached) PASSED in 11.3s
//Source/santad:SNTDeviceManagerTest                            (cached) PASSED in 8.8s
//Source/santad:SNTEndpointSecurityManagerTest                  (cached) PASSED in 6.5s
//Source/santad:SNTEventTableTest                               (cached) PASSED in 10.8s
//Source/santad:SNTExecutionControllerTest                      (cached) PASSED in 5.9s
//Source/santad:SNTProtobufEventLogTest                         (cached) PASSED in 6.3s
//Source/santad:SNTRuleTableTest                                (cached) PASSED in 7.4s
//Source/santametricservice:SNTMetricServiceTest                (cached) PASSED in 5.0s
//Source/santametricservice/Formats:SNTMetricMonarchJSONFormatTest (cached) PASSED in 9.5s
//Source/santametricservice/Formats:SNTMetricRawJSONFormatTest  (cached) PASSED in 5.5s
//Source/santametricservice/Writers:SNTMetricFileWriterTest     (cached) PASSED in 6.4s
//Source/santametricservice/Writers:SNTMetricHTTPWriterTest     (cached) PASSED in 6.2s
//Source/santasyncservice:NSDataZlibTest                        (cached) PASSED in 7.0s
//Source/santasyncservice:SNTSyncTest                           (cached) PASSED in 47.9s
//Source/santad:SNTApplicationTest                                       FAILED in 59.6s
  /private/var/tmp/_bazel_eoche/418fe1a0dd8829fc276fd3c03c07a8c4/execroot/santa/bazel-out/darwin-fastbuild/testlogs/Source/santad/SNTApplicationTest/test.log

Executed 1 out of 22 tests: 21 tests pass and 1 fails locally.
INFO: Build completed, 1 test FAILED, 2 total actions
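To make the expectation in this report concrete, here is an added example (it is not Santa's code and does not call Santa's own rule engine) that parses a StaticRules-style plist like the fragment above, validates each BINARY rule, and reports whether a given SHA-256 would be blocked in Monitor or Lockdown mode. It assumes the documented StaticRules layout (an array of dicts with `identifier`, `policy` and `rule_type`) and the Santa default that a binary with no matching rule is allowed in Monitor mode and blocked in Lockdown mode. The second rule in the sample is deliberately malformed to show why a checker should report rules it skips: a rule that silently never matches looks exactly like "blocked binary still runs".

```python
import hashlib
import plistlib

# Constructed sample StaticRules plist. The dict shape and the SHA-256 come
# from the issue; the <array> wrapper is the assumed StaticRules layout.
SAMPLE_STATIC_RULES = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <!-- BLOCK xcode for testing -->
    <key>identifier</key>
    <string>691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071</string>
    <key>policy</key>
    <string>BLOCKLIST</string>
    <key>rule_type</key>
    <string>BINARY</string>
  </dict>
  <dict>
    <!-- Constructed, deliberately malformed: truncated identifier -->
    <key>identifier</key>
    <string>DEADBEEF</string>
    <key>policy</key>
    <string>BLOCKLIST</string>
    <key>rule_type</key>
    <string>BINARY</string>
  </dict>
</array>
</plist>
"""

VALID_POLICIES = {"ALLOWLIST", "BLOCKLIST"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_sha256_hex(s: str) -> bool:
    """A BINARY identifier must be a 64-character hex SHA-256 digest."""
    return len(s) == 64 and all(c in HEX_DIGITS for c in s)


def load_static_rules(plist_bytes: bytes):
    """Parse a StaticRules array.

    Returns (rules, problems): rules maps (rule_type, identifier) -> policy
    for well-formed BINARY rules; problems lists why each other rule was
    skipped, so misconfiguration is visible instead of silently inert.
    """
    rules = {}
    problems = []
    for i, entry in enumerate(plistlib.loads(plist_bytes)):
        ident = str(entry.get("identifier", "")).strip()
        policy = str(entry.get("policy", "")).strip().upper()
        rtype = str(entry.get("rule_type", "")).strip().upper()
        if rtype != "BINARY":
            problems.append(f"rule {i}: rule_type {rtype!r} not handled by this checker")
            continue
        if policy not in VALID_POLICIES:
            problems.append(f"rule {i}: unknown policy {policy!r}")
            continue
        if not is_sha256_hex(ident):
            problems.append(f"rule {i}: identifier {ident!r} is not a 64-char hex SHA-256")
            continue
        # Normalise case so a hash copied from a tool that prints uppercase still matches.
        rules[(rtype, ident.lower())] = policy
    return rules, problems


def sha256_hex(data: bytes) -> str:
    """Digest of a binary's bytes, the identifier a BINARY rule is keyed on."""
    return hashlib.sha256(data).hexdigest()


def decide(rules, sha256: str, mode: str):
    """Return (verdict, reason) for a binary with the given SHA-256.

    An explicit BINARY rule wins in either mode; only binaries with no
    matching rule depend on the mode (allowed in Monitor, blocked in Lockdown).
    """
    policy = rules.get(("BINARY", sha256.lower()))
    if policy == "BLOCKLIST":
        return "BLOCK", "explicit BINARY BLOCKLIST rule"
    if policy == "ALLOWLIST":
        return "ALLOW", "explicit BINARY ALLOWLIST rule"
    mode = mode.upper()
    if mode == "MONITOR":
        return "ALLOW", "no matching rule; Monitor mode allows by default"
    if mode == "LOCKDOWN":
        return "BLOCK", "no matching rule; Lockdown mode blocks by default"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    rules, problems = load_static_rules(SAMPLE_STATIC_RULES)
    for p in problems:
        print("skipped:", p)
    xcode_hash = "691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071"
    other_hash = sha256_hex(b"constructed stand-in for some other binary")
    for h in (xcode_hash, other_hash):
        for mode in ("MONITOR", "LOCKDOWN"):
            print(mode, h[:12], *decide(rules, h, mode))
```

The useful part for a report like this one is the `problems` list: if the hash in the rule does not survive validation (wrong length, stray whitespace, a hash of the wrong file), the rule loads without error yet never matches, and the only symptom is the binary running.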
russellhancox commented 2 years ago

This is likely due to the dev build not having correct permissions, like full disk access. What do `santactl status` and `systemextensionsctl list` report?

eopeter commented 2 years ago
$ santactl status
>>> Daemon Info
  Mode                      | Monitor
  File Logging              | Yes
  USB Blocking              | No
  Watchdog CPU Events       | 0  (Peak: 16.54%)
  Watchdog RAM Events       | 0  (Peak: 58.42MB)
>>> Cache Info
  Root cache count          | 237
  Non-root cache count      | 0
>>> Database Info
  Binary Rules              | 0
  Certificate Rules         | 0
  TeamID Rules              | 0
  Compiler Rules            | 0
  Transitive Rules          | 0
  Events Pending Upload     | 19
>>> Static Rules
  Rules                     | 4
eopeter commented 2 years ago
$ systemextensionsctl list
3 extension(s)
--- com.apple.system_extension.network_extension
enabled active  teamID  bundleID (version)  name    [state]
*   *   PXPZ95SK77  com.paloaltonetworks.GlobalProtect.client.extension (5.2.11-10/1)   GlobalProtectExtension  [activated enabled]
*   *   DE8Y96K9QP  com.cisco.anyconnect.macos.acsockext (4.10.05111/4.10.05111)    Cisco AnyConnect Socket Filter Extension    [activated enabled]
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
*   *   -   com.google.santa.daemon (9999.1/9999.1.1)   santad  [activated enabled]
russellhancox commented 2 years ago

The output looks correct. I'm not able to reproduce the issue of blocked binaries not being blocked but I can reproduce SNTApplicationTest failing and I'm unsure why, even reverting back to the 2022.7 tag and running the test fails where it used to pass. Will need to dig into this a bit more.

eopeter commented 2 years ago

This started working.

russellhancox commented 2 years ago

Hmm, interesting. Did the test also start passing?

eopeter commented 2 years ago

No, the test is still failing. I can open another issue on the test.

eopeter commented 2 years ago

Rule check says binary is allowed but Santa is blocking it as shown:

[screenshot]
russellhancox commented 2 years ago

We published 2022.8, which allows/blocks binaries as expected (and there have been no significant code changes since the commit that build is based upon). I'm unable to reproduce any errors in an adhoc build either.

The failing SNTApplicationTest we've tracked down to being an issue caused by installed StaticRules in an on-device profile - the test doesn't sufficiently isolate the configuration installed on the host. We don't see this issue in CI because no such configuration profile exists. A fix is on the way.

pmarkowsky commented 2 years ago

Just submitted #885. Let us know if this doesn't solve your issue regarding the tests.

pmarkowsky commented 2 years ago

@eopeter I'm going to mark this closed. Please let us know if this is still an issue you're encountering.