Issue with agent reading Santa config #1279

Open
Zehpto opened this issue Jan 25, 2024 · 6 comments
Comments


Zehpto commented Jan 25, 2024

Hello,

I am trying to do a POC without a sync server and am having issues having the Santa configuration profile rules propagate to the client. I am using Jamf. The system extension and full disk access appear to be working as expected but no matter what I try the custom payload (config with the rules) doesn't seem to correctly apply.

I haven't seen anything obvious in /var/db/santa/santa.log and have been using santactl status and trying to see if the rule count > 0 to see if it has deployed. I do see the custom payload when browsing to the installed configuration profiles so it is reaching the machine.

I am not clear on what step is missing here.

FWIW I have tried to deploy both the default template as well as a few slimmed-down versions I modified--nothing changes the rule count from zero though.

Any help is appreciated.

ps aux | grep santa
username  22962   0.0  0.0 408499936    976 s000  R+   12:44PM   0:00.00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox santa
nobody           21733   0.0  0.0 408828400   7040   ??  Ss   12:25PM   0:00.02 /Applications/Santa.app/Contents/MacOS/santametricservice --syslog
root             20488   0.0  0.2 409978752 107600   ??  Rs   12:00PM   0:04.42 /Library/SystemExtensions/DB955CF8-AFA0-48F8-A287-505C06491F03/com.google.santa.daemon.systemextension/Contents/MacOS/com.google.santa.daemon
santactl status
 Daemon Info
  Mode                      | Monitor
  Log Type                  | file
  File Logging              | No
  USB Blocking              | No
  On Start USB Options      | None
  Watchdog CPU Events       | 0  (Peak: 1.83%)
  Watchdog RAM Events       | 0  (Peak: 105.09MB)

 Cache Info
  Root cache count          | 92
  Non-root cache count      | 0

Database Info
  Binary Rules              | 0
  Certificate Rules         | 0
  TeamID Rules              | 0
  SigningID Rules           | 0
  Compiler Rules            | 0
  Transitive Rules          | 0
  Events Pending Upload     | 0

Watch Items
  Enabled                   | No
@pmarkowsky
Contributor

pmarkowsky commented Jan 28, 2024

Can you send us the output from log stream --predicate 'sender == "com.google.santa.daemon"'?

/var/db/santa/santa.log is the output log where we log execution telemetry.

e.g. [2024-01-27T00:47:59.176Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=417c54bd19c3e02e0b0728eb407b75ce7912e7898585c94ecc8755242a483c61|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=30214|pidversion=67632|ppid=1525|uid=501|user=user|gid=20|group=staff|mode=M|path=/bin/ls|args=ls -F

If you're trying to load rules without a sync server you have a few options.

1. Static rules in your application config

This requires that you update your config and set static rules.

These are set as an array of dicts that describe the rule similarly to the Sync protocol Rules.

<key>StaticRules</key>
<array>
  <dict>
    <!-- Always allow files signed by Google LLC -->
    <key>identifier</key>
    <string>EQHXZ8M8AV</string>
    <key>policy</key>
    <string>ALLOWLIST</string>
    <key>rule_type</key>
    <string>TEAMID</string>
  </dict>
  <dict>
    <!-- Always allow files signed by "Internal Tools Certificate" -->
    <key>identifier</key>
    <string>b2617611fb6c008bfe9e05b7a633d4f21c403a0a1a88b514a04c3e5e111be025</string>
    <key>policy</key>
    <string>ALLOWLIST</string>
    <key>rule_type</key>
    <string>CERTIFICATE</string>
  </dict>
</array>

2. JSON rules

If you're running without a Sync server you can also import and export a JSON rules file.

The file is expected to contain a single JSON object with a rules key that's an array of JSON objects that describe a rule again similarly to the Sync Protocol.

{"rules": [
    {"policy": "BLOCKLIST",
     "identifier": "84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6",
     "custom_url": "",
     "custom_msg": "/bin/ls block for demo"}
]}

This file can be imported using santactl rule --import <path to file> e.g. sudo santactl rule --import rules.json

A rule file can be generated using the santactl rule --export <path to file> command e.g. sudo santactl rule --export ./rules.json
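An added example (not Santa's own code and not the maintainer's) that checks a rules.json in the shape described above and renders the same rules as a StaticRules plist array for a profile, so a syntax slip like a missing comma, a mistyped policy, or an identifier that does not fit its rule_type is caught before santactl sees the file. The policy and rule_type vocabularies beyond the values shown in this thread, and the identifier shape checks, are my assumptions; the sample rules reuse the identifiers quoted above.

```python
import json
import plistlib
import re

POLICIES = {"ALLOWLIST", "BLOCKLIST", "SILENT_BLOCKLIST", "ALLOWLIST_COMPILER", "REMOVE"}  # assumed vocabulary
RULE_TYPES = {"BINARY", "CERTIFICATE", "TEAMID", "SIGNINGID", "CDHASH"}  # assumed vocabulary
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")      # BINARY / CERTIFICATE identifiers
TEAMID_RE = re.compile(r"^[A-Z0-9]{10}$")      # Apple Team ID shape

def validate_rules(doc):
    """Return a list of problems in a parsed rules document ([] means clean)."""
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list):
        return ["top-level object must contain a 'rules' array"]
    errors = []
    for i, rule in enumerate(rules):
        where = f"rules[{i}]"
        if not isinstance(rule, dict):
            errors.append(f"{where}: must be an object")
            continue
        if rule.get("policy") not in POLICIES:
            errors.append(f"{where}: policy must be one of {sorted(POLICIES)}")
        ident = rule.get("identifier")
        if not isinstance(ident, str) or not ident:
            errors.append(f"{where}: identifier must be a non-empty string")
            continue
        rtype = rule.get("rule_type")  # optional in the thread's JSON example
        if rtype is not None and rtype not in RULE_TYPES:
            errors.append(f"{where}: unknown rule_type {rtype!r}")
        elif rtype == "TEAMID" and not TEAMID_RE.match(ident):
            errors.append(f"{where}: TEAMID identifier must be 10 alphanumerics")
        elif rtype in ("BINARY", "CERTIFICATE") and not SHA256_RE.match(ident.lower()):
            errors.append(f"{where}: {rtype} identifier must be a 64-hex SHA-256")
    return errors

def load_rules_json(text):
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:  # e.g. the missing comma in the snippet above
        return None, [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    return doc, validate_rules(doc)

def to_static_rules_plist(doc):
    # Same keys as the StaticRules profile snippet; plistlib emits a full plist document.
    return plistlib.dumps({"StaticRules": doc["rules"]}).decode()

# Constructed sample in the thread's JSON shape.
SAMPLE_JSON = """{"rules": [
  {"policy": "BLOCKLIST", "rule_type": "BINARY", "custom_msg": "/bin/ls block for demo",
   "identifier": "84de9c61777ca36b13228e2446d53e966096e78db7a72c632b5c185b2ffe68a6"},
  {"policy": "ALLOWLIST", "rule_type": "TEAMID", "identifier": "EQHXZ8M8AV"}
]}"""
```

Run load_rules_json on the file you intend to pass to santactl rule --import and feed a clean result to to_static_rules_plist to get the array for the profile.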

@pmarkowsky
Contributor

> FWIW I have tried to deploy both the default template as well as a few slimmed-down versions I modified--nothing changes the rule count from zero though.

@Zehpto Since it sounds like you're doing static rules with Jamf, can you send us the log output from log show --predicate 'sender == "com.google.santa.daemon"'?

@Zehpto
Author

Zehpto commented Jan 28, 2024

Hey @pmarkowsky,

Thanks for the response. Yes, you are correct, I am trying to define the rules in the XML statically. When a few test items I added didn't work, I exclusively attempted to use the three that ship with the template in case I had introduced a syntax error or the like. FWIW, I have tried to deploy the system extensions, PPPC, and Santa config as both one configuration profile as well as three different ones--not that I would expect different behavior. Additionally, I have tried to both upload the mobileconfig as well as manually port the configuration over so that a custom payload isn't used in the Jamf configuration profile. I very likely am overlooking something simple...

I have tested in two different Jamf environments and blown everything away a few times in each. To avoid inundating you with multiple disparate issues I will just focus only on one.

log.txt
I do see reference in the log to full-disk access missing so I went ahead and uploaded screenshots of that configuration.
[Three screenshots of the Full Disk Access configuration, taken 2024-01-28]

One quick follow-up question, hypothetically, if rules were defined via the commandline then rules were also loaded via config profile or JSON, would it overwrite the entire rule.db file or would it just insert additional rules?

Thanks in advance!

@Zehpto
Author

Zehpto commented Jan 29, 2024

I went back and verified. Both environments have the same configuration profiles (literal export and import). Environment #2 has nothing other than high CPU warnings. What is weird is that adding local rules says the rules.db database is corrupt.

@pmarkowsky
Contributor

@Zehpto were you able to sort this out?

Your comments about the database being corrupted seem like something is off environmentally.

@Zehpto
Author

Zehpto commented Mar 21, 2024

Hey @pmarkowsky, this got backburned due to issues. I think you are probably right. Is there a clean/preferred way to completely nuke the local instance between experiments? I have been removing the binary and /var/db/santa but I'm not exactly sure where any other cached files might live.
