Releases: google/santa

v2024.4

11 Apr 15:31
@mlw
22aca6b

Notes

Fixed

❗ Addressed an issue introduced in v2024.3 where rule information was not displayed in santactl fileinfo output. This also fixes a crash in santactl fileinfo when the --json flag was used. (#1318)
❗ The default selected button and keyboard shortcut (Cmd+Enter) for the blocked binary window have been restored.

What's Changed

  • [Bug] Restore default button type to MessageWindow for blocked events by @radsec in #1316
  • Bump MOLCodesignChecker tag to latest by @mlw in #1321
  • Fix: Update code to use the new MOLCodesignChecker interfaces for codesigning info by @pmarkowsky in #1322
  • Add macOS-14 to the test matrix by @pmarkowsky in #1323

Full Changelog: 2024.3...2024.4

v2024.3

04 Apr 17:16
@mlw
57fc2b0

WARNING

We were notified of an issue affecting the santactl fileinfo command shortly after this version was released (#1318): in normal output, rule information cannot be obtained, and JSON output is broken.

We will be releasing 2024.4 ahead of schedule to address these issues.

Notes

Fixed

❗ The FileChangesRegex configuration key now applies to all file modification event types that can be logged. This was inadvertently made to only apply to WRITE log events starting in v2022.9. This will lead to a reduction in the number of logged events depending on how this key is configured. IMPORTANT: If you're using this configuration key, please make sure to test how this change will affect your deployments.
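To gauge what this change does to event volume before rolling out v2024.3, the following Python example (added here; it is not Santa's code and not part of the release notes) applies one FileChangesRegex value to a constructed set of file-modification events under both semantics: the v2022.9 to v2024.2 behaviour, where the regex gated WRITE events only and every other type was logged regardless, and the v2024.3 behaviour, where the regex gates every loggable type. The regex value, the paths and the event list are constructed for the illustration; the type labels mirror the ones Santa logs.

```python
import re

# Constructed sample of file-modification events. The type labels mirror the
# ones Santa logs (WRITE, RENAME, UNLINK, LINK); the paths are made up.
SAMPLE_EVENTS = [
    ("WRITE",  "/Users/alice/Library/Preferences/com.example.plist"),
    ("WRITE",  "/private/tmp/scratch.txt"),
    ("RENAME", "/Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    ("RENAME", "/private/tmp/build/out.o"),
    ("UNLINK", "/Library/LaunchDaemons/com.example.daemon.plist"),
    ("UNLINK", "/private/tmp/cache.bin"),
    ("LINK",   "/Users/alice/Library/LaunchAgents/persist.plist"),
]

# Example value for FileChangesRegex (an assumption for this illustration):
# only launchd plists and per-user Preferences are of interest.
FILE_CHANGES_REGEX = re.compile(
    r"^/(Users/[^/]+/Library/(LaunchAgents|Preferences)|Library/LaunchDaemons)/"
)


def logged_write_only(events, regex):
    """Behaviour from v2022.9 to v2024.2 as described in the v2024.3 note:
    the regex gates WRITE events only; every other type is logged regardless."""
    return [e for e in events if e[0] != "WRITE" or regex.search(e[1])]


def logged_all_types(events, regex):
    """v2024.3 behaviour: the regex gates every loggable modification type."""
    return [e for e in events if regex.search(e[1])]


def compare_semantics(events, regex):
    """Return counts under both semantics plus the events that stop being logged."""
    before = logged_write_only(events, regex)
    after = logged_all_types(events, regex)
    dropped = [e for e in before if e not in after]
    return {"before": len(before), "after": len(after), "dropped": dropped}


if __name__ == "__main__":
    summary = compare_semantics(SAMPLE_EVENTS, FILE_CHANGES_REGEX)
    print(f"logged before: {summary['before']}, after: {summary['after']}")
    for event_type, path in summary["dropped"]:
        print(f"  no longer logged: {event_type} {path}")
```

Feed it your deployment's real regex and a sample of recent RENAME/UNLINK/LINK paths from your own logs: every non-WRITE event the regex does not match is one that v2024.3 will stop logging, which is exactly the reduction the note warns about.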

Changed

↔️ Improved logic on when to flush local caches when new rules are received. Caches should now be flushed less often. This can result in better performance in some deployment setups.
↔️ Improved transitive rule creation events when tracking RENAME events. This should improve transitive rule creation for some toolchains.

Added

➕ CDHash rules are now supported. These are now the highest-precedence rule type (ahead of binary hash). This includes adding support in santactl and to the sync protocol so that sync servers can send CDHash rules to clients. See the Sync Protocol documentation for more details on how to serve CDHash rules.
➕ JSON rule import for locally managed deployments now supports the --clean and --clean-all flags (behaving similarly to santactl sync).

What's Changed

  • ProcessTree: fix missing direct deps by @kallsyms in #1288
  • docs: Document that *PathRegex does not work on symlinks by @russellhancox in #1290
  • ProcessTree: add macOS specific loader and ES adapter (2/4) by @kallsyms in #1237
  • Some more lint fixes by @kallsyms in #1295
  • Make FileChangesRegex apply to all file change event types by @mlw in #1294
  • Refactor rule and count lookups by @mlw in #1298
  • Creating transitive rules for rename events should fallback to destination path by @mlw in #1299
  • Added clean flags for JSON rule import by @pmarkowsky in #1300
  • Add support for CDHash rule types by @mlw in #1301
  • Add required dep for internal builds by @mlw in #1302
  • Implement NSSecureCoding for SNTRuleIdentifiers by @pmarkowsky in #1307
  • ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) by @kallsyms in #1281
  • Tests: Fix SNTRuleTableTest in the presence of local static rules by @russellhancox in #1311
  • Fix: Do not flush authcache when receiving duplicate block rules from the sync service by @pmarkowsky in #1310
  • Overrides disabled when running tests unless explicitly enabled by @mlw in #1312
  • Add CDHash to rule evaluation order documentation by @jasonmc in #1313
  • Fix BUILD deps by @kallsyms in #1314
  • Add missing EndpointSecurity dylib by @kallsyms in #1315

Full Changelog: 2024.2...2024.3

v2024.2

20 Feb 15:05
@mlw
e4c0d56

IMPORTANT: This release includes a fix that can impact some operations for users on macOS 14.4. We encourage all hosts to be upgraded as soon as possible to mitigate potential disruption.

Fixed
❗ Events received with deadlines in the very near future would be automatically denied.

Changed
↔️ The FailClosed configuration key is now respected in Lockdown mode when determining whether automatic fallback responses to events whose deadlines are about to expire should be allowed or denied. In Monitor mode, Santa now fails open similar to other usages of the FailClosed key.
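The two notes above describe one mechanism: an EndpointSecurity client must answer an authorization event before its deadline, so if the real decision is not ready in time a fallback verdict has to go out, and the fallback depends on the client mode and FailClosed. The Python model below is an added example, not Santa's code; the watchdog shape, the margin value and the ALLOW/DENY strings are assumptions made for the illustration. It shows the decision table from the note (Lockdown honours FailClosed, Monitor fails open) and the timing logic around it.

```python
import threading
import time
from enum import Enum


class ClientMode(Enum):
    MONITOR = "monitor"
    LOCKDOWN = "lockdown"


def fallback_verdict(mode, fail_closed):
    """Verdict to send when an event cannot be decided before its deadline.
    Per the v2024.2 note: Lockdown honours FailClosed, Monitor always fails open."""
    if mode is ClientMode.LOCKDOWN and fail_closed:
        return "DENY"
    return "ALLOW"


def decide_with_deadline(decide, deadline_s, mode, fail_closed, margin_s=0.05):
    """Run decide() on a worker thread and answer before the deadline.

    deadline_s is the time left (seconds) before the event's deadline, as an
    EndpointSecurity client sees it. If no verdict is ready margin_s before
    the deadline, respond with the policy-driven fallback instead of letting
    the deadline lapse. Returns (verdict, "decision" | "fallback").
    """
    result = {}
    done = threading.Event()

    def worker():
        result["verdict"] = decide()
        done.set()

    threading.Thread(target=worker, daemon=True).start()
    # Clamp at zero: a deadline that is already closer than the margin must
    # not turn into a negative timeout, which would skip the real decision.
    budget = max(0.0, deadline_s - margin_s)
    if done.wait(timeout=budget):
        return result["verdict"], "decision"
    return fallback_verdict(mode, fail_closed), "fallback"


def slow_allow(delay_s):
    """Constructed decision function that takes delay_s seconds to say ALLOW."""
    def decide():
        time.sleep(delay_s)
        return "ALLOW"
    return decide


if __name__ == "__main__":
    # Plenty of time: the real decision wins.
    print(decide_with_deadline(slow_allow(0.01), 1.0, ClientMode.LOCKDOWN, True))
    # Decision slower than the deadline: fallback, and the mode decides which way.
    for mode, fail_closed in [(ClientMode.LOCKDOWN, True),
                              (ClientMode.LOCKDOWN, False),
                              (ClientMode.MONITOR, True)]:
        print(mode.value, fail_closed,
              decide_with_deadline(slow_allow(0.5), 0.1, mode, fail_closed))
```

The operational point for a Lockdown fleet is that FailClosed=true turns every missed deadline into a denial, so any latency regression in rule lookup or sync surfaces as blocked executions; FailClosed=false trades that for fail-open behaviour under load.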

What's Changed

  • ProcessTree: add core process tree logic (1/4) by @kallsyms in #1236
  • Fix import issues and lint by @kallsyms in #1282
  • Fix automatically denied events with small deadlines by @mlw in #1284
  • Respect fail closed on deadlines by @mlw in #1285
  • Add build dep for internal process by @mlw in #1286
  • Remove proc tree tests for now as the code isn't yet included in builds by @mlw in #1287

Full Changelog: 2024.1...2024.2

v2024.1

02 Feb 15:00
@mlw
70474ab

IMPORTANT: This release includes changes to some default behavior. Please carefully read the release notes for details!

Fixed
❗ Support for the config key EnableForkAndExitLogging was inadvertently removed in v2022.9. This has effectively been treated as if it had a default value of true, but the intention was for the default value to be false. Support for this key and its original default have been added back. If you require FORK and EXIT log events, please update your configuration to set this key appropriately.
Configuration documentation was updated to include several supported but previously missing keys.

Changed
↔️ Clean syncs now remove only non-transitive rules from a host's rules database before applying the newly received rules by default.
↔️ The clean_sync preflight response key has been deprecated. Sync server maintainers should migrate to using the new sync_type key. If the clean_sync key is used, it will trigger the new default behavior of only removing non-transitive rules.
↔️ Transitive rule configuration is now printed regardless of whether or not a sync server is configured. The field was also moved to be grouped with the daemon section rather than the sync section.

Added
➕ The switch santactl sync --clean-all was added to reproduce the old clean sync behavior of removing all rules (instead of only non-transitive rules).

Please refer to the clean sync documentation for a better understanding of the new clean sync behavior!
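The clean sync notes above (and the --clean/--clean-all flags for JSON rule import in v2024.3, which the notes say behave similarly) come down to three ways of pruning the local rules database before the received rules are applied. The Python model below is an added example, not Santa's sync client or any sync server's code: it derives the sync type from a preflight response, preferring sync_type and mapping the deprecated clean_sync boolean onto the new default, then applies the received rules. The exact spellings of the sync_type values, the Rule fields and the sample rules are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Values of the sync_type preflight key; the exact spellings are an assumption,
# so the comparison below is case-insensitive.
SYNC_TYPES = ("normal", "clean", "clean_all")


@dataclass(frozen=True)
class Rule:
    rule_type: str            # BINARY, CERTIFICATE, TEAMID, SIGNINGID, CDHASH
    identifier: str
    policy: str               # ALLOWLIST, BLOCKLIST, REMOVE, ...
    transitive: bool = False  # created locally via transitive allowlisting


def requested_sync_type(preflight):
    """Derive the sync type from a preflight response.

    sync_type takes precedence. The deprecated clean_sync boolean maps to
    the new default: a clean sync that keeps transitive rules."""
    sync_type = preflight.get("sync_type")
    if sync_type is not None:
        sync_type = str(sync_type).lower()
        if sync_type not in SYNC_TYPES:
            raise ValueError(f"unknown sync_type: {sync_type!r}")
        return sync_type
    return "clean" if preflight.get("clean_sync") else "normal"


def apply_sync(local_rules, preflight, received_rules):
    """Return the rule set after a sync of the requested type.

    clean      -> drop non-transitive rules, keep transitive ones (v2024.1 default)
    clean_all  -> drop every rule (the old behaviour, now santactl sync --clean-all)
    normal     -> keep everything
    Received rules then upsert by (rule_type, identifier); REMOVE deletes."""
    sync_type = requested_sync_type(preflight)
    if sync_type == "clean_all":
        kept = []
    elif sync_type == "clean":
        kept = [r for r in local_rules if r.transitive]
    else:
        kept = list(local_rules)

    db = {(r.rule_type, r.identifier): r for r in kept}
    for rule in received_rules:
        key = (rule.rule_type, rule.identifier)
        if rule.policy == "REMOVE":
            db.pop(key, None)
        else:
            db[key] = rule
    return set(db.values())


# Constructed local state: one explicit binary rule, one transitive rule a
# compiler created, and one Team ID rule the server is about to flip.
LOCAL_RULES = {
    Rule("BINARY", "a" * 64, "ALLOWLIST"),
    Rule("BINARY", "b" * 64, "ALLOWLIST", transitive=True),
    Rule("TEAMID", "ABCDE12345", "ALLOWLIST"),
}
RECEIVED_RULES = [Rule("TEAMID", "ABCDE12345", "BLOCKLIST")]


if __name__ == "__main__":
    for preflight in ({"sync_type": "normal"}, {"sync_type": "clean"},
                      {"sync_type": "clean_all"}, {"clean_sync": True}):
        result = apply_sync(LOCAL_RULES, preflight, RECEIVED_RULES)
        print(preflight, "->",
              sorted((r.rule_type, r.identifier[:8], r.policy) for r in result))
```

The case worth checking in your own server is the last one: a server that still sends clean_sync expecting the pre-v2024.1 wipe will now leave transitive rules in place, and must send sync_type clean_all to get the old result.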

What's Changed

  • reorder e2e tests by @kallsyms in #1249
  • Revert "Project: Remove provisioning_profiles attributes from command-line to…" by @mlw in #1251
  • Initial support for some scoped types by @mlw in #1250
  • GUI: Change default button text to "Open..." by @russellhancox in #1254
  • Event drop metrics by @mlw in #1253
  • Fix issue with drop count calculations by @mlw in #1256
  • Fix santactl rule --check by @mlw in #1262
  • Change build target visibility by @mlw in #1264
  • Fix wrong srcs paths by @mlw in #1265
  • Added documentation to clarify clean sync with zero rule behavior by @pmarkowsky in #1259
  • Docs add missing config keys by @mlw in #1270
  • Add back support for EnableForkAndExitLogging config key by @mlw in #1271
  • chore: Fix multiple typos by @hugo-syn in #1273
  • chore: Fix typo s/occured/occurred/ by @hugo-syn in #1274
  • Make santactl status always print out transitive rule status if set by @pmarkowsky in #1277
  • Sync clean all by @mlw in #1275

Full Changelog: 2023.10...2024.1

v2023.10

08 Dec 15:11
@mlw
2216644

Notes

Fixed

❗ Fixed USB block mode state not always reporting correctly in santactl status
❗ TeamID and SigningID rules are now ignored on execs of binaries signed with development certificates

Added

➕ Entitlements are now logged on EXEC events, along with new configuration keys to filter which entitlements are logged

What's Changed

  • Dismiss santa popup after integration tests by @kallsyms in #1226
  • Explicitly cast strings to std::string_view by @Coderlane in #1230
  • Add name for white space check by @pmarkowsky in #1223
  • Add support for logging entitlements in EXEC events by @mlw in #1225
  • Fix internal build issues, minor cleanup. by @mlw in #1231
  • Entitlements logging config options by @mlw in #1233
  • Experimental metrics by @mlw in #1238
  • Ignore TeamID and SigningID rules for dev signed code by @mlw in #1241
  • Bump to C++20 by @mlw in #1243
  • Fix test issue caused by move to C++20 by @mlw in #1245
  • Fix USB state issue in santactl status by @mlw in #1244
  • Revert back to C++17 for now by @mlw in #1246
  • Project: Remove provisioning_profiles attributes from command-line to… by @russellhancox in #1247
  • Expand debug logging for transitive rule failure case by @mlw in #1248

Full Changelog: 2023.9...2023.10

v2023.9

14 Nov 15:30
@mlw
8f5f8de

Notes

Fixed

❗ Fixed issue where mount flags were improperly set for APFS formatted drives

Changed

↔️ santactl sync no longer requires root
↔️ Several public doc updates (thank you to our external contributors!)

Added

➕ Santa can now unmount/remount USB devices on startup
➕ New event type supported: CS_INVALIDATED
➕ Bundle information can now be printed via santactl fileinfo with the new --bundleinfo flag
➕ macOS 14 and USB support for E2E Testing

What's Changed

  • santactl/sync: Drop root requirement by @russellhancox in #1196
  • Minor doc updates. Add missing FAA config options. by @mlw in #1197
  • Update configuration.md to explain EnableDebugLogging by @p-harrison in #1203
  • Remove mention of KEXT from README.md by @pmarkowsky in #1202
  • Update configuration.md that push notifications not widely available by @p-harrison in #1204
  • Update syncing-overview.md with note on push notifications by @p-harrison in #1205
  • Fix issue preventing rule import / export from working by @pmarkowsky in #1199
  • Enable e2e testing on macOS 14 by @kallsyms in #1209
  • Support printing bundle info via santactl fileinfo command by @mlw in #1213
  • Unmount USB on start by @mlw in #1211
  • Additional build deps by @mlw in #1215
  • Add E2E testing for usb by @kallsyms in #1214
  • Add Support for CS_INVALIDATED Events by @pmarkowsky in #1210
  • Support remounting devices at startup with correct flags by @mlw in #1216
  • Record metrics for device manager startup operations by @mlw in #1218
  • Add OnStartUSBOptions to santactl status by @mlw in #1219
  • Fix remount issue for APFS formatted drives by @mlw in #1220
  • Update to the latest hedron_compile_commands by @mlw in #1221
  • Only remount on startup if remount args are set by @mlw in #1222

Full Changelog: 2023.8...2023.9

v2023.8

05 Oct 21:30
@mlw
5a383eb

Notes

Fixed

❗ Fixed issue where client mode was almost always logged as "unknown" (since v2023.5)
❗ Fixed issue where TeamID and SigningID rules were evaluated when a binary had codesign issues.

Changed

↔️ The default event-detail button text is now used in UIs when a custom URL is set

Added

➕ Mount name information added to disk events
➕ rules_received and rules_processed fields are now sent in the postflight request
➕ SigningID rules now support transitive allowlisting
➕ File Access Authorization now supports UI flows, similar to blocked binary executions
➕ File Access Authorization enforcement can now be controlled via sync settings
➕ Rules can now be imported/exported as JSON via santactl

What's Changed

  • Added TransitiveWhitelisting explanation to rules.md by @p-harrison in #1150
  • Add support for was_mmaped_writeable to file write monitoring when using macOS 13+ by @pmarkowsky in #1148
  • Fix issue where re config types couldn't be overridden by @mlw in #1151
  • Add mount from name information to disk appear events by @mlw in #1153
  • Remove references to old EnableSystemExtension config key by @mlw in #1155
  • sync: Send rules_received and rules_processed fields in postflight request by @russellhancox in #1156
  • Add SigningID/TeamID to Event definition in sync-protocol.md by @p-harrison in #1158
  • Correction to sync-protocol.md by @p-harrison in #1159
  • Fix new buildifier issues by @mlw in #1162
  • Additional metrics for File Access Authorizer client by @mlw in #1160
  • Use default event detail button text when a custom URL is set by @mlw in #1161
  • Restore file_bundle_hash & file_bundle_binary_count to Sync Protocol Docs by @pmarkowsky in #1164
  • Document SyncExtraHeaders in configuration.md by @p-harrison in #1166
  • Fix issue where client mode was almost always logged as "Unknown" by @mlw in #1165
  • Remove logupload stage from syncing-overview.md by @p-harrison in #1168
  • Fix typo in troubleshooting.md by @kyoshisuki in #1169
  • Update rules.md with more detail on Transitive/Compiler rules by @p-harrison in #1172
  • Add Tests for #1165 Behavior. by @pmarkowsky in #1173
  • Bump bazel and build_bazel_rules_apple versions by @mlw in #1178
  • Make Transitive Allowlisting Work with Signing ID rules by @pmarkowsky in #1177
  • Update Protobuf and Abseil versions by @mlw in #1179
  • UI For Blocked File Access by @mlw in #1174
  • Add ability to override File Access actions via config and sync settings by @mlw in #1175
  • Add basic support for importing and exporting rules to/from JSON by @pmarkowsky in #1170
  • Flatten deps to satisfy internal checkers by @mlw in #1182
  • Internal build fixes by @mlw in #1183
  • Use 'set -xo pipefail' instead for lint.sh by @tnek in #1185
  • Pin GitHub Actions to Specific Versions by @pmarkowsky in #1184
  • Add ability to specify custom event URLs and button text for FAA dialog by @mlw in #1186
  • Remove superfluous import by @mlw in #1188
  • Update sync-protocol.md by @p-harrison in #1187
  • Fix missing Santa block gif by @pmarkowsky in #1193
  • Only eval TID and SID rules when the binary signature is valid by @mlw in #1191

Full Changelog: 2023.7...2023.8

v2023.7

16 Aug 17:34
@mlw
d82e64a

Notes

Fixed

❗ Fixed performance regression that could occur when protobuf logging was configured and the spool directory was full

❗ Fixed issue where some daemon settings were being overridden by default values during sync preflight

Changed

↔️ Rules received now have their case forced to be what is expected during evaluation (e.g. hashes are forced to be lower case, Team IDs are uppercase)

↔️ Distributed notifications posted by Santa are now delivered immediately

↔️ All daemon settings sent during sync preflight now take effect during postflight

Added

➕ Added support for per-rule custom urls when a binary is blocked

➕ Custom headers can now be configured for sync requests

What's Changed

  • Update sync-protocol.md to include SIGNINGID rule type by @p-harrison in #1130
  • Add more file access config options by @mlw in #1128
  • Wire up TTYWriter instance to the file access client by @mlw in #1129
  • Enforce expected case for various rule type identifiers by @mlw in #1132
  • Add additional dep to satisfy import issue by @mlw in #1134
  • Change "exponential" backoff in SNTSyncStage.m to be exponential by @alexgraehl in #1135
  • Check if spool dir has changed before estimating size by @mlw in #1138
  • Have distributed notifications delivered immediately by @mlw in #1141
  • Only update daemon settings when sync settings explicitly set by @mlw in #1142
  • sync: Add SyncExtraHeaders config option. by @russellhancox in #1144
  • sync/UI: Add ability to send custom URLs for blocking rules. by @russellhancox in #1140
  • Add hot cache for targets of read only policies by @mlw in #1145
  • Cast enum to int by @itf in #1146
  • Project: Split integration VM license into its own LICENSE file by @russellhancox in #1147

Full Changelog: 2023.6...2023.7

v2023.6

11 Jul 18:40
@mlw
9e124f4

Notes

❗ The FileChangesRegex configuration key has inadvertently been ignored since v2022.9. This functionality has been restored in this release. Expect changes to what is logged if this key isn't configured appropriately for your use cases.

❗ Team ID and Signing ID rules will now only be considered when evaluating an execution if the code signature for the binary is valid.

❗ The SyncEnableCleanSyncEventUpload configuration key wasn't being properly read. This would prevent event uploads during a sync when a clean sync was requested by the server.

➕ Beta support has been added for JSON logging. Setting the EventLogType configuration key to json will cause the data in the santa.proto schema to be logged as JSON instead of binary protobuf. It is important to note that encoding to JSON will incur a performance penalty and deployments should appropriately measure cost to endpoints to ensure it is acceptable.
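Several rule-evaluation notes across these releases fit together in one lookup: CDHash as the highest-precedence rule type (v2024.3), received rule identifiers forced to the expected case (v2023.7), and TeamID and SigningID rules skipped for development-signed binaries (v2023.10) or for invalid signatures (v2023.8 and the note above). The Python model below is an added example, not Santa's rule table or decision code: it stores rules normalised by type, walks the documented precedence order, and applies the signature gating. The Target fields, the handling of CERTIFICATE rules (left ungated because the notes say nothing about them) and the sample hashes and Team ID are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Precedence from highest to lowest. CDHash moved to the top in v2024.3; the
# rest follows the order Santa's rules documentation describes.
PRECEDENCE = ("CDHASH", "BINARY", "SIGNINGID", "CERTIFICATE", "TEAMID")

# Rule types the notes say are skipped when the signature is invalid
# (v2023.6, v2023.8) or comes from a development certificate (v2023.10).
SIGNATURE_DEPENDENT = {"TEAMID", "SIGNINGID"}


def normalize(rule_type, identifier):
    """Force the case the evaluator expects (v2023.7 note): hashes lower-case,
    Team IDs upper-case. Signing IDs are left untouched here (assumption)."""
    if rule_type in ("CDHASH", "BINARY", "CERTIFICATE"):
        return identifier.lower()
    if rule_type == "TEAMID":
        return identifier.upper()
    return identifier


@dataclass(frozen=True)
class Target:
    """What is known about the binary being executed (field set is illustrative)."""
    cdhash: str
    sha256: str
    signing_id: Optional[str] = None
    cert_sha256: Optional[str] = None
    team_id: Optional[str] = None
    signature_valid: bool = True
    dev_signed: bool = False


class RuleTable:
    def __init__(self):
        self._rules = {}  # (rule_type, normalized identifier) -> policy

    def add(self, rule_type, identifier, policy):
        self._rules[(rule_type, normalize(rule_type, identifier))] = policy

    def lookup(self, rule_type, identifier):
        if identifier is None:
            return None
        return self._rules.get((rule_type, normalize(rule_type, identifier)))


def evaluate(table, target):
    """Return (policy, rule_type) of the first match in precedence order, or
    (None, None) when no rule applies and the client mode decides."""
    identifiers = {
        "CDHASH": target.cdhash, "BINARY": target.sha256,
        "SIGNINGID": target.signing_id, "CERTIFICATE": target.cert_sha256,
        "TEAMID": target.team_id,
    }
    for rule_type in PRECEDENCE:
        if rule_type in SIGNATURE_DEPENDENT and (not target.signature_valid or target.dev_signed):
            continue
        policy = table.lookup(rule_type, identifiers[rule_type])
        if policy is not None:
            return policy, rule_type
    return None, None


# Constructed identifiers; real values are hex digests and a 10-character Team ID.
CDHASH_A = "a" * 40
SHA256_A = "b" * 64
TEAM_ID = "ABCDE12345"


def build_table():
    """Rules as a server might send them, deliberately in the wrong case."""
    table = RuleTable()
    table.add("CDHASH", CDHASH_A.upper(), "ALLOWLIST")
    table.add("BINARY", SHA256_A.upper(), "BLOCKLIST")
    table.add("TEAMID", TEAM_ID.lower(), "ALLOWLIST")
    return table


if __name__ == "__main__":
    table = build_table()
    # CDHash allow beats the binary-hash block for the same file.
    print(evaluate(table, Target(CDHASH_A, SHA256_A)))
    # A Team ID rule applies only to a validly, non-development signed binary.
    print(evaluate(table, Target("0" * 40, "1" * 64, team_id=TEAM_ID)))
    print(evaluate(table, Target("0" * 40, "1" * 64, team_id=TEAM_ID, dev_signed=True)))
```

The second and third prints are the operationally interesting pair: a binary whose Team ID you allowlisted still gets no match when it is development-signed or its signature fails to validate, so in Lockdown mode it falls through to the default deny unless a CDHash or binary-hash rule covers it.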

What's Changed

  • Fix missing check for FileChangesRegex by @mlw in #1102
  • Update docs for signing id rules by @mlw in #1105
  • Migrate to new SNTRuleType enum values by @mlw in #1107
  • Abstract TTY writing so multiple writers can be synchronized by @mlw in #1108
  • Basic dialog functionality when access to a watch item is denied by @mlw in #1106
  • Fix build issues due to macOS 13.3 SDK changes by @mlw in #1110
  • Add Support for Logging to JSON (beta feature) by @pmarkowsky in #1112
  • Add macOS 13 to the test matrix by @pmarkowsky in #1113
  • Conf: Update notarization_tool in signing script by @russellhancox in #1116
  • Fix memleak in fsspool by @kallsyms in #1115
  • Use angle brackets for includes by @mlw in #1118
  • Add include for proto status stub by @mlw in #1119
  • Fix rule evaluation for TeamID and SigningID rules when encountering invalid signatures by @pmarkowsky in #1120
  • Fix check to detect changes to StaticRules by @mlw in #1121
  • Fix issue with invalid lengths by @mlw in #1122
  • Add kSyncEnableCleanSyncEventUpload to the _forcedConfigKeyTypes dict by @pmarkowsky in #1123

Full Changelog: 2023.5...2023.6

v2023.5

01 Jun 18:27
@mlw
5307bd9

Notes

➕ Santa now supports Signing ID rule types. See full documentation on santa.dev.

➕ File Access Authorization configuration now supports inverting the exception list in order to specify the processes that should be denied (or audited) instead of allowed.

What's Changed

  • Clarify that execution_time is a float64 by @jasonmc in #1080
  • Fix documentation for clean sync field in the preflight request. by @faizanrashid in #1082
  • Switch SNTEventState to uint64_t, reposition flag values and masks by @mlw in #1086
  • Add support to file monitoring config to invert process exceptions by @mlw in #1083
  • Inject additional dependencies into the serializers by @mlw in #1078
  • Docs: Added instructions for how to use config-overrides.plist by @pmarkowsky in #1077
  • santactl/rule: Fix --path argument by @russellhancox in #1089
  • Don't establish the FAA client pre-macOS 13 by @mlw in #1091
  • Return unique_ptr from Enrich instead of shared_ptr by @mlw in #1093
  • Stop unmuting the default mute set unnecessarily. by @mlw in #1095 (fixes: #1094)
  • Add new rule type for Signing IDs by @mlw in #1090
  • docs: Update vulnerability reporting instructions by @russellhancox in #1098
  • Handle database downgrade scenarios gracefully by @mlw in #1099
  • Fix precedence for static rule evaluation, santactl fileinfo output by @mlw in #1100

Full Changelog: 2023.4...2023.5