Releases: google/santa

v2024.9

24 Sep 16:18
737525b

Notes

Fixed

❗ Fixed a caching bug preventing static rules from applying immediately
❗ Fixed a rare issue preventing blocking of some platform binaries

What's Changed

  • Use runtime platform binary check for exec evals by @mlw in #1424
  • static rules: fix cache invalidation on rule change by @tburgin in #1425

Full Changelog: 2024.8...2024.9

v2024.8

11 Sep 14:07
9f41fbb

Notes

Changed

↔️ Removed spurious debug logging of sync request JSON
↔️ Changed several sync proto fields to uint32 to restore backward compatibility with versions prior to 2024.6

Fixed

❗ Fixed a caching bug affecting bundle version numbers
❗ Fixed a sync bug affecting the Content-Type header sent in requests
❗ Fixed a crash that could occur under certain FAA configurations

Full Changelog: 2024.7...2024.8

v2024.7

07 Aug 14:47
6093118

Notes

Changed

↔️ Migrated syncservice from SCNetworkReachability to nw_path_monitor as the former is deprecated and occasionally causes crashes.

Fixed

❗ Fixed issue serializing the serial_num field in sync Preflight requests
❗ Fixed a rare crash caused by a race accessing metric callbacks

Full Changelog: 2024.6...2024.7

v2024.6

26 Jul 15:04
@mlw
59382bc

⚠️ Warning ⚠️

Shortly after release we were notified that the serial_num field in Preflight sync requests is being sent as serial_number. If this causes issues for your sync service, you may want to hold off on upgrading to this release and wait for 2024.7, which will be released shortly.

Notes

Changed

↔️ Serializing/deserializing of all sync requests and responses is now handled by the protobuf library. If protobuf transfers aren't enabled, the buffers will be converted to/from JSON just-in-time. This should be a transparent change for sync servers. However, it's possible there could be issues with rarely used keys. Please open an issue if you notice any sync keys not working as expected.
↔️ macOS 11 is no longer supported.
↔️ A dock icon now displays for the blocked execution UI and the window is discoverable via Cmd+Tab.
↔️ A blocked execution dialog is now discoverable via Cmd+Tab and a Dock icon will display while the window is open.

Fixed

❗ Addressed issue where santactl fileinfo could fail to get rule status if too many files were evaluated simultaneously.

Added

➕ The Santa daemon now includes signal protection to prevent being killed, even by root users.
➕ You can now configure Santa to communicate with the sync server via binary protobufs.
➕ 10 new event types have been added to the telemetry stream: Loginwindow login/logout/lock/unlock, OpenSSH login/logout, Screensharing attach/detach, and login(1) login/logout
➕ The --filter-inclusive switch was added to santactl fileinfo to support combining multiple --filter predicates as an AND operation as opposed to the default OR operation.
➕ The MachineID configuration value has been added to the requests of all sync protocol stages.
➕ The "Dismiss" button text in the blocked event dialog is now configurable (previously labeled "Ignore")

Full Changelog: 2024.5...2024.6

v2024.5

04 Jun 15:55
@mlw
7502bc2

Notes

Fixed

❗ Fixed issue rendering unicode in popup dialog messages

Changed

↔️ The scheduling priority for some Santa tasks (such as enrichment and logging) was slightly increased
↔️ santactl fileinfo output for Signing ID now uses standardized TeamID / platform prefix

Added

➕ More template options are now supported for the EventDetailURL configuration key
➕ Bundle events now include cdhash, Team ID and Signing ID values
➕ santactl rule now supports adding Signing ID and Team ID rules by file path

Full Changelog: 2024.4...2024.5

v2024.4

11 Apr 15:31
@mlw
22aca6b

Notes

Fixed

❗ Addressed an issue introduced in v2024.3 where rule information was not displayed in santactl fileinfo output. This also fixes a crash in the santactl fileinfo command if the --json flag was used. (#1318)
❗ The default selected button and keyboard shortcut (Cmd+Enter) for the blocked binary window have been restored.

What's Changed

  • [Bug] Restore default button type to MessageWindow for blocked events by @radsec in #1316
  • Bump MOLCodesignChecker tag to latest by @mlw in #1321
  • Fix: Update code to use the new MOLCodesignChecker interfaces for codesigning info by @pmarkowsky in #1322
  • Add macOS-14 to the test matrix by @pmarkowsky in #1323

Full Changelog: 2024.3...2024.4

v2024.3

04 Apr 17:16
@mlw
57fc2b0

WARNING

We were notified about an issue affecting the santactl fileinfo command in this version shortly after this version was released (#1318). For normal output, rule information cannot be obtained. Additionally, JSON output is broken.

We will be releasing a 2024.4 release ahead of schedule to address these issues.

Notes

Fixed

❗ The FileChangesRegex configuration key now applies to all file modification event types that can be logged. This was inadvertently made to only apply to WRITE log events starting in v2022.9. This will lead to a reduction in the number of logged events depending on how this key is configured. IMPORTANT: If you're using this configuration key, please make sure to test how this change will affect your deployments.

Changed

↔️ Improved logic on when to flush local caches when new rules are received. Caches should now be flushed less often. This can result in better performance in some deployment setups.
↔️ Improved transitive rule creation events when tracking RENAME events. This should improve transitive rule creation for some toolchains.

Added

➕ CDHash rules are now supported. These are now the highest-precedence rule type (ahead of binary hash). This includes adding support in santactl and to the sync protocol for sync servers to send rules to clients. See the Sync Protocol documentation for more details on how to serve CDHash rules.
➕ JSON rule import for locally managed deployments now supports the --clean and --clean-all flags (behaving similarly to santactl sync).

What's Changed

  • ProcessTree: fix missing direct deps by @kallsyms in #1288
  • docs: Document that *PathRegex does not work on symlinks by @russellhancox in #1290
  • ProcessTree: add macOS specific loader and ES adapter (2/4) by @kallsyms in #1237
  • Some more lint fixes by @kallsyms in #1295
  • Make FileChangesRegex apply to all file change event types by @mlw in #1294
  • Refactor rule and count lookups by @mlw in #1298
  • Creating transitive rules for rename events should fallback to destination path by @mlw in #1299
  • Added clean flags for JSON rule import by @pmarkowsky in #1300
  • Add support for CDHash rule types by @mlw in #1301
  • Add required dep for internal builds by @mlw in #1302
  • Implement NSSecureCoding for SNTRuleIdentifiers by @pmarkowsky in #1307
  • ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) by @kallsyms in #1281
  • Tests: Fix SNTRuleTableTest in the presence of local static rules by @russellhancox in #1311
  • Fix: Do not flush authcache when receiving duplicate block rules from the sync service by @pmarkowsky in #1310
  • Overrides disabled when running tests unless explicitly enabled by @mlw in #1312
  • Add CDHash to rule evaluation order documentation by @jasonmc in #1313
  • Fix BUILD deps by @kallsyms in #1314
  • Add missing EndpointSecurity dylib by @kallsyms in #1315

Full Changelog: 2024.2...2024.3

v2024.2

20 Feb 15:05
@mlw
e4c0d56

IMPORTANT: This release includes a fix that can impact some operations for users on macOS 14.4. We encourage all hosts to be upgraded as soon as possible to mitigate potential disruption.

Fixed
❗ Events received with deadlines in the very near future would be automatically denied.

Changed
↔️ The FailClosed configuration key is now respected in Lockdown mode when determining whether automatic fallback responses to events whose deadlines are about to expire should be allowed or denied. In Monitor mode, Santa now fails open similar to other usages of the FailClosed key.

What's Changed

  • ProcessTree: add core process tree logic (1/4) by @kallsyms in #1236
  • Fix import issues and lint by @kallsyms in #1282
  • Fix automatically denied events with small deadlines by @mlw in #1284
  • Respect fail closed on deadlines by @mlw in #1285
  • Add build dep for internal process by @mlw in #1286
  • Remove proc tree tests for now as the code isn't yet included in builds by @mlw in #1287

Full Changelog: 2024.1...2024.2

v2024.1

02 Feb 15:00
@mlw
70474ab

IMPORTANT: This release includes changes to some default behavior. Please carefully read the release notes for details!

Fixed
❗ Support for the config key EnableForkAndExitLogging was inadvertently removed in v2022.9. This has effectively been treated as if it had a default value of true, but the intention was for the default value to be false. Support for this key and its original default have been added back. If you require FORK and EXIT log events, please update your configuration to set this key appropriately.
❗ Configuration documentation was updated to include several supported but previously missing keys.

Changed
↔️ Clean syncs now remove only non-transitive rules from a host's rules database before applying the newly received rules by default.
↔️ The clean_sync preflight response key has been deprecated. Sync server maintainers should migrate to using the new sync_type key. If the clean_sync key is used, it will trigger the new default behavior of only removing non-transitive rules.
↔️ Transitive rule configuration is now printed regardless of whether or not a sync server is configured. The field was also moved to be grouped with the daemon section rather than the sync section.

Added
➕ The switch santactl sync --clean-all was added to reproduce the old clean sync behavior of removing all rules (instead of only non-transitive rules).

Please refer to the clean sync documentation for a better understanding of the new clean sync behavior!

What's Changed

  • reorder e2e tests by @kallsyms in #1249
  • Revert "Project: Remove provisioning_profiles attributes from command-line to…" by @mlw in #1251
  • Initial support for some scoped types by @mlw in #1250
  • GUI: Change default button text to "Open..." by @russellhancox in #1254
  • Event drop metrics by @mlw in #1253
  • Fix issue with drop count calculations by @mlw in #1256
  • Fix santactl rule --check by @mlw in #1262
  • Change build target visibility by @mlw in #1264
  • Fix wrong srcs paths by @mlw in #1265
  • Added documentation to clarify clean sync with zero rule behavior by @pmarkowsky in #1259
  • Docs add missing config keys by @mlw in #1270
  • Add back support for EnableForkAndExitLogging config key by @mlw in #1271
  • chore: Fix multiple typos by @hugo-syn in #1273
  • chore: Fix typo s/occured/occurred/ by @hugo-syn in #1274
  • Make santactl status always print out transitive rule status if set by @pmarkowsky in #1277
  • Sync clean all by @mlw in #1275

Full Changelog: 2023.10...2024.1

v2023.10

08 Dec 15:11
@mlw
2216644

Notes

Fixed

❗ Fixed USB block mode state not always reporting correctly in santactl status
❗ TeamID and SigningID rules are now ignored on execs of binaries signed with development certificates

Added

➕ Entitlements are now logged on EXEC events, along with new configuration keys to filter which entitlements are logged

What's Changed

  • Dismiss santa popup after integration tests by @kallsyms in #1226
  • Explicitly cast strings to std::string_view by @Coderlane in #1230
  • Add name for white space check by @pmarkowsky in #1223
  • Add support for logging entitlements in EXEC events by @mlw in #1225
  • Fix internal build issues, minor cleanup. by @mlw in #1231
  • Entitlements logging config options by @mlw in #1233
  • Experimental metrics by @mlw in #1238
  • Ignore TeamID and SigningID rules for dev signed code by @mlw in #1241
  • Bump to C++20 by @mlw in #1243
  • Fix test issue caused by move to C++20 by @mlw in #1245
  • Fix USB state issue in santactl status by @mlw in #1244
  • Revert back to C++17 for now by @mlw in #1246
  • Project: Remove provisioning_profiles attributes from command-line to… by @russellhancox in #1247
  • Expand debug logging for transitive rule failure case by @mlw in #1248

Full Changelog: 2023.9...2023.10