Santa Changelog

New in Santa 2024.4 (Apr 12, 2024)

  • Fixed:
  • Addressed an issue introduced in v2024.3 where rule information was not displayed in santactl fileinfo output. This also fixes a crash in the santactl fileinfo command when the --json flag was used. (#1318)
  • The default selected button and keyboard shortcut (Cmd+Enter) for the blocked binary window have been restored.
  • What's Changed:
  • [Bug] Restore default button type to MessageWindow for blocked events by @radsec in #1316
  • Bump MOLCodesignChecker tag to latest by @mlw in #1321
  • Fix: Update code to use the new MOLCodesignChecker interfaces for codesigning info by @pmarkowsky in #1322
  • Add macOS-14 to the test matrix by @pmarkowsky in #1323

New in Santa 2024.3 (Apr 8, 2024)

  • Fixed:
  • The FileChangesRegex configuration key now applies to all file modification event types that can be logged. This was inadvertently made to only apply to WRITE log events starting in v2022.9. This will lead to a reduction in the number of logged events depending on how this key is configured. IMPORTANT: If you're using this configuration key, please make sure to test how this change will affect your deployments.
  • Changed:
  • Improved logic on when to flush local caches when new rules are received. Caches should now be flushed less often. This can result in better performance in some deployment setups.
  • Improved transitive rule creation events when tracking RENAME events. This should improve transitive rule creation for some toolchains.
  • Added:
  • CDHash rules are now supported. These are now the highest-precedence rule type (ahead of binary hash). This includes adding support in santactl and to the sync protocol for sync servers to send rules to clients. See the Sync Protocol documentation for more details on how to serve CDHash rules.
  • JSON rule import for locally managed deployments now supports the --clean and --clean-all flags (behaving similarly to santactl sync).

New in Santa 2024.2 (Feb 20, 2024)

  • ProcessTree: add core process tree logic (1/4) by @kallsyms in #1236
  • Fix import issues and lint by @kallsyms in #1282
  • Fix automatically denied events with small deadlines by @mlw in #1284
  • Respect fail closed on deadlines by @mlw in #1285
  • Add build dep for internal process by @mlw in #1286
  • Remove proc tree tests for now as the code isn't yet included in builds by @mlw in #1287

New in Santa 2024.1 (Feb 2, 2024)

  • Fixed:
  • Support for the config key EnableForkAndExitLogging was inadvertently removed in v2022.9. This has effectively been treated as if it had a default value of true, but the intention was for the default value to be false. Support for this key and its original default have been added back. If you require FORK and EXIT log events, please update your configuration to set this key appropriately.
  • Configuration documentation was updated to include several supported but previously missing keys.
  • Changed:
  • Clean syncs now remove only non-transitive rules from a host's rules database before applying the newly received rules by default.
  • The clean_sync preflight response key has been deprecated. Sync server maintainers should migrate to using the new sync_type key. If the clean_sync key is used, it will trigger the new default behavior of only removing non-transitive rules.
  • Transitive rule configuration is now printed regardless of whether or not a sync server is configured. The field was also moved to be grouped with the daemon section rather than the sync section.
  • Added:
  • The switch santactl sync --clean-all was added to reproduce the old clean sync behavior of removing all rules (instead of only non-transitive rules).

New in Santa 2023.10 (Dec 8, 2023)

  • Fixed:
  • Fixed USB block mode state not always reporting correctly in santactl status
  • TeamID and SigningID rules are now ignored on execs of binaries signed with development certificates
  • Added:
  • Entitlements are now logged on EXEC events, along with new configuration keys to filter which entitlements are logged
  • What's Changed:
  • Dismiss santa popup after integration tests by @kallsyms in #1226
  • Explicitly cast strings to std::string_view by @Coderlane in #1230
  • Add name for white space check by @pmarkowsky in #1223
  • Add support for logging entitlements in EXEC events by @mlw in #1225
  • Fix internal build issues, minor cleanup. by @mlw in #1231
  • Entitlements logging config options by @mlw in #1233
  • Experimental metrics by @mlw in #1238
  • Ignore TeamID and SigningID rules for dev signed code by @mlw in #1241
  • Bump to C++20 by @mlw in #1243
  • Fix test issue caused by move to C++20 by @mlw in #1245
  • Fix USB state issue in santactl status by @mlw in #1244
  • Revert back to C++17 for now by @mlw in #1246
  • Project: Remove provisioning_profiles attributes from command-line to… by @russellhancox in #1247
  • Expand debug logging for transitive rule failure case by @mlw in #1248

New in Santa 2023.9 (Nov 14, 2023)

  • Fixed:
  • Fixed issue where mount flags were improperly set for APFS formatted drives
  • Changed:
  • santactl sync no longer requires root
  • Several public doc updates (thank you to our external contributors!)
  • Added:
  • Santa can now unmount/remount USB devices on startup
  • New event type supported: CS_INVALIDATED
  • Bundle information can now be printed via santactl fileinfo with the new --bundleinfo flag
  • macOS 14 and USB support for E2E Testing
  • What's Changed:
  • santactl/sync: Drop root requirement by @russellhancox in #1196
  • Minor doc updates. Add missing FAA config options. by @mlw in #1197
  • Update configuration.md to explain EnableDebugLogging by @p-harrison in #1203
  • Remove mention of KEXT from README.md by @pmarkowsky in #1202
  • Update configuration.md that push notifications not widely available by @p-harrison in #1204
  • Update syncing-overview.md with note on push notifications by @p-harrison in #1205
  • Fix issue preventing rule import / export from working by @pmarkowsky in #1199
  • Enable e2e testing on macOS 14 by @kallsyms in #1209
  • Support printing bundle info via santactl fileinfo command by @mlw in #1213
  • Unmount USB on start by @mlw in #1211
  • Additional build deps by @mlw in #1215
  • Add E2E testing for usb by @kallsyms in #1214
  • Add Support for CS_INVALIDATED Events by @pmarkowsky in #1210
  • Support remounting devices at startup with correct flags by @mlw in #1216
  • Record metrics for device manager startup operations by @mlw in #1218
  • Add OnStartUSBOptions to santactl status by @mlw in #1219
  • Fix remount issue for APFS formatted drives by @mlw in #1220
  • Update to the latest hedron_compile_commands by @mlw in #1221
  • Only remount on startup if remount args are set by @mlw in #1222

New in Santa 2023.8 (Oct 8, 2023)

  • Fixed:
  • Fixed issue where client mode was almost always logged as "unknown" (since v2023.5)
  • Fixed issue where TeamID and SigningID rules were evaluated when a binary had codesign issues.
  • Changed:
  • The default button text is now used in UIs when a Custom URL is set
  • Added:
  • Mount name information added to disk events
  • rules_received and rules_processed fields now sent in postflight request
  • SigningID rules now support transitive allowlisting
  • File Access Authorization now supports UI flows, similar to blocked binary executions
  • File Access Authorization enforcement can now be controlled via sync settings
  • Rules can now be imported/exported as JSON via santactl
  • What's Changed:
  • Added TransitiveWhitelisting explanation to rules.md by @p-harrison in #1150
  • Add support for was_mmaped_writeable to file write monitoring when using macOS 13+ by @pmarkowsky in #1148
  • Fix issue where re config types couldn't be overridden by @mlw in #1151
  • Add mount from name information to disk appear events by @mlw in #1153
  • Remove references to old EnableSystemExtension config key by @mlw in #1155
  • sync: Send rules_received and rules_processed fields in postflight request by @russellhancox in #1156
  • Add SigningID/TeamID to Event definition in sync-protocol.md by @p-harrison in #1158
  • Correction to sync-protocol.md by @p-harrison in #1159
  • Fix new buildifier issues by @mlw in #1162
  • Additional metrics for File Access Authorizer client by @mlw in #1160
  • Use default event detail button text when a custom URL is set by @mlw in #1161
  • Restore file_bundle_hash & file_bundle_binary_count to Sync Protocol Docs by @pmarkowsky in #1164
  • Document SyncExtraHeaders in configuration.md by @p-harrison in #1166
  • Fix issue where client mode was almost always logged as "Unknown" by @mlw in #1165
  • Remove logupload stage from syncing-overview.md by @p-harrison in #1168
  • Fix typo in troubleshooting.md by @kyoshisuki in #1169
  • Update rules.md with more detail on Transitive/Compiler rules by @p-harrison in #1172
  • Add Tests for #1165 Behavior. by @pmarkowsky in #1173
  • Bump bazel and build_bazel_rules_apple versions by @mlw in #1178
  • Make Transitive Allowlisting Work with Signing ID rules by @pmarkowsky in #1177
  • Update Protobuf and Abseil versions by @mlw in #1179
  • UI For Blocked File Access by @mlw in #1174
  • Add ability to override File Access actions via config and sync settings by @mlw in #1175
  • Add basic support for importing and exporting rules to/from JSON by @pmarkowsky in #1170
  • Flatten deps to satisfy internal checkers by @mlw in #1182
  • Internal build fixes by @mlw in #1183
  • Use 'set -xo pipefail' instead for lint.sh by @tnek in #1185
  • Pin GitHub Actions to Specific Versions by @pmarkowsky in #1184
  • Add ability to specify custom event URLs and button text for FAA dialog by @mlw in #1186
  • Remove superfluous import by @mlw in #1188
  • Update sync-protocol.md by @p-harrison in #1187
  • Fix missing Santa block gif by @pmarkowsky in #1193
  • Only eval TID and SID rules when the binary signature is valid by @mlw in #1191

New in Santa 2023.7 (Aug 16, 2023)

  • Fixed:
  • Fixed performance regression that could occur when protobuf logging was configured and the spool directory was full
  • Fixed issue where some daemon settings were being overridden by default values during sync preflight
  • Changed:
  • Received rules now have their identifiers' case forced to what is expected during evaluation (e.g. hashes are forced to lowercase, Team IDs to uppercase)
  • Distributed notifications posted by Santa are now delivered immediately
  • All daemon settings sent during sync preflight now take effect during postflight
  • Added:
  • Added support for per-rule custom urls when a binary is blocked
  • Custom headers can now be configured for sync requests
  • What's Changed:
  • Update sync-protocol.md to include SIGNINGID rule type by @p-harrison in #1130
  • Add more file access config options by @mlw in #1128
  • Wire up TTYWriter instance to the file access client by @mlw in #1129
  • Enforce expected case for various rule type identifiers by @mlw in #1132
  • Add additional dep to satisfy import issue by @mlw in #1134
  • Change "exponential" backoff in SNTSyncStage.m to be exponential by @alexgraehl in #1135
  • Check if spool dir has changed before estimating size by @mlw in #1138
  • Have distributed notifications delivered immediately by @mlw in #1141
  • Only update daemon settings when sync settings explicitly set by @mlw in #1142
  • sync: Add SyncExtraHeaders config option. by @russellhancox in #1144
  • sync/UI: Add ability to send custom URLs for blocking rules. by @russellhancox in #1140
  • Add hot cache for targets of read only policies by @mlw in #1145
  • Cast enum to int by @itf in #1146
  • Project: Split integration VM license into its own LICENSE file by @russellhancox in #1147

New in Santa 2023.6 (Jul 12, 2023)

  • Fix missing check for FileChangesRegex by @mlw in #1102
  • Update docs for signing id rules by @mlw in #1105
  • Migrate to new SNTRuleType enum values by @mlw in #1107
  • Abstract TTY writing so multiple writers can be synchronized by @mlw in #1108
  • Basic dialog functionality when access to a watch item is denied by @mlw in #1106
  • Fix build issues due to macOS 13.3 SDK changes by @mlw in #1110
  • Add Support for Logging to JSON (beta feature) by @pmarkowsky in #1112
  • Add macOS 13 to the test matrix by @pmarkowsky in #1113
  • Conf: Update notarization_tool in signing script by @russellhancox in #1116
  • Fix memleak in fsspool by @kallsyms in #1115
  • Use angle brackets for includes by @mlw in #1118
  • Add include for proto status stub by @mlw in #1119
  • Fix rule evaluation for TeamID and SigningID rules when encountering invalid signatures by @pmarkowsky in #1120
  • Fix check to detect changes to StaticRules by @mlw in #1121
  • Fix issue with invalid lengths by @mlw in #1122
  • Add kSyncEnableCleanSyncEventUpload to the _forcedConfigKeyTypes dict by @pmarkowsky in #1123

New in Santa 2023.5 (Jun 2, 2023)

  • Clarify that execution_time is a float64 by @jasonmc in #1080
  • Fix documentation for clean sync field in the preflight request. by @faizanrashid in #1082
  • Switch SNTEventState to uint64_t, reposition flag values and masks by @mlw in #1086
  • Add support to file monitoring config to invert process exceptions by @mlw in #1083
  • Inject additional dependencies into the serializers by @mlw in #1078
  • Docs: Added instructions for how to use config-overrides.plist by @pmarkowsky in #1077
  • santactl/rule: Fix --path argument by @russellhancox in #1089
  • Don't establish the FAA client pre-macOS 13 by @mlw in #1091
  • Return unique_ptr from Enrich instead of shared_ptr by @mlw in #1093
  • Stop unmuting the default mute set unnecessarily. by @mlw in #1095 (fixes: #1094)
  • Add new rule type for Signing IDs by @mlw in #1090
  • docs: Update vulnerability reporting instructions by @russellhancox in #1098
  • Handle database downgrade scenarios gracefully by @mlw in #1099
  • Fix precedence for static rule evaluation, santactl fileinfo output by @mlw in #1100

New in Santa 2023.4 (Apr 28, 2023)

  • Notes:
  • The EnableBackwardsCompatibleContentEncoding config key has been removed. We were not aware of any sync servers requiring this key; please contact us if you were using it and need an equivalent to be added.
  • A new config key, SyncClientContentEncoding, has been added to allow switching from the default deflate to gzip. This new option doesn't improve compression but is required for some servers to support compression.
  • A new config key, EnableSilentTTYMode, has been added that allows disabling the notifications Santa posts in a user's terminal session.
  • What's Changed:
  • GUI: Device event window, handle empty remount args by @russellhancox in #1066
  • sync: Add more complete XSSI prefix to be stripped. by @russellhancox in #1068
  • Fix string length issues by @mlw in #1070
  • config: Add EnableSilentTTYMode key to disable TTY notifications. by @russellhancox in #1072
  • Ensure unmount always flushes appropriate caches by @mlw in #1073
  • Cache flush metrics by @mlw in #1074
  • README: Add more badges by @russellhancox in #1075
  • Make the sync client content encoding a tunable by @pmarkowsky in #1076
  • One more TSAN fix by @kallsyms in #1079
  • sync: Permit XSRF header between sync stages/sessions by @russellhancox in #1081

New in Santa 2023.3 (Apr 7, 2023)

  • santactl/rule: Validate identifier is a valid SHA-256 for binary/cert rules by @russellhancox in #1045
  • Config: Ignore static rules with an invalid identifier by @russellhancox in #1049
  • metrics: Properly report "file access client enabled" metrics by @mlw in #1051
  • chore(ci): Upgrade workflows to non-deprecated runtimes by @dev-slatto in #1052
  • Basic rate limiting for File Access Authorizer by @mlw in #1053
  • config: Support filesystem monitoring config embedded in main Santa config by @mlw in #1054
  • [BUGFIX] Fix SD Card Block not operating on Internal SD Card Readers by @liamn in #1055
  • test: Fix a couple last TSAN failures by @kallsyms in #1056
  • docs: Document SigningID and PlatformBinary exception keys by @mlw in #1059
  • sync: Allow server to override the header for transmitting XSRF tokens by @russellhancox in #1060
  • sync: Fix case of empty header name by @russellhancox in #1062
  • protolog: Change types of repeated args and envs fields by @mlw in #1063

New in Santa 2023.2 (Mar 1, 2023)

  • Notes:
  • Many improvements to the File Access Authorization feature, which remains in BETA.
  • Platform binaries can now be excluded from authorization checks in FAA
  • Several performance improvements
  • What's Changed:
  • GUI: Re-write AboutWindow view in SwiftUI by @russellhancox in #1007
  • shadow rules_python for fuzzing by @kallsyms in #1009
  • GUI: Migrate DeviceMessageWindow to SwiftUI by @russellhancox in #1010
  • Ensure watch item names conform to naming requirements by @mlw in #1011
  • Reduce proto warning severity by @mlw in #1012
  • Reduce calls into configurator by @mlw in #1013
  • Project: Fix module maps for swift libraries and their dependencies by @russellhancox in #1014
  • Remove extra expectation in test by @mlw in #1015
  • Add new continuous test run with various sanitizers by @kallsyms in #1016
  • Log type metrics by @mlw in #1018
  • Initial docs for file access auth feature by @mlw in #1017
  • Fsmon docs table width by @mlw in #1020
  • Try with more vertical space by @mlw in #1021
  • docs: Support wider pages, fix syntax highlighting of plist by @russellhancox in #1022
  • Remove Default column by @mlw in #1024
  • add updated description by @headmin in #1023
  • docs: fix width of sidebar on larger windows by @russellhancox in #1025
  • Fix team ID and signing ID checks by @mlw in #1026
  • Fix: Rewrite the SNTMetricHTTPWriter to avoid potential stack corruption by @pmarkowsky in #1019
  • Perf: Translocate cache, reserve proto repeated fields by @mlw in #1027
  • Use cached sizes when serializing by @mlw in #1028
  • Rework timeout handling in metrics HTTP writer by @mlw in #1029
  • Restart daemon on log type change by @mlw in #1031
  • santactl & syncservice: Use synchronousRemoteObjectProxy where it makes sense by @russellhancox in #1033
  • Configurator: Return an unsafe_unretained pointer to avoid needless retain/release by @russellhancox in #1035
  • Replace SNTDecisionCache dictionary with SantaCache by @mlw in #1034
  • Report log type in santactl status by @mlw in #1036
  • Small test fixes to make sanitizers happy by @kallsyms in #1030
  • Fix: correct sync protocol diagram by @pmarkowsky in #1037
  • Clear ES cache when watch items change by @mlw in #1042
  • Add support for platform binary to process exceptions by @mlw in #1041
  • Add basic metrics to report when the FAM client is enabled by @mlw in #1043

New in Santa 2023.1 (Jan 28, 2023)

  • Notes:
  • Dropped support for macOS 10.15, minimum version is now macOS 11.
  • (BETA) Added file access authorization feature, docs at https://santa.dev/deployment/file-access-auth
  • USB blocking will now also block SD cards (thanks @liamn)
  • sync: Improved debug output when auth fails
  • Improved reliability in reconnecting sync and metrics daemons
  • Several performance improvements
  • What's Changed:
  • docs: Fix typo in sync-protocol, h/t to @maxwbuckley by @russellhancox in #940
  • docs: Update keyserver address in SECURITY by @russellhancox in #941
  • Rename santa_vnode_id_t to SantaVnode by @mlw in #943
  • Switch from task_info to libproc for system resource info by @mlw in #939
  • Drop macOS 10.15 by @mlw in #944
  • Remove SNTCommon by @mlw in #945
  • Include SD Card Mounting in the USB Block Functionality by @liamn in #938
  • Watch items by @mlw in #937
  • Tests: Fix some assertions comparing strings by @russellhancox in #947
  • santad: Change workaround for glob header with blocks by @russellhancox in #948
  • Initial work for File Access Authorizer Client by @mlw in #949
  • Draft proto for new FileAccess log by @mlw in #952
  • FS Access Config Version, Policy decision enums by @mlw in #951
  • Import fix by @mlw in #953
  • pemdas by @mlw in #955
  • Config: In debug builds, allow config to be overridden from a plist file. by @russellhancox in #957
  • Tests: Fix SNTEndpointSecurityFileAccessAuthorizerTest by @russellhancox in #958
  • Dynamically enable/disable FS Access client based on config by @mlw in #959
  • Use the appropriate variable when asynchronously processing auth messages by @mlw in #961
  • Enrich file access events, prepare for logging by @mlw in #962
  • santad: Flush cache when StaticRules are changed by @russellhancox in #963
  • Serialize File Access events by @mlw in #964
  • Introduce end-to-end testing by @kallsyms in #919
  • Lint the E2E start-vm Python script by @kallsyms in #965
  • Fix message lifetime by @mlw in #966
  • Use absl_guarded_by instead of guarded_by by @kallsyms in #967
  • Track path types for current/new watch items by @mlw in #968
  • Fix import issues by @mlw in #969
  • Update LICENSE for VM code by @kallsyms in #970
  • Address policy consistency issues by @mlw in #971
  • sync: Fix deduplication in reachability handler by @russellhancox in #973
  • Fix golden test data for macOS 13 by @mlw in #972
  • Project: Upgrade MOLAuthenticatingURLSession to v3.1 by @russellhancox in #974
  • Adopt new ES APIs to monitor target paths by @mlw in #975
  • Revitalize Fuzzing by @kallsyms in #976
  • Fix import: Add build targets, lint by @mlw in #978
  • Allstar: Add fuzzing artifact by @russellhancox in #980
  • Fix SNTFileInfoTest for macOS 13 by @pmarkowsky in #977
  • Fix loop when no override config is specified by @kallsyms in #981
  • Run fuzzing in a VM by @kallsyms in #982
  • Use new public api for booting VM into recoveryOS by @kallsyms in #983
  • Adopt new ES APIs to watch target paths in tamper client by @mlw in #984
  • Fix SNTFileInfo Fuzzing by @kallsyms in #985
  • Fix nightly run cron specification by @kallsyms in #986
  • Opportunistically use ES cache when possible by @mlw in #989
  • Fuzz embedded plist reading by @kallsyms in #990
  • Add more event coverage in the file access client by @mlw in #991
  • More event type support by @mlw in #992
  • lower fuzz case timeout to 5s by @kallsyms in #993
  • Change name of santa config keys for file access monitoring by @mlw in #995
  • docs: Fix deployment/configuration doc by @russellhancox in #996
  • Add policy version and name to basic string serializer by @mlw in #997
  • Adopt new FS Access Auth config format and policy application logic by @mlw in #994
  • Support configuring signing IDs for process exceptions by @mlw in #998
  • Rename type aliases by @mlw in #999
  • Add watch item state to santactl status by @mlw in #1000
  • Reconnect to santametrics service on failure by @kallsyms in #1001
  • Configurator: Apply config updates in non-daemon processes by @russellhancox in #1003
  • Low hanging fruit perf changes by @mlw in #1004
  • Prevent recursive reconnect attempts by @mlw in #1005
  • Revert "Configurator: Apply config updates in non-daemon processes" by @russellhancox in #1008

New in Santa 2022.11 (Dec 2, 2022)

  • Docs: Fix type of {allowed,blocked}_path_regex keys in preflight by @russellhancox in #934
  • Prefix tree updates by @mlw in #931
  • GUI: Fix distributed notifications in silent mode by @russellhancox in #936

New in Santa 2022.11 Pre-release (Nov 27, 2022)

  • What's Changed:
  • Docs: Fix type of {allowed,blocked}_path_regex keys in preflight by @russellhancox in #934
  • Prefix tree updates by @mlw in #931
  • GUI: Fix distributed notifications in silent mode by @russellhancox in #936

New in Santa 2022.10 (Nov 27, 2022)

  • Notes:
  • Re-added the protobuf value for the EventLogType configuration key. This key remains a BETA and should not be used in production as changes are still being made.
  • The block_usb_mount and remount_usb_mode keys can now correctly be synchronized from a server.
  • The EnableSilentMode key for the GUI has been fixed. Note: enabling silent mode currently breaks distributed notifications; this is fixed in the 2022.11 release, which should be published within 2 weeks.
  • What's Changed:
  • Make SNTCommonEnums a textual header by @itf in #896
  • Proto serializer by @mlw in #897
  • Fsspool adopt by @mlw in #900
  • Fix USB config sync by @np5 in #890
  • Machine id proto by @mlw in #907
  • Spool writer by @mlw in #908
  • Proto minimization by @mlw in #909
  • USB: usbBlockMessage is not being used. by @videlanicolas in #915
  • Fix issue with transposed remount/banned block messages by @mlw in #917
  • Fix: duplicates bug in SNTMetricSet when using multiple fields by @pmarkowsky in #920
  • Event metrics by @mlw in #918
  • Fix issue in test that would crash on some platforms by @mlw in #922
  • Change order that ES clients are enabled by @mlw in #923
  • Update Known Limitations for USB Mass Storage Blocking by @pmarkowsky in #924
  • GUI: Fix EnableSilentMode key by @russellhancox in #927
  • metrics and logging cleanup by @mlw in #928
  • Update spool to flush on size thresholds instead of batch counts by @mlw in #930
  • Don't add messages when accumulated bytes exceeds threshold by @mlw in #932
  • Build fixes:
  • Import fixes by @mlw in #902
  • More import fixes by @mlw in #904
  • Update include paths and add include guard by @mlw in #905
  • Update build docs. by @mlw in #911
  • Change include to import by @mlw in #912
  • Various changes to fix import by @mlw in #913
  • Fix some more includes by @mlw in #914
  • More import fixes by @mlw in #921

New in Santa 2022.10 Pre-release (Nov 15, 2022)

  • Notes:
  • Re-added the protobuf value for the EventLogType configuration key. This key remains a BETA and should not be used in production as changes are still being made.
  • The block_usb_mount and remount_usb_mode keys can now correctly be synchronized from a server.
  • The EnableSilentMode key for the GUI has been fixed.
  • What's Changed:
  • Make SNTCommonEnums a textual header by @itf in #896
  • Proto serializer by @mlw in #897
  • Fsspool adopt by @mlw in #900
  • Fix USB config sync by @np5 in #890
  • Machine id proto by @mlw in #907
  • Spool writer by @mlw in #908
  • Proto minimization by @mlw in #909
  • USB: usbBlockMessage is not being used. by @videlanicolas in #915
  • Fix issue with transposed remount/banned block messages by @mlw in #917
  • Fix: duplicates bug in SNTMetricSet when using multiple fields by @pmarkowsky in #920
  • Event metrics by @mlw in #918
  • Fix issue in test that would crash on some platforms by @mlw in #922
  • Change order that ES clients are enabled by @mlw in #923
  • Update Known Limitations for USB Mass Storage Blocking by @pmarkowsky in #924
  • GUI: Fix EnableSilentMode key by @russellhancox in #927
  • metrics and logging cleanup by @mlw in #928
  • Update spool to flush on size thresholds instead of batch counts by @mlw in #930
  • Don't add messages when accumulated bytes exceeds threshold by @mlw in #932
  • Build fixes:
  • Import fixes by @mlw in #902
  • More import fixes by @mlw in #904
  • Update include paths and add include guard by @mlw in #905
  • Update build docs. by @mlw in #911
  • Change include to import by @mlw in #912
  • Various changes to fix import by @mlw in #913
  • Fix some more includes by @mlw in #914
  • More import fixes by @mlw in #921

New in Santa 2022.9 (Oct 13, 2022)

  • Notes:
  • This release includes a major overhaul of Santa internals, primarily its logging subsystem and how it interacts with the EndpointSecurity framework to receive events.
  • The beta protobuf value for the EventLogType configuration key is not supported in this release.
  • The EnableSysxCache configuration key has been removed. There is no longer an option to disable response caching within Santa.
  • What's Changed:
  • README: Fix logo link, remove coverage badge by @russellhancox in #882
  • README: Try again, this time replacing the correct bit by @russellhancox in #883
  • Allstar: Pre-emptively check-in binary_artifacts.yaml to exclude test binaries by @russellhancox in #884
  • Refactor the SNTApplicationTest unit tests to function correctly by @pmarkowsky in #885
  • Project: Update bazel and apple-rules by @russellhancox in #887
  • ES and Logging Interfaces Redesign by @mlw in #888
  • Ingestion fixups by @mlw in #891
  • Linter and BUILD deps fixups by @mlw in #892
  • Build deps by @mlw in #893
  • Return a value from the test block by @mlw in #894
  • Fix crash flushing cache on unmount events by @mlw in #895

New in Santa 2022.8 (Aug 29, 2022)

  • Notes:
  • Sync state plist is no longer world-readable
  • GUI now shows team ID for App Store apps
  • Added EnableSilentMode configuration option to disable GUI notifications
  • Santa now posts NSDistributedNotificationCenter notifications for block events
  • What's Changed:
  • Sync state plist | only allow santad read+write permissions by @bfreezy in #858
  • Docs: Add recommended rollout doc by @kathancox in #861
  • syncservice: Add tests for NSData+Zlib and Postflight by @russellhancox in #864
  • Sync Protocol Docs by @pmarkowsky in #860
  • Docs: Add StaticRules to example mobileconfig by @russellhancox in #866
  • add link to GitHub in docs by @headmin in #868
  • GUI: For App Store published apps, include team ID. by @russellhancox in #872
  • GUI: Add silent mode configuration option. by @russellhancox in #871
  • Santa: Post distributed notification when showing block UI by @russellhancox in #870
  • GUI: Improve signing chain key reporting in distributed notifications. by @russellhancox in #874
  • Project: Add a GH action to prevent trailing whitespace by @russellhancox in #873
  • GUI: Expose SNTNotificationManager.h for the test. by @russellhancox in #875
  • GUI: Missed a required dependency by @russellhancox in #876
  • Project: Rename Source/santa -> Source/gui by @russellhancox in #877
  • Fix up endTimestamp to be Monarch compliant by @pmarkowsky in #879

New in Santa 2022.7 (Jul 28, 2022)

  • Notes:
  • This release adds Static Rules, which can be used to either manage rules using an MDM or for managing a fallback set of rules in case an issue occurs with a configured sync server.
  • Event uploads and logs now include the team ID
  • An option to disable event uploads for unknown binaries was added
  • What's Changed:
  • Readme: http -> https link by @case in #829
  • Add team ID to synced events by @np5 in #827
  • Project: Upgrade bazel rules_apple to 1.0.1 release by @russellhancox in #830
  • Docs: Add gemfile for running jekyll locally. by @russellhancox in #834
  • Use the message copy in the dispatch blocks by @mlw in #839
  • adhoc build and run santa by @tburgin in #840
  • Docs: Updated home page with README files & nav changes by @kathancox in #841
  • CI: Make CI workflow only run on source changes by @russellhancox in #843
  • Project: Delete tulsiproj, add basic doc about hedron by @russellhancox in #845
  • santad: Allow configuring a static set of rules via configuration profile by @russellhancox in #846
  • santad: Improve caching of static rules by @russellhancox in #847
  • santasyncservice: Keep XSRF token in memory, don't send to daemon by @russellhancox in #851
  • santad: Fix re-establishment of syncservice connection by @russellhancox in #849
  • santactl/status: Fix printing of static rules by @russellhancox in #848
  • santad: Add DisableUnknownEventUpload option. by @russellhancox in #852
  • santad: Log team ID in execution logs, where available by @russellhancox in #850
  • Ensure KVO works for USB config options by @pmarkowsky in #853
  • Added quick getting started page for deployments by @kathancox in #855
  • Add sync server list by @kathancox in #856
  • Tests: Fix un-needed expectation in SNTExecutionControllerTest.allEve… by @russellhancox in #857

New in Santa 2022.6 (Jul 8, 2022)

  • Improve logging when file cannot be read. by @Safrout1 in #817
  • Remove unused testing scripts by @mlw in #816
  • Copy new PrinterProxy file instead of overwriting by @mlw in #819
  • Mute self to reduce message volume. Remove noisy log message. by @mlw in #820
  • santad: Copy/retain ES message for use in deadline handler. by @russellhancox in #822
  • Added handling for Remount events to USB mass storage blocking by @pmarkowsky in #818
  • santad: Fix some style nits by @russellhancox in #824
  • santad: Update assert usage to avoid a string-to-bool conversion by @russellhancox in #825
  • santactl/status: Remove driver connected, re-org USB blocking status by @russellhancox in #826

New in Santa 2022.5 (May 20, 2022)

  • Notes:
  • Fixed an issue preventing events from being uploaded immediately after a blocked execution
  • Fixed a GUI bug that allowed multiple dialogs to be queued for the same execution
  • Added option to disable all event logging
  • Added option to upload all events
  • Added option to upload events during a clean sync
  • Added new keys to the EventDetailURL key to differentiate files vs bundles.
  • What's Changed:
  • GUI: Add %bundle_or_file_sha% translation key by @russellhancox in #797
  • Sync: Add option to enable event upload despite clean sync. by @russellhancox in #796
  • Created a profiles package so provisioning profiles only need to be in one place. by @pmarkowsky in #794
  • Added macos-12 to the build matrix by @pmarkowsky in #798
  • Add config to allow uploading all events by @russellhancox in #800
  • santad: Add 'null' event logger. Fixes #754 by @russellhancox in #799
  • Fix ES Mock Client Subscription issues by @pmarkowsky in #801
  • santad: remove start and stop options from the sync service queue by @tburgin in #803
  • GUI: Update keys for EventDetailURL. by @russellhancox in #802
  • santasyncservice: handle loading and unloading of the service in the pkg by @tburgin in #804
  • GUI: Fix message queuing by @russellhancox in #805
  • GUI: Switch to UserNotification.framework notifications by @russellhancox in #806
  • SNTConfigurator: remove mutability from sync state dict by @tburgin in #807
  • preflight sync: stop the sync if we cannot communicate with the daemon by @tburgin in #808
  • preflight sync: fix dispatch_group_wait return polarity by @tburgin in #809
  • syncservice: Fix SNTSyncTest by @russellhancox in #810
  • Project: Enable layering check, fix all dependency violations by @russellhancox in #811
  • Project: Layering, missed a dependency by @russellhancox in #812
  • Project: Fix layering for tests by @russellhancox in #813

New in Santa 2022.4 (May 4, 2022)

  • Project: Show test errors in output from CI by @russellhancox in #764
  • santactl/metrics: Allow filtering metrics by @russellhancox in #763
  • santad: Split ES cache into root/non-root varieties by @russellhancox in #765
  • Project: Make versioning dynamic through bazel's --embed-label. by @russellhancox in #766
  • Exclude bazel-out from test coverage generation by @tnek in #768
  • Project: Fix fallback version by @russellhancox in #767
  • Project: Update apple_rules dep, add .bazelversion for bazelisk users by @russellhancox in #769
  • Project: Fix coverage collection by @russellhancox in #770
  • Update logo image of Santa by @tnek in #773
  • Modified build target names for santa proto by @mlw in #772
  • Fix dead link by @tnek in #774
  • ES_EVENT_TYPE_NOTIFY_UNMOUNT: flush the cache off the ES handler thread by @tburgin in #778
  • Disable layering check for Objective-C by @googlewalt in #781
  • Add "Team ID" to description on AllowedPathRegex by @tnek in #782
  • Fix event team ID decision value by @np5 in #784
  • santad: Use TTY path provided by ES by @russellhancox in #785
  • Disable layering check for Objective-C by @googlewalt in #787
  • Populate critical paths from the ES default mute set by @mlw in #786
  • santa/windows: Update buttons to use push to better stand out by @radsec in #788
  • syncservice: implementation and migration by @tburgin in #775
  • syncservice: sign and package by @tburgin in #790
  • Project: Include syncservice.plist in release builds and loads by @russellhancox in #792
  • Project: Update packaging script to do tarball creation in a scratch dir by @russellhancox in #793

New in Santa 2022.3 (Mar 23, 2022)

  • Notes:
  • The kernel extension and all support for it has been fully removed. Santa now requires macOS 10.15 and above.
  • Protobuf structured event logging has been added but is still experimental; the format of the logs is subject to change and there is purposefully no documentation on its use. We will announce in a feature release when this feature is stable.
  • The Santa daemon is now loaded early during the boot process to better protect against persistent threats.
  • Preflight sync requests now include the machine's model identifier.
  • What's Changed:
  • Fix: Issue with SNTMetricHTTPWriter Timeouts by @pmarkowsky in #741
  • Fix: uninstall.sh to remove the metric & bundle services. by @pmarkowsky in #743
  • Project: Bump version to 2022.3 by @russellhancox in #745
  • Project: Disable bazel layering_check feature for most rules by @russellhancox in #742
  • Fix: Typo in SNTDeviceManager tests & ensure tests run under CI by @pmarkowsky in #746
  • Protobuf support, maildir format logging by @mlw in #731
  • Remove the Santa kernel extension. by @tnek in #749
  • Made santad an early boot client to prevent racing other processes by @pmarkowsky in #750
  • Add model identifier to preflight request by @np5 in #751
  • Remove code guarded by #ifdef kernel macros by @tnek in #752
  • Project: Remove kext signing/packaging by @russellhancox in #755
  • santactl/status: Re-org output in status re: USB Blocking. by @russellhancox in #759
  • santad: Clear caches when disks are unmounted. by @russellhancox in #760
  • Docs: Remove references to kexts and santa-driver from parts of the docs by @tnek in #762

New in Santa 2022.2 (Mar 8, 2022)

  • santad: Add fail-closed mode by @russellhancox in #722
  • Fix additional strlcpy issue, simplify call paths by @mlw in #723
  • Update version of bazel rules_apple to fix broken 12.3 builds by @tnek in #726
  • Report USB blocking status with santactl status by @tnek in #727
  • Fix: remediate a crash in santametricservice by @pmarkowsky in #729
  • santad: Fix fail open tests in SNTExecutionControllerTest by @russellhancox in #730
  • Project: Add arm64 to hostArchitectures for productbuild by @russellhancox in #733
  • Project: Bump version to 2022.2 by @russellhancox in #734
  • Add a USB device blocking popup. by @tnek in #728
  • Project: Add build version to CFBundleVersion by @russellhancox in #736
  • Packaging: Keep package versions simple by @russellhancox in #737

New in Santa 2022.1 (Feb 8, 2022)

  • Notes:
  • Fixed PrinterProxy workaround for Monterey
  • More metrics, including an event counter
  • Fixed logging of dates when system calendar is not Gregorian.
  • Added USB Mass Storage blocking feature, which can be controlled by a sync server
  • santad no longer stores events for upload if a sync server is not configured
  • Sync can now use a provided proxy configuration separate from the system one (cf. SyncProxyConfiguration)
  • What's Changed:
  • Project: Add bazel commands extractor for VSCode integration by @russellhancox in #690
  • Ignore VSCode directories by @pmarkowsky in #692
  • Fix: SNTMetricSet reregistering metrics returns wrong metric by @pmarkowsky in #693
  • Update the Santa version number to 2021.9 by @tnek in #695
  • Add a simple event counter to SNTExecutionController by @pmarkowsky in #694
  • santasyncservice: move sync code to the santasyncservice dir by @tburgin in #696
  • Fix: santactl metrics command behavior by @pmarkowsky in #697
  • santad: Fix PrinterProxy workaround for Monterey+ by @russellhancox in #698
  • Project: Bump version to 2022.1 by @russellhancox in #700
  • Update misleading santactl rule text to have accurate text for team IDs by @tnek in #701
  • USB mass storage blocking and remounting by @tnek in #685
  • Update hedron_compile_commands by @cpsauer in #704
  • Project: Explicitly set calendar on ISO8601 dates by @russellhancox in #706
  • Add test coverage for syncing USB mounting options by @tnek in #711
  • santad: Don't use proc_pidpath when using ES by @russellhancox in #707
  • Add clang annotation for fallthrough by @tnek in #712
  • Sync: Allow configuring proxies by @russellhancox in #708
  • Support rule downloading of Team ID rules by @tnek in #709
  • santactl/fileinfo: Update --cert-index usage by @russellhancox in #713
  • santactl/fileinfo: Clarify valid index for cert-index by @russellhancox in #714
  • Fix off-by one error in strlcpy by @pmarkowsky in #715
  • Create test suites for each component by @pmarkowsky in #702
  • Conf: Delete and clean-up ASL conf, enable signaling on newsyslog.conf. by @russellhancox in #716
  • Add clang_analyzer report generation script by @tnek in #717
  • rule download: return early on daemon timeout by @tburgin in #718
  • santactl/fileinfo: Switch certIndex to an NSNumber by @russellhancox in #719
  • Add DiskArbitrationTestUtil to shim out DiskArbitration for unit testing by @tnek in #720
  • santad: only store events if there is a sync server configured by @tburgin in #721

New in Santa 2021.8 (Dec 9, 2021)

  • Added a system for collecting and exporting metrics to monitoring systems and a metrics subcommand to santactl for viewing the current state. More metrics will be added in future releases.
  • EnableSysxCache is now enabled by default - we've found this significantly improves performance when other EndpointSecurity extensions are in use.
  • Added TeamID as a rule type - you can now allow/block by team ID instead of individual certificates. Support is included in santactl rule.
  • Added AboutText configuration key to configure the text displayed when Santa.app is opened while it's running (thanks @np5!)

New in Santa 2021.7 (Oct 6, 2021)

  • Santactl/sync: Fixed a rare crash from reachability checks
  • Santactl/sync: Fixed a rare crash when using FCM
  • Santad: Improved prevention of database overwrites

New in Santa 2021.5 (May 6, 2021)

  • Updates MOLAuthenticatingURLSession to v3.0, which will now pick the most recently issued cert if multiple certs match the filters specified in the configuration. Fixes #553

New in Santa 2021.3 (Mar 9, 2021)

  • Fixes an issue in santactl fileinfo where bundles were misappropriated (issue #536)
  • Fixes transitive allowlisting when EnableSysxCache is true (issue #539)

New in Santa 2021.2 (Jan 31, 2021)

  • Notes:
  • santad: Fixes caching of blocked executions when EnableSysxCache is in use.
  • santactl: Retry individual requests to continue a long sync through minor network blips

New in Santa 2021.1 (Jan 14, 2021)

  • Added an optional self-managed cache for decision responses, which should help improve performance when running Santa as a system extension alongside another system extension (#510). To enable this cache, set EnableSysxCache to in your Santa config profile.
  • Fixed santactl/fileinfo pulling embedded Info.plist files from 32-bit sections of fat binaries.
  • The versioning scheme has also changed to YYYY.X

New in Santa 1.17 (Dec 24, 2020)

  • santad: log pidversion along with pid. (#512 - thanks @avanzini!)
  • santactl/sync: Use deflate as the default Content-Encoding instead of zlib. (#511 - thanks @radsec!)
  • To re-enable zlib set the EnableBackwardsCompatibleContentEncoding config option to true. If syncing with Upvote deployed at commit 0b4477d or below, set this option to true.
  • Santa now ships as a Universal app (arm64, x86_64). Notably santa-driver.kext will continue to only ship as x86_64. We have no plans to support Santa's kext on Apple Silicon Macs.

New in Santa 1.15 (Oct 23, 2020)

  • The Santa system extension now prevents santa-driver.kext from being loaded, to prevent the two systems from dueling, which can happen if an old version of Santa is installed after a sysx version has been enabled.
  • Add support for %hostname%, %uuid%, %serial% to EventDetailURL (thanks to @hughneale!)
  • Allow a sync server to remotely set FullSyncInterval during preflight (thanks to @hughneale!)
  • Add a config key (IgnoreOtherEndpointSecurityClients) to ignore events generated by other EndpointSecurity clients, which may cause increased CPU usage.
  • Add a config key (EnableDebugLogging) to enable debug logging for all Santa components
  • Fix a bug in santactl/sync that can cause infinite recursion discovering identities from self-signed roots (issue #497).

New in Santa 1.14 (Oct 21, 2020)

  • Added FORK/EXIT logging, can be enabled with the EnableForkAndExitLogging configuration key.
  • Made logging around rule downloads clearer

New in Santa 1.13 (Apr 9, 2020)

  • Security Fixes:
  • This release contains some important security fixes to Santa's kernel extension component. The bugs that were fixed could allow an attacker with local code execution as root to gain kernel access. Machines using the system extension on 10.15 are not affected.
  • Many thanks to Drew Yao of Apple SEAR Red Team for reporting these bugs to us.
  • Off-by-one array access in SantaDriverClient::externalMethod
  • Integer overflow/underflow in SantaCache::bucket_counts
  • Race condition & use-after-free in SantaDriverClient::clientMemoryForType

New in Santa 1.12 (Mar 18, 2020)

  • This release of Santa contains bug fixes:
  • Sync server communication is interrupted on cold boot #453
  • Installing new versions of Santa results in odd SystemExtension behavior, such as multiple active extensions and invalid state #454

New in Santa 1.10 (Mar 17, 2020)

  • The v1.x versions of Santa include many architectural changes, including the use of EndpointSecurity and SystemExtensions on systems running macOS 10.15+.
  • Once Santa's SystemExtension is installed, it cannot be removed without prompting the user.
  • Notes:
  • This release of Santa:
  • Contains a feature to manage the transition from KernelExtension to SystemExtension. See the EnableSystemExtension section of SNTConfigurator for details.

New in Santa 1.0.3 Beta (Dec 23, 2019)

  • This release of Santa:
  • Uses EndpointSecurity with a SystemExtension on macOS 10.15+
  • Uses Kauth with a kext on macOS < 10.15

New in Santa 0.9.33 Pre-release (Aug 6, 2019)

  • Bug Fixes:
  • santactl: Sync will now authenticate correctly to servers that only provide the root of a certificate chain for determining allowable credentials.

New in Santa 0.9.32 Pre-release (Jul 24, 2019)

  • Bug Fixes:
  • santad: Fixed a deadlock scenario reported in #375 (#376) (Thanks @colavitam and @ameyah)
  • santactl: Fixed a crash in fileinfo when using the --filter without --key (#376)
  • SantaGUI: Fixed a crash in invalidation handling of the bundle service (#373)

New in Santa 0.9.31 Pre-release (May 13, 2019)

  • Features:
  • santa-driver: Add in-kernel file modification filter (#313)
  • Config: Add FileChangesPrefixFilters configuration option. See the header comments for more details.

New in Santa 0.9.29 Pre-release (Sep 23, 2018)

  • Mojave Bug Fixes:
  • santa-driver: Add an IOMatchCategory to fix a load / unload bug (#292)
  • santa-driver: Fix cache invalidation (#298)
  • santad: Add critical system binaries (#296)
  • Features:
  • Project: Add transitive whitelisting to Santa (#224)
  • Transitive whitelisting is disabled by default. Documentation is still being generated.

New in Santa 0.9.27 Pre (Jun 21, 2018)

  • Bug Fixes:
  • santad: Only get code signing information for Mach-O binaries #277
  • santa-driver: Switch to a struct for vnode IDs, holding both the filesystem ID and vnode ID #262 #276
  • santa-driver: Drop the separate caches for root/non-root file systems as this doesn't offer any benefit anymore #276
  • santa-driver: Stop catching vnode_hasdirtyblks() #260 #280
  • Docs: s/precendence/precedence/ #283 Thanks @dgw!
  • Features:
  • Logs: Optional MachineID for event logs #256 Thanks @obelisk!
  • Implementation Features:
  • santa-driver: Templatize key types in SantaCache #271
  • santa-driver: Make ACTION CAS operations in SantaCache more readable #272
  • santa-driver: Add SantaCache distribution tests #273
  • KernelTests: Simplify kernel tests #282
  • santa-driver / santad: Refactor kext load / unload and connect / disconnect #278 #281
  • santactl: Add cachehistogram debug command #275

New in Santa 0.9.26 Pre (May 30, 2018)

  • Bug Fixes:
  • santabs: Only allow bundle events on ancestor bundles of type: .app .bundle .framework .kext .xctest .xpc #257
  • santa-driver: Do not invalidate cached decisions on KAUTH_VNODE_ACCESS #266
  • Features:
  • Project: Add codesign flags kill library-validation to all components #264
  • santa-driver: Log the file path of dirty vnode execution attempts #267

New in Santa 0.9.25 Pre (Apr 25, 2018)

  • Bug Fixes:
  • santad: validates all architectures within universal binaries attempting to execute (#249) Big thanks to @secretsquirrel for the PoC.
  • Features:
  • santactl fileinfo: displays signing information for all architectures if they are not all consistently signed (#249)
  • event logs: Event logs can now be stored in a file or ULS. See the keys EventLogType and EventLogPath in the configuration document.

New in Santa 0.9.24 Pre (Apr 25, 2018)

  • Bug Fixes:
  • santad: Stop watching /var/db/santa/sync-state.plist to fix a race condition by deleting the racy code (#242)
  • santabs: Serialize calls to -[SNTBundleService createConnection] to prevent over resuming an XPC connection (#244)
  • santactl sync: Update to MOLFCMClient v1.7 to prevent scheduling a task on an invalidated session (#245)

New in Santa 0.9.23 Pre (Feb 23, 2018)

  • Bug Fixes:
  • santactl sync: Use MOLFCMClient v1.5 - this contains exponential backoff logic (#238)
  • codesign verification: Use MOLCodesignChecker v1.8 - this will now verify the code signature for all architectures within universal binaries (#239)

New in Santa 0.9.22 Pre (Feb 9, 2018)

  • Bug Fixes:
  • config: Fixed a client mode flapping issue when changing unrelated mobileconfigs (#234) (Fixes #174 #203)
  • santa-driver: Added an acknowledge feature to binary requests (#220) (Fixes #215)
  • santabs: Fixed nil bundle path lookup (#233)

New in Santa 0.9.22 Pre (Feb 8, 2018)

  • config: atomically update config
  • config: add an explanation for sleep usage
  • config: use mobileconfig in the getters
  • config: cleanup file watcher
  • config: spell
  • config: clear or reload sync state on sync base url change
  • config: Use KVO and Dependent Keys
  • config: remove debug log
  • config: review updates
  • config: update rule sync getter and setter names
  • config: get logical

New in Santa 0.9.21 Pre (Jan 27, 2018)

  • Bug Fixes:
  • santa-driver: now denies execs with names over MAXPATHLEN 1031374. Thanks to @codido for the report
  • santactl rule: --check now returns proper scope 0c39342
  • santactl sync: reachability threads are now properly released 57213ee
  • santa.log: the events generated by bundle hashing now have an action=BUNDLE tag 6973dd0
  • santactl: -h and --help are now synonyms for help 6973dd0. Thanks to @groob for the report
  • New:
  • config: configuration is now done with configuration profiles 8e57e37. Thanks to @jesseendahl for the report and keeping on us to get this done!

New in Santa 0.9.20 Pre (Sep 17, 2017)

  • Bug Fixes:
  • santad: Removed /private/tmp/PKInstallSandbox.* ignore scope
  • santad: Removed CSInfoPlistFailed ignore scope
  • santa-driver: Split kernel cache for root/non-root volumes
  • santa-driver: Fix possible race condition in SDM::AddToCache
  • santactl sync: Bundle events and notifications are now properly handled
  • New:
  • common: Removed EventDetailBundleURL key
  • logs: Modified execution log format to show path & args last
  • santactl fileinfo: Added --recursive and --filter flags

New in Santa 0.9.19 Pre (Jul 11, 2017)

  • Bug fixes:
  • SantaGUI: Don't show pop-up notifications for empty filenames
  • santactl/sync: fixed exception when file_name is None / NSNull
  • santactl/sync: upload file bundle executable relative path
  • santabs: De-dupe generated events before upload
  • New:
  • logs: add DAAppearanceTime to the DISKAPPEAR logs

New in Santa 0.9.18 Pre (Jun 10, 2017)

  • santad/santabs/santactl/SantaGUI: Bundles: A new feature to create events for all mach-o binaries within a bundle. This feature is disabled by default. It can be enabled by a sync server that supports receiving bundle events.
  • santa-driver: Refactor cache expiration calculation.
  • santa-driver: Protect wakeup() from being called with 0.
  • SantaGUI: Fixed SantaGUI headline not being centered #159
  • santactl rule: Add the ability to check the status of arbitrary SHA256 hashes (binary and certificate) without on-disk artifacts. #103
  • Important: As of this release Santa's logs are moving to a new default location: /var/db/santa/santa.log. This is done in the ASL configuration, so anyone packaging the binaries is free to move it back. ab33de2

New in Santa 0.9.17 Pre (Mar 22, 2017)

  • santad/SantaGUI: Fixes a bug in SNTFileWatcher that calls fileSystemRepresentation every 200ms when a config doesn't exist. Fixes #151
  • santad: Create default config if one does not exist.
  • santad: Clear cache when regexes change. Fixes #142
  • santactl sync: Use the new fcm-stream format.
  • santactl sync: Use hostname for reachability.
  • santactl sync: Disable sync server bundle scan requests. Proper bundle support coming in #145
  • SNTXPCConnection: Allow redefining invalidationHandler after connections are established.
  • Project: Add DevelopmentTeam configuration for Xcode 8 support.

New in Santa 0.9.16 Pre (Jan 13, 2017)

  • Notes:
  • santactl sync: post a notification for every matching rule and FCM message
  • santactl sync: if full sync fails, retry when reachable
  • santad: only allow one syncd connection at any given time
  • santactl status: add last successful rule sync date
  • Note there is a change to the santactl status --json api under the sync key.
  • Change last_successful --> last_successful_full
  • Add last_successful_rule

New in Santa 0.9.15 Pre (Jan 4, 2017)

  • Notes:
  • santad: Drop AUTOINCREMENT on event table
  • santactl status: Check non-boxed vars when building json output
  • santactl fileinfo: Fix resolving path issues
  • santactl sync: Add an option to run santactl sync as a daemon
  • santactl sync: Add push notification functionality for common sync tasks
  • package/conf: Fix typo in uninstall.sh

New in Santa 0.9.14 Pre (Oct 15, 2016)

  • santa-driver: Fix potential deadlock in Sierra
  • santa-driver: Stop filtering advisory file writes
  • santad: Ignore Info.plist error when checking code signatures
  • santad: Fix config file watcher
  • santad: Don't initialize database tables multiple times
  • santad: Properly handle UTF-8 values in process arguments
  • santad: Handle multiple whitelist rules being received for protected certificates
  • santad: Fix workaround for PrinterProxy.app
  • santad: Don't crash if ClientMode config value is not an integer.
  • santactl fileinfo: Handle rules for all possible reasons. Fixes #73
  • santactl fileinfo: Don't include ANSI codes in JSON or non-TTY output. Fixes #112
  • santactl sync: Fix self-signed certificate handling
  • santactl sync: Fix bundle scanning, make concurrent.
  • Package: Several fixes for install/uninstall scripts

New in Santa 0.9.13 Pre (Aug 23, 2016)

  • santa-driver: Use msleep/wakeup instead of IOSleep. Less time wasted sleeping.
  • santa-driver: Prevent repeated requests for same binary.
  • santa-driver: Reduce log spam when dropping log queue messages.
  • santad: Limit log queue to 15 threads, reducing max CPU load.
  • santad: Cache user/group id -> name lookups.
  • santad: Rename CERTIFICATE to CERT in logs when binary is allowed.
  • santad: Include client mode in execution logs.
  • santad: Make binary/cert rule lookups in a single call.
  • santactl: Add --json, --key and --cert-index options to fileinfo command.
  • santactl: Add multiple file processing and multi-threading to fileinfo command.
  • santactl: Recognize bundle/plugin Mach-O files in fileinfo.
  • santactl: Send current client mode in sync preflight.
  • SantaGUI: Fix bundle version URLs
  • SantaGUI: Rename Dismiss button to Ignore

New in Santa 0.9.12 Pre (Aug 18, 2016)

  • santad: Lots of performance improvements in critical paths. Thanks to @georgekola for help and suggestions.
  • santad: Remove hashes for small files in write logs.
  • santad: Fix crash on 10.10 caused by an unavailable function.
  • santad: Increase detail level in messages printed to TTY
  • santad: Change watchdog thread to update every 30s instead of 60.
  • santa-driver: Remove uses of OSDictionary in kernel, replaced with a linked-list hash-table with per-bucket locking.
  • santa-driver: Change method of detecting file writes to catch descriptors auto-closed by the kernel
  • santactl: Add checkcache command to see if a file is in the kernel cache (only available in DEBUG builds).
  • santactl: Make fileinfo command wait longer for a rule query from daemon.