Merge remote-tracking branch 'origin/master' into compiler

.gitignore

@@ -9,3 +9,4 @@ Santa.xcodeproj/project.xcworkspace
 Santa.xcworkspace/xcuserdata
 Santa.xcworkspace/xcshareddata
 Source/DevelopmentTeam.xcconfig
+default.profraw

.travis.yml

@@ -4,7 +4,7 @@ cache:
   - bundler
   - cocoapods
 sudo: false
-osx_image: xcode7
+osx_image: xcode9.3
 
 before_install:
  - gem install cocoapods xcpretty

Conf/Package/Makefile

@@ -32,6 +32,7 @@ PACKAGE_VERSION:=$(shell curl -fs https://api.github.com/repos/google/santa/rele
 #         |    |-- com.google.santad.plist
 #         |    |-- com.google.santagui.plist
 #         |    +-- com.google.santa.asl.conf
+#         |    +-- com.google.santa.newsyslog.conf
 #         +--dsym
 #              |-- santa-driver.kext.dSYM
 #              |-- Santa.app.dSYM
@@ -44,6 +45,7 @@ PAYLOAD:=pack-Library-Extensions-santa-driver.kext \
 	pack-Library-LaunchDaemons-com.google.santad.plist \
 	pack-Library-LaunchAgents-com.google.santagui.plist \
 	pack-etc-asl-com.google.santa.asl.conf \
+	pack-etc-newsyslog.d-com.google.santa.newsyslog.conf \
 	pack-script-preinstall \
 	pack-script-postinstall
 
@@ -52,6 +54,7 @@ Santa.app: download
 com.google.santad.plist: download
 com.google.santagui.plist: download
 com.google.santa.asl.conf: download
+com.google.santa.newsyslog.conf: download
 
 download:
 	$(if $(PACKAGE_VERSION),, $(error GitHub API returned unexpected result. Wait a while and try again))
@@ -65,6 +68,12 @@ pack-etc-asl-com.google.santa.asl.conf: com.google.santa.asl.conf l_private_etc
 	@sudo chmod 755 ${WORK_D}/private/etc/asl
 	@sudo install -m 644 -o root -g wheel com.google.santa.asl.conf ${WORK_D}/private/etc/asl
 
+pack-etc-newsyslog.d-com.google.santa.newsyslog.conf: com.google.santa.newsyslog.conf l_private_etc
+	@sudo mkdir -p ${WORK_D}/private/etc/newsyslog.d
+	@sudo chown root:wheel ${WORK_D}/private/etc/newsyslog.d
+	@sudo chmod 755 ${WORK_D}/private/etc/newsyslog.d
+	@sudo install -m 644 -o root -g wheel com.google.santa.newsyslog.conf ${WORK_D}/private/etc/newsyslog.d
+
 pack-Library-Extensions-santa-driver.kext: santa-driver.kext l_Library
 	@sudo mkdir -p ${WORK_D}/Library/Extensions
 	@sudo ${DITTO} --noqtn santa-driver.kext ${WORK_D}/Library/Extensions/santa-driver.kext
@@ -79,6 +88,7 @@ myclean:
 	@rm -rf santa-driver.kext
 	@rm -f config.plist
 	@rm -f com.google.santa.asl.conf
+	@rm -f com.google.santa.newsyslog.conf
 	@rm -f com.google.santad.plist
 	@rm -f com.google.santagui.plist
 	@rm -f install.sh

Conf/com.google.santa.newsyslog.conf

@@ -0,0 +1,2 @@
+# logfilename             [owner:group]       mode   count size(KiB) when   flags [/pid_file] # [sig_num]
+/var/db/santa/santa.log   root:wheel          644    10    25000     *      NZ

Conf/install.sh

@@ -42,6 +42,7 @@ mkdir -p /usr/local/bin
 /bin/cp ${SOURCE}/conf/com.google.santad.plist /Library/LaunchDaemons
 /bin/cp ${SOURCE}/conf/com.google.santagui.plist /Library/LaunchAgents
 /bin/cp ${SOURCE}/conf/com.google.santa.asl.conf /etc/asl/
+/bin/cp ${SOURCE}/conf/com.google.santa.newsyslog.conf /etc/newsyslog.d/
 
 # Reload syslogd to pick up ASL configuration change.
 /usr/bin/killall -HUP syslogd

Conf/uninstall.sh

@@ -19,6 +19,7 @@ user=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/rm -f /Library/LaunchAgents/com.google.santagui.plist
 /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
 /bin/rm -f /private/etc/asl/com.google.santa.asl.conf
+/bin/rm -f /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
 /bin/rm -f /usr/local/bin/santactl # just a symlink
 #uncomment to remove the config file and all databases, log files
 #/bin/rm -rf /var/db/santa

Docs/deployment/com.google.santa.example.mobileconfig

@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadContent</key>
+			<dict>
+				<key>com.google.santa</key>
+				<dict>
+					<key>Forced</key>
+					<array>
+						<dict>
+							<key>mcx_preference_settings</key>
+							<dict>
+								<key>BannedBlockMessage</key>
+								<string>This application has been banned</string>
+								<key>ClientMode</key>
+								<integer>1</integer>
+								<key>EnablePageZeroProtection</key>
+								<false/>
+								<key>EventDetailText</key>
+								<string>Open sync server</string>
+								<key>EventDetailURL</key>
+								<string>https://sync-server-hostname/blockables/%file_sha%</string>
+								<key>FileChangesRegex</key>
+								<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
+								<key>MachineIDKey</key>
+								<string>MachineUUID</string>
+								<key>MachineIDPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>MachineOwnerKey</key>
+								<string>Owner</string>
+								<key>MachineOwnerPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>ModeNotificationLockdown</key>
+								<string>Entering Lockdown mode</string>
+								<key>ModeNotificationMonitor</key>
+								<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
+								<key>MoreInfoURL</key>
+								<string>https://sync-server-hostname/moreinfo</string>
+								<key>SyncBaseURL</key>
+								<string>https://sync-server-hostname/api/santa/</string>
+								<key>UnknownBlockMessage</key>
+								<string>This application has been blocked from executing.</string>
+							</dict>
+						</dict>
+					</array>
+				</dict>
+			</dict>
+			<key>PayloadEnabled</key>
+			<true/>
+			<key>PayloadIdentifier</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadType</key>
+			<string>com.apple.ManagedClient.preferences</string>
+			<key>PayloadUUID</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>com.google.santa</string>
+	<key>PayloadDisplayName</key>
+	<string>com.google.santa</string>
+	<key>PayloadIdentifier</key>
+	<string>com.google.santa</string>
+	<key>PayloadOrganization</key>
+	<string></string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>

Docs/deployment/configuration.md

@@ -1,8 +1,12 @@
+# Important
+
+Santa v0.9.21 has moved to using an Apple [Configuration Profile](https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html) to manage the local configuration. The old config file (`/var/db/santa/config.plist`) is no longer used.
+
 # Configuration
 
-Two configuration methods can be used to control Santa: local configuration and a sync server controlled configuration. There are certain options that can only be controlled with a local configuration and others that can only be controlled with a sync server controlled configuration. Additionally, there are options that can be controlled by both.
+Two configuration methods can be used to control Santa: a local configuration profile and a sync server controlled configuration. There are certain options that can only be controlled with a local configuration profile and others that can only be controlled with a sync server controlled configuration. Additionally, there are options that can be controlled by both.
 
-## Local Configuration
+## Local Configuration Profile
 
 | Key                           | Value Type | Description                              |
 | ----------------------------- | ---------- | ---------------------------------------- |
@@ -31,8 +35,10 @@ Two configuration methods can be used to control Santa: local configuration and
 | MachineOwnerKey               | String     | The key to use on MachineOwnerPlist.     |
 | MachineIDPlist                | String     | The path to a plist that contains the MachineOwnerKey / value pair. |
 | MachineIDKey                  | String     | The key to use on MachineIDPlist.        |
+| EventLogType                  | String     | Defines how event logs are stored. Options are 1) syslog: Sent to ASL or ULS (if built with the 10.12 SDK or later). 2) filelog: Sent to a file on disk. Use EventLogPath to specify a path. Defaults to filelog      |
+| EventLogPath                  | String     | If EventLogType is set to filelog, EventLogPath will provide the path to save logs. Defaults to /var/db/santa/santa.log. If you change this value ensure you also update com.google.santa.newsyslog.conf with the new path.        |
 
-*protected keys: If a sync server is configured, this setting cannot be changed while santad is running as it is assumed the setting will be provided by the sync server.
+*overridable by the sync server: run `santactl status` to check the current running config
 
 ##### EventDetailURL
 
@@ -50,49 +56,108 @@ This property contains a kind of format string to be turned into the URL to send
 
 For example: `https://sync-server-hostname/%machine_id%/%file_sha%`
 
-##### Example Config
+##### Example Configuration Profile
+
+Here is an example of a configuration profile that could be set. It was generated with Tim Sutton's great [mcxToProfile](https://github.com/timsutton/mcxToProfile) tool. A copy is also available [here](com.google.santa.example.mobileconfig).
+
+A few key points to when creating your configuration profile:
 
-Here is an example of a configuration that could be set.
+* `com.google.santa` needs to be the key inside `PayloadContent`
+* The `PayloadScope` needs to be `System`
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>BannedBlockMessage</key>
-	<string>This application has been banned</string>
-	<key>ClientMode</key>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadContent</key>
+			<dict>
+				<key>com.google.santa</key>
+				<dict>
+					<key>Forced</key>
+					<array>
+						<dict>
+							<key>mcx_preference_settings</key>
+							<dict>
+								<key>BannedBlockMessage</key>
+								<string>This application has been banned</string>
+								<key>ClientMode</key>
+								<integer>1</integer>
+								<key>EnablePageZeroProtection</key>
+								<false/>
+								<key>EventDetailText</key>
+								<string>Open sync server</string>
+								<key>EventDetailURL</key>
+								<string>https://sync-server-hostname/blockables/%file_sha%</string>
+								<key>FileChangesRegex</key>
+								<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
+								<key>MachineIDKey</key>
+								<string>MachineUUID</string>
+								<key>MachineIDPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>MachineOwnerKey</key>
+								<string>Owner</string>
+								<key>MachineOwnerPlist</key>
+								<string>/Library/Preferences/com.company.machine-mapping.plist</string>
+								<key>ModeNotificationLockdown</key>
+								<string>Entering Lockdown mode</string>
+								<key>ModeNotificationMonitor</key>
+								<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
+								<key>MoreInfoURL</key>
+								<string>https://sync-server-hostname/moreinfo</string>
+								<key>SyncBaseURL</key>
+								<string>https://sync-server-hostname/api/santa/</string>
+								<key>UnknownBlockMessage</key>
+								<string>This application has been blocked from executing.</string>
+							</dict>
+						</dict>
+					</array>
+				</dict>
+			</dict>
+			<key>PayloadEnabled</key>
+			<true/>
+			<key>PayloadIdentifier</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadType</key>
+			<string>com.apple.ManagedClient.preferences</string>
+			<key>PayloadUUID</key>
+			<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>com.google.santa</string>
+	<key>PayloadDisplayName</key>
+	<string>com.google.santa</string>
+	<key>PayloadIdentifier</key>
+	<string>com.google.santa</string>
+	<key>PayloadOrganization</key>
+	<string></string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadScope</key>
+	<string>System</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
+	<key>PayloadVersion</key>
 	<integer>1</integer>
-	<key>EnablePageZeroProtection</key>
-	<false/>
-	<key>EventDetailText</key>
-	<string>Open sync server</string>
-	<key>EventDetailURL</key>
-	<string>https://sync-server-hostname/blockables/%file_sha%</string>
-	<key>FileChangesRegex</key>
-	<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
-	<key>MachineIDKey</key>
-	<string>MachineUUID</string>
-	<key>MachineIDPlist</key>
-	<string>/Library/Preferences/com.company.machine-mapping.plist</string>
-	<key>MachineOwnerKey</key>
-	<string>Owner</string>
-	<key>MachineOwnerPlist</key>
-	<string>/Library/Preferences/com.company.machine-mapping.plist</string>
-	<key>ModeNotificationLockdown</key>
-	<string>Entering Lockdown mode</string>
-	<key>ModeNotificationMonitor</key>
-	<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
-	<key>MoreInfoURL</key>
-	<string>https://sync-server-hostname/moreinfo</string>
-	<key>SyncBaseURL</key>
-	<string>https://sync-server-hostname/api/santa/</string>
-	<key>UnknownBlockMessage</key>
-	<string>This application has been blocked from executing.</string>
 </dict>
 </plist>
+
 ```
 
+Configuration profiles have a `.mobileconfig` file extension. There are many ways to install configuration profiles:
+
+* Double click them in Finder
+* Use the `/usr/bin/profiles` tool
+* Use an MDM
+
 ## Sync server Provided Configuration
 
 | Key                            | Value Type | Description                              |

Docs/details/mode.md

@@ -35,28 +35,19 @@ Running Santa in Lockdown Mode will stop all blacklisted binaries and additional
 
 ##### Changing Modes
 
-There are two ways to change the running mode: changing the config.plist and with a sync server configuration.
+There are two ways to change the running mode: changing the configuration profile and with a sync server configuration.
 
-###### Change modes with the config.plist
+###### Change modes with the configuration profile
 
-The `ClientMode` config key is protected while santad is running and will revert any attempt to change it.
+Set the `ClientMode` in your configuration profile to the integer value `1` for MONITOR or `2` for LOCKDOWN.
 
-Change to Monitor mode:
-
-```sh
-sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist
-sudo defaults write /var/db/santa/config.plist ClientMode -int 1
-sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
+```xml
+<key>ClientMode</key>
+<integer>1</integer>
 ```
 
-Change to Lockdown mode:
-
-```sh
-sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist
-sudo defaults write /var/db/santa/config.plist ClientMode -int 2
-sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
-```
+Install your new configuration profile, it will overwrite any old `com.google.santa` profiles you may have already install. See the [configuration](../deployment/configuration.md) document for more details.
 
-######Change modes with a sync server
+###### Change modes with a sync server
 
 The mode is set in the preflight sync stage. Use the key `client_mode` and a value of `MONITOR` or `LOCKDOWN`.