
Latest Allows Blocked Binary in Monitor Mode #878

Closed
eopeter opened this issue Aug 13, 2022 · 11 comments

Comments

@eopeter

eopeter commented Aug 13, 2022

I built off the main branch in ad-hoc mode with SIP disabled and while testing attempted to block the Xcode binary. The rule check

santactl rule --check --sha256 691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071

shows Blocked (Binary), but I am still able to run Xcode.

I am using a static rule in Monitor Mode and expected I should not be able to start Xcode. The file in the plist is:

<dict>
    <!-- BLOCK xcode for testing -->
    <key>identifier</key>
    <string>691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071</string>
    <key>policy</key>
    <string>BLOCKLIST</string>
    <key>rule_type</key>
    <string>BINARY</string>
</dict>

My version shown below is a dev build and not the release, since I needed to test unreleased code:

$ santactl version
santad          | 9999.1 (build 1)
santactl        | 9999.1 (build 1)
SantaGUI     | 9999.1 (build 1)

Also found that 1 of the unit tests is failing with:

bazel test :unit_tests --define=SANTA_BUILD_TYPE=adhoc --test_output=errors

The result of the above shows 1 failing test:

** TEST EXECUTE FAILED **

Testing started
================================================================================
INFO: Elapsed time: 60.570s, Critical Path: 59.92s
INFO: 2 processes: 2 darwin-sandbox.
INFO: Build completed, 1 test FAILED, 2 total actions
//Source/common:SNTFileInfoTest                                 (cached) PASSED in 7.4s
//Source/common:SNTMetricSetTest                                (cached) PASSED in 12.3s
//Source/common:SNTPrefixTreeTest                               (cached) PASSED in 13.8s
//Source/common:SantaCacheTest                                  (cached) PASSED in 10.0s
//Source/gui:SNTNotificationManagerTest                         (cached) PASSED in 7.7s
//Source/santactl:SNTCommandFileInfoTest                        (cached) PASSED in 7.3s
//Source/santactl:SNTCommandMetricsTest                         (cached) PASSED in 7.9s
//Source/santad:SNTApplicationCoreMetricsTest                   (cached) PASSED in 11.3s
//Source/santad:SNTDeviceManagerTest                            (cached) PASSED in 8.8s
//Source/santad:SNTEndpointSecurityManagerTest                  (cached) PASSED in 6.5s
//Source/santad:SNTEventTableTest                               (cached) PASSED in 10.8s
//Source/santad:SNTExecutionControllerTest                      (cached) PASSED in 5.9s
//Source/santad:SNTProtobufEventLogTest                         (cached) PASSED in 6.3s
//Source/santad:SNTRuleTableTest                                (cached) PASSED in 7.4s
//Source/santametricservice:SNTMetricServiceTest                (cached) PASSED in 5.0s
//Source/santametricservice/Formats:SNTMetricMonarchJSONFormatTest (cached) PASSED in 9.5s
//Source/santametricservice/Formats:SNTMetricRawJSONFormatTest  (cached) PASSED in 5.5s
//Source/santametricservice/Writers:SNTMetricFileWriterTest     (cached) PASSED in 6.4s
//Source/santametricservice/Writers:SNTMetricHTTPWriterTest     (cached) PASSED in 6.2s
//Source/santasyncservice:NSDataZlibTest                        (cached) PASSED in 7.0s
//Source/santasyncservice:SNTSyncTest                           (cached) PASSED in 47.9s
//Source/santad:SNTApplicationTest                                       FAILED in 59.6s
  /private/var/tmp/_bazel_eoche/418fe1a0dd8829fc276fd3c03c07a8c4/execroot/santa/bazel-out/darwin-fastbuild/testlogs/Source/santad/SNTApplicationTest/test.log

Executed 1 out of 22 tests: 21 tests pass and 1 fails locally.
INFO: Build completed, 1 test FAILED, 2 total actions
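As an added example that is not part of this issue and not Santa's own code: a small Python checker that loads a StaticRules array in the same plist form quoted above, validates each entry's fields (a BINARY rule needs a 64-hex-digit SHA-256 identifier and a recognised policy), and reports which policy would apply to an executable's SHA-256. The plist contents and the sample binary bytes are constructed for the example, and the accepted policy and rule_type sets are an assumption about what the installed Santa version supports rather than an exhaustive list.

```python
"""Validate Santa StaticRules entries and look up the policy for a binary's SHA-256.

Added example, not Santa's own code. The plist and SAMPLE_BINARY below are
constructed for the example.
"""
import hashlib
import plistlib
import re

# ALLOWLIST/BLOCKLIST and BINARY/CERTIFICATE/TEAMID are documented Santa values;
# the full sets are an assumption about the installed version, not exhaustive.
VALID_POLICIES = {"ALLOWLIST", "ALLOWLIST_COMPILER", "BLOCKLIST", "SILENT_BLOCKLIST"}
VALID_RULE_TYPES = {"BINARY", "CERTIFICATE", "TEAMID"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed StaticRules plist: the BLOCKLIST rule quoted in this issue plus a
# deliberately malformed entry so the validator has something to report.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>StaticRules</key>
  <array>
    <dict>
      <key>identifier</key>
      <string>691d6b3a7bb41ca4042cc30a769d79b4708f6c27ab602a940b0dbb7c529a5071</string>
      <key>policy</key>
      <string>BLOCKLIST</string>
      <key>rule_type</key>
      <string>BINARY</string>
    </dict>
    <dict>
      <key>identifier</key>
      <string>DEADBEEF</string>
      <key>policy</key>
      <string>DENY</string>
      <key>rule_type</key>
      <string>BINARY</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed stand-in for an executable's bytes. A real check hashes the
# Mach-O inside the bundle (e.g. Xcode.app/Contents/MacOS/Xcode), not the .app.
SAMPLE_BINARY = b"constructed sample binary contents, not a real Mach-O\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of in-memory bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """SHA-256 of a file on disk, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_static_rules(plist_bytes: bytes) -> list:
    """Return the StaticRules array from a Santa configuration plist."""
    cfg = plistlib.loads(plist_bytes)
    rules = cfg.get("StaticRules", [])
    if not isinstance(rules, list):
        raise ValueError("StaticRules must be an array of dicts")
    return rules


def validate_rule(rule: dict) -> list:
    """Return a list of problems with one rule; an empty list means it looks sane."""
    problems = [f"missing key {k}" for k in ("identifier", "policy", "rule_type") if k not in rule]
    if problems:
        return problems
    if rule["policy"] not in VALID_POLICIES:
        problems.append(f"unknown policy {rule['policy']}")
    if rule["rule_type"] not in VALID_RULE_TYPES:
        problems.append(f"unknown rule_type {rule['rule_type']}")
    if rule["rule_type"] == "BINARY" and not SHA256_RE.match(rule["identifier"].lower()):
        problems.append("BINARY identifier is not a 64-hex-digit SHA-256")
    return problems


def policy_for_binary(rules: list, digest: str):
    """Policy of the first well-formed BINARY rule whose identifier equals digest, else None."""
    digest = digest.lower()
    for rule in rules:
        if validate_rule(rule):
            continue  # malformed entries are skipped; they would not match anything
        if rule["rule_type"] == "BINARY" and rule["identifier"].lower() == digest:
            return rule["policy"]
    return None


if __name__ == "__main__":
    rules = load_static_rules(SAMPLE_PLIST)
    for i, r in enumerate(rules):
        print(i, r.get("identifier"), validate_rule(r) or "ok")
    print("sample binary policy:", policy_for_binary(rules, sha256_hex(SAMPLE_BINARY)))
```

To check a real rule against a real target, replace SAMPLE_PLIST with the bytes of the deployed configuration and pass sha256_of_file() of the executable inside the bundle to policy_for_binary(); a None result means no BINARY rule in the static set names that hash, which is the first thing to rule out when a block does not take effect.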
@russellhancox
Contributor

This is likely due to the dev build not having correct permissions, like full disk access. What do santactl status and systemextensionsctl list report?

@eopeter
Author

eopeter commented Aug 13, 2022

$ santactl status
>>> Daemon Info
  Mode                      | Monitor
  File Logging              | Yes
  USB Blocking              | No
  Watchdog CPU Events       | 0  (Peak: 16.54%)
  Watchdog RAM Events       | 0  (Peak: 58.42MB)
>>> Cache Info
  Root cache count          | 237
  Non-root cache count      | 0
>>> Database Info
  Binary Rules              | 0
  Certificate Rules         | 0
  TeamID Rules              | 0
  Compiler Rules            | 0
  Transitive Rules          | 0
  Events Pending Upload     | 19
>>> Static Rules
  Rules                     | 4

@eopeter
Author

eopeter commented Aug 13, 2022

$ systemextensionsctl list
3 extension(s)
--- com.apple.system_extension.network_extension
enabled	active	teamID	bundleID (version)	name	[state]
*	*	PXPZ95SK77	com.paloaltonetworks.GlobalProtect.client.extension (5.2.11-10/1)	GlobalProtectExtension	[activated enabled]
*	*	DE8Y96K9QP	com.cisco.anyconnect.macos.acsockext (4.10.05111/4.10.05111)	Cisco AnyConnect Socket Filter Extension	[activated enabled]
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	-	com.google.santa.daemon (9999.1/9999.1.1)	santad	[activated enabled]

@russellhancox
Contributor

russellhancox commented Aug 19, 2022

The output looks correct. I'm not able to reproduce the issue of blocked binaries not being blocked but I can reproduce SNTApplicationTest failing and I'm unsure why, even reverting back to the 2022.7 tag and running the test fails where it used to pass. Will need to dig into this a bit more.

@eopeter
Author

eopeter commented Aug 23, 2022

This started working.

@eopeter eopeter closed this as completed Aug 23, 2022
@russellhancox
Contributor

Hmm, interesting. Did the test also start passing?

@eopeter
Author

eopeter commented Aug 23, 2022

No, the test is still failing. I can open another issue on the test.

@eopeter eopeter reopened this Aug 24, 2022
@eopeter
Author

eopeter commented Aug 24, 2022

Rule check says binary is allowed but Santa is blocking it as shown:

image

@russellhancox
Contributor

We published 2022.8, which allows/blocks binaries as expected (and there have been no significant code changes since the commit that build is based upon). I'm unable to reproduce any errors in an adhoc build either.

The failing SNTApplicationTest we've tracked down to being an issue caused by installed StaticRules in an on-device profile - the test doesn't sufficiently isolate the configuration installed on the host. We don't see this issue in CI because no such configuration profile exists. A fix is on the way.

@pmarkowsky
Contributor

Just submitted #885. Let us know if this doesn't solve your issue regarding the tests.

@pmarkowsky
Contributor

@eopeter I'm going to mark this closed. Please let us know if this is still an issue you're encountering.
