Releases: google/santa

v2021.8

08 Dec 22:19
82b71c0

Notes

  • Added a system for collecting and exporting metrics to monitoring systems and a metrics subcommand to santactl for viewing the current state. More metrics will be added in future releases.
  • EnableSysxCache is now enabled by default - we've found this significantly improves performance when other EndpointSecurity extensions are in use.
  • Added TeamID as a rule type - you can now allow/block by team ID instead of individual certificates. Support is included in santactl rule.
  • Added AboutText configuration key to configure the text displayed when Santa.app is opened while it's running (thanks @np5!)

v2021.7

04 Oct 20:46
1523d58

WARNING (2021-10-06)

Shortly after release we noticed that the code signature on the released binaries was missing some required entitlements. We have updated the release package and tarball attached to this release and added .ORIG to the original files.

If you have attempted to deploy the original broken release you should try again with the updated files. As there are no code changes we have not bumped the version number.

Notes

  • santactl/sync: Fixed a rare crash from reachability checks
  • santactl/sync: Fixed a rare crash when using FCM
  • santad: Improved prevention of database overwrites

v2021.5

04 May 18:45
1d9af01

Notes

  • Updates MOLAuthenticatingURLSession to v3.0, which will now pick the most recently issued cert if multiple certs match the filters specified in the configuration. Fixes #553

v2021.3

08 Mar 20:09
ad1868a

Notes

  • Fixes an issue in santactl fileinfo where bundles were misappropriated (issue #536)
  • Fixes transitive allowlisting when EnableSysxCache is true (issue #539)

v2021.2

28 Jan 19:45
8b22c85

Notes

  • santad: Fixes caching of blocked executions when EnableSysxCache is in use.
  • santactl: Retry individual requests to continue a long sync through minor network blips

v2021.1

13 Jan 15:26

Notes

  • Added an optional self-managed cache for decision responses, which should help improve performance when running Santa as a system extension alongside another system extension (#510). To enable this cache, set EnableSysxCache to <true/> in your Santa config profile.
  • Fixed santactl/fileinfo pulling embedded Info.plist files from 32-bit sections of fat binaries.

The versioning scheme has also changed to YYYY.X

v1.17

23 Dec 16:41
01e4e15

Notes

  • santad: log pidversion along with pid. (#512 - thanks @avanzini!)
  • santactl/sync: Use deflate as the default Content-Encoding instead of zlib. (#511 - thanks @radsec!)
    • To re-enable zlib set the EnableBackwardsCompatibleContentEncoding config option to true. If syncing with Upvote deployed at commit 0b4477d or below, set this option to true.
  • Santa now ships as a Universal app (arm64, x86_64). Notably santa-driver.kext will continue to only ship as x86_64. We have no plans to support Santa's kext on Apple Silicon Macs.
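
For sync server operators, the Content-Encoding change above means a server may receive either header value. The following is an added example (not code from Santa or Upvote) of a server-side decoder that accepts both tokens and caps the decompressed size. The function name, the size limit, and the assumption that both tokens carry a zlib-wrapped (RFC 1950) stream are illustrative.

```python
import zlib

# Tokens named in the release note: "deflate" (new default) and "zlib"
# (sent when EnableBackwardsCompatibleContentEncoding is true).
ACCEPTED_ENCODINGS = {"deflate", "zlib"}
MAX_BODY_BYTES = 8 * 1024 * 1024  # assumed cap; size it to your largest upload


class BodyError(ValueError):
    """Raised when a request body cannot be safely decoded."""


def decode_sync_body(content_encoding, body, limit=MAX_BODY_BYTES):
    """Return the decoded request body, or raise BodyError."""
    token = (content_encoding or "identity").strip().lower()
    if token == "identity":
        if len(body) > limit:
            raise BodyError("body exceeds size limit")
        return body
    if token not in ACCEPTED_ENCODINGS:
        raise BodyError("unsupported Content-Encoding: %r" % token)

    # wbits=15 expects the zlib (RFC 1950) wrapper, which is what HTTP's
    # "deflate" coding denotes. Assumption: the legacy "zlib" token carries
    # the same wrapper and only the header name differs.
    d = zlib.decompressobj(15)
    try:
        # Ask for at most limit+1 bytes so an oversized stream is detected
        # without inflating all of it into memory.
        out = d.decompress(body, limit + 1)
    except zlib.error as exc:
        raise BodyError("corrupt compressed body: %s" % exc)
    if len(out) > limit or d.unconsumed_tail:
        raise BodyError("decompressed body exceeds size limit")
    if not d.eof:
        raise BodyError("truncated compressed body")
    if d.unused_data:
        raise BodyError("trailing data after compressed stream")
    return out


if __name__ == "__main__":
    sample = zlib.compress(b'{"events": []}')  # constructed sample body
    print(decode_sync_body("deflate", sample))
    print(decode_sync_body("zlib", sample))
```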

Important

The v1.x versions of Santa include many architectural changes, including the use of EndpointSecurity and SystemExtensions on systems running macOS 10.15+.

Once Santa's SystemExtension is installed, it cannot be removed without prompting the user.

See the notes for the v1.0.3 release regarding SystemExtension and TCC permissions required to run this release on 10.15+.

v1.15

22 Oct 21:38
2221c93

Notes

  • The Santa system extension now prevents santa-driver.kext from being loaded, to prevent the two systems from dueling, which can happen if an old version of Santa is installed after a sysx version has been enabled.
  • Add support for %hostname%, %uuid%, %serial% to EventDetailURL (thanks to @hughneale!)
  • Allow a sync server to remotely set FullSyncInterval during preflight (thanks to @hughneale!)
  • Add a config key (IgnoreOtherEndpointSecurityClients) to ignore events generated by other EndpointSecurity clients, which may cause increased CPU usage.
  • Add a config key (EnableDebugLogging) to enable debug logging for all Santa components
  • Fix a bug in santactl/sync that can cause infinite recursion discovering identities from self-signed roots (issue #497).

Important

The v1.x versions of Santa include many architectural changes, including the use of EndpointSecurity and SystemExtensions on systems running macOS 10.15+.

Once Santa's SystemExtension is installed, it cannot be removed without prompting the user.

See the notes for the v1.0.3 release regarding SystemExtension and TCC permissions required to run this release on 10.15.

v1.14

20 Oct 21:21
ff9cb34

Notes

  • Added FORK/EXIT logging, can be enabled with the EnableForkAndExitLogging configuration key.
  • Made logging around rule downloads clearer

Important

The v1.x versions of Santa include many architectural changes, including the use of EndpointSecurity and SystemExtensions on systems running macOS 10.15+.

Once Santa's SystemExtension is installed, it cannot be removed without prompting the user.

See the notes for the v1.0.3 release regarding SystemExtension and TCC permissions required to run this release on 10.15.

v1.13

08 Apr 14:53

Security Fixes

This release contains some important security fixes to Santa's kernel extension component. The bugs that were fixed could allow an attacker with local code execution as root to gain kernel access. Machines using the system extension on 10.15 are not affected.

Many thanks to Drew Yao of Apple SEAR Red Team for reporting these bugs to us.

  • Off-by-one array access in SantaDriverClient::externalMethod
  • Integer overflow/underflow in SantaCache::bucket_counts
  • Race condition & use-after-free in SantaDriverClient::clientMemoryForType

Important

The v1.x versions of Santa include many architectural changes, including the use of EndpointSecurity and SystemExtensions on systems running macOS 10.15+.

Once Santa's SystemExtension is installed, it cannot be removed without prompting the user.

See the notes for the v1.0.3 release regarding SystemExtension and TCC permissions required to run this release on 10.15.