This repository has been archived by the owner on Feb 5, 2025. It is now read-only.

Allow access to SCOPE rules in Sync servers #279

Closed
zbuc opened this issue Jun 6, 2018 · 7 comments
Closed

Allow access to SCOPE rules in Sync servers #279

zbuc opened this issue Jun 6, 2018 · 7 comments
Assignees
Labels: question (Any questions related to code / operation of Santa)

Comments

@zbuc

zbuc commented Jun 6, 2018

I notice that only binary and certificate rules can be synced from servers:

if ([ruleTypeString isEqual:kRuleTypeBinary]) {

Would it be possible to allow SCOPE rules to be served by Sync servers? Managing them in the properties for the app is additional complexity and difficult because not all rules can be managed in a single location.

@russellhancox
Contributor

There aren't really SCOPE rules, just a number of hardcoded checks (see fileIsScopeWhitelisted: and fileIsScopeBlacklisted:). The two regexes can be configured using a sync server.

What specifically were you hoping to block/allow?

@russellhancox russellhancox self-assigned this Jun 6, 2018
@russellhancox russellhancox added the question Any questions related to code / operation of Santa label Jun 6, 2018
@zbuc
Author

zbuc commented Jun 6, 2018

I got the idea about SCOPE rules from a snippet in the Upvote docs:

https://github.com/google/upvote/blob/master/docs/santa_sync.md

Policy Syncing
Santa supports three different policy types:

WHITELIST: Allow execution
BLACKLIST: Block execution
REMOVE: Remove any pre-existing policy entry (NOT the file itself)
...and three different Rule types:

BINARY: Apply the policy to a binary.
CERTIFICATE: Apply the policy to any binary signed by the signing certificate.
SCOPE: Apply the policy to any file whose path matches a regex.

Basically I'm looking for an easier way for our analysts to manage path-based whitelists, as they don't have access to our configuration management server which manages the plist used by Santa, but they do have access to our Santa sync server.

@russellhancox
Contributor

Gotcha. So, yes, if the sync server fully implements the preflight request the path-based whitelists can be delivered there; Upvote implements this as a per-host setting.

@zbuc
Author

zbuc commented Jun 6, 2018

I didn't realize the preflight request had support for delivering path-based whitelists.

How does this interact with the paths defined in the plist?

@russellhancox
Contributor

Config pulled from a sync server has higher precedence than local configuration.

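The two answers above (path regexes delivered in the preflight response, and sync-server config taking precedence over the local plist) are easier to reason about with a concrete exchange. The following is an added example, not code from Santa or Upvote: a minimal sync-server preflight builder, the precedence resolution a client would apply, and a scope classifier run over constructed paths. The preflight keys `whitelist_regex` / `blacklist_regex` and the plist keys `WhitelistRegex` / `BlacklistRegex` are assumed from the Santa sync protocol and configuration docs of this era; verify them against the Santa version you deploy. The block-before-allow ordering in `scope_decision` is this example's own choice, not a claim about Santa's internal ordering.

```python
"""Added example (not Santa's or Upvote's code): a sync server handing Santa
path-based allow/block regexes in the preflight response, and the precedence
rule from the thread (sync-delivered value wins, otherwise the local plist).

Assumed (labelled) names: preflight keys `whitelist_regex` / `blacklist_regex`,
plist keys `WhitelistRegex` / `BlacklistRegex`. Check them against your Santa version.
"""
import json
import re

# Constructed stand-in for the local com.google.santa plist, as a dict.
LOCAL_PLIST = {
    "ClientMode": 1,
    "WhitelistRegex": r"^/Users/[^/]+/Developer/.*$",
    "BlacklistRegex": r"^/tmp/.*$",
}

# Constructed per-host policy a sync server would look up for one machine.
HOST_POLICY = {
    "client_mode": "MONITOR",
    "whitelist_regex": r"^/opt/analyst-tools/.*$",
    # No blacklist_regex here: the local plist value stays in effect for that key.
}


def build_preflight_response(host_policy: dict, batch_size: int = 100) -> str:
    """Return the JSON body a sync server sends for the preflight request.

    Only regex keys present in the host policy are emitted; an omitted key
    means "no override from the server" for that setting.
    """
    body = {"batch_size": batch_size, "client_mode": host_policy["client_mode"]}
    for key in ("whitelist_regex", "blacklist_regex"):
        if key in host_policy:
            re.compile(host_policy[key])  # reject a malformed regex server-side
            body[key] = host_policy[key]
    return json.dumps(body)


def effective_config(local_plist: dict, preflight_json: str) -> dict:
    """Apply the precedence rule from the thread: a value delivered by the
    sync server wins; a key the server did not send falls back to the plist.
    """
    sync = json.loads(preflight_json)
    return {
        "whitelist_regex": sync.get("whitelist_regex", local_plist.get("WhitelistRegex")),
        "blacklist_regex": sync.get("blacklist_regex", local_plist.get("BlacklistRegex")),
    }


def scope_decision(path: str, config: dict) -> str:
    """Classify a path under the effective regexes.

    Block is checked before allow so an explicit block always wins; this
    ordering is the example's choice, not a statement about Santa internals.
    """
    block = config.get("blacklist_regex")
    allow = config.get("whitelist_regex")
    if block and re.match(block, path):
        return "BLOCK_SCOPE"
    if allow and re.match(allow, path):
        return "ALLOW_SCOPE"
    return "NO_SCOPE_MATCH"


if __name__ == "__main__":
    response = build_preflight_response(HOST_POLICY)
    config = effective_config(LOCAL_PLIST, response)
    print("preflight:", response)
    print("effective:", config)
    for p in ("/opt/analyst-tools/bin/tool", "/Users/alice/Developer/app", "/tmp/dropper"):
        print(p, "->", scope_decision(p, config))
```

Note what the precedence rule does to the local plist: once the sync server sends `whitelist_regex`, the plist's `WhitelistRegex` no longer matches anything, so `/Users/alice/Developer/app` falls out of the allow scope. Treat the sync server's per-host policy as the single place to audit path-based allowances, and log which source supplied each effective regex.
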
@msuozzo
Member

msuozzo commented Jun 6, 2018

Hey @zbuc!

Upvote dev here. Given the dubious security proposition of path-based whitelisting, we haven't put much effort into surfacing that feature. Notably, the Upvote documentation is definitely wrong in its description of Santa's sync process. Santa has the notion of a {ALLOW/BLOCK}_SCOPE reason for a decision but not a SCOPE rule.

wrt Upvote-based configuration of these fields, I've filed an issue against Upvote to track the change.

Thanks for reaching out!

@pmarkowsky
Contributor

Marking this as closed, since it's been two years and we support the requested feature via the sync protocol.
