github google/santa 2024.3
v2024.3


WARNING

We were notified about an issue affecting the santactl fileinfo command in this version shortly after this version was released (#1318). For normal output, rule information cannot be obtained. Additionally, JSON output is broken.

We will be releasing a 2024.4 release ahead of schedule to address these issues.

Notes

Fixed

❗ The FileChangesRegex configuration key now applies to all file modification event types that can be logged. Starting in v2022.9 it was inadvertently applied only to WRITE log events. Depending on how this key is configured, this change will reduce the number of logged events. IMPORTANT: If you're using this configuration key, please make sure to test how this change will affect your deployments.
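To see why this fix changes log volume, the following added example (not Santa's code, and not taken from this release page) models the two behaviours side by side: the v2022.9 to v2024.2 path, where only WRITE events were checked against the regex and every other event type was logged regardless, and the 2024.3 path, where the regex gates every file-modification event type. The event list and the regex value are constructed for illustration.

```python
import re

# Constructed sample of file-modification events (event type, path); these are
# illustrative, not real Santa log output.
SAMPLE_EVENTS = [
    ("WRITE", "/Users/alice/Documents/report.docx"),
    ("WRITE", "/Users/alice/.ssh/authorized_keys"),
    ("RENAME", "/tmp/build-123/out.o"),
    ("RENAME", "/Users/alice/.ssh/config"),
    ("UNLINK", "/private/var/log/install.log"),
    ("LINK", "/Users/alice/.zshrc"),
    ("EXCHANGE", "/Library/LaunchDaemons/com.example.agent.plist"),
]

# Assumed FileChangesRegex value for this example: user dotfiles and
# launch daemons only.
FILE_CHANGES_REGEX = r"^/Users/[^/]+/\.|^/Library/LaunchDaemons/"


def filter_events(events, regex, write_only):
    """Return the events that would be logged.

    write_only=True models the v2022.9 to v2024.2 behaviour, where the regex was
    consulted only for WRITE events and every other event type was logged
    unconditionally. write_only=False models 2024.3, where the regex gates
    every file-modification event type.
    """
    pattern = re.compile(regex)
    logged = []
    for action, path in events:
        if write_only and action != "WRITE":
            # Legacy path: non-WRITE events bypass the regex entirely.
            logged.append((action, path))
            continue
        if pattern.search(path):
            logged.append((action, path))
    return logged


def compare_volumes(events, regex):
    """Count logged events under both behaviours and list event types that
    disappear from the log once the regex applies to everything."""
    before = filter_events(events, regex, write_only=True)
    after = filter_events(events, regex, write_only=False)
    return {
        "before": len(before),
        "after": len(after),
        "dropped_types": sorted({a for a, _ in before} - {a for a, _ in after}),
    }


if __name__ == "__main__":
    print(compare_volumes(SAMPLE_EVENTS, FILE_CHANGES_REGEX))
```

Run the same comparison against your own FileChangesRegex and a day's worth of real event paths before upgrading: if a detection depends on RENAME, UNLINK, LINK or EXCHANGE events for paths the regex does not match, those events stop arriving in 2024.3 and the regex needs widening.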

Changed

↔️ Improved logic on when to flush local caches when new rules are received. Caches should now be flushed less often. This can result in better performance in some deployment setups.
↔️ Improved transitive rule creation events when tracking RENAME events. This should improve transitive rule creation for some toolchains.

Added

➕ CDHash rules are now supported. They are now the highest-precedence rule type (evaluated ahead of binary hash rules). This includes support in santactl and in the sync protocol, so sync servers can send CDHash rules to clients. See the Sync Protocol documentation for details on how to serve CDHash rules.
➕ JSON rule import for locally managed deployments now supports the --clean and --clean-all flags (behaving similarly to santactl sync).
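The practical consequence of CDHash sitting at the top of the precedence order is that a CDHash rule wins over any other rule that also matches the same executable. The added example below (not Santa's code, and not from this page) loads a small rule set and resolves the effective policy for an executable by walking the rule types in precedence order. The CDHASH-before-BINARY ordering is from these release notes; the remainder of the order (SIGNINGID, CERTIFICATE, TEAMID) follows the documented Santa evaluation order and is assumed here. The JSON shape is the rule-import layout as I understand it (also an assumption), and every identifier is a constructed placeholder, not a real hash or Team ID.

```python
import json

# Rule types, most specific first. CDHASH ahead of BINARY is stated in the
# 2024.3 notes; the rest is the documented Santa order (assumed, not from the page).
RULE_PRECEDENCE = ["CDHASH", "BINARY", "SIGNINGID", "CERTIFICATE", "TEAMID"]

# Constructed rule set in the assumed `santactl rule --import` JSON shape.
# All identifiers are placeholders, not real hashes or Team IDs.
RULES_JSON = """
{"rules": [
  {"rule_type": "BINARY",  "identifier": "sha256-placeholder-aaaa", "policy": "ALLOWLIST"},
  {"rule_type": "CDHASH",  "identifier": "cdhash-placeholder-1111", "policy": "BLOCKLIST",
   "custom_msg": "This build was revoked"},
  {"rule_type": "TEAMID",  "identifier": "TEAMIDPLACE",             "policy": "ALLOWLIST"}
]}
"""


def load_rules(text):
    """Index rules by (rule_type, identifier) so lookups are O(1)."""
    rules = {}
    for rule in json.loads(text)["rules"]:
        rule_type = rule["rule_type"].upper()
        if rule_type not in RULE_PRECEDENCE:
            raise ValueError(f"unknown rule_type {rule_type!r}")
        rules[(rule_type, rule["identifier"])] = rule
    return rules


def evaluate(rules, binary):
    """Resolve the effective (policy, matched_rule_type) for one executable.

    `binary` maps each rule type to the identifier observed for the executable,
    e.g. {"CDHASH": "...", "BINARY": "<sha256>", "TEAMID": "..."}. The first
    rule found in precedence order decides; less specific matches are ignored.
    """
    for rule_type in RULE_PRECEDENCE:
        identifier = binary.get(rule_type)
        if identifier is None:
            continue
        rule = rules.get((rule_type, identifier))
        if rule is not None:
            return rule["policy"], rule_type
    return "NONE", None


if __name__ == "__main__":
    rules = load_rules(RULES_JSON)
    # Same binary hash, but the revoked CDHash rule takes precedence.
    print(evaluate(rules, {"CDHASH": "cdhash-placeholder-1111",
                           "BINARY": "sha256-placeholder-aaaa",
                           "TEAMID": "TEAMIDPLACE"}))
    # Different CDHash: falls through to the BINARY allow rule.
    print(evaluate(rules, {"CDHASH": "cdhash-placeholder-2222",
                           "BINARY": "sha256-placeholder-aaaa"}))
```

The design point worth keeping in mind when authoring rules: because CDHash is evaluated first, a CDHash BLOCKLIST is the narrowest way to revoke one specific build without disturbing broader BINARY, certificate or Team ID allow rules, and conversely a stray CDHash ALLOWLIST overrides every blocklist beneath it for that code directory.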

What's Changed

  • ProcessTree: fix missing direct deps by @kallsyms in #1288
  • docs: Document that *PathRegex does not work on symlinks by @russellhancox in #1290
  • ProcessTree: add macOS specific loader and ES adapter (2/4) by @kallsyms in #1237
  • Some more lint fixes by @kallsyms in #1295
  • Make FileChangesRegex apply to all file change event types by @mlw in #1294
  • Refactor rule and count lookups by @mlw in #1298
  • Creating transitive rules for rename events should fallback to destination path by @mlw in #1299
  • Added clean flags for JSON rule import by @pmarkowsky in #1300
  • Add support for CDHash rule types by @mlw in #1301
  • Add required dep for internal builds by @mlw in #1302
  • Implement NSSecureCoding for SNTRuleIdentifiers by @pmarkowsky in #1307
  • ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) by @kallsyms in #1281
  • Tests: Fix SNTRuleTableTest in the presence of local static rules by @russellhancox in #1311
  • Fix: Do not flush authcache when receiving duplicate block rules from the sync service by @pmarkowsky in #1310
  • Overrides disabled when running tests unless explicitly enabled by @mlw in #1312
  • Add CDHash to rule evaluation order documentation by @jasonmc in #1313
  • Fix BUILD deps by @kallsyms in #1314
  • Add missing EndpointSecurity dylib by @kallsyms in #1315

Full Changelog: 2024.2...2024.3
