Notes
If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.
Santa documentation can be found at northpole.dev.
Announcements
📣 Opt-In Stats Collection
Santa can now collect basic stats on an opt-in basis by setting the EnableStatsCollection configuration key to true. When enabled, some very limited, non-identifying information (such as Santa and macOS versions) is gathered and uploaded to North Pole Security. While not required, this information is extremely useful for us to understand more about our install base to inform the development of new features and drive support/deprecation decisions. For complete details about what is collected, see our Stats documentation.
Please consider opting in your organization to help us better maintain Santa for the whole community!
Fixed
❗ Block messages in the UI dialog were not being properly auto-wrapped.
❗ The DMG path for MOUNT telemetry events was only being populated in certain cases.
❗ Addressed potential crash in the sync service in the unlikely scenario the events database grew extremely large.
Changed
↔️ Events generated by transitive rules are no longer uploaded in the sync protocol.
↔️ Telemetry output for compiler rules now correctly identifies the rule type that triggered them (binary, cdhash, or signingid).
Added
➕ SigningID values in FAA rules now support a single wildcard (*) character.
➕ New telemetry event type, LaunchItem, for when new persistence items are added or removed from macOS's background task management subsystem.
➕ Process-centric FAA rules (beta) received several improvements including better caching, rate limiting, metrics, and handling policy changes that affect processes that are already running and previously matched rules.
➕ FAA telemetry now includes an "operation id". This identifier allows telemetry consumers to identify when a single operation violated multiple FAA rules (e.g. when an OPEN event violated both a Data-centric and a Process-centric FAA policy and two events were emitted).
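
As an added example (not code from the Santa project), the following Python shows how a telemetry consumer might use the operation id to collapse several FAA events emitted for one operation into a single finding. The JSON layout, the field names (operation_id, policy_name, policy_kind, access_type, target, pid) and the sample records are constructed assumptions, not Santa's actual telemetry schema.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names are assumptions for illustration
# and do not reflect Santa's real telemetry schema.
SAMPLE_EVENTS = """\
{"operation_id": "a1f3", "policy_name": "ProtectCookies", "policy_kind": "data", "access_type": "OPEN", "target": "/Users/u/Library/Cookies/c.db", "pid": 412}
{"operation_id": "a1f3", "policy_name": "RestrictCurl", "policy_kind": "process", "access_type": "OPEN", "target": "/Users/u/Library/Cookies/c.db", "pid": 412}
{"operation_id": "b7c9", "policy_name": "ProtectCookies", "policy_kind": "data", "access_type": "OPEN", "target": "/Users/u/Library/Cookies/c.db", "pid": 977}
{"policy_name": "ProtectKeys", "policy_kind": "data", "access_type": "OPEN", "target": "/Users/u/.ssh/id_ed25519", "pid": 51}
"""


def correlate(lines):
    """Group FAA events by operation id, preserving first-seen order.

    A record with no operation id becomes its own single-event group,
    keyed by line number, so it is never dropped or merged with others.
    """
    ops = defaultdict(list)
    for n, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        op_id = ev.get("operation_id")
        key = ("id", op_id) if op_id else ("line", n)
        ops[key].append(ev)
    return dict(ops)


def summarize(ops):
    """One row per operation: which policies and policy kinds it violated."""
    rows = []
    for (kind, value), evs in ops.items():
        rows.append({
            "operation_id": value if kind == "id" else None,
            "events": len(evs),
            "policies": sorted({e["policy_name"] for e in evs}),
            "kinds": sorted({e["policy_kind"] for e in evs}),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(correlate(SAMPLE_EVENTS.splitlines())):
        print(row)
```

Counting operations rather than raw events keeps alert volumes from doubling when a Data-centric and a Process-centric policy both fire on the same access.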
What's Changed
- Add missing "break" to switch case in BasicString by @kubalaguna in #280
- Update config docs for stats key by @mlw in #281
- Add EnableNotificationSilences key to config docs by @4rm in #286
- build: Update rules_apple to 3.19.1, rules_swift to 2.4.0 by @russellhancox in #284
- Add fallback methods for gathering mounted DMG path by @mlw in #282
- Downloaded rule identifiers now pass thru value validation by @mlw in #283
- Add update method to SantaCache to update value under lock by @mlw in #288
- Update docs sidebar colors and link borders by @statico in #289
- Fix link color in docs by @statico in #290
- Add and adopt SantaSetCache by @mlw in #291
- Clarify RuleType version support by @mlw in #293
- Add reads cache support to the FAA Policy Processor by @mlw in #292
- Module version updates by @mlw in #294
- gui: Fix auto-wrapping of multiline text in block message by @russellhancox in #296
- Add Operation ID / fingerprint hash to FileAccess telemetry events by @mlw in #295
- Docs: Update warnings about scopes. by @pmarkowsky in #298
- Add Santa and third party licenses to distribution package by @mlw in #299
- Route Data FAA client through the FAAPolicyProcessor by @mlw in #297
- Remove unused OCMExpect from test by @kubalaguna in #301
- Small docs update by @mlw in #305
- Add back metrics and rate limiting shared across FAA clients by @mlw in #304
- Add foreach and clear with block support to SantaCache by @mlw in #306
- gui: Add localization of client mode switch notifications by @russellhancox in #307
- gui: localize unblocked app notifications by @russellhancox in #308
- Stop watching processes when all Proc FAA rules are removed by @mlw in #309
- Remove inline specifier from some FAAPolicyProcessor methods by @kubalaguna in #310
- Handle FAA policy changes affecting watched processes by @mlw in #311
- Rename original FAA client to Data FAA by @mlw in #312
- Inject necessary WatchItems method instead of full object by @mlw in #314
- Add proto schema definition for BTM LaunchItems by @mlw in #317
- Add support for BTM LaunchItem telemetry event by @mlw in #318
- docs: Correct signing_id format in JSON example by @russellhancox in #321
- BTM LaunchItems telemetry serialization by @mlw in #322
- sync: Don't upload transitive events, correct policy for compiler rules by @russellhancox in #324
- Basic wildcard support for FAA SigningID values by @mlw in #325
- Fix ISO C++ field designators declaration order by @kubalaguna in #327
- telemetry/proto: Restore REASON_COMPILER, mark deprecated by @russellhancox in #328
- Set some additional compiler flags by @mlw in #329
- Switch event upload implementation from recursive to iterative by @mlw in #331
- Check for success before final upload by @mlw in #332
New Contributors
Full Changelog: 2025.2...2025.3