Update moroz based on latest santa client

cmd/moroz/main.go

@@ -59,7 +59,7 @@ func main() {
 	}
 
 	if _, err := os.Stat(*flTLSCert); *flUseTLS && os.IsNotExist(err) {
-		fmt.Println(openSSLBash)
+		fmt.Printf(openSSLBash)
 		os.Exit(2)
 	}
 

configs/global.toml

@@ -1,42 +1,56 @@
 client_mode = "MONITOR"
-# blocklist_regex = "^(?:/Users)/.*"
-# allowlist_regex = "^(?:/Users)/.*"
+# blocked_path_regex = "^(?:/Users)/.*"
+# allowed_path_regex = "^(?:/Users)/.*"
 batch_size = 100
 enable_bundles = false
-enabled_transitive_allowlisting = true
+enable_transitive_rules = true
+clean_sync = true
+full_sync_interval = 600
 
 [[rules]]
 rule_type = "BINARY"
 policy = "BLOCKLIST"
-sha256 = "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda"
+identifier = "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda"
 custom_msg = "blocklist firefox"
 
 [[rules]]
-rule_type = "CERTIFICATE"
+rule_type = "TEAMID"
+policy = "ALLOWLIST"
+identifier = "EQHXZ8M8AV"
+custom_msg = "allow google team id"
+
+[[rules]]
+rule_type = "SIGNINGID"
+policy = "ALLOWLIST"
+identifier = "EQHXZ8M8AV:com.google.Chrome"
+custom_msg = "allow google chrome signing id"
+
+[[rules]]
+rule_type = "SIGNINGID"
 policy = "BLOCKLIST"
-sha256 = "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d"
-custom_msg = "blocklist dash app certificate"
+identifier = "platform:com.apple.BluetoothFileExchange"
+custom_msg = "block bluetooth file exchange.app"
 
 [[rules]]
 rule_type = "BINARY"
 policy = "ALLOWLIST_COMPILER"
-sha256 = "60d79d1763fefb56716e4a36284300523eb4335c3726fb9070fa83074b02279e"
+identifier = "60d79d1763fefb56716e4a36284300523eb4335c3726fb9070fa83074b02279e"
 custom_msg = "allowlist go compiler component"
 
 [[rules]]
 rule_type = "BINARY"
 policy = "ALLOWLIST_COMPILER"
-sha256 = "8e78770685d51324b78588fddc6afc2f8b6cef5231c27eeb97363cc437fec18a"
+identifier = "8e78770685d51324b78588fddc6afc2f8b6cef5231c27eeb97363cc437fec18a"
 custom_msg = "allowlist go compiler component"
 
 [[rules]]
 rule_type = "BINARY"
 policy = "ALLOWLIST_COMPILER"
-sha256 = "e88617cfd62809fb10e213c459a52f48e028fae4321e41134c4797465af886b6"
+identifier = "e88617cfd62809fb10e213c459a52f48e028fae4321e41134c4797465af886b6"
 custom_msg = "allowlist go compiler component"
 
 [[rules]]
 rule_type = "BINARY"
 policy = "ALLOWLIST_COMPILER"
-sha256 = "d867fca68bbd7db18e9ced231800e7535bc067852b1e530987bb7f57b5e3a02c"
+identifier = "d867fca68bbd7db18e9ced231800e7535bc067852b1e530987bb7f57b5e3a02c"
 custom_msg = "allowlist go compiler component"

santa/santa.go

@@ -20,18 +20,20 @@ type Config struct {
 type Rule struct {
 	RuleType      RuleType `json:"rule_type" toml:"rule_type"`
 	Policy        Policy   `json:"policy" toml:"policy"`
-	SHA256        string   `json:"sha256" toml:"sha256"`
+	Identifier    string   `json:"identifier" toml:"identifier"`
 	CustomMessage string   `json:"custom_msg,omitempty" toml:"custom_msg,omitempty"`
 }
 
 // Preflight representssync response sent to a Santa client by the sync server.
 type Preflight struct {
-	ClientMode                    ClientMode `json:"client_mode" toml:"client_mode"`
-	BlocklistRegex                string     `json:"blocklist_regex" toml:"blocklist_regex"`
-	AllowlistRegex                string     `json:"allowlist_regex" toml:"allowlist_regex"`
-	BatchSize                     int        `json:"batch_size" toml:"batch_size"`
-	EnableBundles                 bool       `json:"enable_bundles" toml:"enable_bundles"`
-	EnabledTransitiveAllowlisting bool       `json:"enabled_transitive_allowlisting" toml:"enabled_transitive_allowlisting"`
+	ClientMode            ClientMode `json:"client_mode" toml:"client_mode"`
+	BlockedPathRegex      string     `json:"blocked_path_regex" toml:"blocked_path_regex"`
+	AllowedPathRegex      string     `json:"allowed_path_regex" toml:"allowed_path_regex"`
+	BatchSize             int        `json:"batch_size" toml:"batch_size"`
+	EnableBundles         bool       `json:"enable_bundles" toml:"enable_bundles"`
+	EnableTransitiveRules bool       `json:"enable_transitive_rules" toml:"enable_transitive_rules"`
+	CleanSync             bool       `json:"clean_sync" toml:"clean_sync"`
+	FullSyncInterval      int        `json:"full_sync_interval" toml:"full_sync_interval"`
 }
 
 // A PreflightPayload represents the request sent by a santa client to the sync server.
@@ -65,6 +67,17 @@ const (
 	// This is a powerful rule type that has a much broader reach than an individual binary rule .
 	// A signing certificate can sign any number of binaries.
 	Certificate
+
+	// TeamID rules are the 10-character identifier issued by Apple and tied to developer accounts/organizations.
+	// This is an even more powerful rule with broader reach than individual certificate rules.
+	// ie. EQHXZ8M8AV for Google
+	TeamID
+
+	// Signing IDs are arbitrary identifiers under developer control that are given to a binary at signing time.
+	// Because the signing IDs are arbitrary, the Santa rule identifier must be prefixed with the Team ID associated
+	// with the Apple developer certificate used to sign the application.
+	// ie. EQHXZ8M8AV:com.google.Chrome
+	SigningID
 )
 
 func (r *RuleType) UnmarshalText(text []byte) error {
@@ -73,6 +86,10 @@ func (r *RuleType) UnmarshalText(text []byte) error {
 		*r = Binary
 	case "CERTIFICATE":
 		*r = Certificate
+	case "TEAMID":
+		*r = TeamID
+	case "SIGNINGID":
+		*r = SigningID
 	default:
 		return errors.Errorf("unknown rule_type value %q", t)
 	}
@@ -85,6 +102,10 @@ func (r RuleType) MarshalText() ([]byte, error) {
 		return []byte("BINARY"), nil
 	case Certificate:
 		return []byte("CERTIFICATE"), nil
+	case TeamID:
+		return []byte("TEAMID"), nil
+	case SigningID:
+		return []byte("SIGNINGID"), nil
 	default:
 		return nil, errors.Errorf("unknown rule_type %d", r)
 	}
@@ -100,6 +121,7 @@ const (
 	// AllowlistCompiler is a Transitive allowlist policy which allows allowlisting binaries created by
 	// a specific compiler. EnabledTransitiveAllowlisting must be set to true in the Preflight first.
 	AllowlistCompiler
+	Remove
 )
 
 func (p *Policy) UnmarshalText(text []byte) error {
@@ -110,6 +132,8 @@ func (p *Policy) UnmarshalText(text []byte) error {
 		*p = Allowlist
 	case "ALLOWLIST_COMPILER":
 		*p = AllowlistCompiler
+	case "REMOVE":
+		*p = Remove
 	default:
 		return errors.Errorf("unknown policy value %q", t)
 	}
@@ -124,6 +148,8 @@ func (p Policy) MarshalText() ([]byte, error) {
 		return []byte("ALLOWLIST"), nil
 	case AllowlistCompiler:
 		return []byte("ALLOWLIST_COMPILER"), nil
+	case Remove:
+		return []byte("REMOVE"), nil
 	default:
 		return nil, errors.Errorf("unknown policy %d", p)
 	}

santa/santa_test.go

@@ -16,6 +16,18 @@ func TestConfigMarshalUnmarshal(t *testing.T) {
 		t.Errorf("have client_mode %d, want %d\n", have, want)
 	}
 
+	if have, want := conf.CleanSync, true; have != want {
+		t.Errorf("have clean_sync %t, want %t\n", have, want)
+	}
+
+	if have, want := conf.FullSyncInterval, 600; have != want {
+		t.Errorf("have full_sync_interval %d, want %d\n", have, want)
+	}
+
+	if have, want := conf.Rules[0].Identifier, "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda"; have != want {
+		t.Errorf("have identifier %s, want %s\n", have, want)
+	}
+
 	if have, want := conf.Rules[0].RuleType, Binary; have != want {
 		t.Errorf("have rule_type %d, want %d\n", have, want)
 	}
@@ -24,6 +36,14 @@ func TestConfigMarshalUnmarshal(t *testing.T) {
 		t.Errorf("have rule_type %d, want %d\n", have, want)
 	}
 
+	if have, want := conf.Rules[2].RuleType, TeamID; have != want {
+		t.Errorf("have rule_tpe %d, want %d\n", have, want)
+	}
+
+	if have, want := conf.Rules[3].RuleType, SigningID; have != want {
+		t.Errorf("have rule_type %d, want %d\n", have, want)
+	}
+
 	if have, want := conf.Rules[0].Policy, Blocklist; have != want {
 		t.Errorf("have policy %d, want %d\n", have, want)
 	}
@@ -32,10 +52,13 @@ func TestConfigMarshalUnmarshal(t *testing.T) {
 		t.Errorf("have policy %d, want %d\n", have, want)
 	}
 
-	if have, want := conf.Rules[2].Policy, AllowlistCompiler; have != want {
+	if have, want := conf.Rules[4].Policy, AllowlistCompiler; have != want {
 		t.Errorf("have policy %d, want %d\n", have, want)
 	}
 
+	if have, want := conf.Rules[5].Policy, Remove; have != want {
+		t.Errorf("have policy %d, want %d\n", have, want)
+	}
 }
 
 func testConfig(t *testing.T, path string, replace bool) Config {

santa/testdata/config_a_toml.golden

@@ -1,42 +1,62 @@
 client_mode = "LOCKDOWN"
-blocklist_regex = "^(?:/Users)/.*"
-allowlist_regex = "^(?:/Users)/.*"
+blocked_path_regex = "^(?:/Users)/.*"
+allowed_path_regex = "^(?:/Users)/.*"
 batch_size = 100
 enable_bundles = false
-enabled_transitive_allowlisting = true
+enable_transitive_rules = true
+clean_sync = true
+full_sync_interval = 600
 
 [[rules]]
   rule_type = "BINARY"
   policy = "BLOCKLIST"
-  sha256 = "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda"
+  identifier = "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda"
   custom_msg = "blocklist firefox"
 
 [[rules]]
   rule_type = "CERTIFICATE"
   policy = "ALLOWLIST"
-  sha256 = "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d"
-  custom_msg = "blocklist dash app certificate"
+  identifier = "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d"
+  custom_msg = "allowlist dash app certificate"
+
+[[rules]]
+  rule_type = "TEAMID"
+  policy = "ALLOWLIST"
+  identifier = "EQHXZ8M8AV"
+  custom_msg = "allow google team id"
+
+[[rules]]
+  rule_type = "SIGNINGID"
+  policy = "ALLOWLIST"
+  identifier = "EQHXZ8M8AV:com.google.Chrome"
+  custom_msg = "allow google chrome signing id"
 
 [[rules]]
   rule_type = "BINARY"
   policy = "ALLOWLIST_COMPILER"
-  sha256 = "60d79d1763fefb56716e4a36284300523eb4335c3726fb9070fa83074b02279e"
+  identifier = "60d79d1763fefb56716e4a36284300523eb4335c3726fb9070fa83074b02279e"
   custom_msg = "allowlist go compiler component"
 
+[[rules]]
+  rule_type = "BINARY"
+  policy = "REMOVE"
+  identifier = "50d79d1763fefb56716e4a36284300523eb4335c3726fb9070fa83074b02279e"
+  custom_msg = "remove allowlist of the go compiler component"
+
 [[rules]]
   rule_type = "BINARY"
   policy = "ALLOWLIST_COMPILER"
-  sha256 = "8e78770685d51324b78588fddc6afc2f8b6cef5231c27eeb97363cc437fec18a"
+  identifier = "8e78770685d51324b78588fddc6afc2f8b6cef5231c27eeb97363cc437fec18a"
   custom_msg = "allowlist go compiler component"
 
 [[rules]]
   rule_type = "BINARY"
   policy = "ALLOWLIST_COMPILER"
-  sha256 = "e88617cfd62809fb10e213c459a52f48e028fae4321e41134c4797465af886b6"
+  identifier = "e88617cfd62809fb10e213c459a52f48e028fae4321e41134c4797465af886b6"
   custom_msg = "allowlist go compiler component"
 
 [[rules]]
   rule_type = "BINARY"
   policy = "ALLOWLIST_COMPILER"
-  sha256 = "d867fca68bbd7db18e9ced231800e7535bc067852b1e530987bb7f57b5e3a02c"
+  identifier = "d867fca68bbd7db18e9ced231800e7535bc067852b1e530987bb7f57b5e3a02c"
   custom_msg = "allowlist go compiler component"