**Describe the bug**

Rudolph does not appear to handle multiple allowed path regexes.

**To Reproduce**

Our machine is running Santa in lockdown mode, managed by Rudolph. There are no allowlisted paths.

We have created the following two binaries for testing purposes:

Both of these binaries are blocked with the machine's current configuration.
```
❯ santactl fileinfo /Users/sbenson/santa-testing-failure/a/Wireshark.app
Path               : /Users/sbenson/santa-testing-failure/a/Wireshark.app/Contents/MacOS/Wireshark
SHA-256            : 04d463dfa079d6d15f02c949f1226780714905ab92ccbc6f42e8085b692abca5
SHA-1              : 8c7b4858523c807fc32a75d6b14e04799cbff552
Bundle Version     : 4.2.5
Bundle Version Str : 4.2.5
Team ID            : 7Z6EMTD2C6
Signing ID         : 7Z6EMTD2C6:org.wireshark.Wireshark
CDHash             : 922c0c1ac827f7769724b1806110dd3800504059
Type               : Executable (arm64)
Code-signed        : Yes
Rule               : Blocked (Unknown)
Signing Chain:
    1. SHA-256             : 11fe46f34c2d2274741b5b87edfaec78568487985a57fd7001b2ccea4dc86ab8
       SHA-1               : 1fca796d215bd0212aee5ec227bae97d0b1cd2c6
       Common Name         : Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)
       Organization        : Wireshark Foundation
       Organizational Unit : 7Z6EMTD2C6
       Valid From          : 2023/09/19 18:03:06 -0700
       Valid Until         : 2027/02/01 14:12:15 -0800
    2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
       Common Name         : Developer ID Certification Authority
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2012/02/01 14:12:15 -0800
       Valid Until         : 2027/02/01 14:12:15 -0800
    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
       Common Name         : Apple Root CA
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2006/04/25 14:40:36 -0700
       Valid Until         : 2035/02/09 13:40:36 -0800
❯ santactl fileinfo /Users/sbenson/santa-testing-failure/b/Wireshark.app
Path               : /Users/sbenson/santa-testing-failure/b/Wireshark.app/Contents/MacOS/Wireshark
SHA-256            : 04d463dfa079d6d15f02c949f1226780714905ab92ccbc6f42e8085b692abca5
SHA-1              : 8c7b4858523c807fc32a75d6b14e04799cbff552
Bundle Version     : 4.2.5
Bundle Version Str : 4.2.5
Team ID            : 7Z6EMTD2C6
Signing ID         : 7Z6EMTD2C6:org.wireshark.Wireshark
CDHash             : 922c0c1ac827f7769724b1806110dd3800504059
Type               : Executable (arm64)
Code-signed        : Yes
Rule               : Blocked (Unknown)
Signing Chain:
    1. SHA-256             : 11fe46f34c2d2274741b5b87edfaec78568487985a57fd7001b2ccea4dc86ab8
       SHA-1               : 1fca796d215bd0212aee5ec227bae97d0b1cd2c6
       Common Name         : Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)
       Organization        : Wireshark Foundation
       Organizational Unit : 7Z6EMTD2C6
       Valid From          : 2023/09/19 18:03:06 -0700
       Valid Until         : 2027/02/01 14:12:15 -0800
    2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
       Common Name         : Developer ID Certification Authority
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2012/02/01 14:12:15 -0800
       Valid Until         : 2027/02/01 14:12:15 -0800
    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
       Common Name         : Apple Root CA
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2006/04/25 14:40:36 -0700
       Valid Until         : 2035/02/09 13:40:36 -0800
```
We can pass a single path regex to change the result of Blocked to Allowed:
```
❯ ./rudolph config set -m 151D92F9-9924-5A5C-B591-5DC04A4F988C -c lockdown -a "/Users/sbenson/santa-testing-failure/a/"
Setting the following configuration
Config Setting
MachineID: 151D92F9-9924-5A5C-B591-5DC04A4F988C
ClientMode: 2 -->( LOCKDOWN )
BlockedPathRegex: " "
AllowedPathRegex: " /Users/sbenson/santa-testing-failure/a/ "
BatchSize: 50
BundlesEnabled: false
EnabledTransitiveRules: false
CleanSync: false
FullSyncInterval: 600
UploadLogUrl: " "
Apply changes? (Enter: "yes" or "ok")
> yes
Sending the configuration to DynamoDB...
Success! Configuration was sent properly to DynamoDB...
❯ santactl fileinfo /Users/sbenson/santa-testing-failure/a/Wireshark.app
Path               : /Users/sbenson/santa-testing-failure/a/Wireshark.app/Contents/MacOS/Wireshark
SHA-256            : 04d463dfa079d6d15f02c949f1226780714905ab92ccbc6f42e8085b692abca5
SHA-1              : 8c7b4858523c807fc32a75d6b14e04799cbff552
Bundle Version     : 4.2.5
Bundle Version Str : 4.2.5
Team ID            : 7Z6EMTD2C6
Signing ID         : 7Z6EMTD2C6:org.wireshark.Wireshark
CDHash             : 922c0c1ac827f7769724b1806110dd3800504059
Type               : Executable (arm64)
Code-signed        : Yes
Rule               : Allowed (Scope)
Signing Chain:
    1. SHA-256             : 11fe46f34c2d2274741b5b87edfaec78568487985a57fd7001b2ccea4dc86ab8
       SHA-1               : 1fca796d215bd0212aee5ec227bae97d0b1cd2c6
       Common Name         : Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)
       Organization        : Wireshark Foundation
       Organizational Unit : 7Z6EMTD2C6
       Valid From          : 2023/09/19 18:03:06 -0700
       Valid Until         : 2027/02/01 14:12:15 -0800
    2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
       Common Name         : Developer ID Certification Authority
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2012/02/01 14:12:15 -0800
       Valid Until         : 2027/02/01 14:12:15 -0800
    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
       Common Name         : Apple Root CA
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2006/04/25 14:40:36 -0700
       Valid Until         : 2035/02/09 13:40:36 -0800
```
However, while rudolph's help message states that it supports multiple paths in a comma-separated list, we have not been able to get rudolph to successfully accept multiple paths.
```
❯ ./rudolph config set -h
Create a configuration and set globally or a specific machine UUID

Usage:
  rudolph config set [-m <machine-id>|--global] [-c <ClientMode - 'monitor' or 'lockdown'>|--client-mode] [flags]

Flags:
  -a, --allowed-paths string   A comma separated list of regex paths to be allowed
```
```
❯ ./rudolph config set -m 151D92F9-9924-5A5C-B591-5DC04A4F988C -c lockdown -a "/Users/sbenson/santa-testing-failure/a/,/Users/sbenson/santa-testing-failure/b/"
Setting the following configuration
Config Setting
MachineID: 151D92F9-9924-5A5C-B591-5DC04A4F988C
ClientMode: 2 -->( LOCKDOWN )
BlockedPathRegex: " "
AllowedPathRegex: " /Users/sbenson/santa-testing-failure/a/,/Users/sbenson/santa-testing-failure/b/ "
BatchSize: 50
BundlesEnabled: false
EnabledTransitiveRules: false
CleanSync: false
FullSyncInterval: 600
UploadLogUrl: " "
Apply changes? (Enter: "yes" or "ok")
> yes
Sending the configuration to DynamoDB...
Success! Configuration was sent properly to DynamoDB...
❯ santactl fileinfo /Users/sbenson/santa-testing-failure/a/Wireshark.app
Path               : /Users/sbenson/santa-testing-failure/a/Wireshark.app/Contents/MacOS/Wireshark
SHA-256            : 04d463dfa079d6d15f02c949f1226780714905ab92ccbc6f42e8085b692abca5
SHA-1              : 8c7b4858523c807fc32a75d6b14e04799cbff552
Bundle Version     : 4.2.5
Bundle Version Str : 4.2.5
Team ID            : 7Z6EMTD2C6
Signing ID         : 7Z6EMTD2C6:org.wireshark.Wireshark
CDHash             : 922c0c1ac827f7769724b1806110dd3800504059
Type               : Executable (arm64)
Code-signed        : Yes
Rule               : Blocked (Unknown)
Signing Chain:
    1. SHA-256             : 11fe46f34c2d2274741b5b87edfaec78568487985a57fd7001b2ccea4dc86ab8
       SHA-1               : 1fca796d215bd0212aee5ec227bae97d0b1cd2c6
       Common Name         : Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)
       Organization        : Wireshark Foundation
       Organizational Unit : 7Z6EMTD2C6
       Valid From          : 2023/09/19 18:03:06 -0700
       Valid Until         : 2027/02/01 14:12:15 -0800
    2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
       Common Name         : Developer ID Certification Authority
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2012/02/01 14:12:15 -0800
       Valid Until         : 2027/02/01 14:12:15 -0800
    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
       Common Name         : Apple Root CA
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2006/04/25 14:40:36 -0700
       Valid Until         : 2035/02/09 13:40:36 -0800
❯ santactl fileinfo /Users/sbenson/santa-testing-failure/b/Wireshark.app
Path               : /Users/sbenson/santa-testing-failure/b/Wireshark.app/Contents/MacOS/Wireshark
SHA-256            : 04d463dfa079d6d15f02c949f1226780714905ab92ccbc6f42e8085b692abca5
SHA-1              : 8c7b4858523c807fc32a75d6b14e04799cbff552
Bundle Version     : 4.2.5
Bundle Version Str : 4.2.5
Team ID            : 7Z6EMTD2C6
Signing ID         : 7Z6EMTD2C6:org.wireshark.Wireshark
CDHash             : 922c0c1ac827f7769724b1806110dd3800504059
Type               : Executable (arm64)
Code-signed        : Yes
Rule               : Blocked (Unknown)
Signing Chain:
    1. SHA-256             : 11fe46f34c2d2274741b5b87edfaec78568487985a57fd7001b2ccea4dc86ab8
       SHA-1               : 1fca796d215bd0212aee5ec227bae97d0b1cd2c6
       Common Name         : Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)
       Organization        : Wireshark Foundation
       Organizational Unit : 7Z6EMTD2C6
       Valid From          : 2023/09/19 18:03:06 -0700
       Valid Until         : 2027/02/01 14:12:15 -0800
    2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
       Common Name         : Developer ID Certification Authority
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2012/02/01 14:12:15 -0800
       Valid Until         : 2027/02/01 14:12:15 -0800
    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
       Common Name         : Apple Root CA
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2006/04/25 14:40:36 -0700
       Valid Until         : 2035/02/09 13:40:36 -0800
```
I have tried multiple values for the comma-separated list of regex paths to be allowed, but none of them have been successful in allowing both binaries.
**Expected behavior**

I would expect that when we pass multiple allowlist path regexes in a comma-separated list, binaries within those paths would be allowed.

**Screenshots**

Available by request.

**Environment:**

- Deployment OS Version: Linux (unsure of specifics)
- Terraform Version: 1.8.0
- Golang version: 1.22
- aws-cli version: aws-cli/2.16.10
- rudolph version: development

**Additional context**

We have had success using these allowlist path regexes with the local Santa config. We just want to manage them using Rudolph.

I performed `santactl sync` after any `./rudolph config set` commands. I withheld the command and the output from the reproduction steps above, just to keep things cleaner.
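An added illustration of the behaviour reported above; it is not part of the issue, of Rudolph or of Santa. Santa's `AllowedPathRegex` is a single regex string, so a value that reaches the client with a literal comma in it can only match a path that itself contains that comma, which neither test binary does. The Go below assumes that the string shown under `AllowedPathRegex` in the "Config Setting" output is what the client receives unchanged, and that Go's RE2 engine agrees with Santa's regex engine on patterns this simple. `Allowed` and `JoinAsAlternation` are hypothetical helpers written for this example, not Rudolph functions; the two paths are the ones from the `santactl fileinfo` output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The two test binaries from the santactl fileinfo output in the issue.
var testBinaries = []string{
	"/Users/sbenson/santa-testing-failure/a/Wireshark.app/Contents/MacOS/Wireshark",
	"/Users/sbenson/santa-testing-failure/b/Wireshark.app/Contents/MacOS/Wireshark",
}

// Allowed returns the paths that a given AllowedPathRegex value would match.
// Assumption: Santa evaluates this key as one regex string, and a matching
// path is what santactl fileinfo reports as "Allowed (Scope)". Go's RE2
// stands in for Santa's regex engine here. An empty or whitespace-only value
// is treated as "no allowed paths" rather than as a regex that matches every
// path, which is the safe reading for an allowlist.
func Allowed(allowedPathRegex string, paths []string) ([]string, error) {
	pattern := strings.TrimSpace(allowedPathRegex)
	matched := []string{}
	if pattern == "" {
		return matched, nil
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	for _, p := range paths {
		if re.MatchString(p) {
			matched = append(matched, p)
		}
	}
	return matched, nil
}

// JoinAsAlternation collapses a comma-separated list of path regexes into a
// single alternation, which is what a one-string AllowedPathRegex needs in
// order to cover several directories. Each entry is wrapped in a
// non-capturing group so an entry containing its own "|" cannot bleed into
// its neighbours. Hypothetical helper, not a Rudolph function.
func JoinAsAlternation(csv string) string {
	var groups []string
	for _, p := range strings.Split(csv, ",") {
		if p = strings.TrimSpace(p); p != "" {
			groups = append(groups, "(?:"+p+")")
		}
	}
	return strings.Join(groups, "|")
}

func main() {
	csv := "/Users/sbenson/santa-testing-failure/a/,/Users/sbenson/santa-testing-failure/b/"

	// Exactly the string shown under AllowedPathRegex in the failing run:
	// the comma is a literal character, so neither binary's path matches.
	literal, _ := Allowed(csv, testBinaries)
	fmt.Printf("literal comma list matched %d of %d binaries\n", len(literal), len(testBinaries))

	// The same two directories expressed as one regex match both binaries.
	joined := JoinAsAlternation(csv)
	both, _ := Allowed(joined, testBinaries)
	fmt.Printf("alternation %q matched %d of %d binaries\n", joined, len(both), len(testBinaries))
}
```

The single-path value that worked in the issue is unanchored, and the alternation built here keeps it that way to mirror the page; in a real allowlist, prefixing each entry with `^` so it matches only from the start of the path keeps a directory such as `/tmp/x/Users/sbenson/santa-testing-failure/a/` from being swept in.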