
moroz

Moroz is a server for the Santa project.

Santa is a binary allowlisting/blocklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

Santa is a project of Google's Macintosh Operations Team.

See this short video for a demo.

Configurations

Moroz uses TOML rule files to specify configuration for Santa. The path to the folder with the configurations can be specified with -configs /path/to/configs.

Moroz expects a global.toml file which contains a list of rules. The global config can be overridden by providing a machine-specific config. To do so, name the file for each host with the Santa machine id configuration parameter. By default, this is the hardware UUID of the Mac.

Below is a sample configuration file:

client_mode = "MONITOR"
#blocklist_regex = "^(?:/Users)/.*"
#allowlist_regex = "^(?:/Users)/.*"
batch_size = 100

[[rules]]
rule_type = "BINARY"
policy = "BLOCKLIST"
sha256 = "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda"
custom_msg = "blocklist firefox"

[[rules]]
rule_type = "CERTIFICATE"
policy = "BLOCKLIST"
sha256 = "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d"
custom_msg = "blocklist dash app certificate"

[[rules]]
rule_type = "TEAMID"
policy = "ALLOWLIST"
identifier = "EQHXZ8M8AV"
custom_msg = "allow google team id"

[[rules]]
rule_type = "SIGNINGID"
policy = "ALLOWLIST"
identifier = "EQHXZ8M8AV:com.google.Chrome"
custom_msg = "allow google chrome signing id"

Creating rules

Acceptable values for client mode:

MONITOR | LOCKDOWN

Values for rule_type:

BINARY | CERTIFICATE | TEAMID | SIGNINGID

Values for policy:

BLOCKLIST | ALLOWLIST | ALLOWLIST_COMPILER | REMOVE

Use the santactl command to get the sha256 value:

santactl fileinfo /Applications/Firefox.app
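As an added example (not moroz's own config loader), the Go program below decodes the rule-file subset shown above and validates it against the value sets just listed: client_mode must be MONITOR or LOCKDOWN, a BINARY or CERTIFICATE rule must carry a 64-hex-character sha256 (the form santactl fileinfo prints), and a TEAMID or SIGNINGID rule must carry an identifier. It also rejects a key repeated inside one table, which the TOML spec requires, so a file with two blocklist_regex lines in the top-level table fails to decode instead of silently keeping one of them. ParseConfig, Validate and the sample constant are names introduced here; the sample is constructed and reuses the Firefox hash from the README.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is one [[rules]] table; Config is one whole moroz rule file.
type Rule struct{ RuleType, Policy, SHA256, Identifier, CustomMsg string }
type Config struct {
	ClientMode, BlocklistRegex, AllowlistRegex string
	BatchSize                                  int
	Rules                                      []Rule
}

var ( // accepted values, as listed under "Creating rules"
	clientModes = map[string]bool{"MONITOR": true, "LOCKDOWN": true}
	ruleTypes   = map[string]bool{"BINARY": true, "CERTIFICATE": true, "TEAMID": true, "SIGNINGID": true}
	policies    = map[string]bool{"BLOCKLIST": true, "ALLOWLIST": true, "ALLOWLIST_COMPILER": true, "REMOVE": true}
	sha256Hex   = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)
)

// ParseConfig decodes the TOML subset moroz rule files use: `key = value` lines with a
// basic string or integer, `[[rules]]` headers and `#` comments. A key repeated inside
// one table is rejected, as the TOML spec requires (a full decoder fails the same way).
func ParseConfig(src string) (*Config, error) {
	cfg, ri, seen := &Config{}, -1, map[string]bool{} // ri: rule being filled, -1 = top-level table
	for i, l := range strings.Split(src, "\n") {
		n, line := i+1, strings.TrimSpace(l)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if line == "[[rules]]" {
			cfg.Rules = append(cfg.Rules, Rule{})
			ri, seen = len(cfg.Rules)-1, map[string]bool{}
			continue
		}
		key, raw, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: expected key = value", n)
		}
		key, val := strings.TrimSpace(key), strings.TrimSpace(raw)
		if seen[key] {
			return nil, fmt.Errorf("line %d: duplicate key %q", n, key)
		}
		seen[key] = true
		if len(val) >= 2 && val[0] == '"' && val[len(val)-1] == '"' {
			val = val[1 : len(val)-1] // basic string; backslash escapes are left as written
		}
		fields := map[string]*string{"client_mode": &cfg.ClientMode,
			"blocklist_regex": &cfg.BlocklistRegex, "allowlist_regex": &cfg.AllowlistRegex}
		if ri >= 0 {
			r := &cfg.Rules[ri]
			fields = map[string]*string{"rule_type": &r.RuleType, "policy": &r.Policy,
				"sha256": &r.SHA256, "identifier": &r.Identifier, "custom_msg": &r.CustomMsg}
		}
		if p := fields[key]; p != nil {
			*p = val
		} else if ri < 0 && key == "batch_size" {
			if _, err := fmt.Sscan(val, &cfg.BatchSize); err != nil {
				return nil, fmt.Errorf("line %d: batch_size must be an integer", n)
			}
		} // any other key is kept undecoded, as a lenient TOML decoder would
	}
	return cfg, nil
}

// Validate checks values against the accepted sets and the field each rule type needs:
// a sha256 for BINARY/CERTIFICATE, an identifier for TEAMID/SIGNINGID.
func (c *Config) Validate() error {
	if !clientModes[c.ClientMode] {
		return fmt.Errorf("client_mode %q: want MONITOR or LOCKDOWN", c.ClientMode)
	}
	for i, r := range c.Rules {
		byHash := r.RuleType == "BINARY" || r.RuleType == "CERTIFICATE"
		switch {
		case !ruleTypes[r.RuleType]:
			return fmt.Errorf("rule %d: bad rule_type %q", i+1, r.RuleType)
		case !policies[r.Policy]:
			return fmt.Errorf("rule %d: bad policy %q", i+1, r.Policy)
		case byHash && !sha256Hex.MatchString(r.SHA256):
			return fmt.Errorf("rule %d: %s rule needs a 64-hex-char sha256", i+1, r.RuleType)
		case !byHash && r.Identifier == "":
			return fmt.Errorf("rule %d: %s rule needs an identifier", i+1, r.RuleType)
		}
	}
	return nil
}

const sample = "client_mode = \"MONITOR\"\nbatch_size = 100\n\n[[rules]]\nrule_type = \"BINARY\"\npolicy = \"BLOCKLIST\"\n" + // constructed file reusing the README's Firefox rule
	"sha256 = \"2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda\"\ncustom_msg = \"blocklist firefox\"\n"

func main() {
	cfg, err := ParseConfig(sample)
	if err == nil {
		err = cfg.Validate()
	}
	fmt.Println("decode and validate:", err) // <nil> for the sample
}
```

Run it with go run. The decoder only recognises the keys used in the sample config above; unknown keys are kept undecoded, while a duplicated key or a non-integer batch_size is a hard error, which is the behaviour a practitioner should expect from the real TOML decode as well.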

Build

The commands below assume you have $GOPATH/bin in your path.

cd cmd/moroz; go build

Run

moroz

See moroz -h for a full list of options.

Usage of moroz:
  -configs string
    	path to config folder (default "../../configs")
  -event-logfile string
    	path to file for saving uploaded events (default "/tmp/santa_events")
  -persist-events
    	enable writing events to disk (default true)
  -http-addr string
    	http address ex: -http-addr=:8080 (default ":8080")
  -tls-cert string
    	path to TLS certificate (default "server.crt")
  -tls-key string
    	path to TLS private key (default "server.key")
  -version
    	print version information

Quickstart

Download the moroz binary from the Releases page. Copy the configs folder from the repo somewhere locally. It must have the global.toml file.

Generate a self-signed certificate which will be used by Santa clients and the server for communication.

./tools/dev/certificate/create

Add the Santa CN to your hosts file.

echo "127.0.0.1 santa" | sudo tee -a /etc/hosts

Add the self-signed cert to your system roots.

./tools/dev/certificate/add-trusted-cert
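The create script above is not reproduced on this page. As an added example (not the project's tool), the Go program below produces the server.crt and server.key pair that moroz reads by default (-tls-cert / -tls-key) and checks the properties macOS requires of a TLS server certificate before a Santa client will complete the handshake: the host name must be present as a subjectAltName DNS entry (a CN-only certificate is no longer trusted), the serverAuth extended key usage must be set, and the validity period may not exceed 825 days. The host name santa and the 365-day lifetime are assumptions matching the Quickstart's hosts entry; NewServerCert and CheckServerCert are names introduced here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

const day = 24 * time.Hour

// maxServerCertLife is the longest validity macOS accepts for a TLS server
// certificate (825 days, Apple's requirement since macOS 10.15).
const maxServerCertLife = 825 * day

// NewServerCert issues a self-signed TLS server certificate for host, the name
// Santa clients connect to (santa in the Quickstart). The name goes into
// subjectAltName as well as the CN: macOS no longer trusts a CN-only
// certificate, which shows up on the client as a TLS handshake failure.
func NewServerCert(host string, validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits is the macOS minimum
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             now.Add(-time.Hour), // tolerate client clock skew
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // SHA-256 signature by default
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// CheckServerCert applies the checks macOS trust evaluation makes on a TLS server
// certificate: host listed in subjectAltName, serverAuth extended key usage
// present, and a validity window of at most 825 days.
func CheckServerCert(certPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("no PEM certificate block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if err := cert.VerifyHostname(host); err != nil { // matches SAN entries only
		return fmt.Errorf("%s not in subjectAltName: %w", host, err)
	}
	serverAuth := false
	for _, u := range cert.ExtKeyUsage {
		serverAuth = serverAuth || u == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		return fmt.Errorf("certificate lacks the serverAuth extended key usage")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxServerCertLife {
		return fmt.Errorf("validity period exceeds 825 days")
	}
	return nil
}

// main writes server.crt and server.key, the file names moroz reads by default
// (-tls-cert / -tls-key), with the private key readable only by its owner.
func main() {
	certPEM, keyPEM, err := NewServerCert("santa", 365*day)
	if err == nil {
		err = CheckServerCert(certPEM, "santa")
	}
	if err == nil {
		err = os.WriteFile("server.key", keyPEM, 0o600)
	}
	if err == nil {
		err = os.WriteFile("server.crt", certPEM, 0o644)
	}
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
}
```

Run it in the directory you start moroz from, then add server.crt to the system roots as the next step describes. CheckServerCert is also a quick way to inspect a certificate produced by another tool: a file that fails the subjectAltName check is the usual cause of a client-side TLS handshake error against a self-signed sync server.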

Install Santa:

The latest version of Santa is available on the GitHub repo page: https://github.com/google/santa/releases

Configure Santa:

You will need to provide the SyncBaseURL settings. See the Santa repo for a complete guide on all the client configuration options.

Start moroz:

Assumes you have the ./server.crt and ./server.key files.

moroz -configs /path/to/configs/folder

moroz icon by Souvik Bhattacharjee from the Noun Project.

moroz's People

Contributors

adunham-stripe, bfreezy, brandonfriess-stripe, cliffstone, csv-stripe, groob, michael-myers, peterlewis, pmarkowsky


moroz's Issues

Log Management

Hey! I've been trying to get moroz to output data that promtail will be able to interpret and use for logs in Grafana, but the only way I've found so far is to make moroz's output to append to a file and then let promtail tail that file.

Has anyone found any other better way of managing logs? I'm open to other services as well

Thanks for this project!

clean sync doesn't seem to be working in the newest version.

I created a machine specific .toml file and I can see there is an extra line in the debug when I set clean_sync = true in the machinename.toml file. However, when I remove an entire ruleset from my toml file, the subsequent sync doesn't allow the app that was previously blocked to run. This makes me believe that the blacklist rule definition is still in the database.

sudo santactl sync --clean --debug
Clean sync requested by user
Server Trust: /O=(null)/OU=(null)/CN=santa/SHA-1=
Preflight complete
Uploaded 4 events
Event upload complete
Added 1 rules
Rule download complete
Postflight complete
Sync completed successfully

Escaping characters

Escaping characters for use in regex does work properly.

Regex in TOML: (matches every app bundle inside a user dir except admin's)

blacklist_regex = "^(?:/Users)/(?!admin/).+\.app.*"

Alternatives I tried (based on the TOML reference)

blacklist_regex = "^(?:/Users)/(?!admin/).+\\.app.*"
blacklist_regex = "^(?:/Users)/(?!admin/).+\u005C.app.*"
blacklist_regex = '^(?:/Users)/(?!admin/).+\.app.*'

After sync to client (read via "defaults read /var/db/santa/sync-state.plist BlacklistRegex"):

"^(?:/Users)/(?!admin/).+\\\\.app.*"

Missing upload_logs_url endpoint

In the preflight response, if you specify an upload_logs_url key, santa will send logs as a multipart file to that URL.

We should support that option.

Request: Machine ID should overwrite global.toml

My expected behavior is that a workstation uses global.toml and then applies differences from a specific machine.toml file. A nice enhancement would be to have the global.toml file with all base settings, then 'override' just certain entries with a machine.toml file.

Missing TLS certificate, but it isn't

I'm trying to set up a Moroz Sync Server on Ubuntu Server on an AWS EC2 Machine.
I am constantly getting the following error:

"Looks like you're missing a TLS certificate and private key..."

But actually I don't. I created the certificate and the key as shown in the readme. Adding it via
./tools/dev/certificate/add-trusted-cert
did not work, so I added it manually to the root certificates, which worked. But it still shows me the message from above.

I also tried adding the certificate's path to moroz by
./moroz -tls-cert string path to TLS certificate (default "server.crt")

but it always gives back the following message

{"caller":"logutil.go:15","err":"open server.key: no such file or directory","msg":"terminated","severity":"info","ts":"2020-10-22T13:45:58.166935577Z"}

Can anybody help?

Fighting with other Resources on the server

I set up my Moroz instance on a server that I already had. (It's a Foreman/Puppet server.) I didn't think it would really have any problems because moroz seems to be a 'Santa' TCP listener.

But Moroz seems to be competing with Foreman for resources on the server, and it slowly escalates until the server is maxed out.

My current load is load average: 0.13, 0.32, 1.00, but when I woke up this morning the server was rocking 44.00 across the board. Had to kill a few services and restart them.

I know this is an environment issue, but is there any way to cap the resources that Moroz is trying to use?

add tests

the lack of tests in this project is unfortunate.

Add Multiple Whitelist rules to global.toml

What's the best way to add multiple Whitelisting or Blacklisting Rules?

I would like to add multiple things such as:

whitelist_regex = "^(?:/Users)/.*/.rbenv/.*"
whitelist_regex = "^/usr/local/Homebrew/.*"

As soon as I add the second whitelist_regex rule the server is unable to start:

2020/04/10 12:56:48 failed to decode global.toml, skipping
2020/04/10 12:56:48 configuration not found

event file is the same for every host

Right now the -event-logfile path is global. Unfortunately the machineID is not part of the JSON object sent to the /eventupload endpoint, so the endpoint ends up with undifferentiated events for every host that reports in.

We should either add the machine id to the events object, or create a separate event file for every machine id.

Other ideas welcome.

Santa Sync Error

When trying to sync Santa it gives me the following error:

Missing Machine Owner.
2020-02-27 10:35:11.119 santactl[9717:403678] -[NSNull countByEnumeratingWithState:objects:count:]: unrecognized selector sent to instance 0x7fff9053a9d0
2020-02-27 10:35:11.120 santactl[9717:403678] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[NSNull countByEnumeratingWithState:objects:count:]: unrecognized selector sent to instance 0x7fff9053a9d0'
*** First throw call stack:
(
	0   CoreFoundation                      0x00007fff379628ab __exceptionPreprocess + 250
	1   libobjc.A.dylib                     0x00007fff6da83805 objc_exception_throw + 48
	2   CoreFoundation                      0x00007fff379e1b61 -[NSObject(NSObject) __retain_OA] + 0
	3   CoreFoundation                      0x00007fff378c6adf ___forwarding___ + 1427
	4   CoreFoundation                      0x00007fff378c64b8 _CF_forwarding_prep_0 + 120
	5   santactl                            0x000000010e8edcf1 -[SNTCommandSyncRuleDownload downloadNewRulesFromServer] + 536
	6   santactl                            0x000000010e8ed5cb -[SNTCommandSyncRuleDownload sync] + 36
	7   santactl                            0x000000010e8eacb8 -[SNTCommandSyncManager ruleDownloadWithSyncState:] + 79
	8   santactl                            0x000000010e8eac13 -[SNTCommandSyncManager eventUploadWithSyncState:] + 131
	9   santactl                            0x000000010e8eaa96 -[SNTCommandSyncManager preflight] + 537
	10  santactl                            0x000000010e8e8e13 __59-[SNTCommandSyncManager initWithDaemonConnection:isDaemon:]_block_invoke + 217
	11  libdispatch.dylib                   0x00007fff6ed9850e _dispatch_client_callout + 8
	12  libdispatch.dylib                   0x00007fff6ed9a6c0 _dispatch_continuation_pop + 414
	13  libdispatch.dylib                   0x00007fff6edaa3c4 _dispatch_source_invoke + 2084
	14  libdispatch.dylib                   0x00007fff6eda67e2 _dispatch_root_queue_drain + 326
	15  libdispatch.dylib                   0x00007fff6eda6f22 _dispatch_worker_thread2 + 92
	16  libsystem_pthread.dylib             0x00007fff6eff26b6 _pthread_wqthread + 220
	17  libsystem_pthread.dylib             0x00007fff6eff1827 start_wqthread + 15
)
libc++abi.dylib: terminating with uncaught exception of type NSException
[1]    9715 abort      sudo santactl sync 

I have dropped the moroz files inside of /opt/moroz with the following files in it:

configs  logs  moroz-linux-amd64  server.crt  server.key  tmp

from here I launch the moroz server:

./moroz-linux-amd64 --configs ./configs 2>&1 &

My machine is a Centos 7 machine, bare bones. I get the message the server starts when I run the command. I can see that the server is running:

[root@satellite moroz]# pgrep -a moroz
5769 ./moroz-linux-amd64 --configs ./configs

Here is the stdout from my connection:

 2020/02/27 13:17:57 http: TLS handshake error from 10.10.1.200:57757: read tcp 10.2.128.2:8080->10.10.1.200:57757: read: connection reset by peer
method=Preflight error=null took=290.402592ms
method=EventUpload error=null took=62.722374ms
method=RuleDownload error=null took=343.737µs

TLS handshake error

Hi,

I am running the binary and every time I try a santactl sync I get this error.

http: TLS handshake error from XX EOF

I created the cert with the instructions:

openssl genrsa -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -sha256 -new -key server.key -out server.csr -subj "/CN=santa"
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
rm -f server.csr

Thanks,

clean_sync = true not working

Hi,

I have clean_sync = true in my global.toml file using moroz 1.1 in an ubuntu docker container but when I do a santactl sync everything looks like it works except the clean_required doesn't change to yes.

santactl status --json
{
"daemon" : {
"watchdog_ram_events" : 0,
"mode" : "Monitor",
"watchdog_cpu_events" : 0,
"driver_connected" : true,
"watchdog_ram_peak" : 25.609375,
"watchdog_cpu_peak" : 18.936816666666665,
"file_logging" : true
},
"database" : {
"transitive_rules" : 0,
"events_pending_upload" : 3,
"certificate_rules" : 5,
"compiler_rules" : 0,
"binary_rules" : 6
},
"sync" : {
"server" : "https://santa:8080/v1/santa/",
"last_successful_rule" : "2020/03/11 21:48:26 -0500",
"transitive_whitelisting" : false,
"clean_required" : false,
"push_notifications" : "Disconnected",
"last_successful_full" : "2020/03/11 21:48:26 -0500",
"bundle_scanning" : false
}
}

santactl version --json
{
"santa-driver" : "un-needed (SystemExtension being used)",
"santad" : "1.10",
"SantaGUI" : "1.10",
"santactl" : "1.10"
}
