groob / moroz
Moroz is a Santa server
License: MIT License
I'm trying to set up a Moroz Sync Server on Ubuntu Server on an AWS EC2 machine.
I am constantly getting the following error:
"Looks like you're missing a TLS certificate and private key..."
But actually I don't. I created the certificate and the key as shown in the readme. Adding it via
./tools/dev/certificate/add-trusted-cert
did not work, so I added it manually to the root certificates, which worked. But it still shows me the message from above.
I also tried adding the certificate's path to moroz by
./moroz -tls-cert string path to TLS certificate (default "server.crt")
but it always gives back the following message
{"caller":"logutil.go:15","err":"open server.key: no such file or directory","msg":"terminated","severity":"info","ts":"2020-10-22T13:45:58.166935577Z"}
Can anybody help?
This would be incredibly helpful for checking the status of a client and whether it is checking in when santactl sync is run.
In the preflight response, if you specify an upload_logs_url key, santa will send logs as a multipart file to that URL.
We should support that option.
Hey! I've been trying to get moroz to output data that promtail will be able to interpret and use for logs in Grafana, but the only way I've found so far is to make moroz's output append to a file and then let promtail tail that file.
Has anyone found any other better way of managing logs? I'm open to other services as well
Thanks for this project!
The lack of tests in this project is unfortunate.
I created a machine-specific .toml file and I can see there is an extra line in the debug output when I set clean_sync = true in the machinename.toml file. However, when I remove an entire ruleset from my toml file, the subsequent sync doesn't allow the app that was previously blocked to run. This makes me believe that the blacklist rule definition is still in the database.
sudo santactl sync --clean --debug
Clean sync requested by user
Server Trust: /O=(null)/OU=(null)/CN=santa/SHA-1=
Preflight complete
Uploaded 4 events
Event upload complete
Added 1 rules
Rule download complete
Postflight complete
Sync completed successfully
When trying to sync Santa it gives me the following error:
Missing Machine Owner.
2020-02-27 10:35:11.119 santactl[9717:403678] -[NSNull countByEnumeratingWithState:objects:count:]: unrecognized selector sent to instance 0x7fff9053a9d0
2020-02-27 10:35:11.120 santactl[9717:403678] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[NSNull countByEnumeratingWithState:objects:count:]: unrecognized selector sent to instance 0x7fff9053a9d0'
libc++abi.dylib: terminating with uncaught exception of type NSException
[1] 9715 abort sudo santactl sync
I have dropped the moroz files inside of /opt/moroz with the following files in it:
configs logs moroz-linux-amd64 server.crt server.key tmp
from here I launch the moroz server:
./moroz-linux-amd64 --configs ./configs 2>&1 &
My machine is a CentOS 7 machine, bare bones. I get the message that the server starts when I run the command. I can see that the server is running:
[root@satellite moroz]# pgrep -a moroz
5769 ./moroz-linux-amd64 --configs ./configs
Here is the stdout from my connection:
2020/02/27 13:17:57 http: TLS handshake error from 10.10.1.200:57757: read tcp 10.2.128.2:8080->10.10.1.200:57757: read: connection reset by peer
method=Preflight error=null took=290.402592ms
method=EventUpload error=null took=62.722374ms
method=RuleDownload error=null took=343.737µs
My expected behavior is that a workstation uses global.toml and then applies differences from a specific machine.toml file. A nice enhancement would be to have the global.toml file with all base settings, then 'override' just certain entries with a machine.toml file.
Moroz should support serving files and uploading events with a cloud storage provider like S3 and GCS.
The code from https://github.com/micromdm/squirrel/tree/master/storage can be used as a starting point.
For the writer, a folder structure like /santa/events/<machineid>/<year>/<month>/<day>/timestamp.json can be used.
Hi,
I am running the binary and every time I try a santactl sync I get this error:
http: TLS handshake error from XX EOF
I created the cert with the instructions:
openssl genrsa -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -sha256 -new -key server.key -out server.csr -subj "/CN=santa"
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
rm -f server.csr
Thanks,
Escaping characters for use in regex does work properly.
Regex in TOML (matches every app bundle inside a user dir except admin's):
blacklist_regex = "^(?:/Users)/(?!admin/).+\.app.*"
Alternatives I tried (based on the TOML reference):
blacklist_regex = "^(?:/Users)/(?!admin/).+\\.app.*"
blacklist_regex = "^(?:/Users)/(?!admin/).+\u005C.app.*"
blacklist_regex = '^(?:/Users)/(?!admin/).+\.app.*'
After sync to client (read via "defaults read /var/db/santa/sync-state.plist BlacklistRegex"):
"^(?:/Users)/(?!admin/).+\\\\.app.*"
What's the best way to add multiple whitelisting or blacklisting rules?
I would like to add multiple things such as:
whitelist_regex = "^(?:/Users)/.*/.rbenv/.*"
whitelist_regex = "^/usr/local/Homebrew/.*"
As soon as I add the second whitelist_regex rule, the server is unable to start:
2020/04/10 12:56:48 failed to decode global.toml, skipping
2020/04/10 12:56:48 configuration not found
I set up my Moroz instance on a server that I already had. (It's a Foreman/Puppet server.) I didn't think it would really have any problems because moroz seems to be a 'Santa' TCP listener.
But Moroz seems to be competing with Foreman for resources on the server, and it slowly escalates until the server is maxed out.
My current load is "load average: 0.13, 0.32, 1.00", but when I woke up this morning the server was rocking 44.00 across the board. I had to kill a few services and restart them.
I know this is an environment issue, but is there any way to cap the resources that Moroz is trying to use?
Right now the -event-logfile path is global. Unfortunately the machineID is not part of the JSON object sent to the /eventupload endpoint, so the endpoint ends up with undifferentiated events for every host that reports in.
We should either add the machine id to the events object, or create a separate event file for every machine id.
Other ideas welcome.
Hi,
I have clean_sync = true in my global.toml file using moroz 1.1 in an Ubuntu docker container, but when I do a santactl sync everything looks like it works except the clean_required doesn't change to yes.
santactl status --json
{
"daemon" : {
"watchdog_ram_events" : 0,
"mode" : "Monitor",
"watchdog_cpu_events" : 0,
"driver_connected" : true,
"watchdog_ram_peak" : 25.609375,
"watchdog_cpu_peak" : 18.936816666666665,
"file_logging" : true
},
"database" : {
"transitive_rules" : 0,
"events_pending_upload" : 3,
"certificate_rules" : 5,
"compiler_rules" : 0,
"binary_rules" : 6
},
"sync" : {
"server" : "https://santa:8080/v1/santa/",
"last_successful_rule" : "2020/03/11 21:48:26 -0500",
"transitive_whitelisting" : false,
"clean_required" : false,
"push_notifications" : "Disconnected",
"last_successful_full" : "2020/03/11 21:48:26 -0500",
"bundle_scanning" : false
}
}
santactl version --json
{
"santa-driver" : "un-needed (SystemExtension being used)",
"santad" : "1.10",
"SantaGUI" : "1.10",
"santactl" : "1.10"
}
Here we try to load a config by MachineID and if that fails, we use a cached global config (line 65 in ece124d).
Changing that line to config, _ = svc.repo.Config("global") would be a sufficient fix for now.
In the future we can look at fsnotify to reload configs.
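A sketch of the lookup the issue describes, added here as an example and not moroz's own code: a FileRepo that re-reads <id>.toml from disk on every call (so an edited global.toml reaches the next sync without a restart), a per-machine lookup that falls back to "global", and a constructed key = value reader standing in for a real TOML decoder. The Config struct's fields are an assumed, trimmed-down shape.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// Config is an assumed, trimmed-down shape of a moroz preflight config.
type Config struct {
	ClientMode     string
	BlacklistRegex string
	CleanSync      bool
}

// FileRepo reads "<Dir>/<id>.toml" on every call, so an edited global.toml
// reaches the next sync without a server restart (no startup cache).
type FileRepo struct{ Dir string }

// Config parses flat `key = "value"` / `key = true` lines only; it is a
// constructed stand-in for a real TOML decoder, not one. A line without
// "=" yields k == line and v == "", which matches no case and is skipped.
func (r FileRepo) Config(id string) (Config, error) {
	data, err := os.ReadFile(filepath.Join(r.Dir, id+".toml"))
	if err != nil {
		return Config{}, err
	}
	var c Config
	for _, line := range strings.Split(string(data), "\n") {
		k, v, _ := strings.Cut(line, "=")
		k, v = strings.TrimSpace(k), strings.Trim(strings.TrimSpace(v), `"`)
		switch k {
		case "client_mode":
			c.ClientMode = v
		case "blacklist_regex":
			c.BlacklistRegex = v
		case "clean_sync":
			c.CleanSync = v == "true"
		}
	}
	return c, nil
}

// ConfigFor is the lookup the issue describes: the machine-specific file
// first, then global.toml read fresh from disk rather than a startup copy.
func ConfigFor(repo FileRepo, machineID string) (Config, error) {
	if c, err := repo.Config(machineID); err == nil {
		return c, nil
	}
	return repo.Config("global") // an error here is the "configuration not found" case
}
```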
Hi.
When a rule is deleted from the toml, a Santa sync does not remove the rule from the Santa DB.
Thanks!