northpolesec · mlw · Nov 12, 2024 · Aug 27, 2024 · Aug 28, 2024 · Sep 5, 2024
@@ -27,7 +27,7 @@ also known as mobileconfig files, which are in an Apple-specific XML format.
 | FileChangesRegex\*                 | String     | The regex of paths to log file changes. Regexes are specified in ICU format. |
 | AllowedPathRegex\*                 | String     | A regex to allow if the binary, certificate, or Team ID scopes did not allow/block execution.  Regexes are specified in ICU format. |
 | BlockedPathRegex\*                 | String     | A regex to block if the binary, certificate, or Team ID scopes did not allow/block an execution.  Regexes are specified in ICU format. |
-| FileChangesPrefixFilters           | Array      | Array of path prefix strings. When an event is logged, if the target path (e.g. the file being written/removed/etc ) matches a prefix it will not be loggged. |
+| FileChangesPrefixFilters           | Array      | Array of path prefix strings. When an event is logged, if the target path (e.g. the file being written/removed/etc ) matches a prefix it will not be logged. |
 | EnableBadSignatureProtection       | Bool       | If true, binaries with a bad signing chain will be blocked even in MONITOR mode, **unless** the binary is allowed by an explicit rule. Defaults to false. |
 | EnablePageZeroProtection           | Bool       | If true, 32-bit binaries that are missing the `__PAGEZERO` segment will be blocked even in MONITOR mode, **unless** the binary is allowed by an explicit rule. Defaults to true. |
 | EnableSilentMode                   | Bool       | If true, Santa will not post any GUI notifications. This can be a very confusing experience for users, use with caution. Defaults to false. |

@@ -40,7 +40,7 @@ To enable this feature, the `FileAccessPolicyPlist` key in the main [Santa confi
 | `TeamID`                      | `Processes`  | String     | No       | v2023.1+      | Team ID of the instigating process. |
 | `CertificateSha256`           | `Processes`  | String     | No       | v2023.1+      | SHA256 of the leaf certificate of the instigating process. |
 | `CDHash`                      | `Processes`  | String     | No       | v2023.1+      | CDHash of the instigating process. |
-| `SigningID`                   | `Processes`  | String     | No       | v2023.1+      | Signing ID of the instigating process. |
+| `SigningID`                   | `Processes`  | String     | No       | v2023.1+      | Signing ID of the instigating process. Note that unlike in binary authorization, the Signing ID for file access authorization is specified separately from the Team ID; see the example below. |
 | `PlatformBinary`              | `Processes`  | Boolean    | No       | v2023.2+      | Whether or not the instigating process is a platform binary. |
 
 ### EventDetailURL
@@ -78,7 +78,10 @@ This is an example configuration conforming to the specification outlined above:
 		<dict>
 			<key>Paths</key>
 			<array>
+				<!-- restrict access to foo in all user directories -->
 				<string>/Users/*/foo</string>
+
+				<!-- restrict access to ~/tmp/foo, ~/tmp/foo2, ~/tmp/foo/bar, for all user directories -->
 				<dict>
 					<key>Path</key>
 					<string>/Users/*/tmp/foo</string>
@@ -97,7 +100,27 @@ This is an example configuration conforming to the specification outlined above:
 			</dict>
 			<key>Processes</key>
 			<array>
+		                <dict>
+					<!-- Platform binaries use a separate key that, rather than the `platform:com.apple.ls` format used in binary authorization rules -->
+					<key>PlatformBinary</key>
+					<true/>
+					<key>SigningID</key>
+					<string>com.apple.ls</string>
+		                </dict>
+		                <dict>
+					<!-- Signing IDs are specified differently than in binary authorization rules, note the separate TeamID key -->
+					<key>TeamID</key>
+					<string>EQHXZ8M8AV</string>
+					<key>SigningID</key>
+					<string>com.google.Chrome</string>
+		                </dict>
+		                <dict>
+					<!-- Allow the Slack Team ID -->
+					<key>TeamID</key>
+					<string>BQR82RBBHL</string>
+				</dict>
 				<dict>
+					<!-- Allow the binary at the path, AND require the TeamID specified -->
 					<key>BinaryPath</key>
 					<string>/usr/local/bin/my_foo_writer</string>
 					<key>TeamID</key>
@@ -139,7 +162,9 @@ The following table demonstrates which rule will be applied for operations on a
 
 Configured path globs represent a point in time. That is, path globs are expanded when a configuration is applied to generate the set of monitored paths. This is not a "live" representation of the filesystem. For instance, if a new file or directory is added that would match a glob after the configuration is applied, it is not immediately monitored.
 
-Within the main Santa configuration, the `FileAccessPolicyUpdateIntervalSec` key controls how often any changes to the configuration are applied as well as re-evaluating configured path globs to match the current state of the filesystem.
+Within the main Santa configuration, the `FileAccessPolicyUpdateIntervalSec` key controls how often any changes to the configuration are applied as well as re-evaluating configured path globs to match the current state of the filesystem. This has a minimum value of 15 seconds.
+
+Glob pattern support is provided by the libc `glob(3)` function. Extended glob patterns, such as globstar (`**`), are not supported.
 
 ### Prefix and Glob Path Evaluation