santad
Note: This documentation refers to the main Santa daemon as santad, but
this process will typically be seen on the system by its full name:
com.google.santa.daemon.
The santad process makes decisions
about binary executions, file access, and mounting USB mass storage devices. It
also handles brokering all of the XPC connections between the various components
of Santa.
On Launch
When santad starts, it immediately performs the following setup tasks:
- Initializes the rule and event databases
- Establishes an XPC listener for incoming connections
- Establishes an XPC connection to the santasyncservicedaemon
- Processes the config file
Next, if configured to do so, santad begins to unmount/remount any connected
USB mass storage devices that violate policy.
Finally, santad establishes its connections to the
Endpoint Security
(ES) framework which is used to authorize actions and collect telemetry. Once
successfully registered, appropriate event streams are subscribed to and
santad is able to begin making decisions.
Event Streams
Multiple ES clients are created, each with their own area of responsibility and unique set of event streams.
| Client | Responsibility |
|---|---|
| Authorizer | Applying policy to new executions |
| Recorder | Gathering telemetry, creating transitive rules |
| File Access Authorizer | Enforcing file access authorization (FAA) policy by tracking all file access events |
| Device Manager | Blocking USB mass storage mounts, or ensuring such devices are mounted only with the configured flags (for example, read-only) |
| Tamper Resistance | Protecting Santa components from tampering |
Logging
santad logs can be configured to target one of several different outputs:
| Log Type | Description |
|---|---|
| syslog | Emits events as a human-readable, key/value pair string to the Apple unified logging system (ULS) |
| file | Similar output to syslog, but logs are sent to a file instead of the ULS |
| protobuf | Emits events with a rich set of data defined by the santa.proto schema |
| json | Similar to protobuf, but the output is converted to JSON (Note: This is not a performant option and should only be used in targeted situations or when logging is expected to be minimal) |
| null | Disables logging |
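The syslog and file outputs are the ones most often consumed by scripts and SIEM pipelines, so the following added example (not code from the Santa project) shows how to parse those key/value lines and run a simple triage query over them. The sample lines are constructed for this example; the pipe delimiter and the field names (`action`, `decision`, `reason`, `mode`, `path`, `args`, and so on) are assumptions modelled on Santa's syslog output, since the page itself shows no sample line. The query picks out executions that were allowed only because the host is in monitor mode, which is exactly the set an administrator needs rules for before switching a fleet to lockdown.

```python
"""Parse Santa-style key/value log lines and triage them (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the shape of Santa's syslog/file output:
# key=value pairs separated by '|'. Field names and values are assumptions
# for this example; the ULS prefix (timestamp/host/process) has been stripped.
SAMPLE_LOG = """\
action=EXEC|decision=ALLOW|reason=BINARY|sha256=aaaa|pid=412|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=M|path=/usr/bin/true|args=/usr/bin/true
action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=bbbb|pid=413|ppid=412|uid=501|user=alice|gid=20|group=staff|mode=M|path=/Users/alice/Downloads/tool|args=/Users/alice/Downloads/tool --filter a|b
action=EXEC|decision=DENY|reason=BINARY|sha256=cccc|pid=414|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/tmp/dropper|args=/tmp/dropper
action=WRITE|path=/Users/alice/notes.txt|pid=500|ppid=1|process=TextEdit|uid=501|user=alice|gid=20|group=staff
"""


@dataclass
class SantaEvent:
    action: str
    fields: Dict[str, str] = field(default_factory=dict)

    def get(self, key: str, default: str = "") -> str:
        return self.fields.get(key, default)


def parse_line(line: str) -> SantaEvent:
    """Split one key/value line into a SantaEvent.

    Values such as args may themselves contain '|', so a token without '='
    is treated as a continuation of the previous value rather than a new key.
    (A '=' inside args would still be misread as a new key; this parser is a
    heuristic, not a grammar for the format.)
    """
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for token in line.rstrip("\n").split("|"):
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
            last_key = key
        elif last_key is not None:
            fields[last_key] += "|" + token
    return SantaEvent(action=fields.get("action", ""), fields=fields)


def parse_log(text: str) -> List[SantaEvent]:
    """Parse every non-empty line of a log file's contents."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def would_block_in_lockdown(events: Iterable[SantaEvent]) -> List[SantaEvent]:
    """Executions allowed only because the host is in monitor mode.

    In monitor mode (mode=M) a binary with no matching rule is allowed and
    logged with reason=UNKNOWN; in lockdown mode (mode=L) the same execution
    would be denied. These are the gaps to write rules for before switching.
    """
    return [
        e for e in events
        if e.action == "EXEC"
        and e.get("decision") == "ALLOW"
        and e.get("reason") == "UNKNOWN"
        and e.get("mode") == "M"
    ]


def denied_executions(events: Iterable[SantaEvent]) -> List[SantaEvent]:
    """Executions santad actually blocked."""
    return [e for e in events if e.action == "EXEC" and e.get("decision") == "DENY"]


def summarize(events: Iterable[SantaEvent]) -> Dict[str, int]:
    """Count events by action/decision/reason, e.g. 'EXEC:ALLOW:BINARY'."""
    counts: Dict[str, int] = {}
    for e in events:
        key = f"{e.action}:{e.get('decision', '-')}:{e.get('reason', '-')}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for k, v in sorted(summarize(evts).items()):
        print(f"{k:<24} {v}")
    for e in would_block_in_lockdown(evts):
        print("needs a rule before lockdown:", e.get("path"), e.get("sha256"))
    for e in denied_executions(evts):
        print("blocked:", e.get("path"), "uid=" + e.get("uid"))
```

Run it against a real file by replacing `SAMPLE_LOG` with the file's contents; when reading from the ULS instead, strip the unified logging prefix from each line first, since only the key/value portion is parsed here.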
A note on performance
On an idle machine, santad and the other components of Santa consume
virtually no CPU and a minimal amount of memory (5-50MB). When many processes
execute at the same time, CPU and memory usage can spike. All execution
authorizations are made on high priority threads to ensure decisions are made
as soon as possible. A watchdog thread logs a warning when it detects sustained
high CPU or memory usage.