santa: After turning on the clean_sync switch, the event logs are no longer being uploaded

Hey: In the profile, I set EnableAllEventUpload and SyncEnableCleanSyncEventUpload to true. Additionally, I sent the clean_sync field to the santa client through the sync server and set it as true. However, I noticed that aside from block event logs that occasionally upload, the event logs of Allow_XXX type are not being uploaded. My understanding was that all logs should be uploaded like they were when clean_sync was set to false. Unfortunately, since I am not familiar with OC language, I was unable to comprehend the logic by reading the source code. Did I misunderstand something?

my santa client version:

santad          | 2023.1 (build 503475832)
santactl        | 2023.1 (build 503475832)
SantaGUI        | 2023.1 (build 503475832)

About this issue

  • State: closed
  • Created a year ago
  • Comments: 19 (7 by maintainers)

Most upvoted comments

@izzh to clarify, is this the behavior you’re reporting?

If you have EnableAllEventUpload set to true and you have 4 pending events, then do the following:

```mermaid
sequenceDiagram
santa ->> sync_service: preflight req /santa/api/preflight/<machine ID>
sync_service -->> santa: preflight response `clean_sync: true`
Note right of sync_service: You're seeing zero events uploaded here if there are pending events as reported by santactl status
santa ->> sync_service: eventupload request /santa/api/eventupload/<machine ID>
sync_service -->> santa: eventupload response
```

Looking at the sync state code we can see the following:

https://github.com/google/santa/blob/cd719ccef4427cfe10a9e0db656315387118c2be/Source/santasyncservice/SNTSyncEventUpload.m#L58-L69

In which case setting the clean_sync state will avoid uploading the events and then delete them unless SyncEnableCleanSyncEventUpload is enabled.

Your logs are also not showing the expected `Uploaded 5 events` log line from the `SLOGI(@"Uploaded %lu events", uploadEvents.count);`

So it seems like you’re not taking the branch.

We know that you’ve set clean_sync in the preflight response, so `!self.syncState.cleanSync` should be false as you set it in your preflight response, and `[[SNTConfigurator configurator] enableCleanSyncEventUpload]` should be true for your Santa instance to upload events, which it isn’t.

That code comes from:

https://github.com/google/santa/blob/cd719ccef4427cfe10a9e0db656315387118c2be/Source/common/SNTConfigurator.m#L860-L863

Which is really just accessing the key:

https://github.com/google/santa/blob/cd719ccef4427cfe10a9e0db656315387118c2be/Source/common/SNTConfigurator.m#L60

I’ve tried testing with a hacked up version of moroz and using a config-overrides.plist:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>SyncBaseURL</key>
    <string>http://localhost:8080/v1/santa/</string>
    <key>SyncEnableCleanSyncEventUpload</key>
    <true/>
    <key>EnableDebugLogging</key>
    <true/>
  </dict>
</plist>
```

It looks like we’re not properly getting the value of SyncEnableCleanSyncEventUpload. After adding it to the __forcedConfigKeyTypes

https://github.com/google/santa/blob/cd719ccef4427cfe10a9e0db656315387118c2be/Source/common/SNTConfigurator.m#L168

and trying again, events are correctly uploaded. I’ve filed #1123 to fix this.
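The failure mode described in the comment above, as an added Python model that is not part of the thread and not Santa's own code: a profile key missing from the typed-key allowlist is never read, so the clean-sync branch skips the upload and the pending events are lost. The allowlist contents and the function names here are assumptions made for illustration.

```python
import plistlib

# Constructed copy of the config-overrides.plist quoted in the thread.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>SyncBaseURL</key><string>http://localhost:8080/v1/santa/</string>
  <key>SyncEnableCleanSyncEventUpload</key><true/>
  <key>EnableDebugLogging</key><true/>
</dict></plist>"""

# Assumption: simplified stand-in for the configurator's typed-key allowlist.
# A key that is not listed is never read and silently keeps its default.
KEY_TYPES_BEFORE_FIX = {"SyncBaseURL": str, "EnableDebugLogging": bool}
KEY_TYPES_AFTER_FIX = {**KEY_TYPES_BEFORE_FIX,
                       "SyncEnableCleanSyncEventUpload": bool}


def effective_config(profile_bytes, key_types):
    """Keep only keys that are allowlisted and carry the expected type."""
    raw = plistlib.loads(profile_bytes)
    return {k: v for k, v in raw.items()
            if k in key_types and isinstance(v, key_types[k])}


def ignored_keys(profile_bytes, key_types):
    """Profile keys an admin set that the client would never honor."""
    raw = plistlib.loads(profile_bytes)
    return sorted(set(raw) - set(effective_config(profile_bytes, key_types)))


def event_upload_outcome(clean_sync, config, pending):
    """Upload condition as described in the comment: events go up when the
    sync is not a clean sync, or when clean-sync upload is enabled.
    Otherwise the pending events are deleted without being sent."""
    allowed = (not clean_sync) or config.get(
        "SyncEnableCleanSyncEventUpload", False)
    return {"uploaded": pending if allowed else 0,
            "dropped": 0 if allowed else pending}


if __name__ == "__main__":
    for label, types in (("before fix", KEY_TYPES_BEFORE_FIX),
                         ("after fix", KEY_TYPES_AFTER_FIX)):
        cfg = effective_config(PROFILE, types)
        print(label, "ignored:", ignored_keys(PROFILE, types),
              "clean sync, 4 pending:", event_upload_outcome(True, cfg, 4))
```

A non-empty `ignored_keys` result for a key that controls telemetry is worth alerting on, since the profile looks correct while the client quietly discards events.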

Folks have been out for a bit; I’ll try to get something next week.

I ran some additional tests and still have not been able to reproduce the issue.

I ran a setup to force clean_sync, EnableAllEventUpload and SyncEnableCleanSyncEventUpload to all be true. Further, I added some debug log lines around the if-statement linked above. I see this working as expected and attempting event uploads for all events, including ALLOW_XYZ events.