-
Notifications
You must be signed in to change notification settings - Fork 297
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Efficient mechanism for rule pruning #1234
Comments
We don't. My machine has over 70k rules and we have tested Santa with well over 10M rules and saw no discernible performance penalty. A full sync takes a little while but these are very rare and the protocol was designed to break up a full sync into multiple requests to make it more reliable.
One option to reduce the number of rules you currently have would be to switch to replace binary rules with signing ID rules wherever possible. This will reduce the number of rules now and prevent the constant growth you're seeing. |
That's incredible! Do you think most of those 70k rules are for binaries that are still in-use or do you have any process in-place to prune them? We only have a tiny team of developers, but between homebrew, XCode, Android Studio etc we see 100-200 unsigned binaries which cannot be covered with signingID/certificate rules and which are updated every few months leading to new rules being required. |
I think a lot of those rules are unused and there is no process to prune them, though there are several processes to remove or block binaries in certain circumstances. I probably have a larger number of rules than most as I've been running Santa on my machines longer than anyone but it was always a design goal that a huge rule database should work without issue. |
I run with about 64,000+ rules as well. Most of the rules are for binaries that aren't on my machine. Out of the options above the following makes the most sense to me.
One thought is that this could be an extension to the |
We've been using Santa on about 50 Macs for a few months now. Our rule database contains about 500 rules, a mix of binary/certificate/signingID. Of that 500, about half are duplicates where new versions of binaries have been released and an additional binary hash rule has been added. For example, we have 9 hashes for the alamofire-manifest binary, 5 for appt2 etc and a year from now these may all have doubled again.
Shrinking our ruleset from 500 to 250 rules would make it more manageable and I assume the problem is more significant for those using Santa in larger environments for a longer period of time.
Firstly I'm curious how others deal with this, and secondly I wonder if there is a feature enhancement that might help. Options that jump out to me -
EnableAllEventUpload
on all devices and track rule matches in our database so we know what not to prune. This would require no changes to Santa but would increase the load on endpoints and would significantly increase the load on Santa servers, to an impractical degree in larger deploymentsThoughts?
The text was updated successfully, but these errors were encountered: