synchronise.. include:: ../includes.txt

Troubleshooting

Osquery (Mac OS X)

No node key

There are a number of reasons for this error:

  • Your enrollment secret is invalid. Are you re-installing Zercurity from another account or deployment server? Try removing the enroll.dat file within the Zercurity installation folder.
  • Zercurity has either blocked an enrollment from talking place. Please contact our support team to help resolve this for you.
Failed enrollment request to https://api.zercurity.com/v1/osquery/enroll (No node key returned from TLS enroll plugin) retrying...

Accessing logs

tail -f /var/log/zercurity_osqueryd_stderr.log

Restarting Osquery

user=$(/usr/bin/stat -f '%u' /dev/console)
/bin/launchctl asuser ${user} /bin/launchctl unload "/Library/LaunchAgents/com.google.santa.plist"
/bin/launchctl asuser ${user} /bin/launchctl load "/Library/LaunchAgents/com.google.santa.plist"

Google Santa

Zercurity makes use of Google Santa for its Mac OSX application whitelisting and blacklisting.

Force sync rules

Sometimes you may want to forcefully synchronise your local machine with the remote server to ensure all rules are up-to-date. The sync command will also send any pending updates back to the Zercurity server.

sudo santactl sync

Santa daemon failing to start

If you’ve installed Zercurity locally without using an MDM you will most likely encounter the following error. As during the installation you may not have given permission to Santa to install its System extension.

sudo santactl sync
An error occurred communicating with the daemon, is it running?

The first thing to do is check the logs as described below.

Accessing logs

It maybe that you need to manually “Allow” the Santa system extension. The installer should have prompted you to do this if your not using an MDM.

SystemExtension authorisation

If that still doesn’t work then make sure that Santa has “Full Disk Access”. You may need to reload the Santa daemon after completing this step.

Full Disk Access

Accessing logs

You can show the logs for Google Santa using the following command.

/usr/bin/log show --info --debug --predicate 'senderImagePath CONTAINS "Santa"' --last 1d

SystemExtension authorisation

If you see the following error then either the user needs to accept permission for Santa to run under System->Security&Privacy or the Zercurity MDM needs to be applied to the system via the MDM manager i.e. JAMF.

Santa: I Santa: SystemExtension "com.google.santa.daemon" request needs user approval
../_images/installer_osx_error_03.png

If you don’t see the option to accept permission under “System->Security & Privacy” to run Santa. Try closing the Security window and run the following command which should force the prompt.

sudo /bin/launchctl unload -w "/Library/LaunchDaemons/com.google.santa.bundleservice.plist"
/Applications/Santa.app/Contents/MacOS/Santa --load-system-extension
sudo /bin/launchctl load -w "/Library/LaunchDaemons/com.google.santa.bundleservice.plist"

Full Disk Access

../_images/trouble_osx_disk_access_full.png

Missing Zercurity profile

The Zercurity installer should automatically install our profile. If the profile can’t be found or was removed you’ll get the following error when trying to manually sync Santa using santactl.

sudo santactl sync
Missing SyncBaseURL. Exiting.

To resolve this you’ll need to re-install Zercurity.