Google Santa

Santa is a binary whitelisting/blacklisting system for macOS.

google/santa: A binary whitelisting/blacklisting system for macOS

Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user when an execution is blocked, and a command-line utility for managing the system and synchronizing the database with a server.

Santa is not yet at version 1.0. It is named Santa because it keeps track of binaries that are naughty or nice. Santa is a project of Google's Macintosh Operations Team. Santa's documentation is stored in the Docs folder. In the default MONITOR mode, all binaries except those marked as blacklisted are allowed to run, while being logged and recorded in the events database.

In LOCKDOWN mode, only whitelisted binaries are allowed to run. Once the kernel extension is loaded, all binary launches are logged. In both modes, all unknown or denied binaries are stored in the database for later aggregation. Rather than relying on a binary's hash (or fingerprint), executables can be whitelisted/blacklisted by their signing certificate.

You can therefore trust or block all of a given publisher's executables that were signed with that certificate, across version updates. A binary can only be whitelisted by its certificate if its signature validates correctly, but a rule for a binary's fingerprint overrides a decision for a certificate; that is, you can whitelist a certificate while blacklisting a binary signed with that certificate, or vice versa.

This provides functionality similar to Application Launch Restrictions in Managed Client (the predecessor of configuration profiles, which used the same deployment mechanism), implemented there by the mcxalr binary. Failsafe certificate rules: there is no way to enter a deny rule that would block the certificate used to sign launchd (pid 1), and with it every component of macOS.

The binaries in every OS update (and in some cases entire new OS versions) are therefore automatically whitelisted. This does not apply to binaries from Apple's App Store, which use various certificates that change regularly for common applications. Likewise, you cannot blacklist Santa itself, and Santa uses a certificate distinct from that of other Google applications.
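The rule precedence described above (fingerprint rule beats certificate rule, certificate rules only count for a valid signature, unknown binaries are recorded and allowed only in MONITOR mode, and a protected certificate can never receive a deny rule) as an added model in Python; this is not Santa's own code, and the certificate and binary hashes it uses are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MONITOR, LOCKDOWN = "MONITOR", "LOCKDOWN"   # Santa's two modes
ALLOW, BLOCK = "allow", "block"
WHITELIST, BLACKLIST = "whitelist", "blacklist"


@dataclass(frozen=True)
class Binary:
    sha256: str                  # fingerprint of the file itself
    cert_sha256: Optional[str]   # hash of the signing certificate, None if unsigned
    signature_valid: bool        # whether the code signature verified


@dataclass
class RuleSet:
    # Certificates that may never carry a deny rule (the certificate that signs
    # launchd/pid 1, and Santa's own). Values are constructed placeholders.
    protected_certs: Set[str]
    binary_rules: Dict[str, str] = field(default_factory=dict)
    cert_rules: Dict[str, str] = field(default_factory=dict)

    def add_binary_rule(self, sha256: str, policy: str) -> None:
        self.binary_rules[sha256] = policy

    def add_cert_rule(self, cert_sha256: str, policy: str) -> None:
        # Failsafe: refuse a deny rule for a protected certificate.
        if policy == BLACKLIST and cert_sha256 in self.protected_certs:
            raise ValueError("failsafe: cannot blacklist a protected certificate")
        self.cert_rules[cert_sha256] = policy


def decide(rules: RuleSet, binary: Binary, mode: str, events: List[dict]) -> str:
    """Return ALLOW or BLOCK; append an event for unknown or denied binaries."""
    # 1. A fingerprint rule always wins over a certificate rule.
    policy = rules.binary_rules.get(binary.sha256)
    # 2. Otherwise consult the certificate, but only if the signature verifies;
    #    a binary with a broken signature is treated as unsigned (assumption).
    if policy is None and binary.cert_sha256 and binary.signature_valid:
        policy = rules.cert_rules.get(binary.cert_sha256)
    if policy == WHITELIST:
        return ALLOW
    if policy == BLACKLIST:
        events.append({"sha256": binary.sha256, "reason": "blacklisted"})
        return BLOCK
    # 3. Unknown binary: recorded in both modes, allowed only in MONITOR.
    events.append({"sha256": binary.sha256, "reason": "unknown"})
    return ALLOW if mode == MONITOR else BLOCK
```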

Santa was written with the intention of protecting users from themselves. It is a centrally managed tool that can help stop malware spreading across a large fleet of machines. Santa can also help you understand what is going on on your own machine. Santa is part of a defense-in-depth strategy, and you should continue to protect hosts in whatever other ways you see fit.

If you have a question or need help getting started, the Santa Dev Group is a good place to ask. Caching in the kernel: whitelisted binaries are cached in the kernel, so the work needed to make a decision is only done if the binary is not already cached. Userland components validate each other: each of the userland components (the daemon, the GUI agent and the command-line utility) communicates over XPC and checks that the peer's signing certificate is identical to its own before accepting any communication.

Kext uses KPIs only: the kernel extension uses only published kernel programming interfaces (KPIs) to do its work, which means the kext should keep working across OS releases. Known issues to consider: Santa does not block dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or libraries loaded using DYLD_INSERT_LIBRARIES.

Kext communication security: the kernel extension accepts only one connection at a time from a given client, and that client must be running as root. However, we have not yet found a good way to ensure the kext only accepts connections from a legitimate client. Database protection: the SQLite database is installed with permissions so that only the root user can read or write it.

For synchronization with a management server, the santactl command has a sync flag that uploads the events that occurred on the machine and downloads new rules. At the moment Santa is written to disregard any execution that is not a binary file. Tools like Santa do not lend themselves well to screenshots, so a video is provided instead. Workspace and builds: the build prints the full log only when an error occurs.

Note: the Xcode project is set up to use whatever Mac Developer certificate is installed, and for security purposes parts of Santa will not work correctly if they are not signed. On macOS 10.9/10.10 and later, the kernel extension must be signed with an Apple-provided Developer ID certificate that carries the kernel extension flag. The only way to load an extension without one is to enable kext-dev-mode or disable SIP, depending on which OS version you are running.

We recommend using a pre-built, pre-signed copy of the kext that we provide. Any change made to the kext is reflected in an update to the pre-built release that you can use. This does not stop you from making and contributing changes to other parts of Santa. If you make changes to the kext and submit a pull request, we can merge them and release a new build.

Alternatively, request your own kext signing certificate. Santa is not an official Google product.
