santa
CDHash based rules
We'd like to extend Santa's rule types so that a binary can be blocked based on its CDHash. Because the CDHash is already supplied by the EndpointSecurity framework, this lets santad skip the expensive hashing of the binary for rules that match by CDHash.
Proposed new rule precedence (in order, highest to lowest)
- CDHash
- SHA256
- Certificate
- Team ID
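To make the precedence concrete, here is an added illustration (not Santa's own code) of a policy lookup that walks the four identifier kinds in the proposed order. The rule table, the `BinaryInfo` struct and the constructed sample identifiers are assumptions for the example; the SHA256 is supplied through a callback so the reader can observe that it is only computed when no CDHash rule matched, which is the cost saving the proposal is after.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <optional>
#include <string>

// Rule identifier kinds, listed highest precedence first (assumed layout).
enum class RuleType { CDHash, SHA256, Certificate, TeamID };
enum class Decision { Allow, Block };

struct Rule {
  RuleType type;
  std::string identifier;
  Decision decision;
};

// What the policy layer knows about a binary (hypothetical struct). The CDHash
// comes with the EndpointSecurity message; the SHA256 is produced on demand by
// a callback so callers can tell whether the expensive hash was ever computed.
struct BinaryInfo {
  std::string cdhash;
  std::function<std::string()> sha256;
  std::string cert_sha256;
  std::string team_id;
};

struct Verdict {
  Decision decision;
  std::optional<RuleType> matched_by;  // empty when no rule matched
};

class RuleTable {
 public:
  void Add(const Rule& r) { rules_[r.type][r.identifier] = r.decision; }

  std::optional<Decision> Find(RuleType t, const std::string& id) const {
    auto by_type = rules_.find(t);
    if (by_type == rules_.end()) return std::nullopt;
    auto hit = by_type->second.find(id);
    if (hit == by_type->second.end()) return std::nullopt;
    return hit->second;
  }

  // Walk the precedence list; the first matching rule wins, so a CDHash rule
  // overrides any broader certificate or Team ID rule, and the SHA256 callback
  // is only invoked once the CDHash lookup has missed.
  Verdict Evaluate(const BinaryInfo& bin, Decision fallback) const {
    if (auto d = Find(RuleType::CDHash, bin.cdhash)) return {*d, RuleType::CDHash};
    if (auto d = Find(RuleType::SHA256, bin.sha256())) return {*d, RuleType::SHA256};
    if (auto d = Find(RuleType::Certificate, bin.cert_sha256)) return {*d, RuleType::Certificate};
    if (auto d = Find(RuleType::TeamID, bin.team_id)) return {*d, RuleType::TeamID};
    return {fallback, std::nullopt};
  }

 private:
  std::map<RuleType, std::map<std::string, Decision>> rules_;
};

// Constructed sample rules: a broad Team ID allow rule plus two narrow block
// rules. All identifiers are placeholders, not real hashes or team IDs.
RuleTable SampleRules() {
  RuleTable t;
  t.Add({RuleType::TeamID, "TEAMID0000", Decision::Allow});
  t.Add({RuleType::CDHash, "cdhash-constructed-1", Decision::Block});
  t.Add({RuleType::SHA256, "sha256-constructed-2", Decision::Block});
  return t;
}

// Evaluates a constructed binary signed by the allowed team and reports the
// verdict together with how many times the SHA256 callback ran.
Verdict EvaluateSample(const std::string& cdhash, const std::string& sha256, int* hash_calls) {
  *hash_calls = 0;
  BinaryInfo bin{cdhash,
                 [&] { ++*hash_calls; return sha256; },
                 "cert-constructed",
                 "TEAMID0000"};
  return SampleRules().Evaluate(bin, Decision::Allow);
}

int main() {
  int calls = 0;
  Verdict v = EvaluateSample("cdhash-constructed-1", "sha256-constructed-1", &calls);
  std::printf("blocked=%d hash_calls=%d\n", v.decision == Decision::Block, calls);
  return 0;
}
```

Three cases are worth tracing: a binary whose CDHash is blocked is denied without the SHA256 ever being computed; a binary with an unknown CDHash but a blocked SHA256 costs one hash and is still denied despite the Team ID allow rule; a binary matching only the Team ID rule costs one hash and is allowed.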
Steps to Completion
- [ ] Refactor `santa_message_t` to not hold the raw `es_message_t`
- [ ] Update `EndpointSecurityManager` to construct a `santa_message_t` with the relevant information for higher-level policy processing
- [ ] Update santactl sync and rule commands to create/read/update/delete these new rules
- [ ] Update `validateBinaryWithMessage` to properly check by CDHash first
- [ ] Update `SNTPolicyProcessor` to add a method for checking CDHashes