
CDHash based rules

Open tnek opened this issue 2 years ago • 0 comments

We'd like to extend rule types in Santa to block off of binary CDHash. As CDHashes are already provided by the EndpointSecurity framework, this allows us to skip the expensive hashing in Santad.

Proposed New Rule Precedence (in order from highest to lowest)

  • CDHash
  • SHA256
  • Certificate
  • Team ID

Steps to Completion

  • [ ] Refactor santa_message_t to not hold the raw es_message_t
  • [ ] Update EndpointSecurityManager to construct a santa_message_t with the relevant information for higher-level policy processing.
  • [ ] Update santactl sync and rule commands to create/read/update/delete these new rules.
  • [ ] Update validateBinaryWithMessage to properly check by CDHash first
  • [ ] Update SNTPolicyProcessor to add a method for checking CDHashes

tnek, Nov 16 '21 16:11
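To illustrate the proposed precedence, and why putting CDHash first lets santad avoid hashing the file, here is an added Python sketch; it is not Santa's own code, and the rule kinds, the `Binary` shape, the constructed identifiers and the lazy `hash_file` hook are assumptions made for the example.

```python
"""Added example of the proposed Santa rule precedence; not Santa's own code.
All rule kinds, identifiers and binaries below are constructed sample values."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Precedence from the issue, highest first. The CDHash arrives with the
# EndpointSecurity message; SHA256 requires reading and hashing the whole
# file, so it is computed lazily and only when a SHA256 rule could match.
PRECEDENCE = ("cdhash", "sha256", "certificate", "teamid")


@dataclass(frozen=True)
class Rule:
    kind: str        # one of PRECEDENCE
    identifier: str  # value the rule matches against (constructed strings here)
    decision: str    # "ALLOW" or "BLOCK"


@dataclass
class Binary:
    cdhash: str                    # free: comes from the ES message
    certificate: Optional[str]
    teamid: Optional[str]
    hash_file: Callable[[], str]   # expensive: hashes the file on disk (assumed hook)
    hash_calls: int = 0            # counts how often the expensive path ran

    @property
    def sha256(self) -> str:
        self.hash_calls += 1
        return self.hash_file()


def build_index(rules) -> Dict[str, Dict[str, Rule]]:
    """Group rules by kind so each precedence level is a single dict lookup."""
    index: Dict[str, Dict[str, Rule]] = {k: {} for k in PRECEDENCE}
    for r in rules:
        index[r.kind][r.identifier] = r
    return index


def evaluate(index, binary: Binary) -> Tuple[Optional[str], Optional[Rule]]:
    """Walk the precedence list; the first matching rule decides.
    A level with no rules is skipped before its identifier is read, so the
    file is never hashed unless at least one SHA256 rule exists and no
    CDHash rule matched first."""
    for kind in PRECEDENCE:
        table = index[kind]
        if not table:
            continue
        ident = getattr(binary, kind)
        if ident is not None and ident in table:
            rule = table[ident]
            return rule.decision, rule
    return None, None  # no rule hit: caller applies the configured default mode
```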