santa
santa copied to clipboard
google
A binary authorization and monitoring system for macOS
I notice that only binary and certificate rules can be synced from servers: https://github.com/google/santa/blob/b70442e483887ed2368003dbe5f736931401d535/Source/santactl/Commands/sync/SNTCommandSyncRuleDownload.m#L146 Would it be possible to allow SCOPE rules to be served by Sync servers? Managing them...
I would to be able to add a rule to the conf that would block or allow files downloaded from specific domains. This could help with some types of malware.
This came up when talking to @tburgin: This is mostly for development purposes but it would be helpful to have a console command to "block" a given binary regardless of...
We would like to have the possibility to get all the santa decisions. It is my understanding that `ALLOW_SCOPE`, `ALLOW_BINARY` and `ALLOW_CERTIFICATE` [are not considered events](https://github.com/google/santa/blob/0c39342d5349fd012e2a8c09c17685d4cbeb2e0a/Source/santad/SNTExecutionController.m#L130), and will only be...
To accelerate adding to the whitelist, the most applicable criteria for building a rule to be fed into the database should be surfaced in the block GUI, rather than tracking...
Similar to how osquery collects common queries into 'packs' to be enabled in their config, it would be great to be able to import/export rules from the database as an...
RE2 is faster than ICU (used by NSRegularExpression) for most types of expression at both matching and compiling. It would possibly be prudent to benchmark some example regexes that are...
I don't see an easy way to set up the initial information about executables on your system. I played with a Python script (sorry my ruby skills are limited) that...
- get `BlockUSBMount` and `RemountUSBMode` from the `configState` and from the `syncState`. - disable `BlockUSBMount` if set to `false` in the preflight response. - only set `BlockUSBMount` in `syncState` if...
This is a major refactor with the overall major goals of: 1. Utilize more C++/ObjectiveC++ * Help reduce the overall number of per-event allocations and copies 1. Wrap ES messages...
