
A binary authorization and monitoring system for macOS

Results 101 santa issues

Unfortunately, the firmware password was removed on Apple Silicon Macs. Any admin user can log into recovery mode and disable Santa from there. Any thoughts on ways to stop this?

What will be the correct rule to allow debugging in IntelliJ IDEA when a temp output is blocked? See the message from Santa below for a Golang app executed from within...

question
transitive allowlisting

I would like to add parquet output support to Santa, however there are some trade-offs that might not be acceptable to you. I'd like to have the discussion and the...

enhancement

We've been using Santa on about 50 Macs for a few months now. Our rule database contains about 500 rules, a mix of binary/certificate/signingID. Of that 500, about half are...

enhancement

If I have root privileges, I can bypass the allowlist mechanism by repeatedly killing the santa daemon in a loop. ``` #!/bin/bash while true; do ps aux | grep com.google.santa.daemon |...

enhancement

The `SNTPolicyProcessor` via `MOLCodesignChecker` currently evaluates the `SecStaticCodeRef` of a file path when a new exec is authorized. This is a legacy limitation from when Santa deployed its own kext...

enhancement

Occasionally when I push Santa to new machines via JAMF it fails to detect the config profiles for the sync server that have also been placed by the MDM....

(discussed IRL with @mlw, opening an issue for discussion) Santa's process based rulesets currently apply either as an allow or block to all invocations of an executable. This works well...

enhancement
rules

Every now and then, there's an Apple-supplied, system binary that isn't signed. (Currently: looking at you, RemotePairingDataVaultHelper) Naturally, Santa blocks these, but it doesn't have to be this way: SecTaskGetCodeSignStatus...

enhancement
question

I wonder whether it would be feasible to support wildcards in SigningID rules? The use case would be where you want to allow only specific applications from a developer, so a TeamID...

enhancement