First, a little background: I've spent most of my time in Windows. As a Windows admin I fell in love with AppLocker. These days I find myself spending more time with macOS, and I've been looking for a way to secure macOS in a similar way.
That brings me to Google Santa. This product has a few things that drew me to it.
- It's updated regularly; as of writing this article, the most recent build is 7 days old.
- It has Certificate, Path, and Hash rule capabilities, similar to AppLocker.
- Simple setup and configuration.
This post will bring you through the initial setup of Google Santa, and the linked GitHub repo contains a selection of SHA256 certificate hashes needed to whitelist specific applications.
Setup for Santa is extremely straightforward:
- Install the precompiled signed binary
- Set Santa to enforce (Santa calls this Lockdown mode; the default is Monitor mode, which only logs)
- Change key
- Change key
By default Santa whitelists binaries signed by Apple's own certificates. This is an anti-lockout 'feature': without it, switching to Lockdown mode would block the operating system itself. Once Santa is in enforce (Lockdown) mode, everything is blocked except Apple applications and whatever you have explicitly whitelisted with a rule.
Important Files, Directories, & Commands
While using Santa these things will be extremely useful to understand.
- Santa Configuration
To understand more about the configurable options with Santa, review the Configuration documentation.
- Review Logs
The log shows what was blocked, what was allowed, and the reason for each decision. The cert_sha256 value shown in a DENY line is the hash you use to create a certificate whitelist rule.
- Find Certificate Information
santactl fileinfo /Applications/%app%
This prints the binary's SHA256, its signing chain and the SHA256 of each certificate in that chain (replace %app% with the path to the application bundle or binary).
- Whitelist an Application (by signing certificate; run as root)
santactl rule --whitelist --certificate --sha256 %SHA256_of_signing_cert%
Note that with --certificate the hash is the certificate's SHA256 (the cert_sha256 value from the log or from fileinfo), not the hash of the application binary. A certificate rule allows every binary signed by that certificate, so only whitelist certificates you actually trust.
- View the rules database (santad is unloaded so the database is not in use, which means enforcement is off while you dump it; reload it promptly)
/bin/launchctl unload /Library/LaunchDaemons/com.google.santad.plist
/usr/bin/sqlite3 /var/db/santa/rules.db ".dump" >> /tmp/rules_playback.sql
/bin/launchctl load /Library/LaunchDaemons/com.google.santad.plist
The >> appends to /tmp/rules_playback.sql, so remove the old file first if you want a clean dump.
Whitelisting an Application - WebEx Network Player
In this example WebEx Network Player was installed before Santa was enabled; as such, we can try to launch it and get a failure.
To whitelist WebEx Network Player, as root, perform the following:
- Monitor Logs using
tail -f /var/db/santa/santa.log | grep --line-buffered WebEx | grep DENY
- Launch WebEx Network Player
- Review the logs for the DENY line and note its cert_sha256 value
- Add the certificate to the Santa SHA256 rules (hash as of 20170921)
santactl rule --whitelist --certificate --sha256 ed3dc18e83b80201e1f16ae27a37e3cac7636744bae5ae8286509f64f8730292
Note that some applications require multiple certificates. Google Chrome's updater is signed with a different certificate than Google Chrome itself, so each needs its own rule. Be on the lookout for this behavior in the logs.
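To make the log-to-rule step repeatable, and to catch the multiple-certificate case just described (an updater signed with a different certificate than the app it belongs to), here is an added example; it is not part of the original post or of the Santa project. A small POSIX shell function reads santa.log lines, pulls the cert_sha256 out of every DENY entry and prints one santactl whitelist command per distinct certificate, falling back to a binary-hash rule when the denied file is unsigned. It assumes the pipe-separated key=value layout of santa.log with the field names decision, sha256, cert_sha256, cert_cn and path; the sample log lines are constructed for illustration, and every hash, certificate name and path in them is made up.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Santa project.
# Assumption: santa.log lines are "key=value|key=value|..." with the fields
# decision, sha256, cert_sha256, cert_cn and path. Check against your own log.

# Constructed sample log: hashes, certificate names and paths are invented.
# Line 1 and 3: app and a helper, same vendor certificate (1111...).
# Line 2: an Apple-signed binary that was allowed (must be ignored).
# Line 4: the vendor's updater, signed with a different certificate (3333...).
# Line 5: an unsigned binary (empty cert_sha256), so only a binary rule fits.
SAMPLE_LOG='[2017-09-21T16:02:03.123Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|cert_sha256=1111111111111111111111111111111111111111111111111111111111111111|cert_cn=Developer ID Application: Example Corp (ABCDE12345)|mode=L|path=/Applications/Example.app/Contents/MacOS/Example|args=...
[2017-09-21T16:02:09.456Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb|cert_sha256=2222222222222222222222222222222222222222222222222222222222222222|cert_cn=Apple Mac OS Application Signing|mode=L|path=/Applications/Safari.app/Contents/MacOS/Safari|args=...
[2017-09-21T16:02:15.789Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc|cert_sha256=1111111111111111111111111111111111111111111111111111111111111111|cert_cn=Developer ID Application: Example Corp (ABCDE12345)|mode=L|path=/Applications/Example.app/Contents/Frameworks/Helper|args=...
[2017-09-21T16:02:21.012Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd|cert_sha256=3333333333333333333333333333333333333333333333333333333333333333|cert_cn=Developer ID Application: Example Corp Updater (ABCDE12345)|mode=L|path=/Library/Example/Updater|args=...
[2017-09-21T16:02:30.345Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee|cert_sha256=|cert_cn=|mode=L|path=/Users/vg/Downloads/unsigned-tool|args=...'

# Read santa.log lines on stdin and print one `santactl rule` command per
# distinct denied signing certificate. A DENY line whose cert_sha256 is empty
# is an unsigned binary: there is no certificate to trust, so a binary
# (sha256) rule is printed instead. Nothing is executed here; review the
# output, then run only the rules you trust, as root.
santa_deny_to_rules() {
  awk -F'|' '
    /decision=DENY/ {
      bin = ""; cert = ""; cn = ""; path = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^sha256=/)      bin  = substr($i, 8)
        if ($i ~ /^cert_sha256=/) cert = substr($i, 13)
        if ($i ~ /^cert_cn=/)     cn   = substr($i, 9)
        if ($i ~ /^path=/)        path = substr($i, 6)
      }
      if (cert != "") {
        # one rule per certificate, however many binaries it signed
        if (!(cert in seen_cert)) {
          seen_cert[cert] = 1
          printf "santactl rule --whitelist --certificate --sha256 %s   # %s\n", cert, cn
        }
      } else if (bin != "" && !(bin in seen_bin)) {
        seen_bin[bin] = 1
        printf "santactl rule --whitelist --sha256 %s   # unsigned: %s\n", bin, path
      }
    }'
}

# Demo on the constructed sample. On a real host you would run, as root:
#   tail -n 500 /var/db/santa/santa.log | santa_deny_to_rules
printf '%s\n' "$SAMPLE_LOG" | santa_deny_to_rules
```

On the sample this prints three commands: one certificate rule for the vendor certificate (covering both the app and its helper), a second certificate rule for the updater's separate certificate, and a binary rule for the unsigned tool; the Apple-signed ALLOW line is ignored. Treat the unsigned case with suspicion: a binary rule pins one exact file, and a file you cannot attribute to a signer may not deserve even that.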
This should give you enough information to start whitelisting the apps on your laptop that you trust and to deny the ones you don't.
To help get you started I've uploaded to github https://github.com/vgrsec/googlesantarules some scripts for some common applications.