What is Google Santa?

What is Google Santa?

Google Santa is an open-source project from Google's Macintosh Operations Team. It is a binary whitelisting / blacklisting system for macOS and can be used to analyze what applications run across your fleet and control them by blocking their use entirely.

Santa can be configured to prevent users from using malicious, high risk, or prohibited applications.

What are some Google Santa options in Fleetsmith?

Some available Google Santa options are:

• Blacklist binary file hashes
• Blacklist certificate hashes
• Blacklist file paths
• Blacklist file path regex
• File changes regex
• Page Zero protection

Blacklisted binary file hashes
Enter a CSV list containing SHA256 binary hashes. This is the most granular rule and will blacklist individual binaries. Note that even a small change in a binary will alter the SHA256 hash, invalidating the rule. 

Blacklisted certificate hashes
Enter a CSV list containing SHA256 binary hashes of leaf (signing) certificates. This is a powerful rule type that has a much broader reach than an individual binary rule, allowing you to blacklist all apps signed by a particular code signing certificate.

Blacklisted file paths
Enter a CSV list containing binary or app bundle file paths. This will blacklist the SHA256 hash of a binary or app bundle currently located at each path. 

Blacklisted file path regex
Enter an ICU format regular expression (regex) to create a blacklist scope, blocking all binaries located within a matching file system path or subdirectory.

File changes regex
Enter an ICU format regular expression (regex) to include logs of file changes at matching file system paths. By default, all executions and disk mounts are automatically logged in Santa. Use this regex to also include the file operations of specific paths.

Page Zero protection
Choose whether or not 32-bit binaries without a _PAGEZERO segment are blocked, preventing the execution of binaries which are highly vulnerable to code injection.