
SANS ISC: Track naughty and nice binaries with Google Santa - SANS Internet Storm Center


Track naughty and nice binaries with Google Santa

Santa is a binary white- or blacklisting daemon that has been developed by the Google Macintosh Operations Team (largest contributor is Russell Hancox) for over 4 years now (it is not an official Google product!). Google uses Santa internally to protect and monitor its macOS machines, and it is called Santa because it keeps track of binaries that are naughty or nice.

The application has two modes, monitor mode and lockdown mode. Monitor mode keeps track of each binary being executed, checks it against the blacklist and records all information in the events database. An event contains the signing chain, the parent process name, the logged-in users, the file path, the bundle version, the executing user, the SHA-256 hash and some additional information about the file being executed. In lockdown mode, only whitelisted binaries are allowed to run. For both white- and blacklisting you can use either file-based rules (keyed on the file's SHA-256 hash, which santactl computes when you give it a path) or certificate-based rules.

It is important to know that two immutable certificate rules are created on launch, for the signing certificates of santad and launchd. This prevents Santa from blocking critical OS binaries or its own components. Also be aware that scripts are not checked against the lists; only the interpreter binary that runs them is.
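A practical use of monitor mode is to find out what lockdown mode would block before you switch. The following is an added example (not Santa's own code or part of the original diary) that parses santad's pipe-delimited key=value log lines and lists the binaries that ran without matching any rule; the log format, the reason values BINARY/CERT/UNKNOWN and the sample lines are assumptions and constructed data, so check them against your own santa.log.

```python
"""Summarise Santa execution events (added example, not Santa's own code).

Assumes santad's log line format: `... santad: action=EXEC|decision=ALLOW|
reason=UNKNOWN|sha256=...|path=...|...`. The reason values BINARY, CERT and
UNKNOWN are assumed from Santa's monitor-mode logging; verify against your log.
"""
import re
from collections import Counter

# Constructed sample of four monitor-mode events (hashes and paths are made up).
SAMPLE_LOG = """\
[2019-01-02T10:00:01.000Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=aaaa|path=/usr/bin/ls|cert_sha256=c1|cert_cn=Software Signing|pid=100|ppid=1|uid=501|user=remco|gid=20|group=staff|mode=M
[2019-01-02T10:00:02.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=bbbb|path=/Users/remco/Downloads/tool|pid=101|ppid=100|uid=501|user=remco|gid=20|group=staff|mode=M
[2019-01-02T10:00:03.000Z] I santad: action=EXEC|decision=DENY|reason=BINARY|sha256=cccc|path=/tmp/blocked|pid=102|ppid=100|uid=501|user=remco|gid=20|group=staff|mode=M
[2019-01-02T10:00:04.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=bbbb|path=/Users/remco/Downloads/tool|pid=103|ppid=100|uid=501|user=remco|gid=20|group=staff|mode=M
"""

EVENT_RE = re.compile(r"santad: (?P<kv>action=.*)$")

def parse_event(line):
    """Return the key=value fields of one santad log line, or None if it is not an event.
    Caveat: a '|' inside a path would split the field; paths with '|' are rare but possible."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return dict(f.split("=", 1) for f in m.group("kv").split("|") if "=" in f)

def parse_log(text):
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]

def lockdown_preview(events):
    """Binaries that ran only because monitor mode allowed them (no rule matched).
    These are what lockdown mode would block, keyed by sha256 with path and run count."""
    hits = {}
    for ev in events:
        if ev.get("action") == "EXEC" and ev.get("decision") == "ALLOW" and ev.get("reason") == "UNKNOWN":
            entry = hits.setdefault(ev["sha256"], {"path": ev.get("path"), "count": 0})
            entry["count"] += 1
    return hits

def decision_counts(events):
    """How often each (decision, reason) pair occurred, for a quick overview."""
    return Counter((ev.get("decision"), ev.get("reason")) for ev in events if ev.get("action") == "EXEC")

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(decision_counts(evs))
    for digest, info in lockdown_preview(evs).items():
        print(f"would be blocked in lockdown: {info['path']} sha256={digest} ({info['count']} runs)")
```

Each sha256 reported by lockdown_preview is a candidate for a whitelist rule (or, for unexpected binaries, an investigation) before lockdown mode is enabled.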

Santa consists of several daemons, a small GUI and santactl, the command-line tool used to talk to the daemons. The black- and whitelists are managed with santactl (rule changes require root):

# whitelist a file by its SHA-256 hash (santactl computes the hash from the path)
$ sudo santactl rule --whitelist --path "/path/to/bundle/or/file"
# whitelist every binary signed with the same certificate as this file
$ sudo santactl rule --whitelist --certificate --path "/path/to/bundle/or/file"

Using santactl you can also query the daemon's status, inspect file information (hash, signing chain and matching rule) and check sync progress.

Corporate users will love sync, which allows central management of the white- and blacklists. Generated events are uploaded to the sync server, which can then produce statistics and data on executed and blocked binaries. There are multiple open-source sync servers that can be used to manage lists and show events.

I have been a happy Google Santa user for a few years now; it gives me insight into and control over the binaries being executed. There is much more to be told about this application, so take a look at the docs for more information.

References

  • https://github.com/google/santa
  • https://santa.readthedocs.io/en/latest/?badge=latest
Remco

ISC Handler
