GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → google → Santa

google / Santa

Licence: apache-2.0
A binary authorization system for macOS

Programming Languages

objective c
16641 projects - #2 most used programming language
Objective-C++
1391 projects
C++
36643 projects - #6 most used programming language
Starlark
911 projects
shell
77523 projects
c
50402 projects - #5 most used programming language

Labels

securitymacosauthorizationblocklistsantakextkernel-extensionallowlistsystem-extension

Projects that are alternatives of or similar to Santa

Filterlist-for-AdGuard-or-PiHole
A very aggressive filter-list that consolidates over 370 lists for use in AdGuard Home, Pi-Hole or similar.
Stars: ✭ 349 (-90.27%)
Mutual labels:  blocklist, allowlist
Itlwm
Intel Wi-Fi Drivers for macOS
Stars: ✭ 5,126 (+42.94%)
Mutual labels:  kext, kernel-extension
Karabiner-VirtualHIDDevice
Karabiner-VirtualHIDDevice is a virtual HID device driver for macOS.
Stars: ✭ 49 (-98.63%)
Mutual labels:  kext, kernel-extension
Intelbluetoothfirmware
Intel Bluetooth Drivers for macOS
Stars: ✭ 1,816 (-49.36%)
Mutual labels:  kext, kernel-extension
AzulPatcher4600
Lilu plugin which applies common patches for the mobile HD4600 iGPU
Stars: ✭ 17 (-99.53%)
Mutual labels:  kext, kernel-extension
JWTweak
Detects the algorithm of input JWT Token and provide options to generate the new JWT token based on the user selected algorithm.
Stars: ✭ 85 (-97.63%)
Mutual labels:  authorization
Fullstack Apollo Express Mongodb Boilerplate
💥A sophisticated GraphQL with Apollo, Express and MongoDB boilerplate project.
Stars: ✭ 301 (-91.61%)
Mutual labels:  authorization
keycloak-restrict-client-auth
A Keycloak authenticator to restrict authorization on clients
Stars: ✭ 34 (-99.05%)
Mutual labels:  authorization
RoleBasedAuthWithBlazor
Companion code sample for my blog post - Configuring Role-based Authorization with client-side Blazor
Stars: ✭ 22 (-99.39%)
Mutual labels:  authorization
Xorm Adapter
Xorm adapter for Casbin
Stars: ✭ 329 (-90.83%)
Mutual labels:  authorization
Keycloak Nodejs Admin Client
🔑 NodeJS keycloak admin client
Stars: ✭ 309 (-91.38%)
Mutual labels:  authorization
Express Graphql Mongodb Boilerplate
A boilerplate for Node.js apps / GraphQL-API / Authentication from scratch - express, graphql - (graphql compose), mongodb (mongoose).
Stars: ✭ 288 (-91.97%)
Mutual labels:  authorization
Ember Can
Simple authorisation addon for Ember apps
Stars: ✭ 262 (-92.69%)
Mutual labels:  authorization
Securing Restful Apis With Jwt
How to secure a Nodejs RESTful CRUD API using JSON web tokens?
Stars: ✭ 301 (-91.61%)
Mutual labels:  authorization
approver-policy
approver-policy is a cert-manager approver that allows users to define policies that restrict what certificates can be requested.
Stars: ✭ 37 (-98.97%)
Mutual labels:  authorization
Grant
OAuth Proxy
Stars: ✭ 3,509 (-2.15%)
Mutual labels:  authorization
jwt-go
The easiest JWT library to GO
Stars: ✭ 15 (-99.58%)
Mutual labels:  authorization
Stuntman
Library for impersonating users during development leveraging ASP.NET Identity.
Stars: ✭ 285 (-92.05%)
Mutual labels:  authorization
Oxauth
OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)
Stars: ✭ 308 (-91.41%)
Mutual labels:  authorization
Casl
CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access
Stars: ✭ 3,610 (+0.67%)
Mutual labels:  authorization
View All Similar Projects ➔

Santa CI Coverage Status

Santa Icon

Santa is a binary authorization system for macOS. It consists of a system or kernel extension (depending on the macOS version) that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

It is named Santa because it keeps track of binaries that are naughty or nice.

Docs

The Santa docs are stored in the Docs directory and published at http://santa.dev.

The docs include deployment options, details on how parts of Santa work and instructions for developing Santa itself.

Get Help

If you have questions or otherwise need help getting started, the santa-dev group is a great place.

If you believe you have a bug, feel free to report an issue and we'll respond as soon as we can.

If you believe you've found a vulnerability, please read the security policy for disclosure reporting.

Features

  • Multiple modes: In the default MONITOR mode, all binaries except those marked as blocked will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only listed binaries are allowed to run.

  • Event logging: When the kext is loaded, all binary launches are logged. When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.

  • Certificate-based rules, with override levels: Instead of relying on a binary's hash (or 'fingerprint'), executables can be allowed/blocked by their signing certificate. You can therefore allow/block all binaries by a given publisher that were signed with that cert across version updates. A binary can only be allowed by its certificate if its signature validates correctly but a rule for a binary's fingerprint will override a decision for a certificate; i.e. you can allowlist a certificate while blocking a binary signed with that certificate, or vice-versa.

  • Path-based rules (via NSRegularExpression/ICU): This allows a similar feature to that found in Managed Client (the precursor to configuration profiles, which used the same implementation mechanism), Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and not relying on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precedence.

  • Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore automatically allowed. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps. Likewise, you cannot block Santa itself, and Santa uses a distinct separate cert than other Google apps.

  • Userland components validate each other: each of the userland components (the daemon, the GUI agent and the command-line utility) communicate with each other using XPC and check that their signing certificates are identical before any communication is accepted.

  • Caching: allowed binaries are cached so the processing required to make a request is only done if the binary isn't already cached.

Intentions and Expectations

No single system or process will stop all attacks, or provide 100% security. Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system. As a centrally managed component, Santa can help stop the spread of malware among a large fleet of machines. Independently, Santa can aid in analyzing what is running on your computer.

Santa is part of a defense-in-depth strategy, and you should continue to protect hosts in whatever other ways you see fit.

Security and Performance-Related Features

Known Issues

  • Santa only blocks execution (execve and variants), it doesn't protect against dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or libraries loaded using DYLD_INSERT_LIBRARIES.

  • Scripts: Santa is currently written to ignore any execution that isn't a binary. This is because after weighing the administration cost vs the benefit, we found it wasn't worthwhile. Additionally, a number of applications make use of temporary generated scripts, which we can't possibly allowlist and not doing so would cause problems. We're happy to revisit this (or at least make it an option) if it would be useful to others.

Sync Servers

  • The santactl command-line client includes a flag to synchronize with a management server, which uploads events that have occurred on the machine and downloads new rules. There are several open-source servers you can sync with:

    • Moroz - A simple golang server that serves hardcoded rules from simple configuration files.
    • Rudolph - An AWS-based serverless sync service primarily built on API GW, DynamoDB, and Lambda components to reduce operational burden. Rudolph is designed to be fast, easy-to-use, and cost-efficient.
    • Zentral - A centralized service that pulls data from multiple sources and deploy configurations to multiple services.
    • Zercurity - A dockerized service for managing and monitoring applications across a large fleet utilizing Santa + Osquery.

  • Alternatively, santactl can configure rules locally (without a sync server).

Screenshots

A tool like Santa doesn't really lend itself to screenshots, so here's a video instead.

Santa Block Video

Contributing

Patches to this project are very much welcome. Please see the CONTRIBUTING doc.

Disclaimer

This is not an official Google product.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].