What is Google Santa?

Zercurity
5 min readJan 29, 2018

--

Google Santa, is an application whitelisting and blacklisting service for Mac OSX. Application whitelisting and blacklisting is a technique where you can deem applications to be either trustworthy. Therefore, allowing the execution of an application. Or by blacklisting the application you prevent its execution.

It’s called Santa because it keeps track of which applications are nice (whitelisting) and those that are bad (blacklisting).

Google Santa consists of a kernel extension that monitors system application execution. A userland daemon that makes execution decisions based on the contents of a local SQLite database. Users are notified via a popup if the application was blocked from running. This alert can be made silent.

Why would I want to whitelist/blacklist applications?

The two main reasons are thus:

Security. Prevent unknown and potentially malicious applications for either being installed or run. Either with or without the user's permission or knowledge. Applications must be explicitly added to Santa’s whitelist in order to run.

User application policy management. Within an organisation, you may want to allow users to only run approved and vetted applications on their machines based on their business role.

How do I get started?

You can get started by downloading and installing Google Santa from https://github.com/google/santa/releases. Once installed you can run the command santactl from your Mac’s terminal.

Usage: santactl:
fileinfo — Prints information about a file.
rule — Manually add/remove/check rules.
status — Show Santa status information.
sync — Synchronizes Santa with a configured server.
version — Show Santa component versions.

The santactl command allows you to manage your application execution policies through the rule argument. Santa also provides a useful tool with the fileinfo argument. You can use this to inspect applications and binaries.

Whitelisting applications

After installing Santa, Google Chrome will no longer run. This may be the case for other applications as well. To resolve this you will need to add Google Chrome to Santa’s whitelist.

Firstly, we’ll need to get either the applications hash (SHA256). Used to uniquely identify applications. Or the applications signing certificate.

Certificates are used by developers to cryptographically sign their applications. These signatures can be used to verify the developers of applications. Thereby preventing other developers from claiming ownership of potentially malicious variants. By whitelisting a developers certificate. You can derive trust for all of the future applications signed by the same certificate. This means that you don’t have to continually trust updated versions of applications. They’ll be automatically trusted, provided they were signed by the same certificate.

To start, you can use the santactl fileinfo /Applications/Google\ Chrome.app/ command to interrogate the Google Chrome application. You can substitute any Mac OSX binary or application bundle you like. You’ll end up with something similar to this. Note the parts highlighted in bold.

Path                 : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
SHA-256 : 3f8d74263690ff3b5de96e2af0c4ef81dfd8cd3a1f240fc988c7f23507b206bd
SHA-1 : 99238d0ec393f347e2b55b44344eba49073478e7
Bundle Name : Google Chrome
Bundle Version : 3239.132
Bundle Version Str : 63.0.3239.132
Type : Executable (x86-64)
Code-signed : Yes
Rule : Whitelisted (Binary)
Signing Chain:1. SHA-256 : 345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5
SHA-1 : c9a99324ca3fcb23dbcc36bd5fd4f9753305130a
Common Name : Developer ID Application: Google, Inc. (EQHXZ8M8AV)
Organization : Google, Inc.
Organizational Unit : EQHXZ8M8AV
Valid From : 2017/03/09 21:08:37 +0000
Valid Until : 2022/03/10 21:08:37 +0000
2. SHA-256 : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
SHA-1 : 3b166c3b7dc4b751c9fe2afab9135641e388e186
Common Name : Developer ID Certification Authority
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2012/02/01 22:12:15 +0000
Valid Until : 2027/02/01 22:12:15 +0000
3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
Common Name : Apple Root CA
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2006/04/25 22:40:36 +0100
Valid Until : 2035/02/09 21:40:36 +0000

Now, if we just want to trust Google Chrome application as a one-off. We need to take the application’s SHA256. Provided in the output above. This will add Google Chrome to Santa’s whitelist. Meaning that Google Chrome will now run. Enter the command below into your terminal.

sudo santactl rule add --whitelist --sha256 3f8d74263690ff3b5de96e2af0c4ef81dfd8cd3a1f240fc988c7f23507b206bd

However, the problem with this is that if Google Chrome releases an update we’ll have to get the SHA256 of the application again. Then once again, add the new SHA256 to Santa’s whitelist.

To prevent us having to do this with each update of Google Chrome we can opt to whitelist the applications developer certificate. This means each time the developer signs an application with their certificate it will be automatically whitelisted.

sudo santactl rule add --whitelist --certificate 345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5

Blacklisting applications

If you want to prohibit an application from running you can repeat the same steps as described above. Using the --blacklist flag instead of the --whitelist flag. You can also use the --message flag to display a message to user explaining why the application was prevented from executing.

Santa’s configuration

By default, Santa starts in MONITOR mode. Which means that applications will run by default. Unless they are explicitly blacklisted or are not signed with a certificate.

Santa can be moved into a more aggressive LOCKDOWN mode which blocks all applications by default unless they are whitelisted. You’ll most likely want to do this to stop users from installing or running unknown applications.

To put Santa in LOCKDOWN mode you’ll need to modify Santa’s configuration. Firstly, you’ll need to stop the Santa service.

sudo /sbin/kextunload -b com.google.santa-driver
sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist
sudo /bin/launchctl unload /Library/LaunchAgents/com.google.santagui.plist

You can edit the configuration file with vim in order to change the mode. A full list of Santa’s configuration properties are available here: https://santa.readthedocs.io/en/latest/deployment/configuration/

sudo vim /private/var/db/santa/config.plist

However, to quickly put Santa into LOCKDOWN mode you can run the following command:

sudo defaults write /private/var/db/santa/config.plist ClientMode -int 2

Santa will now be in LOCKDOWN mode. Now start the Santa service back up.

sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
sudo /sbin/kextload -b com.google.santa-driver
sudo /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist

All applications will now need to be explicitly added to Santa’s whitelist. To put Santa back in MONITOR mode run:

sudo defaults write /private/var/db/santa/config.plist ClientMode -int 1

Remote management of Santa

By design, Santa is a standalone service and does not come with a management server. Though does provide the functionality for Santa to talk to a remote server (via REST) to download whitelist and blacklist definitions.

Zercurity provides a quick and easy SaaS platform to manage all your Mac OSX endpoints, through one single interface. All included within a simple installer too. Zercurity can manage and monitor your whitelists and blacklists, with cascading policy support through and across teams. It’s free to signup and you get 5 hosts included free.

--

--