Google Santa is an application whitelisting and blacklisting service for Mac OSX. Application whitelisting and blacklisting is a technique for deeming an application either trustworthy, in which case it is allowed to execute, or untrustworthy, in which case its execution is blocked.

It’s called Santa because it keeps track of which applications are nice (whitelisting) and those that are bad (blacklisting).

Google Santa consists of a kernel extension that monitors application execution on the system and a userland daemon that makes the allow/deny decision based on the contents of a local SQLite rule database. Users are notified via a popup when an application is blocked from running; this alert can be made silent.

Why would I want to whitelist/blacklist applications?

There are two main reasons:

Security. Prevent unknown and potentially malicious applications from running, whether or not the user gave permission or even knew about them. In LOCKDOWN mode (see below) an application must be explicitly added to Santa’s whitelist in order to run.

User application policy management. Within an organisation, you may want to allow users to only run approved and vetted applications on their machines based on their business role.

How do I get started?

You can get started by downloading and installing Google Santa from https://github.com/google/santa/releases. Once installed, Santa’s command-line tool can be run from your Mac’s terminal.

The tool lets you manage your application execution policies (rules) through one argument, and provides another argument for inspecting applications and binaries.

Whitelisting applications

After installing Santa, Google Chrome will no longer run, and the same may be true of other applications. To resolve this you need to add Google Chrome to Santa’s whitelist.

First, we need either the application’s SHA256 hash, which uniquely identifies that exact binary, or the application’s signing certificate.

Certificates are used by developers to cryptographically sign their applications. The signature lets you verify who built an application, which prevents other developers from passing off a potentially malicious variant as the genuine product. By whitelisting a developer’s certificate you derive trust for every application signed by that certificate, including future versions, so you don’t have to re-trust each update: it is trusted automatically provided it was signed with the same certificate. The flip side is that a certificate rule trusts everything that developer signs with that certificate, not only the one application you inspected, so only whitelist certificates belonging to developers you trust wholesale.

To start, use the inspection argument to interrogate the Google Chrome application; you can substitute any Mac OSX binary or application bundle you like. You’ll end up with output similar to this. Note the binary’s SHA256 and the signing certificate details in the output.

If we just want to trust this build of Google Chrome as a one-off, we take the application’s SHA256 from the output above and add it to Santa’s whitelist, after which Google Chrome will run. Enter the command below into your terminal.

The problem with this is that whenever Google Chrome releases an update the binary changes, and so does its SHA256, so we would have to get the new SHA256 and add it to Santa’s whitelist all over again.

To avoid doing this for every Google Chrome update we can instead whitelist the application’s developer certificate. Anything the developer subsequently signs with that certificate is then whitelisted automatically.

Blacklisting applications

If you want to prohibit an application from running, repeat the same steps as described above using the blacklist flag in place of the whitelist flag. There is also a message flag that sets a message shown to the user explaining why the application was prevented from executing.
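The whitelisting and blacklisting steps above, as an added example that is not code from the original post or from the Santa project. It pulls the binary’s SHA256 and the leaf signing certificate’s SHA256 out of the inspection output and composes the matching rule command. Assumptions: the sample output below is constructed to approximate the layout of Santa’s fileinfo output (placeholder hashes, not real Chrome values); entry 1 of the signing chain is the leaf certificate, which is what Santa’s certificate rules key on; and the flags are Santa’s classic rule syntax (--whitelist, --blacklist, --certificate, --sha256, --message), which later Santa releases renamed. Commands are printed and only executed when SANTA_APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original post or the Santa project.
# Composes Santa rule commands from `santactl fileinfo` output.

# Constructed sample approximating `santactl fileinfo` output for an app bundle.
# Hashes and the developer name are placeholders, not real Chrome values.
SAMPLE_FILEINFO='Path                 : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
SHA-256              : 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SHA-1                : 0123456789abcdef0123456789abcdef01234567
Bundle Name          : Google Chrome
Type                 : Executable (x86-64)
Code-signed          : Yes
Rule                 : Blacklisted (Unknown)
Signing Chain:
     1. SHA-256             : fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
        Common Name         : Developer ID Application: Example Developer (ABCDE12345)
     2. SHA-256             : 1111111111111111111111111111111111111111111111111111111111111111
        Common Name         : Developer ID Certification Authority'

# binary_sha256 FILEINFO -> SHA-256 of the executable itself
# (the top-level SHA-256 row, before the signing chain starts).
binary_sha256() {
  printf '%s\n' "$1" | awk '
    /^Signing Chain:/ { exit }
    $1 == "SHA-256" { print $3; exit }'
}

# leaf_cert_sha256 FILEINFO -> SHA-256 of entry 1 in the signing chain,
# the leaf certificate (assumed here to be what certificate rules match on).
leaf_cert_sha256() {
  printf '%s\n' "$1" | awk '
    /^Signing Chain:/ { chain = 1; next }
    chain && $1 == "1." && $2 == "SHA-256" { print $4; exit }'
}

# santa_rule ACTION SCOPE FILEINFO [MESSAGE]
#   ACTION: whitelist | blacklist
#   SCOPE : binary      -> rule on this exact executable's hash
#           certificate -> rule on the leaf signing certificate
# Prints the santactl command it would run; runs it (as root) only if SANTA_APPLY=1.
santa_rule() {
  action=$1; scope=$2; info=$3; message=$4
  case "$action" in
    whitelist|blacklist) ;;
    *) echo "bad action: $action (expected whitelist or blacklist)" >&2; return 2 ;;
  esac
  case "$scope" in
    binary)      hash=$(binary_sha256 "$info") ;;
    certificate) hash=$(leaf_cert_sha256 "$info") ;;
    *) echo "bad scope: $scope (expected binary or certificate)" >&2; return 2 ;;
  esac
  # Refuse to emit a rule if parsing failed: a missing or malformed hash must
  # never turn into a rule that matches nothing (or the wrong thing).
  case "$hash" in
    ""|*[!0-9a-f]*) echo "could not parse a SHA-256 from the fileinfo output" >&2; return 1 ;;
  esac
  if [ "${#hash}" -ne 64 ]; then
    echo "unexpected hash length ${#hash}" >&2; return 1
  fi
  set -- santactl rule "--$action"
  if [ "$scope" = certificate ]; then set -- "$@" --certificate; fi
  set -- "$@" --sha256 "$hash"
  if [ -n "$message" ]; then set -- "$@" --message "$message"; fi
  printf '%s\n' "$*"
  if [ "${SANTA_APPLY:-0}" = 1 ]; then sudo "$@"; fi
}

# Usage (dry run): one-off trust by hash, durable trust by certificate,
# and a blacklist rule with an explanation for the user.
santa_rule whitelist binary      "$SAMPLE_FILEINFO"
santa_rule whitelist certificate "$SAMPLE_FILEINFO"
santa_rule blacklist binary      "$SAMPLE_FILEINFO" "Not approved for use on this machine"
```

On a real host replace the sample with `santactl fileinfo "/Applications/Google Chrome.app"` captured into a variable and set SANTA_APPLY=1. The hash-scoped rule stops matching at the next Chrome update; the certificate-scoped rule survives updates but also covers every other binary that developer signs with the same certificate.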

Santa’s configuration

By default, Santa starts in MONITOR mode, in which applications run by default unless they have been explicitly blacklisted.

Santa can be moved into the more aggressive LOCKDOWN mode, which blocks every application by default unless it has been whitelisted. You’ll most likely want this to stop users from installing or running unknown applications. Make sure the applications your users depend on already have whitelist rules before switching, because they will be blocked as soon as the daemon comes back up in LOCKDOWN.

To put Santa in LOCKDOWN mode you’ll need to modify Santa’s configuration. Firstly, you’ll need to stop the Santa service.

You can edit the configuration file to change the mode. A full list of Santa’s configuration properties is available here: https://santa.readthedocs.io/en/latest/deployment/configuration/

However, to quickly put Santa into LOCKDOWN mode you can run the following command:

Santa will now be in LOCKDOWN mode. Now start the Santa service back up.

All applications will now need to be explicitly added to Santa’s whitelist. To put Santa back in MONITOR mode run:
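The mode-switching procedure above (stop the service, change the mode, start it again), as an added example that is not code from the original post or from the Santa project. Assumptions, all taken from Santa’s documentation for the releases this post describes and labelled in the code: the configuration lives at /var/db/santa/config.plist, ClientMode is 1 for MONITOR and 2 for LOCKDOWN, and the daemon is the com.google.santad LaunchDaemon. The sample status output is constructed to approximate the layout of `santactl status`. Commands are printed and only executed when SANTA_APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original post or the Santa project.
# Switches Santa between MONITOR and LOCKDOWN and verifies the result.
# Assumed defaults (override via environment if your deployment differs):
SANTA_CONFIG=${SANTA_CONFIG:-/var/db/santa/config.plist}
SANTA_DAEMON=${SANTA_DAEMON:-/Library/LaunchDaemons/com.google.santad.plist}

# Constructed sample approximating `santactl status` output.
SAMPLE_STATUS='>>> Daemon Info
  Mode                   | Lockdown
  File Logging           | Yes
>>> Database Info
  Binary Rules           | 3
  Certificate Rules      | 1
  Events Pending Upload  | 0'

# run CMD... -> print the command; execute it only when SANTA_APPLY=1.
run() {
  printf '%s\n' "$*"
  if [ "${SANTA_APPLY:-0}" = 1 ]; then "$@"; fi
}

# client_mode_int NAME -> ClientMode integer (assumed 1 = MONITOR, 2 = LOCKDOWN).
# Anything else fails loudly so a typo in a deployment script cannot silently
# leave hosts in MONITOR.
client_mode_int() {
  case "$1" in
    MONITOR|monitor)   echo 1 ;;
    LOCKDOWN|lockdown) echo 2 ;;
    *) echo "unknown mode: $1 (expected MONITOR or LOCKDOWN)" >&2; return 2 ;;
  esac
}

# status_field STATUS NAME -> trimmed value after '|' on the NAME row.
status_field() {
  printf '%s\n' "$1" | awk -F'|' -v name="$2" '
    { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
    key == name { val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); print val; exit }'
}

# rule_count STATUS -> binary rules + certificate rules in the local database.
rule_count() {
  b=$(status_field "$1" "Binary Rules"); c=$(status_field "$1" "Certificate Rules")
  echo $(( ${b:-0} + ${c:-0} ))
}

# verify_mode NAME STATUS -> succeeds only if the daemon reports mode NAME.
verify_mode() {
  mode=$(client_mode_int "$1") || return $?
  case "$(status_field "$2" Mode)" in
    Monitor)  [ "$mode" -eq 1 ] ;;
    Lockdown) [ "$mode" -eq 2 ] ;;
    *) echo "could not read Mode from santactl status output" >&2; return 1 ;;
  esac
}

# set_client_mode NAME STATUS -> stop daemon, write ClientMode, start daemon.
# STATUS is the current `santactl status` output, passed in so the safety
# check can be exercised offline. Refuses LOCKDOWN when the database holds
# no rules at all, since that would block everything not whitelisted.
set_client_mode() {
  want=$1; status=$2
  mode=$(client_mode_int "$want") || return $?
  if [ "$mode" -eq 2 ] && [ "$(rule_count "$status")" -eq 0 ] && [ "${SANTA_FORCE:-0}" != 1 ]; then
    echo "refusing LOCKDOWN: no rules in the database (set SANTA_FORCE=1 to override)" >&2
    return 1
  fi
  run sudo launchctl unload "$SANTA_DAEMON"
  run sudo defaults write "$SANTA_CONFIG" ClientMode -int "$mode"
  run sudo launchctl load "$SANTA_DAEMON"
  # Verify against the live daemon rather than the plist: a wrong config
  # path or a daemon that failed to restart would otherwise go unnoticed.
  if [ "${SANTA_APPLY:-0}" = 1 ]; then verify_mode "$want" "$(santactl status)"; fi
}

# Usage (dry run): print the LOCKDOWN sequence, then check the sample status.
set_client_mode LOCKDOWN "$SAMPLE_STATUS"
verify_mode LOCKDOWN "$SAMPLE_STATUS" && echo "daemon reports LOCKDOWN"
```

To switch back, call `set_client_mode MONITOR "$(santactl status)"` with SANTA_APPLY=1. The rule-count guard is this example’s own precaution, not a Santa feature; it exists because a host in LOCKDOWN with an empty rule database blocks every application that is not whitelisted.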

Remote management of Santa

By design, Santa is a standalone service and does not come with a management server. It does, however, provide the functionality for Santa to talk to a remote server (via REST) to download whitelist and blacklist definitions.

Zercurity provides a quick and easy SaaS platform to manage all your Mac OSX endpoints through one single interface, all included within a simple installer. Zercurity can manage and monitor your whitelists and blacklists, with cascading policy support through and across teams. It’s free to sign up and you get 5 hosts included free.

Real-time security and compliance delivered.