What is Google Santa?

Why would I want to whitelist/blacklist applications?

How do I get started?

Usage: santactl:
    fileinfo - Prints information about a file.
    rule - Manually add/remove/check rules.
    status - Show Santa status information.
    sync - Synchronizes Santa with a configured server.
    version - Show Santa component versions.

Whitelisting applications

Path                 : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
SHA-256              : 3f8d74263690ff3b5de96e2af0c4ef81dfd8cd3a1f240fc988c7f23507b206bd
SHA-1                : 99238d0ec393f347e2b55b44344eba49073478e7
Bundle Name          : Google Chrome
Bundle Version       : 3239.132
Bundle Version Str   : 63.0.3239.132
Type                 : Executable (x86-64)
Code-signed          : Yes
Rule                 : Whitelisted (Binary)
Signing Chain:
    1. SHA-256             : 345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5
       SHA-1               : c9a99324ca3fcb23dbcc36bd5fd4f9753305130a
       Common Name         : Developer ID Application: Google, Inc. (EQHXZ8M8AV)
       Organization        : Google, Inc.
       Organizational Unit : EQHXZ8M8AV
       Valid From          : 2017/03/09 21:08:37 +0000
       Valid Until         : 2022/03/10 21:08:37 +0000
    2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       SHA-1               : 3b166c3b7dc4b751c9fe2afab9135641e388e186
       Common Name         : Developer ID Certification Authority
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2012/02/01 22:12:15 +0000
       Valid Until         : 2027/02/01 22:12:15 +0000
    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       SHA-1               : 611e5b662c593a08ff58d14ae22452d198df6c60
       Common Name         : Apple Root CA
       Organization        : Apple Inc.
       Organizational Unit : Apple Certification Authority
       Valid From          : 2006/04/25 22:40:36 +0100
       Valid Until         : 2035/02/09 21:40:36 +0000
sudo santactl rule add --whitelist --sha256 3f8d74263690ff3b5de96e2af0c4ef81dfd8cd3a1f240fc988c7f23507b206bd
sudo santactl rule add --whitelist --certificate 345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5
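The two rule commands above are built from values copied by hand out of the `santactl fileinfo` output. As an added example (not code from this post or from the Santa project), the POSIX shell script below parses that output format and pulls out the two hashes a whitelist rule can be keyed on: the binary's own SHA-256, and the SHA-256 of chain item 1, the leaf certificate that signed the binary. The sample input is the Google Chrome output from this post, embedded as a constructed string so the script runs offline; the helper names (`binary_sha256`, `leaf_cert_sha256`, `is_sha256`, `rule_commands`) are this example's own. It prints the `santactl rule add` commands rather than executing them.

```shell
#!/bin/sh
# Added example, not code from the Zercurity post or the Santa project.
# Extracts rule material from `santactl fileinfo` output and prints the
# matching `santactl rule add` commands (printed, not executed).

# Constructed sample: the post's Google Chrome fileinfo output, trimmed to
# the fields the parser cares about.
SAMPLE_FILEINFO='Path                 : /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
SHA-256              : 3f8d74263690ff3b5de96e2af0c4ef81dfd8cd3a1f240fc988c7f23507b206bd
SHA-1                : 99238d0ec393f347e2b55b44344eba49073478e7
Bundle Name          : Google Chrome
Bundle Version Str   : 63.0.3239.132
Code-signed          : Yes
Rule                 : Whitelisted (Binary)
Signing Chain:
    1. SHA-256             : 345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5
       SHA-1               : c9a99324ca3fcb23dbcc36bd5fd4f9753305130a
       Common Name         : Developer ID Application: Google, Inc. (EQHXZ8M8AV)
    2. SHA-256             : 7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f
       Common Name         : Developer ID Certification Authority
    3. SHA-256             : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
       Common Name         : Apple Root CA'

# binary_sha256 OUTPUT: the file's own SHA-256, i.e. the first SHA-256 line
# that appears before the "Signing Chain:" marker.
binary_sha256() {
  printf '%s\n' "$1" | awk -F': *' '
    /^Signing Chain/ { exit }
    $1 ~ /SHA-256/   { print $2; exit }'
}

# leaf_cert_sha256 OUTPUT: SHA-256 of chain item 1, the certificate that
# directly signed the binary. A --certificate rule keyed on it matches every
# binary signed by that certificate, not just this one file.
leaf_cert_sha256() {
  printf '%s\n' "$1" | awk -F': *' '
    in_chain && $1 ~ /SHA-256/ { print $2; exit }
    /^Signing Chain/            { in_chain = 1 }'
}

# is_sha256 HASH: refuse to build a command from anything that is not
# 64 lowercase hex characters (guards against a mis-parsed line).
is_sha256() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# rule_commands OUTPUT: print the two whitelist commands from the post,
# one keyed on the binary hash and one on the leaf certificate hash.
# Returns 1 (with a message on stderr) if either hash cannot be found.
rule_commands() {
  bin=$(binary_sha256 "$1")
  cert=$(leaf_cert_sha256 "$1")
  is_sha256 "$bin"  || { echo "no binary SHA-256 found in input" >&2; return 1; }
  is_sha256 "$cert" || { echo "no certificate SHA-256 found in input" >&2; return 1; }
  printf 'sudo santactl rule add --whitelist --sha256 %s\n' "$bin"
  printf 'sudo santactl rule add --whitelist --certificate %s\n' "$cert"
}

rule_commands "$SAMPLE_FILEINFO"
```

On a Mac the string would come from `santactl fileinfo <path>` instead of the embedded sample. The distinction between the two hashes is the point worth checking before adding a rule: the `--sha256` rule covers exactly this build of the binary and stops matching on the next update, while the `--certificate` rule keyed on the leaf certificate covers everything that certificate has signed or will sign, so it is the broader grant of the two.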

Blacklisting applications

Santa’s configuration

sudo /sbin/kextunload -b com.google.santa-driver
sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist
sudo /bin/launchctl unload /Library/LaunchAgents/com.google.santagui.plist
sudo vim /private/var/db/santa/config.plist
sudo defaults write /private/var/db/santa/config.plist ClientMode -int 2
sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
sudo /sbin/kextload -b com.google.santa-driver
sudo /bin/launchctl load /Library/LaunchAgents/com.google.santagui.plist
sudo defaults write /private/var/db/santa/config.plist ClientMode -int 1

Remote management of Santa

Zercurity