About Google Santa

Santa is a whitelisting and blacklisting daemon for OS X, used by Google internally and maintained by the Google Macintosh Operations Team. Happily, they have open-sourced the code on GitHub. There are plans to let Santa synchronise rules from a management server, but this is still a work in progress.

Shameless copy from the Github page:
Santa is a binary whitelisting/blacklisting system for Mac OS X. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

Installation:

Download the release from GitHub and install it by executing the following commands.

tar vxf santa-0.7.tar.bz2  
cd santa-0.7

# copy configs
sudo cp conf/com.google.santad.plist /Library/LaunchDaemons  
sudo cp conf/com.google.santasync.plist /Library/LaunchDaemons  
sudo cp conf/com.google.santagui.plist /Library/LaunchAgents  
sudo cp conf/com.google.santa.asl.conf /etc/asl  
sudo cp conf/config.plist /var/db/santa/config.plist

# set permissions
sudo chmod 600 /var/db/santa/config.plist  
sudo chown root:wheel /var/db/santa/config.plist

# copy binaries
sudo cp -r binaries/santa-driver.kext /  
sudo cp -r binaries/Santa.app /Applications  
sudo cp -r binaries/santad /usr/libexec  
sudo cp -r binaries/santactl /usr/sbin

# install kernel driver
sudo kextload /santa-driver.kext  
sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist  
open /Applications/Santa.app  

Status:

Now you can verify the status of Santa using santactl.

~/D/santa-0.7 ❯❯❯ santactl status
>>> Versions
santa-driver version           | 0.7  
santad version                 | 0.7  
santactl version               | 0.7  
SantaGUI version               | 0.7

>>> Kernel Info
Kernel cache count             | 44

>>> Database Info
Binary Rules                   | 0  
Certificate Rules              | 2  
Events Pending Upload          | 4  

Reloading

Reloading is currently done by unloading and loading the daemon and kernel extension:

sudo kextunload /santa-driver.kext  
sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null  
sudo kextload /santa-driver.kext  
sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist  

Configuration

The file /var/db/santa/config.plist contains the configuration. For a complete list of configuration keys, see Configuration-Keys. By default Santa starts in Monitor mode (ClientMode is set to 1). If you change ClientMode to 2, Santa runs in Lockdown mode and denies every binary that has no allow rule.

Logging

Every application you open is checked by Santa first. You can verify this by tailing /var/log/santa.log.

~/D/santa-0.7 ❯❯❯ tail /var/log/santa.log
[2014-12-13 13:32:48.319Z] I santad: A,C,d91a648d1d15c72fd2b4b9b9d3e995b8743871b1,/usr/bin/du,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:33:14.756Z] I santad: A,C,beea38aed6a868da1e244190b71633b1d8d97d02,/bin/cat,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:34:28.578Z] I santad: A,C,78c2832ac4c7cb8c62a6ab2e27bfc8eda75c3ca2,/usr/bin/find,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:34:28.593Z] I santad: A,C,ba899fd82019d6b37f2a35ee6249a019aeff1219,/usr/bin/grep,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:35:00.450Z] I santad: A,C,622a1048d40d0a45560a8152cef9ca570f2a991d,/usr/bin/tail,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:35:23.003Z] I santad: A,C,dfc46609ad71c5387ce6400207fbf16d4ad73f04,/usr/bin/wc,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing

Database

All events and rules are stored in the Santa databases. These files are secured by setting the permissions to 0755 for user root and group wheel. The database files are located at:

  • /var/db/santa/rules.db: contains the rules for certificates and binaries
  • /var/db/santa/events.db: contains all occurred events
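Because Santa's decisions depend on these files, it is worth checking that their ownership and mode stay as the install steps set them. The audit below is an added example, not part of Santa; it takes the expected values from this page (config.plist at 600 root:wheel, the two databases at 0755 root:wheel) and also flags any file that is group- or world-writable. The expected uid and gid are parameters so the `demo()` function can exercise the checker on throwaway copies owned by the current user, with one deliberate mistake built in.

```python
"""Audit ownership and mode of Santa's on-disk files (added example, not Santa's code)."""
import os
import stat
import tempfile

# Expected mode per file, as stated above; owner root (uid 0) and group wheel (gid 0).
SANTA_FILES = {
    "/var/db/santa/config.plist": 0o600,
    "/var/db/santa/rules.db": 0o755,
    "/var/db/santa/events.db": 0o755,
}


def check_file(path, expected_mode, expected_uid=0, expected_gid=0):
    """Return a list of findings for one file; an empty list means it is as expected."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    # Writable by group or others is the finding that matters most, whatever the exact mode.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"{path}: group gid {st.st_gid}, expected {expected_gid}")
    return findings


def audit(files=SANTA_FILES, expected_uid=0, expected_gid=0):
    """Check every file in `files` ({path: expected_mode}) and collect all findings."""
    findings = []
    for path, mode in files.items():
        findings.extend(check_file(path, mode, expected_uid, expected_gid))
    return findings


def demo():
    """Create constructed copies of the three files in a temp dir, with events.db
    deliberately set to 0666, and audit them against the expectations above."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {}
        for name, mode in (("config.plist", 0o600), ("rules.db", 0o755), ("events.db", 0o666)):
            p = os.path.join(tmp, name)
            with open(p, "w") as fh:
                fh.write("constructed placeholder\n")
            os.chmod(p, mode)
            files[p] = SANTA_FILES["/var/db/santa/" + name]
        owner = os.stat(tmp)
        return audit(files, owner.st_uid, owner.st_gid)


if __name__ == "__main__":
    # Against the real paths this needs to run as root to stat /var/db/santa/config.plist.
    for f in audit():
        print(f)
    print("demo findings:", demo())
```

Running `audit()` as root on a Santa host should print nothing; any line it does print is a file whose mode or owner drifted from what the install steps set.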

Sync API

  • /preflight/{machineid} (POST)
  • /eventupload/{machineid} (POST)
  • /ruledownload/{machineid}
  • /postflight/{machineid} (POST)

Development

Enable kext-dev-mode.

sh-3.2# nvram bootargs  
sh-3.2# nvram: Error getting variable - 'bootargs': (iokit/common) data was not found  
sh-3.2# nvram boot-args=kext-dev-mode=1  
sh-3.2# nvram boot-args  
boot-args    kext-dev-mode=1  

Correct the permissions and verify the extension:

chmod -R 600 santa-driver.kext  
chown -R root:wheel santa-driver.kext

sh-3.2# kextutil -n -t santa-driver.kext  

Reload:

kextunload santa-driver.kext  
kextload santa-driver.kext  

Verify that the extension is loaded:

kextstat|grep santa  
  137    0 0xffffff7f82915000 0x6000     0x6000     com.google.santa-driver (0.7.1) <5 4 3 1>