About Google Santa

Santa is a whitelisting and blacklisting daemon for OS X used by Google internally and maintained by the Google Macintosh Operations Team, who have open-sourced the code on GitHub. In the future there are plans to let Santa synchronise rules from a management server, but this is still a work in progress.

Shameless copy from the Github page:
Santa is a binary whitelisting/blacklisting system for Mac OS X. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

Installation:

Download the release from GitHub and install it by executing the following commands.

tar vxf santa-0.7.tar.bz2
cd santa-0.7

# copy configs
sudo cp conf/com.google.santad.plist /Library/LaunchDaemons
sudo cp conf/com.google.santasync.plist /Library/LaunchDaemons
sudo cp conf/com.google.santagui.plist /Library/LaunchAgents
sudo cp conf/com.google.santa.asl.conf /etc/asl
sudo cp conf/config.plist /var/db/santa/config.plist

# set permissions
sudo chmod 600 /var/db/santa/config.plist
sudo chown root:wheel /var/db/santa/config.plist

# copy binaries
sudo cp -r binaries/santa-driver.kext /
sudo cp -r binaries/Santa.app /Applications
sudo cp -r binaries/santad /usr/libexec
sudo cp -r binaries/santactl /usr/sbin

# install kernel driver
sudo kextload /santa-driver.kext
sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
open /Applications/Santa.app

Status:

Now you can verify the status of Santa using santactl.

~/D/santa-0.7 ❯❯❯ santactl status
>>> Versions
santa-driver version           | 0.7
santad version                 | 0.7
santactl version               | 0.7
SantaGUI version               | 0.7

>>> Kernel Info
Kernel cache count             | 44

>>> Database Info
Binary Rules                   | 0
Certificate Rules              | 2
Events Pending Upload          | 4

Reloading

Reloading is currently done by unloading and loading the daemon and kernel extension:

sudo kextunload /santa-driver.kext
sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null
sudo kextload /santa-driver.kext
sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist

Configuration

The file /var/db/santa/config.plist contains the configuration. For a complete list of configuration keys, see Configuration-Keys. By default Santa will start in Monitor mode (Clientmode is set to 1). If you change Clientmode to 2, Santa will run in Lockdown mode and deny every binary that has no allow rule.

Logging

Every application you'll open will be checked by Santa first. You can verify this by tailing /var/log/santa.log.

~/D/santa-0.7 ❯❯❯ tail /var/log/santa.log
[2014-12-13 13:32:48.319Z] I santad: A,C,d91a648d1d15c72fd2b4b9b9d3e995b8743871b1,/usr/bin/du,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:33:14.756Z] I santad: A,C,beea38aed6a868da1e244190b71633b1d8d97d02,/bin/cat,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:34:28.578Z] I santad: A,C,78c2832ac4c7cb8c62a6ab2e27bfc8eda75c3ca2,/usr/bin/find,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:34:28.593Z] I santad: A,C,ba899fd82019d6b37f2a35ee6249a019aeff1219,/usr/bin/grep,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:35:00.450Z] I santad: A,C,622a1048d40d0a45560a8152cef9ca570f2a991d,/usr/bin/tail,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:35:23.003Z] I santad: A,C,dfc46609ad71c5387ce6400207fbf16d4ad73f04,/usr/bin/wc,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
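The log lines above are what you would feed a review script before switching to Lockdown mode. The following is an added example, not part of Santa or of this post: a small parser for the santa.log line shape shown here that summarises decisions per rule type and lists every allowed execution that was not vouched for by the Apple "Software Signing" certificate. The field meanings (decision, reason, binary hash, path, certificate hash, certificate name) are my reading of the sample lines, and the non-Apple entries in the sample are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Line shape taken from the santa.log excerpt on this page; the field names are
# an assumption: decision, reason, binary hash, path, signing-cert hash, cert name.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \S santad: (?P<rest>.*)$")
# Hash of the "Software Signing" certificate as it appears in the page's excerpt.
APPLE_SIGNING_CERT = "013e2787748a74103d62d2cdbf77a1345517c482"

@dataclass
class SantaEvent:
    ts: str
    decision: str   # "A" = allow in the sample; any other value is treated as a block
    reason: str     # "C" = certificate rule in the sample
    binary_hash: str
    path: str
    cert_hash: str
    cert_name: str

def parse_line(line):
    """Return a SantaEvent for a santad decision line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("rest").split(",", 5)  # cert name is last and may contain commas
    return SantaEvent(m.group("ts"), *fields) if len(fields) == 6 else None

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def summarize(events):
    """Count events by (decision, reason) pair and by signing certificate name."""
    by_rule = Counter((e.decision, e.reason) for e in events)
    by_cert = Counter(e.cert_name or "<unsigned>" for e in events)
    return by_rule, by_cert

def not_apple_signed(events):
    """Allowed executions not covered by the Apple cert: review these before Lockdown."""
    return [e for e in events if e.decision == "A" and e.cert_hash != APPLE_SIGNING_CERT]

# Constructed sample: two lines from the page plus two made-up non-Apple entries
# (the "D,U" codes and the fake hashes are placeholders, not real Santa output).
SAMPLE_LOG = """\
[2014-12-13 13:32:48.319Z] I santad: A,C,d91a648d1d15c72fd2b4b9b9d3e995b8743871b1,/usr/bin/du,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:33:14.756Z] I santad: A,C,beea38aed6a868da1e244190b71633b1d8d97d02,/bin/cat,013e2787748a74103d62d2cdbf77a1345517c482,Software Signing
[2014-12-13 13:36:02.110Z] I santad: A,C,fakehash1,/Applications/Example.app/Contents/MacOS/Example,fakecert1,Developer ID Application: Example Corp, Inc.
[2014-12-13 13:37:41.902Z] I santad: D,U,fakehash2,/Users/alice/Downloads/installer,,
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(summarize(events), [e.path for e in not_apple_signed(events)])
```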

Database

All events and rules are placed in the Santa databases. These files are secured by setting their permissions to 0755 for user root and group wheel. The database files are located at:

  • /var/db/santa/rules.db: contains the rules for certificates and binaries
  • /var/db/santa/events.db: contains all occurred events

Sync API

  • /preflight/{machineid} (POST)
  • /eventupload/{machineid} (POST)
  • /ruledownload/{machineid}
  • /postflight/{machineid} (POST)

Development

Enable kext-dev-mode so that the unsigned development build of the kernel extension can be loaded:

sh-3.2# nvram bootargs
nvram: Error getting variable - 'bootargs': (iokit/common) data was not found
sh-3.2# nvram boot-args=kext-dev-mode=1
sh-3.2# nvram boot-args
boot-args	kext-dev-mode=1

Set the permissions and verify the extension:

chmod -R 600 santa-driver.kext
chown -R root:wheel santa-driver.kext

sh-3.2# kextutil -n -t santa-driver.kext

Reload:

kextunload santa-driver.kext
kextload santa-driver.kext

Verify that the extension is loaded:

kextstat|grep santa
  137    0 0xffffff7f82915000 0x6000     0x6000     com.google.santa-driver (0.7.1) <5 4 3 1>