  • Stars: 4,288
  • Rank 9,550 (Top 0.2 %)
  • Language: Objective-C
  • License: Apache License 2.0
  • Created over 9 years ago
  • Updated about 1 month ago


A binary authorization and monitoring system for macOS

Santa


Santa is a binary authorization system for macOS. It consists of a system extension that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

It is named Santa because it keeps track of binaries that are naughty or nice.

Docs

The Santa docs are stored in the Docs directory and published at https://santa.dev.

The docs include deployment options, details on how parts of Santa work and instructions for developing Santa itself.

Get Help

If you have questions or otherwise need help getting started, the santa-dev group is a great place.

If you believe you have a bug, feel free to report an issue and we'll respond as soon as we can.

If you believe you've found a vulnerability, please read the security policy for disclosure reporting.

Features

  • Multiple modes: In the default MONITOR mode, all binaries except those marked as blocked will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only listed binaries are allowed to run.

  • Event logging: When the kext is loaded, all binary launches are logged. When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.

  • Certificate-based rules, with override levels: Instead of relying on a binary's hash (or 'fingerprint'), executables can be allowed/blocked by their signing certificate. You can therefore allow/block all binaries by a given publisher that were signed with that cert across version updates. A binary can only be allowed by its certificate if its signature validates correctly but a rule for a binary's fingerprint will override a decision for a certificate; i.e. you can allowlist a certificate while blocking a binary signed with that certificate, or vice-versa.

  • Path-based rules (via NSRegularExpression/ICU): This allows a similar feature to that found in Managed Client (the precursor to configuration profiles, which used the same implementation mechanism), Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and not relying on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precedence.

  • Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore automatically allowed. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps. Likewise, you cannot block Santa itself, and Santa is signed with a separate cert from other Google apps.

  • Userland components validate each other: each of the userland components (the daemon, the GUI agent and the command-line utility) communicates with the others using XPC and checks that their signing certificates are identical before any communication is accepted.

  • Caching: allowed binaries are cached so the processing required to make a request is only done if the binary isn't already cached.
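The precedence the Features list describes, modelled as an added example (this is not Santa's own code): a fingerprint rule beats a certificate rule, a certificate rule applies only when the signature validates, a path regex is consulted last, the launchd and Santa certificates cannot be given a block rule, and an unknown binary runs in MONITOR but is blocked in LOCKDOWN while being recorded either way. The certificate identifiers and sample binaries are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder identifiers: the real Apple/Santa certificate hashes are not on this page.
LAUNCHD_CERT = "cert:apple-placeholder"
SANTA_CERT = "cert:santa-placeholder"
FAILSAFE_CERTS = {LAUNCHD_CERT, SANTA_CERT}

@dataclass
class Binary:
    sha256: str
    cert: Optional[str]      # leaf signing cert identifier, None if unsigned
    signature_valid: bool    # cert rules only apply when the signature validates
    path: str

@dataclass
class RuleSet:
    by_hash: dict = field(default_factory=dict)   # sha256 -> "allow" | "block"
    by_cert: dict = field(default_factory=dict)   # cert   -> "allow" | "block"
    by_path: list = field(default_factory=list)   # [(regex, decision)], lowest precedence

    def add_cert_rule(self, cert: str, decision: str) -> None:
        # Failsafe: a deny rule for the launchd (pid 1) or Santa cert is refused outright.
        if decision == "block" and cert in FAILSAFE_CERTS:
            raise ValueError("failsafe: cannot block the launchd or Santa certificate")
        self.by_cert[cert] = decision

def decide(b: Binary, rules: RuleSet, mode: str):
    """Return (decision, reason, record_event) for an execve of `b` under MONITOR or LOCKDOWN."""
    if b.sha256 in rules.by_hash:                       # 1. fingerprint rule overrides everything
        d = rules.by_hash[b.sha256]
        return d, "binary", d == "block"
    if b.signature_valid and b.cert in rules.by_cert:   # 2. cert rule, only with a valid signature
        d = rules.by_cert[b.cert]
        return d, "certificate", d == "block"
    if b.signature_valid and b.cert in FAILSAFE_CERTS:  # 2b. OS and Santa binaries run without a rule
        return "allow", "failsafe-certificate", False
    for pattern, d in rules.by_path:                    # 3. path regex, lowest precedence
        if re.search(pattern, b.path):
            return d, "path", d == "block"
    # 4. Unknown binary: MONITOR lets it run, LOCKDOWN blocks it; either way it is recorded.
    return ("allow" if mode == "MONITOR" else "block"), "unknown", True

if __name__ == "__main__":
    rules = RuleSet()
    rules.add_cert_rule("cert:vendor-x", "allow")       # allow everything Vendor X signs...
    rules.by_hash["sha256:bad-build"] = "block"         # ...except one specific build
    bad = Binary("sha256:bad-build", "cert:vendor-x", True, "/Applications/X.app/Contents/MacOS/X")
    print(decide(bad, rules, "MONITOR"))                # ('block', 'binary', True)
```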

Intentions and Expectations

No single system or process will stop all attacks, or provide 100% security. Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials or allowing unknown software to exfiltrate more data about their system. As a centrally managed component, Santa can help stop the spread of malware among a large fleet of machines. Independently, Santa can aid in analyzing what is running on your computer.

Santa is part of a defense-in-depth strategy, and you should continue to protect hosts in whatever other ways you see fit.

Security and Performance-Related Features

Known Issues

  • Santa only blocks execution (execve and variants), it doesn't protect against dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or libraries loaded using DYLD_INSERT_LIBRARIES.

  • Scripts: Santa is currently written to ignore any execution that isn't a binary. This is because after weighing the administration cost vs the benefit, we found it wasn't worthwhile. Additionally, a number of applications make use of temporary generated scripts, which we can't possibly allowlist and not doing so would cause problems. We're happy to revisit this (or at least make it an option) if it would be useful to others.

Sync Servers

  • The santactl command-line client includes a flag to synchronize with a management server, which uploads events that have occurred on the machine and downloads new rules. There are several open-source servers you can sync with:

    • Moroz - A simple golang server that serves hardcoded rules from simple configuration files.
    • Rudolph - An AWS-based serverless sync service primarily built on API GW, DynamoDB, and Lambda components to reduce operational burden. Rudolph is designed to be fast, easy-to-use, and cost-efficient.
    • Zentral - A centralized service that pulls data from multiple sources and deploys configurations to multiple services.
    • Zercurity - A dockerized service for managing and monitoring applications across a large fleet utilizing Santa + Osquery.
  • Alternatively, santactl can configure rules locally (without a sync server).

Screenshots

A tool like Santa doesn't really lend itself to screenshots, so here's a video instead.

Santa Block Video

Contributing

Patches to this project are very much welcome. Please see the CONTRIBUTING doc.

Disclaimer

This is not an official Google product.
