Google’s Macintosh Operations team has been working on a security application for Apple’s OS X ecosystem and has managed to attract the attention of the open-source community in the process.
Dubbed “Santa,” the tool is a binary whitelisting and blacklisting tool for macOS.
The software consists of a “kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server,” according to the project’s page.
Santa is still in the pre-1.0 stage, but the team is hard at work writing tests, debugging and finishing up a security audit.
“It is named Santa because it keeps track of binaries that are naughty or nice,” Google’s team says.
As noted by The Register, both individual and mass deployments are being kept in mind, as the Santa platform allows admins to manage a single accepted-and-rejected binary database.
Santa can also run in different modes. In its default mode, all binaries are allowed to run except those marked as blacklisted, while in “lockdown” mode, only whitelisted binaries are permitted.
Santa also supports event logging, certificate-based rules with override functionality, path-based rules and failsafe certificate rules — which prevent issues such as blocking automatic Mac updates.
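To make that policy concrete, here is an added Python model of the decision logic described above (not Santa’s own code): an in-memory SQLite rule table consulted per execution, with the two modes and the three rule kinds. The table contents, the certificate and hash values and the precedence order (failsafe certificate, then binary hash, then certificate, then path, then the mode default) are assumptions for illustration.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

MONITOR, LOCKDOWN = "monitor", "lockdown"  # the two modes the article describes


@dataclass
class Binary:
    sha256: str
    signing_cert: Optional[str]  # subject of the signing certificate, if signed
    path: str


def build_rule_db() -> sqlite3.Connection:
    """Constructed in-memory rule table; schema and rows are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rules (kind TEXT, value TEXT, verdict TEXT)")
    db.executemany("INSERT INTO rules VALUES (?, ?, ?)", [
        ("cert", "Apple Software Update", "failsafe"),   # never blocked, even in lockdown
        ("cert", "Example Vendor Inc", "whitelist"),     # trust everything this vendor signs...
        ("binary", "deadbeef" * 8, "blacklist"),         # ...except this one binary (override)
        ("path", "/usr/local/bin/", "whitelist"),
        ("binary", "cafebabe" * 8, "whitelist"),
    ])
    return db


def lookup(db: sqlite3.Connection, kind: str, value: str) -> Optional[str]:
    row = db.execute("SELECT verdict FROM rules WHERE kind=? AND value=?",
                     (kind, value)).fetchone()
    return row[0] if row else None


def decide(db: sqlite3.Connection, mode: str, binary: Binary) -> str:
    """Return ALLOW or BLOCK for one execution request."""
    # Failsafe certificate rules win outright so that system updates are never blocked.
    if binary.signing_cert and lookup(db, "cert", binary.signing_cert) == "failsafe":
        return "ALLOW"
    # A rule on the specific binary hash overrides a rule on its certificate.
    for kind, value in (("binary", binary.sha256), ("cert", binary.signing_cert)):
        verdict = lookup(db, kind, value) if value else None
        if verdict == "blacklist":
            return "BLOCK"
        if verdict == "whitelist":
            return "ALLOW"
    # Path-based rules: whitelist anything under an approved directory prefix.
    for (prefix,) in db.execute("SELECT value FROM rules WHERE kind='path' AND verdict='whitelist'"):
        if binary.path.startswith(prefix):
            return "ALLOW"
    # No rule matched: the mode decides the default.
    return "ALLOW" if mode == MONITOR else "BLOCK"
```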
Google’s Macintosh Operations team says:
“No single system or process will stop all attacks, or provide 100 percent security. Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system.
As a centrally managed component, Santa can help stop the spread of malware among a larger fleet of machines. Independently, Santa can aid in analyzing what is running on your computer.
Santa is part of a defense-in-depth strategy, and you should continue to protect hosts in whatever other ways you see fit.”
The security software is hosted on GitHub for people interested in poking around the code or setting up initial installations.