
Santa User Documentation

Purpose: The goal of this manual is to assist users in understanding Santa, how to use it effectively, and to offer direction on installation and the various features it offers.
Created: October 18, 2023

What is Santa?

Santa is a project of Google's Macintosh Operations team; however, it is not an official Google product. Santa helps control which programs are allowed to execute on your computer.

It's made up of various components:

  • System Extension: This extension either permits or denies attempted executions based on a set of rules stored in a local database.

  • GUI Agent: It alerts you when a program is denied execution.

  • Sync Daemon: Responsible for syncing the local database with a server.

  • Command-Line Utility: Used to manage the system and its rules.

Santa's useful features:

  1. Multiple Modes: It operates in either Monitor mode, where all program activities are logged, or Lockdown mode, where only explicitly listed programs can run.

  2. Event Logging: All program launches are logged for reference.

  3. Versatile Rule Types: You can create rules based on attributes like binary hash, signing ID, certificate hash, or team ID. These rules determine which programs can run.

    These rule types are listed in order of highest to lowest precedence.

  4. Failsafe Certificate Rules: Santa prevents blocking certificates needed for signing in.

  5. Component Interaction: The various components communicate with each other using XPC, a framework that provides access to a low-level interprocess communication mechanism; it communicates peer-to-peer (P2P), ensuring the components work together efficiently.

    The components referred to here are the daemon, the GUI agent, and the command-line utility.

    For more information about XPC, follow the link below:

    Learn more about XPC

  6. Caching: Allowed binaries are cached to reduce processing for subsequent requests.
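As an added example (not Santa's own code), the following Python resolves a decision for one execution event using the rule precedence listed above (binary hash, then signing ID, certificate hash, team ID) and the Monitor/Lockdown fallback for binaries that match no rule. The Rule and ExecEvent field names and the sample rules are illustrative assumptions, not Santa's real data model.

```python
# Added example, not Santa's code: rule precedence and mode fallback.
# Field names below are illustrative assumptions, not Santa's own schema.
from dataclasses import dataclass
from typing import Optional

# Highest to lowest precedence, as listed in the manual.
PRECEDENCE = ("binary", "signingid", "certificate", "teamid")

@dataclass(frozen=True)
class Rule:
    rule_type: str   # one of PRECEDENCE
    identifier: str  # binary hash, signing ID, certificate hash or team ID
    policy: str      # "ALLOWLIST" or "BLOCKLIST"

@dataclass(frozen=True)
class ExecEvent:
    file_sha256: str
    signing_id: Optional[str]   # None for unsigned binaries
    cert_sha256: Optional[str]
    team_id: Optional[str]

def decide(ev: ExecEvent, rules: list, mode: str) -> tuple:
    """Return (decision, reason). The most specific matching rule wins;
    with no match, MONITOR allows and logs while LOCKDOWN blocks."""
    index = {(r.rule_type, r.identifier): r for r in rules}
    ids = {"binary": ev.file_sha256, "signingid": ev.signing_id,
           "certificate": ev.cert_sha256, "teamid": ev.team_id}
    for rule_type in PRECEDENCE:
        ident = ids[rule_type]
        if ident is None:
            continue  # attribute absent, so no rule of this type can match
        rule = index.get((rule_type, ident))
        if rule is not None:
            return ("ALLOW" if rule.policy == "ALLOWLIST" else "BLOCK",
                    f"{rule_type} rule {ident}")
    if mode == "LOCKDOWN":
        return ("BLOCK", "no rule matched; LOCKDOWN blocks unknown binaries")
    return ("ALLOW", "no rule matched; MONITOR allows and logs")

# Constructed sample: a team-ID allow rule overridden by a binary block rule.
SAMPLE_RULES = [
    Rule("teamid", "EXAMPLETEAM", "ALLOWLIST"),
    Rule("binary", "aa" * 32, "BLOCKLIST"),
]
SAMPLE_EVENT = ExecEvent("aa" * 32, "EXAMPLETEAM:com.example.tool",
                         "bb" * 32, "EXAMPLETEAM")
UNSIGNED_EVENT = ExecEvent("cc" * 32, None, None, None)
```

The sample shows why precedence matters: the binary block rule wins over the broader team-ID allow rule for the same file, while a different binary from that team is allowed by the team-ID rule.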

Santa Installation

To install the Santa App from the terminal, run a command like the following example:

curl "https://{UNIQUE ORGANIZATION CODE}.apps.raven.dtact.com/install?target=linux" | bash

Each organization is provided with a unique code that gives it its own endpoint. Please reach out to your designated contact person on the DTACT team for assistance.

To configure Santa through a managed configuration profile (an XML property list), use the following example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>com.google.santa</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <key>MachineID</key>
                <string>XXX</string>
                <key>MachineOwner</key>
                <string>XXX</string>
                <key>SyncBaseURL</key>
                <string>https://XXX.apps.raven.dtact.com/</string>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadIdentifier</key>
      <string>com.apple.ManagedClient.preferences.0342c558-a101-4a08-a0b9-40cc00039ea5</string>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadUUID</key>
      <string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>com.google.santa</string>
  <key>PayloadDisplayName</key>
  <string>com.google.santa</string>
  <key>PayloadIdentifier</key>
  <string>com.google.santa</string>
  <key>PayloadOrganization</key>
  <string></string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>27F0BA62-7726-4FBB-B1F2-980EC9281F8A</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
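As an added example (not DTACT's or Santa's code), the following Python performs a pre-deployment check on a profile with the nesting shown above: it walks PayloadContent down to the com.google.santa managed preferences and flags XXX placeholders that were never filled in or a SyncBaseURL that is not HTTPS. The make_profile helper and its sample values are constructed for the example.

```python
# Added example, not DTACT's or Santa's code: a pre-deployment check for the
# managed-preferences profile shown above. The sample profile is constructed.
import plistlib
from urllib.parse import urlsplit

def santa_settings(profile: bytes) -> dict:
    """Walk PayloadContent -> com.google.santa -> Forced and return the
    mcx_preference_settings dict, following the nesting of the profile above."""
    root = plistlib.loads(profile)
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        domain = payload.get("PayloadContent", {}).get("com.google.santa", {})
        for forced in domain.get("Forced", []):
            return dict(forced.get("mcx_preference_settings", {}))
    raise ValueError("no com.google.santa managed preferences in profile")

def check_profile(profile: bytes) -> list:
    """Return a list of problems; an empty list means the profile is ready."""
    try:
        settings = santa_settings(profile)
    except ValueError as err:
        return [str(err)]
    problems = []
    for key in ("MachineID", "MachineOwner", "SyncBaseURL"):
        value = settings.get(key, "")
        if not value or "XXX" in value:
            problems.append(f"{key} is missing or still the XXX placeholder")
    # The sync server feeds the local rule database, so reach it over TLS only.
    if urlsplit(settings.get("SyncBaseURL", "")).scheme != "https":
        problems.append("SyncBaseURL must use https")
    return problems

def make_profile(machine_id: str, owner: str, sync_url: str) -> bytes:
    """Build a minimal profile with the same nesting as the example above."""
    settings = {"MachineID": machine_id, "MachineOwner": owner,
                "SyncBaseURL": sync_url}
    prefs = {"PayloadType": "com.apple.ManagedClient.preferences",
             "PayloadContent": {"com.google.santa": {
                 "Forced": [{"mcx_preference_settings": settings}]}}}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadScope": "System", "PayloadContent": [prefs]})
```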

Using Santa

To use Santa within the Raven Portal, go to the Santa App in the menu on the left side of the Portal. After selecting the Santa App, a tab opens with five different sections:

  1. Endpoints

  2. Events

  3. Rules

  4. Config

  5. Documentation

Each of these sections is explained separately below.

Endpoints

The Endpoints section gives you an overview of all your Santa endpoints and some details about each of them: host ID, Santa version, OS version, mode, when it was created and when it was last updated.

At the far right you will find a three-dot button that lets you edit an endpoint, change its mode, or delete it.

Events

Within this section you get a comprehensive overview of both current and historical events that have occurred on your device. When you select a specific event, a dedicated pane unfolds with detailed information about it, including the host ID, parent name, file name, and currently logged-in users. The same information is also available in JSON format with a single click.

Additionally, on the far right you will find a menu represented by three dots. This menu allows you to create a binary rule from the event by entering a reference message and specifying the policy, giving you precise control over your device's behaviour through these rules.

Rules

Here you have access to a list of all the rules that have been created. Each rule comes with a description that includes its hash, policy, type, whether it is enabled, and timestamps indicating when it was created and last updated. To go deeper into the specifics of a particular rule, simply click on it.

Additionally, on the far right of each rule entry you will notice a menu represented by three dots. This menu allows you to disable the rule, giving you the flexibility to adjust rule settings to suit your needs.

Config

This section of the app is still in development.

Documentation

In this section, you will discover useful resources and references to assist you in the installation process and general knowledge about Santa. These references are designed to guide you through the various steps and offer helpful insights into setting up Santa effectively.