Intro to Santa with Fleetsmith
Santa is an open source project from Google’s Macintosh Operations Team. You can use this approve/block listing system on macOS to analyze, control, and block apps. Santa can be configured to prevent users from using malicious, high risk, or prohibited apps.
Two configuration modes: Local and remote
Fleetsmith offers many Santa configuration options. You access them in Fleetsmith through two configuration modes: local (in which settings are distributed directly to the Santa configuration files on each computer) and remote (in which Santa is configured to contact a sync server to receive its rules).
Fleetsmith recommends you enable Page Zero protection, an option that’s available for both modes. This programming tool protects against certain types of errors, along with the security vulnerabilities (code injection) that can arise from them. There are some existing mitigations for the potential attacks, but blocking all binaries that lack this protection provides a higher level of assurance. Fleetsmith recommends enabling this feature because the security gains are meaningful, while the blocked binaries are likely to be legacy, outdated, or rare, making user disruption minimal.
For local configuration mode, these options are available:
Blocklist binary file hashes: A comma-separated values (.csv) list of SHA-256 binary hashes. This is the most granular rule and will blocklist individual binaries. Even a small change in a binary will alter the SHA-256 hash, so the rule no longer applies to it.
Blocklist certificate hashes: A .csv list of SHA-256 hashes of signing certificates. This is a powerful rule type that has a much broader reach than an individual binary rule, allowing you to blocklist all apps signed by a particular code signing certificate.
Blocklist file paths: A .csv list of binary or app file paths. Fleetsmith processes these into a list of SHA-256 hashes of the binary or app bundle located at each path to pass to Santa as blocklist rules.
Blocklist file path regex: An ICU-format regular expression (regex) to create a blocklisted scope, which blocks all binaries located within a matching file system path or subdirectory.
File changes regex: An ICU-format regular expression (regex) to include logs of file changes at matching file system paths. By default, all executions and file system mounts are automatically logged in Santa. Using this regex, you can also include the file operations of the specified paths.
For remote configuration mode, these options are available:
Sync server type: A setting that specifies the type of sync server your Santa clients will connect to. Fleetsmith currently supports configuring for Upvote or Moroz servers. Upvote implements social voting through G Suite accounts to determine rules for unknown binaries, and requires being hosted on Google App Engine (GAE). Moroz distributes global or per-computer rule sets and can be hosted anywhere.
Server hostname: The fully qualified domain name for the sync server you want to connect to. Fleetsmith prepends “https://” to the domain, and the Santa endpoint for the server type selected is appended. For Moroz, Fleetsmith specifies port 8080.
Client certificate: Santa can be configured to present a PKCS #12 certificate to authenticate itself to the sync server. Currently, only Upvote has a stub allowing administrators to write a client authentication function, so this option is Upvote specific and optional. Fleetsmith recommends implementing this certificate to prevent potential attackers from conducting denial of service attacks or finding out what rules are implemented. This concern is mitigated in Moroz because it reveals only global rules to unknown clients and doesn’t receive events. The certificate uploaded here is distributed to each computer in Fleetsmith.
Client certificate password: The password corresponding to the distributed client certificate. In System Preferences, it’s possible for end users to see this password in plain text.
Client computer owner: Santa can identify the user of its computer to Upvote. If local user name is chosen, the short name of the user account most frequently logged into the computer is presented. This option requires implementing a function in Upvote to map short names to email addresses. The other choice is to have Santa present the email address of the user the computer is assigned to in the Fleetsmith Admin Console. If a given computer doesn’t have a user assigned to it in Fleetsmith, the configuration falls back to the local user name option.
Root certificate: Fleetsmith requires that you implement SSL pinning of the certificate authority (CA) if you’re using Moroz as your sync server. The CA you pin here is uploaded in PEM format. For Upvote, Fleetsmith automatically pins GAE’s CA.
Client computer ID: Moroz defaults to identifying computers by their hardware UUID. With this option, you can have computers identify themselves by their serial number instead. If you do this, be sure you update the corresponding rules in Moroz.
You can also configure the user interface settings for Santa in Fleetsmith. These are described in the selected app’s configuration page.
What are the security benefits of implementing Santa with a sync server?
Santa and either Upvote or Moroz can be configured and deployed fairly quickly to immediately grant benefits by blocking known malicious binaries across your entire fleet with ease and flexibility. Particularly with Upvote, this is only the start of a longer process that will reap progressively stronger security assurances.
Upvote’s documentation details this strategy of progressive lockdown. The process is to first spend some time monitoring your fleet with Santa to understand all the binaries being executed on it, then build an initial approved list. After a specified period, the Santa clients can be shifted into lockdown mode without blocking any of the apps seen in the initial monitoring period. Once the entire fleet is in lockdown without large disruptions to users, an administrator can be assured that all of the apps running across the fleet are known to be safe.
This begins an ongoing state where the database of approved and blocked apps in Upvote grows over time as users install and use new apps in the fleet. The social voting model Upvote uses allows users to start using new tools, and get them approved by Santa, without the administrative overhead normally associated with centrally-managed binary management tools. If a user does approve a piece of malware, the need for a critical mass of approvals before a global approve list is enacted slows its spread through the fleet, granting administrators more time to respond, alleviate, and proactively block new threats.
How can I block the download or installation of a specific installer with Santa?
The best way to accomplish this is to block the hash of the specific installer.
Can’t I just block the path to the installer?
Technically yes, it’s possible to block the path to the installer with Santa. However, this isn’t the most secure way, because it’s easy to bypass (by relocating or renaming the app). There may also be a race condition between the installer arriving on the storage device and the App Store automatically opening it before Santa has a chance to:
Check that a binary exists at that path
Get the hash for the binary at that path
Blocklist the hash of that binary
For those reasons, blocklisting the hash of the installer is the best way to guarantee that it gets blocked. That way it’s already in a list of binaries that are unacceptable, so it won’t matter if it is, or isn’t, on the storage device. As soon as a user or the App Store attempts to launch it, Santa will already know about it and be able to block it from loading.
How do I manually obtain the SHA-256 binary hash for an installer?
If you’re unable to locate the SHA-256 binary hash for an installer online, you can download the installer onto your device and use the Terminal app to retrieve the SHA-256 binary hash. Depending on your macOS version, one of the three commands below should work to obtain the SHA-256 binary hash for an installer:
openssl sha -sha256 <file>
openssl sha256 <file>
shasum -a 256 <file>
Be sure to replace <file> with the path to the installer. The SHA-256 hash will be unique for a given version of the installer.
How do I find an installer’s path?
If you’ve downloaded the app from the App Store, launch the app and then check the Open Files and Ports tab in Activity Monitor. To do this:
1. Launch Activity Monitor, then double-click the app name in the list of processes.
2. Click Open Files and Ports and look for the path to the binary (it usually appears near the top).
3. Enter that path in the Terminal command above.
How can I add Santa to a configuration profile and configure the settings in Fleetsmith?
1. In the Fleetsmith Admin Console, click Apps & Settings, then click Google Santa.
2. Click the Add to Profile menu, select the profile you want to add Santa to, then click Add.
3. Click Configure to set up your desired settings.
How do I remove the blocklist from my fleet?
To remove the blocklist from your fleet, Fleetsmith recommends leaving Santa configured in a blank state before you remove Santa from the profile. Santa then sends a blank blocklist to all devices in your fleet.