Santa – A binary whitelisting/blacklisting system for Mac OS X
Security on macOS matters just as much as on any other system we use. Hardening Mac systems and applying security updates promptly is important for fixing vulnerabilities in the operating system. If you are a Mac user, Santa is worth a look.
Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions and a userland daemon that makes execution decisions based on the contents of a SQLite database.
Some of the features of this tool are:
- Santa runs in two modes. In MONITOR mode, all binaries except those marked as blacklisted are allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only whitelisted binaries are allowed to run.
- Event logging: When the kext is loaded, all binary launches are logged. When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
- Certificate-based rules, with override levels: Instead of relying on a binary's hash (or ‘fingerprint’), executables can be whitelisted/blacklisted by their signing certificate.
- Path-based rules (via NSRegularExpression/ICU): This provides a feature similar to the Application Launch Restrictions of Managed Client for OS X (the precursor to configuration profiles, which used the same implementation mechanism) via the mcxalr binary.
- Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore auto-whitelisted.
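To make the two modes and the rule types concrete, here is a small model of the decision logic described above. It is an added example and not Santa's own code; the rule precedence (binary hash rule, then certificate rule, then path regex) and the placeholder certificate value are assumptions.

```python
# Added example: a model of Santa-style execution decisions (not Santa's code).
# Assumed precedence: binary hash rule > certificate rule > path regex rule.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MONITOR, LOCKDOWN = "MONITOR", "LOCKDOWN"
# Placeholder standing in for the certificate that signs launchd (pid 1).
LAUNCHD_CERT = "LAUNCHD_CERT_PLACEHOLDER"


@dataclass
class Rules:
    binaries: Dict[str, str] = field(default_factory=dict)  # sha256 -> state
    certs: Dict[str, str] = field(default_factory=dict)     # cert sha256 -> state
    blacklist_regex: Optional[str] = None
    whitelist_regex: Optional[str] = None
    events: List[Tuple[str, str]] = field(default_factory=list)  # logged launches

    def add_cert_rule(self, cert_sha256: str, state: str) -> bool:
        """Failsafe: refuse a BLACKLIST rule on the certificate that signs launchd."""
        if state == "BLACKLIST" and cert_sha256 == LAUNCHD_CERT:
            return False
        self.certs[cert_sha256] = state
        return True


def decide(rules: Rules, mode: str, path: str, sha256: str,
           cert_sha256: Optional[str] = None) -> str:
    """Return 'ALLOW' or 'DENY' for one execution, recording events as Santa would."""
    # Explicit rules first: binary hash, then signing certificate.
    state = rules.binaries.get(sha256) or rules.certs.get(cert_sha256)
    if state is None:  # fall back to path-based regex rules
        if rules.blacklist_regex and re.search(rules.blacklist_regex, path):
            state = "BLACKLIST"
        elif rules.whitelist_regex and re.search(rules.whitelist_regex, path):
            state = "WHITELIST"
    if state == "BLACKLIST":
        rules.events.append(("DENY", path))
        return "DENY"
    if state == "WHITELIST":
        return "ALLOW"
    # Unknown binary: the mode decides, and the launch is recorded either way.
    if mode == LOCKDOWN:
        rules.events.append(("DENY_UNKNOWN", path))
        return "DENY"
    rules.events.append(("ALLOW_UNKNOWN", path))
    return "ALLOW"
```

The events list is what makes MONITOR mode useful for building a whitelist before switching to LOCKDOWN: every unknown launch is recorded even though it is allowed.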
Santa is a project of Google’s Macintosh Operations Team. You can read more and download this tool at this link: https://github.com/google/