Added Santa configs
This commit is contained in:
parent
45791f9bc7
commit
03bc66d113
8 changed files with 447 additions and 1 deletions
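--- a/home/dot_config/santa/README.md
+++ b/home/dot_config/santa/README.md
@@ -0,0 +1,47 @@
+# Santa
+
+Santa is a macOS security tool that helps handle the process of authorizing binary executions.
+
+The `.mobileconfig` files in this folder have to be manually clicked on to be loaded or used in conjunction with an managed device provider. For more information on what each `.mobileconfig` does, please see the [Santa Getting Started](https://santa.dev/deployment/getting-started.html) page.
+
+The original code used to deploy Santa via Ansible can be seen below which shows how to use `santactl` locally to block apps from loading:
+
+```yaml
+---
+- name: 'Ensure {{ app_name }} is installed'
+become: false
+community.general.homebrew_cask:
+name: santa
+state: "{{ app_state | default('present') }}"
+accept_external_apps: '{{ allow_external_apps | default(true) }}'
+sudo_password: '{{ ansible_password | default(omit) }}'
+
+- name: Copy the MDM Profile to the target
+become: false
+copy:
+src: santa.mobileconfig
+dest: ~/santa.mobileconfig
+mode: 0700
+when: lockdown_mode
+
+# The `profiles` command, starting in BigSur, does not allow installing Profiles. The command used below allows
+# partial automation, in that a notification is shown to install the Profile using System Preferences.
+# However, the step fails. Leaving it here to use if another way to completely automate this is possible
+# - name: Install the profile # noqa 303
+# shell: open /System/Library/PreferencePanes/Profiles.prefPane /Users/{{ ansible_user }}/santa.mobileconfig
+# when: lockdown_mode
+#
+# - name: Remove the MDM Profile from the target
+# become: false
+# file:
+# path: ~/santa.mobileconfig
+# state: absent
+# when: lockdown_mode
+
+- name: Ensure Rules are created # noqa 301 305
+shell: /usr/local/bin/santactl rule {{ '--allow' if lockdown_mode else '--block' }} --path {{ rule }}
+loop: '{{ allowed_apps if lockdown_mode else blocked_apps }}'
+loop_control:
+label: '{{ rule }}'
+loop_var: rule
+```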
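--- a/home/dot_config/santa/install.sh
+++ b/home/dot_config/santa/install.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# @file Santa Post-Installation Script
+# @brief Installs various profiles that give Santa the permissions it needs to function.
+# @description
+# This script opens all the profiles required for a full Santa installation. It relies on having launched a Santa synchronization
+# server. If you do not have a Santa synchronization server, you can launch Santa using the `local.santa.mobileconfig` file
+# which launches Santa in local mode. This mode is not recommended for production use.
+
+open /System/Library/PreferencePanes/Profiles.prefPane "${XDG_CONFIG_HOME:-$HOME/.config}/santa/server.santa.mobileconfig"
+open /System/Library/PreferencePanes/Profiles.prefPane "${XDG_CONFIG_HOME:-$HOME/.config}/santa/tcc.configuration-profile-policy.santa.mobileconfig"
+open /System/Library/PreferencePanes/Profiles.prefPane "${XDG_CONFIG_HOME:-$HOME/.config}/santa/system-extension-policy.santa.mobileconfig"
+open /System/Library/PreferencePanes/Profiles.prefPane "${XDG_CONFIG_HOME:-$HOME/.config}/santa/notification-settings.santa.mobileconfig"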
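Review bot: The four `open` invocations at the end of install.sh run unconditionally and their exit status is ignored, so a missing profile file (or one whose template placeholders were never rendered) surfaces only as a GUI error while the script still exits 0. Add `set -euo pipefail` after the shebang, compute the santa directory once, and check each file exists before handing it to `open`; the loop below keeps the same four profiles in the same order and, as the header comment says, still leaves `local.santa.mobileconfig` out deliberately rather than globbing the directory.
```bash
#!/usr/bin/env bash
# … unchanged: @file/@brief/@description header comments …

set -euo pipefail

santa_dir="${XDG_CONFIG_HOME:-$HOME/.config}/santa"
for profile in server tcc.configuration-profile-policy system-extension-policy notification-settings; do
  path="${santa_dir}/${profile}.santa.mobileconfig"
  [ -f "$path" ] || { echo "Missing profile: $path" >&2; exit 1; }
  open /System/Library/PreferencePanes/Profiles.prefPane "$path"
done
```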
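--- a/home/dot_config/santa/local.santa.mobileconfig
+++ b/home/dot_config/santa/local.santa.mobileconfig
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>PayloadContent</key>
+<array>
+<dict>
+<key>PayloadContent</key>
+<dict>
+<key>com.google.santa</key>
+<dict>
+<key>Forced</key>
+<array>
+<dict>
+<key>mcx_preference_settings</key>
+<dict>
+<key>ClientMode</key>
+<integer>2</integer>
+</dict>
+</dict>
+</array>
+</dict>
+</dict>
+<key>PayloadEnabled</key>
+<true/>
+<key>PayloadIdentifier</key>
+<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+<key>PayloadType</key>
+<string>com.apple.ManagedClient.preferences</string>
+<key>PayloadUUID</key>
+<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+</dict>
+</array>
+<key>PayloadDescription</key>
+<string>com.google.santa</string>
+<key>PayloadDisplayName</key>
+<string>com.google.santa</string>
+<key>PayloadIdentifier</key>
+<string>com.google.santa</string>
+<key>PayloadOrganization</key>
+<string></string>
+<key>PayloadRemovalDisallowed</key>
+<true/>
+<key>PayloadScope</key>
+<string>System</string>
+<key>PayloadType</key>
+<string>Configuration</string>
+<key>PayloadUUID</key>
+<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+</dict>
+</plist>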
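Review bot: This profile reuses the identifiers of `server.santa.mobileconfig` in the same commit: the top-level PayloadIdentifier `com.google.santa`, the top-level PayloadUUID `9020fb2d-cab3-420f-9268-acca4868bdd0` and the inner payload's `0342c558-a101-4a08-a0b9-40cc00039ea5` are byte-identical in both files, and macOS keys installed profiles on PayloadIdentifier, so installing one replaces the other and PayloadRemovalDisallowed then stops whichever one won from being removed in System Settings. Give the local variant its own identifier, e.g. `<string>com.google.santa.local</string>`, and fresh UUIDs (placeholder: `<NEW-UUID>`) for both payload levels. Note also that ClientMode `<integer>2</integer>` is Santa's lockdown mode, and this profile ships no StaticRules and no SyncBaseURL, so broadly anything Santa does not treat as an Apple platform binary or match to a rule is blocked until rules are added with `santactl`; the README's "not recommended for production" remark would be clearer if it said so, or the profile could start in monitor mode (`1`) as the server profile does.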
@ -0,0 +1,64 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>PayloadContent</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>NotificationSettings</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>AlertType</key>
|
||||
<integer>1</integer>
|
||||
<key>BadgesEnabled</key>
|
||||
<true/>
|
||||
<key>BundleIdentifier</key>
|
||||
<string>com.google.santa</string>
|
||||
<key>CriticalAlertEnabled</key>
|
||||
<true/>
|
||||
<key>NotificationsEnabled</key>
|
||||
<true/>
|
||||
<key>ShowInLockScreen</key>
|
||||
<true/>
|
||||
<key>ShowInNotificationCenter</key>
|
||||
<true/>
|
||||
<key>SoundsEnabled</key>
|
||||
<false/>
|
||||
</dict>
|
||||
</array>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>Notifications Payload</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.google.santa.notificationsettings.F1817DA0-0044-43DD-9540-36EBC60FDA8F</string>
|
||||
<key>PayloadOrganization</key>
|
||||
<string></string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.notificationsettings</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>510236AE-D7F8-4131-A4CA-5CC930C51866</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</array>
|
||||
<key>PayloadDescription</key>
|
||||
<string>Configures your Mac to automatically enable Notifications settings for Santa</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>Santa Notifications settings</string>
|
||||
<key>PayloadEnabled</key>
|
||||
<true/>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.google.santa.notificationsettings.069CA123-6129-46A5-8FD1-49322E5A5755</string>
|
||||
<key>PayloadOrganization</key>
|
||||
<string></string>
|
||||
<key>PayloadRemovalDisallowed</key>
|
||||
<true/>
|
||||
<key>PayloadScope</key>
|
||||
<string>System</string>
|
||||
<key>PayloadType</key>
|
||||
<string>Configuration</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>069CA123-6129-46A5-8FD1-49322E5A5755</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</plist>
|
115
home/dot_config/santa/server.santa.mobileconfig
Normal file
115
home/dot_config/santa/server.santa.mobileconfig
Normal file
|
@ -0,0 +1,115 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>PayloadContent</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>PayloadContent</key>
|
||||
<dict>
|
||||
<key>com.google.santa</key>
|
||||
<dict>
|
||||
<key>Forced</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>mcx_preference_settings</key>
|
||||
<dict>
|
||||
<key>BannedBlockMessage</key>
|
||||
<string>This application has been banned</string>
|
||||
<key>ClientMode</key>
|
||||
<integer>1</integer>
|
||||
<key>EnablePageZeroProtection</key>
|
||||
<false/>
|
||||
<key>EnableSilentMode</key>
|
||||
<false/>
|
||||
<key>EventDetailText</key>
|
||||
<string>Open sync server</string>
|
||||
<key>EventDetailURL</key>
|
||||
<string>https://santa.{{ .host.domain }}/blockables/%file_sha%</string>
|
||||
<key>FileChangesRegex</key>
|
||||
<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
|
||||
<key>MachineIDKey</key>
|
||||
<string>MachineUUID</string>
|
||||
<key>MachineIDPlist</key>
|
||||
<string>/Library/Preferences/{{ .host.domain }}.santa.machine-mapping.plist</string>
|
||||
<key>MachineOwnerKey</key>
|
||||
<string>Owner</string>
|
||||
<key>MachineOwnerPlist</key>
|
||||
<string>/Library/Preferences/{{ .host.domain }}.santa.machine-mapping.plist</string>
|
||||
<key>ModeNotificationLockdown</key>
|
||||
<string>Entering Lockdown mode</string>
|
||||
<key>ModeNotificationMonitor</key>
|
||||
<string>Entering Monitor mode<br/>Please be careful!</string>
|
||||
<key>MoreInfoURL</key>
|
||||
<string>https://santa.{{ .host.domain }}/moreinfo</string>
|
||||
<key>StaticRules</key>
|
||||
<array>
|
||||
<dict>
|
||||
<!-- Always allow files signed by Google LLC -->
|
||||
<key>identifier</key>
|
||||
<string>EQHXZ8M8AV</string>
|
||||
<key>policy</key>
|
||||
<string>ALLOWLIST</string>
|
||||
<key>rule_type</key>
|
||||
<string>TEAMID</string>
|
||||
</dict>
|
||||
<dict>
|
||||
<!-- Always allow files signed by "Internal Tools Certificate" -->
|
||||
<key>identifier</key>
|
||||
<string>b2617611fb6c008bfe9e05b7a633d4f21c403a0a1a88b514a04c3e5e111be025</string>
|
||||
<key>policy</key>
|
||||
<string>ALLOWLIST</string>
|
||||
<key>rule_type</key>
|
||||
<string>CERTIFICATE</string>
|
||||
</dict>
|
||||
<dict>
|
||||
<!-- Always BLOCK the BundleExample.app binary in Santa's testdata files, for testing -->
|
||||
<key>identifier</key>
|
||||
<string>b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670</string>
|
||||
<key>policy</key>
|
||||
<string>BLOCKLIST</string>
|
||||
<key>rule_type</key>
|
||||
<string>BINARY</string>
|
||||
</dict>
|
||||
</array>
|
||||
<key>SyncBaseURL</key>
|
||||
<string>https://santa.{{ .host.domain }}/api/santa/</string>
|
||||
<key>UnknownBlockMessage</key>
|
||||
<string>This application has been blocked from executing.</string>
|
||||
</dict>
|
||||
</dict>
|
||||
</array>
|
||||
</dict>
|
||||
</dict>
|
||||
<key>PayloadEnabled</key>
|
||||
<true/>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.ManagedClient.preferences</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</array>
|
||||
<key>PayloadDescription</key>
|
||||
<string>com.google.santa</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>com.google.santa</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.google.santa</string>
|
||||
<key>PayloadOrganization</key>
|
||||
<string></string>
|
||||
<key>PayloadRemovalDisallowed</key>
|
||||
<true/>
|
||||
<key>PayloadScope</key>
|
||||
<string>System</string>
|
||||
<key>PayloadType</key>
|
||||
<string>Configuration</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</plist>
|
|
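Review bot: The `{{ .host.domain }}` placeholders in EventDetailURL, MachineIDPlist, MachineOwnerPlist, MoreInfoURL and SyncBaseURL are only expanded if this file is processed as a template; the `home/dot_config/` layout suggests a chezmoi source tree, where only files carrying a `.tmpl` suffix are rendered, so `server.santa.mobileconfig` as named would install with a literal `{{ .host.domain }}` in SyncBaseURL and never reach a sync server. Either rename it to `server.santa.mobileconfig.tmpl` (and adjust the path used by install.sh) or confirm how the placeholders get rendered. Separately, the StaticRules block still carries the comments of the upstream example config: the CERTIFICATE ALLOWLIST for "Internal Tools Certificate" (`b2617611fb6c…`) and the BINARY BLOCKLIST for Santa's test bundle are sample entries, and a static allowlist for a certificate this deployment does not own should be verified against the intended leaf certificate or removed before the profile is used. `EnablePageZeroProtection` is also set to `<false/>`, turning off a check Santa enables by default; if that is deliberate, a `<!-- … -->` comment next to it saying why would help the next reader.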
@ -0,0 +1,64 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1">
|
||||
<dict>
|
||||
<!-- See https://developer.apple.com/documentation/devicemanagement/systemextensions for payload descriptions -->
|
||||
<key>PayloadUUID</key>
|
||||
<string>40C19D5B-76D7-4C1C-BC9D-2F7EB29CFF4D</string>
|
||||
<key>PayloadType</key>
|
||||
<string>Configuration</string>
|
||||
<key>PayloadOrganization</key>
|
||||
<string></string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.google.santa.system-extension-policy.40C19D5B-76D7-4C1C-BC9D-2F7EB29CFF4D</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>System Extensions</string>
|
||||
<key>PayloadDescription</key>
|
||||
<string>Configures your Mac to automatically enable Santa's EndpointSecurityExtension</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
<key>PayloadEnabled</key>
|
||||
<true/>
|
||||
<key>PayloadRemovalDisallowed</key>
|
||||
<true/>
|
||||
<key>PayloadScope</key>
|
||||
<string>System</string>
|
||||
<key>PayloadContent</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>PayloadUUID</key>
|
||||
<string>98D01A7B-ADC1-43C8-AB8E-8BDC25FCA3C9</string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.system-extension-policy</string>
|
||||
<key>PayloadOrganization</key>
|
||||
<string></string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.google.santa.system-extension-policy.98D01A7B-ADC1-43C8-AB8E-8BDC25FCA3C9</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>System Extensions</string>
|
||||
<key>PayloadDescription</key>
|
||||
<string/>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
<key>PayloadEnabled</key>
|
||||
<true/>
|
||||
<key>AllowUserOverrides</key>
|
||||
<true/>
|
||||
<key>AllowedSystemExtensions</key>
|
||||
<dict>
|
||||
<key>EQHXZ8M8AV</key>
|
||||
<array>
|
||||
<string>com.google.santa.daemon</string>
|
||||
</array>
|
||||
</dict>
|
||||
<key>AllowedSystemExtensionTypes</key>
|
||||
<dict>
|
||||
<key>EQHXZ8M8AV</key>
|
||||
<array>
|
||||
<string>EndpointSecurityExtension</string>
|
||||
</array>
|
||||
</dict>
|
||||
</dict>
|
||||
</array>
|
||||
</dict>
|
||||
</plist>
|
|
@ -0,0 +1,90 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<!-- See https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol for payload descriptions -->
|
||||
<key>PayloadContent</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>PayloadDescription</key>
|
||||
<string>Configures Privacy Preferences Policy Control settings</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>Privacy Preferences Policy Control</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.google.santa.TCC.configuration-profile-policy.2416BA4B-CBFC-4719-B02F-20251B881D6F</string>
|
||||
<key>PayloadOrganization</key>
|
||||
<string></string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.TCC.configuration-profile-policy</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>2416BA4B-CBFC-4719-B02F-20251B881D6F</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
<key>Services</key>
|
||||
<dict>
|
||||
<key>SystemPolicyAllFiles</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>Allowed</key>
|
||||
<true/>
|
||||
<key>CodeRequirement</key>
|
||||
<string>identifier "com.google.santa.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
|
||||
<key>Comment</key>
|
||||
<string></string>
|
||||
<key>Identifier</key>
|
||||
<string>com.google.santa.daemon</string>
|
||||
<key>IdentifierType</key>
|
||||
<string>bundleID</string>
|
||||
<key>StaticCode</key>
|
||||
<false/>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>Allowed</key>
|
||||
<true/>
|
||||
<key>CodeRequirement</key>
|
||||
<string>identifier "com.google.santa.bundleservice" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
|
||||
<key>Comment</key>
|
||||
<string></string>
|
||||
<key>Identifier</key>
|
||||
<string>com.google.santa.bundleservice</string>
|
||||
<key>IdentifierType</key>
|
||||
<string>bundleID</string>
|
||||
<key>StaticCode</key>
|
||||
<false/>
|
||||
</dict>
|
||||
<dict>
|
||||
<key>Allowed</key>
|
||||
<true/>
|
||||
<key>CodeRequirement</key>
|
||||
<string>identifier "com.google.santa" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
|
||||
<key>Comment</key>
|
||||
<string></string>
|
||||
<key>Identifier</key>
|
||||
<string>com.google.santa</string>
|
||||
<key>IdentifierType</key>
|
||||
<string>bundleID</string>
|
||||
<key>StaticCode</key>
|
||||
<false/>
|
||||
</dict>
|
||||
</array>
|
||||
</dict>
|
||||
</dict>
|
||||
</array>
|
||||
<key>PayloadDescription</key>
|
||||
<string>tcc.configuration-profile-policy.santa.example</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>tcc.configuration-profile-policy.santa.example</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>com.google.santa.TCC.configuration-profile-policy.089CBCFB-F2AA-407C-9F2A-A12967FE20BC</string>
|
||||
<key>PayloadOrganization</key>
|
||||
<string></string>
|
||||
<key>PayloadScope</key>
|
||||
<string>System</string>
|
||||
<key>PayloadType</key>
|
||||
<string>Configuration</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>089CBCFB-F2AA-407C-9F2A-A12967FE20BC</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</plist>
|
|
@ -8156,7 +8156,6 @@ softwarePackages:
|
|||
_github: https://github.com/google/santa
|
||||
_home: https://santa.dev/
|
||||
_name: A binary authorization system for MacOS
|
||||
ansible:darwin: professormanhattan.santa
|
||||
cask: santa
|
||||
schema:
|
||||
_bin: schema
|
||||
|
|