Added Santa configs

This commit is contained in:
Brian Zalewski 2023-08-08 04:13:48 -04:00 committed by GitHub
parent 45791f9bc7
commit 03bc66d113
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 447 additions and 1 deletions


@ -0,0 +1,47 @@
# Santa
Santa is a macOS security tool that helps handle the process of authorizing binary executions.
The `.mobileconfig` files in this folder have to be manually clicked on to be loaded or used in conjunction with an managed device provider. For more information on what each `.mobileconfig` does, please see the [Santa Getting Started](https://santa.dev/deployment/getting-started.html) page.
The original code used to deploy Santa via Ansible can be seen below which shows how to use `santactl` locally to block apps from loading:
```yaml
---
- name: 'Ensure {{ app_name }} is installed'
become: false
community.general.homebrew_cask:
name: santa
state: "{{ app_state | default('present') }}"
accept_external_apps: '{{ allow_external_apps | default(true) }}'
sudo_password: '{{ ansible_password | default(omit) }}'
- name: Copy the MDM Profile to the target
become: false
copy:
src: santa.mobileconfig
dest: ~/santa.mobileconfig
mode: 0700
when: lockdown_mode
# The `profiles` command, starting in BigSur, does not allow installing Profiles. The command used below allows
# partial automation, in that a notification is shown to install the Profile using System Preferences.
# However, the step fails. Leaving it here to use if another way to completely automate this is possible
# - name: Install the profile # noqa 303
# shell: open /System/Library/PreferencePanes/Profiles.prefPane /Users/{{ ansible_user }}/santa.mobileconfig
# when: lockdown_mode
#
# - name: Remove the MDM Profile from the target
# become: false
# file:
# path: ~/santa.mobileconfig
# state: absent
# when: lockdown_mode
- name: Ensure Rules are created # noqa 301 305
shell: /usr/local/bin/santactl rule {{ '--allow' if lockdown_mode else '--block' }} --path {{ rule }}
loop: '{{ allowed_apps if lockdown_mode else blocked_apps }}'
loop_control:
label: '{{ rule }}'
loop_var: rule
```


@ -0,0 +1,12 @@
#!/usr/bin/env bash
# @file Santa Post-Installation Script
# @brief Installs various profiles that give Santa the permissions it needs to function.
# @description
# This script opens all the profiles required for a full Santa installation. It relies on having launched a Santa synchronization
# server. If you do not have a Santa synchronization server, you can launch Santa using the `local.santa.mobileconfig` file
# which launches Santa in local mode. This mode is not recommended for production use.
open /System/Library/PreferencePanes/Profiles.prefPane "${XDG_CONFIG_HOME:-$HOME/.config}/santa/server.santa.mobileconfig"
open /System/Library/PreferencePanes/Profiles.prefPane "${XDG_CONFIG_HOME:-$HOME/.config}/santa/tcc.configuration-profile-policy.santa.mobileconfig"
open /System/Library/PreferencePanes/Profiles.prefPane "${XDG_CONFIG_HOME:-$HOME/.config}/santa/system-extension-policy.santa.mobileconfig"
open /System/Library/PreferencePanes/Profiles.prefPane "${XDG_CONFIG_HOME:-$HOME/.config}/santa/notification-settings.santa.mobileconfig"
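Review bot: The four `open` calls run unconditionally, so a missing profile produces a System Preferences error dialog instead of a script failure, and the `server.santa.mobileconfig` added in this same commit still contains `{{ .host.domain }}` placeholders that nothing here renders before the file is opened. Two of the opened payloads, `com.apple.TCC.configuration-profile-policy` and `com.apple.system-extension-policy`, are to my knowledge only honored by macOS when the profile is delivered through an MDM enrollment, so a manually installed profile will neither grant Full Disk Access nor pre-approve the system extension; the header comment should say that the user will still be prompted for both. The README in this commit likewise notes that opening `Profiles.prefPane` only partially automates the install on Big Sur and later. Checking each file and keeping the invocations in one loop is a small rewrite:
```shell
# … unchanged: header comments …
SANTA_CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/santa"
for PROFILE in server.santa.mobileconfig \
  tcc.configuration-profile-policy.santa.mobileconfig \
  system-extension-policy.santa.mobileconfig \
  notification-settings.santa.mobileconfig; do
  if [ ! -f "$SANTA_CONFIG_DIR/$PROFILE" ]; then
    echo "Missing profile: $SANTA_CONFIG_DIR/$PROFILE" >&2
    exit 1
  fi
  open /System/Library/PreferencePanes/Profiles.prefPane "$SANTA_CONFIG_DIR/$PROFILE"
done
```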


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.google.santa</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>ClientMode</key>
<integer>2</integer>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>com.google.santa</string>
<key>PayloadDisplayName</key>
<string>com.google.santa</string>
<key>PayloadIdentifier</key>
<string>com.google.santa</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
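Review bot: `ClientMode` `2` at line 90 is Santa's Lockdown mode, and this profile ships neither a `SyncBaseURL` nor any `StaticRules`, so on a fresh install every binary without a pre-existing local rule is blocked; a comment such as `<!-- ClientMode 2 = LOCKDOWN: seed allow rules with santactl before installing -->` above the key would save the next person that surprise, and the post-install script's description of this as "local mode" should say the same. The top-level `PayloadIdentifier` `com.google.santa` and `PayloadUUID` `9020fb2d-…` at lines 113 and 123 (and the inner `0342c558-…` pair at lines 99 and 103) are identical to the server profile later in this commit, so installing one replaces the other. If that either/or behaviour is intended, note it in a comment; otherwise give each profile its own identifier and UUID.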


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.google.santa</string>
<key>CriticalAlertEnabled</key>
<true/>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<false/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Notifications Payload</string>
<key>PayloadIdentifier</key>
<string>com.google.santa.notificationsettings.F1817DA0-0044-43DD-9540-36EBC60FDA8F</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>510236AE-D7F8-4131-A4CA-5CC930C51866</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Configures your Mac to automatically enable Notifications settings for Santa</string>
<key>PayloadDisplayName</key>
<string>Santa Notifications settings</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.google.santa.notificationsettings.069CA123-6129-46A5-8FD1-49322E5A5755</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>069CA123-6129-46A5-8FD1-49322E5A5755</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
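Review bot: `ShowInLockScreen` is `true` at line 153, so Santa's block notifications, which typically name the blocked application, are rendered while the machine is locked; consider `<false/>` unless that disclosure is acceptable, and comment the choice either way. The inner `PayloadIdentifier` at line 163 embeds the UUID `F1817DA0-…` while `PayloadUUID` at line 169 is `510236AE-…`; every other profile in this commit uses the same UUID in both places, so this one should follow for consistency. Neither point is functional, but both are what an auditor will ask about first.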


@ -0,0 +1,115 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.google.santa</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>BannedBlockMessage</key>
<string>This application has been banned</string>
<key>ClientMode</key>
<integer>1</integer>
<key>EnablePageZeroProtection</key>
<false/>
<key>EnableSilentMode</key>
<false/>
<key>EventDetailText</key>
<string>Open sync server</string>
<key>EventDetailURL</key>
<string>https://santa.{{ .host.domain }}/blockables/%file_sha%</string>
<key>FileChangesRegex</key>
<string>^/(?!(?:private/tmp|Library/(?:Caches|Managed Installs/Logs|(?:Managed )?Preferences))/)</string>
<key>MachineIDKey</key>
<string>MachineUUID</string>
<key>MachineIDPlist</key>
<string>/Library/Preferences/{{ .host.domain }}.santa.machine-mapping.plist</string>
<key>MachineOwnerKey</key>
<string>Owner</string>
<key>MachineOwnerPlist</key>
<string>/Library/Preferences/{{ .host.domain }}.santa.machine-mapping.plist</string>
<key>ModeNotificationLockdown</key>
<string>Entering Lockdown mode</string>
<key>ModeNotificationMonitor</key>
<string>Entering Monitor mode&lt;br/&gt;Please be careful!</string>
<key>MoreInfoURL</key>
<string>https://santa.{{ .host.domain }}/moreinfo</string>
<key>StaticRules</key>
<array>
<dict>
<!-- Always allow files signed by Google LLC -->
<key>identifier</key>
<string>EQHXZ8M8AV</string>
<key>policy</key>
<string>ALLOWLIST</string>
<key>rule_type</key>
<string>TEAMID</string>
</dict>
<dict>
<!-- Always allow files signed by "Internal Tools Certificate" -->
<key>identifier</key>
<string>b2617611fb6c008bfe9e05b7a633d4f21c403a0a1a88b514a04c3e5e111be025</string>
<key>policy</key>
<string>ALLOWLIST</string>
<key>rule_type</key>
<string>CERTIFICATE</string>
</dict>
<dict>
<!-- Always BLOCK the BundleExample.app binary in Santa's testdata files, for testing -->
<key>identifier</key>
<string>b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670</string>
<key>policy</key>
<string>BLOCKLIST</string>
<key>rule_type</key>
<string>BINARY</string>
</dict>
</array>
<key>SyncBaseURL</key>
<string>https://santa.{{ .host.domain }}/api/santa/</string>
<key>UnknownBlockMessage</key>
<string>This application has been blocked from executing.</string>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>0342c558-a101-4a08-a0b9-40cc00039ea5</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>com.google.santa</string>
<key>PayloadDisplayName</key>
<string>com.google.santa</string>
<key>PayloadIdentifier</key>
<string>com.google.santa</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9020fb2d-cab3-420f-9268-acca4868bdd0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
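Review bot: The `StaticRules` array at lines 244–273 appears to be copied from Santa's configuration example: the `CERTIFICATE` `ALLOWLIST` entry at line 258 is labelled "Internal Tools Certificate", a certificate this repository does not appear to own, and the `BINARY` `BLOCKLIST` entry at line 267 targets Santa's `BundleExample.app` test fixture. An allowlist entry for a certificate you do not control is a standing exception to the policy, so drop both unless that certificate is actually yours, and in any case the comment should say where the hash comes from. `EventDetailURL`, `MachineIDPlist`, `MachineOwnerPlist`, `MoreInfoURL` and `SyncBaseURL` still hold `{{ .host.domain }}` Go-template placeholders, and nothing in this commit creates the machine-mapping plist that the two `/Library/Preferences/…` paths reference, so the profile needs a rendering step before the post-install script opens it. `EnablePageZeroProtection` is `false` at line 221, which as I read Santa's documentation disables its check for binaries missing a `__PAGEZERO` segment; if that is deliberate, a comment should say why.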


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<!-- See https://developer.apple.com/documentation/devicemanagement/systemextensions for payload descriptions -->
<key>PayloadUUID</key>
<string>40C19D5B-76D7-4C1C-BC9D-2F7EB29CFF4D</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadIdentifier</key>
<string>com.google.santa.system-extension-policy.40C19D5B-76D7-4C1C-BC9D-2F7EB29CFF4D</string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadDescription</key>
<string>Configures your Mac to automatically enable Santa's EndpointSecurityExtension</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>98D01A7B-ADC1-43C8-AB8E-8BDC25FCA3C9</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadIdentifier</key>
<string>com.google.santa.system-extension-policy.98D01A7B-ADC1-43C8-AB8E-8BDC25FCA3C9</string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>EQHXZ8M8AV</key>
<array>
<string>com.google.santa.daemon</string>
</array>
</dict>
<key>AllowedSystemExtensionTypes</key>
<dict>
<key>EQHXZ8M8AV</key>
<array>
<string>EndpointSecurityExtension</string>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
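Review bot: `AllowUserOverrides` is `true` at line 364, which lets any local user approve system extensions beyond the Google team ID listed under `AllowedSystemExtensions`; for a lockdown-oriented profile that also sets `PayloadRemovalDisallowed` to `true` at line 341, `<false/>` is the consistent choice, or the reason for leaving overrides open should be commented. `<plist version="1">` at line 321 differs from the `1.0` every other profile in this commit uses and from the DTD declared on line 320; make it `<plist version="1.0">`. As with the TCC payload, a `com.apple.system-extension-policy` payload is, to my knowledge, only applied when the profile arrives through an MDM enrollment, which the comment at line 323 should state since the post-install script opens this file manually.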


@ -0,0 +1,90 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- See https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol for payload descriptions -->
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures Privacy Preferences Policy Control settings</string>
<key>PayloadDisplayName</key>
<string>Privacy Preferences Policy Control</string>
<key>PayloadIdentifier</key>
<string>com.google.santa.TCC.configuration-profile-policy.2416BA4B-CBFC-4719-B02F-20251B881D6F</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>2416BA4B-CBFC-4719-B02F-20251B881D6F</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.google.santa.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.google.santa.daemon</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.google.santa.bundleservice" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.google.santa.bundleservice</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.google.santa" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.google.santa</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>tcc.configuration-profile-policy.santa.example</string>
<key>PayloadDisplayName</key>
<string>tcc.configuration-profile-policy.santa.example</string>
<key>PayloadIdentifier</key>
<string>com.google.santa.TCC.configuration-profile-policy.089CBCFB-F2AA-407C-9F2A-A12967FE20BC</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>089CBCFB-F2AA-407C-9F2A-A12967FE20BC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
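Review bot: This is the only profile in the commit without `PayloadRemovalDisallowed`; the other four set it to `<true/>`, and removing this one silently strips Full Disk Access from `com.google.santa.daemon`, so add `<key>PayloadRemovalDisallowed</key>` and `<true/>` next to `PayloadScope` at line 467. The top-level `PayloadDescription` and `PayloadDisplayName` at lines 460 and 462 still read `tcc.configuration-profile-policy.santa.example`, which is what the user sees in the Profiles pane; rename them in the style of the other profiles' descriptions. The `Comment` strings at lines 419, 433 and 447 are empty, and that field is what an administrator sees when auditing the grant, so a short reason such as `Santa needs Full Disk Access to read and hash executables` (constructed example) is worth adding to each entry.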


@ -8156,7 +8156,6 @@ softwarePackages:
_github: https://github.com/google/santa _github: https://github.com/google/santa
_home: https://santa.dev/ _home: https://santa.dev/
_name: A binary authorization system for MacOS _name: A binary authorization system for MacOS
ansible:darwin: professormanhattan.santa
cask: santa cask: santa
schema: schema:
_bin: schema _bin: schema