
Santa is a binary authorization system for macOS. It consists of a system extension that allows or denies attempted executions using a set of rules stored in a local database, a GUI agent that notifies the user in case of a block decision, a sync daemon responsible for syncing the database and a server, and a command-line utility for managing the system.

It is named Santa because it keeps track of binaries that are naughty or nice.

* Multiple modes: In the default MONITOR mode, all binaries except those marked as blocked will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only listed binaries are allowed to run.
* Event logging: All binary launches are logged. When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
* Certificate-based rules, with override levels: Instead of relying on a binary's hash (or 'fingerprint'), executables can be allowed/blocked by their signing certificate. You can therefore allow/block all binaries by a given publisher that were signed with that cert across version updates. A binary can only be allowed by its certificate if its signature validates correctly, but a rule for a binary's fingerprint will override a decision for a certificate, i.e. you can allowlist a certificate while blocking a binary signed with that certificate, or vice-versa.
* Path-based rules (via NSRegularExpression/ICU): Binaries can be allowed/blocked based on the path they are launched from by matching against a configurable regex.
* Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore automatically allowed. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps.
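The precedence described above (a binary-fingerprint rule overrides a certificate rule, a certificate rule only counts when the signature validates, path regexes apply after that, and the mode decides what happens to anything unmatched) is easiest to understand as a small decision model. The following Python is an added illustration, not Santa's own code or its database format: the rule tables, the `Binary` record, the `LAUNCHD_CERT_SHA256` placeholder and all sample fingerprints and paths are constructed for the example, and treating a binary with an invalid signature as having no trustworthy certificate for block rules (the page only states this for allow decisions) is an assumption.

```python
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    MONITOR = "MONITOR"
    LOCKDOWN = "LOCKDOWN"


class Decision(Enum):
    ALLOW = "ALLOW"
    BLOCK = "BLOCK"


# Placeholder for the fingerprint of the certificate that signs launchd (pid 1).
# Constructed value; the real fingerprint is not on the page.
LAUNCHD_CERT_SHA256 = "PLACEHOLDER-LAUNCHD-SIGNING-CERT"


@dataclass
class Binary:
    path: str
    sha256: str                 # the binary's own fingerprint
    cert_sha256: Optional[str]  # fingerprint of its leaf signing cert, if any
    signature_valid: bool       # whether the code signature verifies


@dataclass
class Policy:
    mode: Mode
    binary_rules: dict = field(default_factory=dict)  # sha256 -> Decision
    cert_rules: dict = field(default_factory=dict)    # cert sha256 -> Decision
    path_rules: list = field(default_factory=list)    # [(compiled regex, Decision)]
    events: list = field(default_factory=list)        # every launch: (path, decision, reason)
    stored: list = field(default_factory=list)        # unknown or denied launches kept for aggregation

    def add_binary_rule(self, sha256: str, decision: Decision) -> None:
        self.binary_rules[sha256] = decision

    def add_cert_rule(self, cert_sha256: str, decision: Decision) -> None:
        # Failsafe: a deny rule for the cert that signs launchd would block every
        # macOS component, so the rule is refused outright.
        if decision is Decision.BLOCK and cert_sha256 == LAUNCHD_CERT_SHA256:
            raise ValueError("refusing a block rule for the certificate that signs launchd")
        self.cert_rules[cert_sha256] = decision

    def add_path_rule(self, pattern: str, decision: Decision) -> None:
        self.path_rules.append((re.compile(pattern), decision))

    def evaluate(self, b: Binary) -> tuple:
        """Return (Decision, reason) for a launch of binary b, recording the event."""
        # 1. A rule on the binary's own fingerprint overrides any certificate rule.
        if b.sha256 in self.binary_rules:
            return self._record(b, self.binary_rules[b.sha256], "binary")
        # 2. A certificate rule is consulted only when the signature validates
        #    (assumption: an invalid signature means no trustworthy certificate).
        if b.signature_valid and b.cert_sha256 in self.cert_rules:
            return self._record(b, self.cert_rules[b.cert_sha256], "certificate")
        # 3. Path-based rules: regex match on the launch path.
        for regex, decision in self.path_rules:
            if regex.search(b.path):
                return self._record(b, decision, "path")
        # 4. No rule matched: MONITOR lets it run, LOCKDOWN blocks it.
        decision = Decision.ALLOW if self.mode is Mode.MONITOR else Decision.BLOCK
        return self._record(b, decision, "unknown")

    def _record(self, b: Binary, decision: Decision, reason: str) -> tuple:
        # All launches are logged; unknown or denied ones are additionally stored.
        self.events.append((b.path, decision, reason))
        if reason == "unknown" or decision is Decision.BLOCK:
            self.stored.append((b.path, b.sha256, b.cert_sha256))
        return decision, reason


def demo() -> dict:
    """Constructed sample launches exercising each precedence level."""
    pol = Policy(Mode.MONITOR)
    pol.add_cert_rule("cert-vendor-a", Decision.ALLOW)
    pol.add_binary_rule("sha-helper", Decision.BLOCK)  # overrides the cert allow
    pol.add_path_rule(r"^/Users/[^/]+/Downloads/", Decision.BLOCK)
    app = Binary("/Applications/A.app/Contents/MacOS/A", "sha-app", "cert-vendor-a", True)
    helper = Binary("/Applications/A.app/Contents/MacOS/Helper", "sha-helper", "cert-vendor-a", True)
    tampered = Binary("/Applications/A.app/Contents/MacOS/B", "sha-b", "cert-vendor-a", False)
    download = Binary("/Users/alice/Downloads/tool", "sha-tool", None, False)
    results = {
        "app": pol.evaluate(app),            # allowed by certificate
        "helper": pol.evaluate(helper),      # fingerprint block wins over cert allow
        "tampered": pol.evaluate(tampered),  # bad signature: unknown, MONITOR allows
        "download": pol.evaluate(download),  # path regex blocks
    }
    pol.mode = Mode.LOCKDOWN
    results["tampered_lockdown"] = pol.evaluate(tampered)  # unknown, LOCKDOWN blocks
    results["stored"] = len(pol.stored)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script shows the same binary going from allowed to blocked purely by switching from MONITOR to LOCKDOWN, and that only the unknown or denied launches end up in the stored list, which is the set a sync server would later aggregate.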
