By Eduard Kovacs on November 24, 2014
Google's Macintosh Operations Team announced the availability of the source code for "Santa," a tool designed for whitelisting and blacklisting binaries on Apple's Mac OS X operating systems.
Threats designed to target devices running Mac OS X are increasingly common and increasingly successful. A perfect example is the recently-uncovered WireLurker
malware which is believed to have infected hundreds of thousands of devices in China.
, named so because it "keeps track of binaries that are naughty and nice," is just one of the many tools and scripts
developed by Google's Macintosh Operations Team for managing and tracking a fleet of Mac computers in a corporate environment. The search engine company uses tens of thousands of Macs and managing them is not an easy task.
Santa is not an official Google product and it's not even at version 1.0 due to some issues that still need to be addressed, but the project looks promising. The tool has four main components: a kernel extension for monitoring executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a graphical user interface (GUI) agent that notifies the user when an execution is blocked, and a command-line utility that's used to manage the system and synchronize the database with a server.
The tool is designed to run in two modes: monitor and lockdown. In the "monitor" mode, all binaries are allowed to run, except for those that are blacklisted. In "lockdown" mode, only whitelisted binaries can be executed.