We’re releasing an extension for osquery that lets you manage Google Santa without the need for a separate sync server.
Google Santa is an application whitelist and blacklist system for macOS ideal for deployment across managed fleets. It uses a sync server from which daemons pull rules onto managed computers. However, the sync server provides no functionality for the bulk collection of logs or configuration states. It does not indicate whether all the agents have pulled the latest rules or how often those agents block execution of blacklisted binaries.
In partnership with Palantir, we have integrated Santa into the osquery interface as an extension. Santa can now be managed directly through osquery and no longer requires a separate sync server. Enterprises can use a single interface, osquery, to centrally manage logs and update or review agent configuration.
We’ve described writable access to endpoints as a superfeature of osquery. This extension shows why. Now, it’s possible to add remote management features to the osquery agent, which is normally limited to read-only access. This represents a huge advance in osquery’s capabilities, moving it from the role of strictly monitoring into an active and preventative role. Trail of Bits is pleased to announce the release of the Santa extension into our open-source repository of osquery extensions.
What it can do
Santa gives you fine-grained control over which applications may run on your computer. Add osquery and this extension into the mix, and now you’ve got fine-grained control over which applications may run on your fleet. Lock down endpoints to only run applications signed by a handful of approved certificates, or blacklist known malicious applications before they get a chance to run.
The extension can be loaded at the startup of osquery with the extension command line argument, e.g.,
osqueryi --extension path/to/santa.ext. On loading, it adds two new tables to the database:
santa_events.The tables themselves are straightforward.
santa_rules consists of the three text columns:
type. The type column contains the rule type and may be either certificate or binary.
state is either whitelist or blacklist.
shasum contains either the hash of the binary or the signing certificate’s hash, depending on rule type.
santa_events table has four text columns:
timestamp marks the time the deny event was logged.
path lists the path to the denied application.
shasum displays the hash of the file.
reason shows the type of rule that caused the deny (either binary or certificate).
Time to use it
This extension provides a simplified interface to oversee and control your Santa deployment across your fleet, granting easy access to both rules and events. You can find it and other osquery extensions in our repository of maintained osquery extensions. We’ll continue to add new extensions. Take a look and see what we have available.
Hire us to tailor osquery to your needs
Note: This feature depends on writable tables support for extensions which has not yet been merged. Contact us if you’d like to try this feature now — we create custom binary builds to test upcoming features of osquery for our clients.