diff --git a/policies/aide.conf b/policies/aide.conf
index c3b249a..e5ed0ba 100644
--- a/policies/aide.conf
+++ b/policies/aide.conf
@@ -1,121 +1,103 @@
 @@define USER warren
-# Database locations
 database_in=file:/opt/local/var/lib/aide/aide.db
 database_out=file:/opt/local/var/lib/aide/aide.db.new
-
-# Uncompressed for faster reads
 gzip_dbout=no
-
-# Logging
 log_level=warning
 report_url=file:/opt/local/var/log/aide/aide.log
 report_url=stdout
 report_level=changed_attributes
 report_grouped=true
 report_summarize_changes=true
-
-# Performance - use half of available CPU cores
 num_workers=50%
-# =============================================================================
-# GROUPS
-# =============================================================================
-
-Checksums = sha256
-
-# Full integrity check
-Full = p+u+g+ftype+n+i+s+m+c+Checksums
-
-# For config files
+Checksums = sha256+sha512
+Full = p+u+g+ftype+n+i+s+m+c+Checksums+xattrs+acl
 ConfigFile = p+u+g+ftype+s+m+c+Checksums
-
-# Directory structure only
 DirOnly = p+u+g+ftype+n+i
+LibCheck = p+u+g+ftype+s+m+c+Checksums+xattrs
-# =============================================================================
-# PERSISTENCE MECHANISMS - PRIMARY
-# =============================================================================
-
-# LaunchDaemons/Agents (most common persistence)
 /Library/LaunchDaemons Full
 /Library/LaunchAgents Full
 /Users/@@{USER}/Library/LaunchAgents Full
-
-# Login items
 /Library/Preferences/com.apple.loginwindow.plist ConfigFile
 /Users/@@{USER}/Library/Preferences/com.apple.loginitems.plist ConfigFile
-
-# Privileged helper tools
 /Library/PrivilegedHelperTools Full
-# =============================================================================
-# PERSISTENCE MECHANISMS - SECONDARY
-# =============================================================================
-
-# Authorization plugins (can intercept login)
 /Library/Security Full
-
-# Directory services plugins
 /Library/DirectoryServices Full
-
-# Scripting additions (AppleScript injection)
 /Library/ScriptingAdditions Full
-
-# Spotlight importers (code execution on file indexing)
 /Library/Spotlight Full
-
-# Legacy startup items
 /Library/StartupItems Full
-
-# Input managers (deprecated but functional)
 /Library/InputManagers Full
-
-# User Automator services
 /Users/@@{USER}/Library/Services Full
 /Users/@@{USER}/Library/Workflows Full
-
-# Keyboard services / input methods
 /Library/Input\ Methods Full
 /Users/@@{USER}/Library/Input\ Methods Full
 /Library/Keyboard\ Layouts Full
 /Users/@@{USER}/Library/Keyboard\ Layouts Full
-# =============================================================================
-# APPLICATIONS
-# =============================================================================
+/Library/QuickLook Full
+/Users/@@{USER}/Library/QuickLook Full
+/Library/ColorPickers Full
+/Users/@@{USER}/Library/ColorPickers Full
+/Library/Internet\ Plug-Ins Full
+/Library/Audio/Plug-Ins Full
+/Users/@@{USER}/Library/Audio/Plug-Ins Full
+/Library/Compositions Full
+/Library/Address\ Book\ Plug-Ins Full
+/Users/@@{USER}/Library/Address\ Book\ Plug-Ins Full
+/Library/Mail/Bundles Full
+/Users/@@{USER}/Library/Mail/Bundles Full
+/Library/PDF\ Services Full
+/Users/@@{USER}/Library/PDF\ Services Full
+/Library/Printers Full
+/Library/CoreMediaIO/Plug-Ins Full
+/Library/Image\ Capture Full
+/Library/Filesystems Full
+/Library/Apple/System Full
+/Library/Apple/usr Full
+
+/System/Library/LaunchDaemons Full
+/System/Library/LaunchAgents Full
+/System/Library/Extensions Full
+/System/Library/Filesystems Full
+/System/Library/Frameworks Full
+/System/Library/KernelCollections Full
+/System/Library/PrivateFrameworks Full
+/System/Library/Sandbox Full
+/System/Library/Security Full
+
+/usr/bin Full
+/usr/sbin Full
+/usr/lib Full
+/usr/libexec Full
+/bin Full
+/sbin Full
 /Applications Full
-
-# Exclude noisy metadata
 !/Applications/.DS_Store
 !/Applications/.localized
-# =============================================================================
-# MACPORTS BINARIES
-# =============================================================================
-
 /opt/local/bin Full
 /opt/local/sbin Full
 /opt/local/libexec Full
+/opt/local/lib LibCheck
+/opt/local/etc Full
+!/opt/local/etc/unbound/root.key
+!/opt/local/var
+
+/Users/@@{USER}/Library/Application\ Support/Google/Chrome/Default/Extensions DirOnly
+/Users/@@{USER}/Library/Application\ Support/Google/Chrome/Profile\ */Extensions DirOnly
+/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles Full
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/storage
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/cache2
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/places.sqlite
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/favicons.sqlite
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*.sqlite-wal
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*.sqlite-shm
-# =============================================================================
-# HOMEBREW (uncomment if installed)
-# =============================================================================
-
-# Intel Mac:
-# /usr/local/bin Full
-# /usr/local/sbin Full
-
-# Apple Silicon:
-# /opt/homebrew/bin Full
-# /opt/homebrew/sbin Full
-
-# =============================================================================
-# SYSTEM CONFIGURATION
-# =============================================================================
-
-# Shell configs
 /Users/@@{USER}/.zshrc ConfigFile
 /Users/@@{USER}/.zprofile ConfigFile
 /Users/@@{USER}/.zshenv ConfigFile
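Review bot: The new Chrome and Firefox selection lines use shell-style globs, but AIDE selection lines are regular expressions, so `Profile\ *` matches "Profile" followed by any number of spaces rather than "Profile 1", and `Profiles/*/storage` matches only a run of slashes before "storage"; as written none of the Firefox exclusions will fire and the `Profiles Full` rule will checksum every cookies/places/favicons database on each run. Use a character class for the path component instead, e.g. `Profile\ [0-9]+/Extensions`, `Profiles/[^/]+/storage` and `Profiles/.*\.sqlite-(wal|shm)$`. The same applies to `!/Users/@@{USER}/.config/*/Cache` and `!/Users/@@{USER}/.config/**/cache` in the second hunk, where `**` is not a valid regex quantifier and may be rejected when the config is loaded. This hunk also strips every explanatory comment from the file; keeping the one-line "why" above each group (e.g. `# Spotlight importers: code execution on file indexing`) would preserve the rationale for the next editor.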
@@ -125,87 +107,72 @@ DirOnly = p+u+g+ftype+n+i
 /Users/@@{USER}/.bash_logout ConfigFile
 /Users/@@{USER}/.profile ConfigFile
 /Users/@@{USER}/.inputrc ConfigFile
-
-# PATH injection
 /private/etc/paths ConfigFile
 /private/etc/paths.d Full
-
-# Shell list
 /private/etc/shells ConfigFile
-
-# SSH configuration
-/Users/@@{USER}/.ssh/config ConfigFile
-/Users/@@{USER}/.ssh/authorized_keys ConfigFile
+/Users/@@{USER}/.ssh Full
+!/Users/@@{USER}/.ssh/known_hosts
+!/Users/@@{USER}/.ssh/sockets
 /private/etc/ssh Full
-
-# sudoers
 /private/etc/sudoers ConfigFile
 /private/etc/sudoers.d Full
-
-# PAM configuration
 /private/etc/pam.d Full
-
-# Periodic scripts (cron-like)
 /private/etc/periodic Full
-
-# Cron
 /private/var/at Full
 /usr/lib/cron Full
-
-# DNS
 /private/etc/hosts ConfigFile
 /private/etc/resolv.conf ConfigFile
-
-# Syslog config
 /private/etc/syslog.conf ConfigFile
 /private/etc/newsyslog.conf ConfigFile
 /private/etc/newsyslog.d Full
 /private/etc/asl.conf ConfigFile
 /private/etc/asl Full
+/private/etc/security Full
+/private/etc/pf.conf ConfigFile
+/private/etc/pf.anchors Full
+
+/private/etc/launchd.conf ConfigFile
+/Users/@@{USER}/.launchd.conf ConfigFile
+/Users/@@{USER}/.config Full
+!/Users/@@{USER}/.config/*/Cache
+!/Users/@@{USER}/.config/**/cache
+/Users/@@{USER}/.gitconfig ConfigFile
+/private/etc/dyld.conf ConfigFile
+/Library/Preferences/com.apple.alf.plist ConfigFile
+/Library/Preferences/com.apple.security.plist ConfigFile
+/Library/Application\ Support/com.apple.TCC Full
+/Users/@@{USER}/Library/Application\ Support/com.apple.TCC Full
-# =============================================================================
-# SECURITY TOOLS CONFIG
-# =============================================================================
-
-# Santa (if installed)
 /var/db/santa Full
-
-# AIDE itself
 /opt/local/etc/aide Full
+/Library/Application\ Support/Objective\ Development Full
+/Users/@@{USER}/Library/Application\ Support/Little\ Snitch Full
-# =============================================================================
-# LIBRARY - HIGH-VALUE TARGETS
-# =============================================================================
-
-# Application support - structure only
 /Library/Application\ Support$ DirOnly
-
-# System extensions
 /Library/SystemExtensions Full
 /Library/Extensions Full
-
-# Frameworks
 /Library/Frameworks Full
-
-# Screen savers (code execution vector)
 /Library/Screen\ Savers Full
 /Users/@@{USER}/Library/Screen\ Savers Full
-# =============================================================================
-# EXCLUSIONS
-# =============================================================================
+/private/etc/authorization ConfigFile
+/private/etc/auto_master ConfigFile
+/private/etc/fstab ConfigFile
+/private/etc/group ConfigFile
+/private/etc/master.passwd ConfigFile
+/private/etc/passwd ConfigFile
-# Caches and temp
 !/Library/Caches
 !/Users/@@{USER}/Library/Caches
 !/private/var/folders
 !/private/tmp
 !/private/var/tmp
-
-# Containers (TCC protected, causes errors)
 !/Users/@@{USER}/Library/Containers
-
-# Logs
 !/Library/Logs
 !/Users/@@{USER}/Library/Logs
 !/Library/Application\ Support/CrashReporter
+!/Users/@@{USER}/.Spotlight-V100
+!/private/var/db/dyld
+!/private/var/db/uuidtext
+!/private/var/db/BootCaches
+!/private/var/db/ConfigurationProfiles/Store
diff --git a/policies/cnssi-1253_cust.yaml b/policies/cnssi-1253_cust.yaml
index 602069c..31ce81b 100644
--- a/policies/cnssi-1253_cust.yaml
+++ b/policies/cnssi-1253_cust.yaml
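Review bot: `!/private/var/db/ConfigurationProfiles/Store` excludes the directory where installed configuration profiles are kept, so a quietly installed profile (a common way to change DNS, proxy, certificate trust or MDM enrollment) would no longer appear in the report; if it was excluded for access errors rather than churn, a `DirOnly` rule on the parent would at least keep additions and removals visible, and a comment stating the reason belongs next to it either way. The two `com.apple.TCC Full` lines will likely produce permission errors unless the aide binary has been granted Full Disk Access — the removed "Containers (TCC protected, causes errors)" comment suggests that has bitten before, so a note recording the requirement would help. `!/Users/@@{USER}/.ssh/known_hosts` also means a replaced host-key entry goes unreported; a `ConfigFile` rule on it instead of a blanket exclusion would catch that at the cost of some noise.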
@@ -1,32 +1,11 @@ -title: "macOS 26.0: Security Configuration - Personal Device (Enhanced)" +title: "macOS 26.0: Security Configuration - Personal Device (Hardened)" description: | - Enhanced version of CNSSI-1253 High for personal device use. - - Includes: - - Core security controls that passed testing - - SSH server hardening (defense in depth, even though SSH is disabled) - - Password minimum length (12 chars) and sequence blocking - - Firewall block-all mode with stealth mode - - External storage access unrestricted (no limitations) - - Session unlock restrictions - - FileVault enforcement - - WiFi auto-disable when connected to ethernet - - Secure name resolution (DNS security capability) - - Log file access protection (prevent non-privileged access) - - Content reset prevention - - Allow unsigned/unidentified developer apps (Gatekeeper enabled but permissive) - - Selected permanent/operational controls (inherent features) - - Excluded: - - Smartcard/MFA (not needed for personal use) - - Comprehensive auditing (enterprise feature - but log file security included) - - Media restrictions (optical drives) - - Enterprise MDM requirements - - Account modification lockdown (too restrictive) - - Parental controls (not applicable) - - Auto security updates (manual control preferred) - - External storage restrictions (full access allowed) - - Identified developer requirement (unidentified apps allowed) + Key changes from base: + - Gatekeeper now requires identified developers (no unsigned apps) + - Audit subsystem enabled for security events + - Additional USB restrictions + - Stricter network controls + - Enhanced authentication requirements authors: "Yu-Jen Wang" parent_values: "recommended" 
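Review bot: The new description claims "Gatekeeper now requires identified developers (no unsigned apps)", but the rule change that implements it, in the `@@ -153,7 +160,7 @@` hunk, replaces `system_settings_gatekeeper_override_disallow` with `system_settings_gatekeeper_identified_developers_allowed`, which appears to drop the control that stops a user from overriding Gatekeeper for an individual app; if the intent really is "no unsigned apps", both rules should be in the list. "Additional USB restrictions" and "Stricter network controls" are not matched by any rule id visible in this diff (hunks between the visible ones are not shown, so this may be a gap in the diff rather than the profile); either name the rules in the description or trim it to what the profile adds. Since this description is the only documentation of the profile's intent, one line per bullet naming the rule(s) behind it would keep it verifiable.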
@@ -35,6 +14,29 @@ profile: rules: - auth_ssh_password_authentication_disable + - section: "auditing" + rules: + - audit_acls_files_configure + - audit_acls_folders_configure + - audit_auditd_enabled + - audit_configure_capacity_notify + - audit_failure_halt + - audit_files_group_configure + - audit_files_mode_configure + - audit_files_owner_configure + - audit_flags_aa_configure + - audit_flags_ad_configure + - audit_flags_ex_configure + - audit_flags_fm_configure + - audit_flags_fr_configure + - audit_flags_fw_configure + - audit_flags_lo_configure + - audit_folder_group_configure + - audit_folder_owner_configure + - audit_folders_mode_configure + - audit_retention_configure + - audit_settings_failure_notify + - section: "icloud" rules: - icloud_addressbook_disable @@ -68,6 +70,7 @@ profile: - os_filevault_autologin_disable - os_firewall_default_deny_require - os_gatekeeper_enable + - os_gatekeeper_require_app_store_allowed - os_genmoji_disable - os_handoff_disable - os_home_folders_default @@ -78,6 +81,7 @@ profile: - os_install_log_retention_configure - os_iphone_mirroring_disable - os_ir_support_disable + - os_library_validation_enable - os_loginwindow_adminhostinfo_disabled - os_mail_smart_reply_disable - os_mail_summary_disable @@ -92,6 +96,7 @@ profile: - os_password_proximity_disable - os_password_sharing_disable - os_photos_enhanced_search_disable + - os_policy_banner_loginwindow_enforce - os_policy_banner_ssh_configure - os_policy_banner_ssh_enforce - os_privacy_setup_prompt_disable 
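Review bot: `audit_failure_halt` in the new `auditing` section configures the audit subsystem to halt the machine when it cannot write audit records (for example when the audit volume fills), which is a deliberate availability trade-off in the CNSSI baseline but surprising on a profile titled "Personal Device"; if it is intended, a comment above the rule saying so would stop the next editor from treating it as a mistake. Apple has deprecated the OpenBSM audit subsystem for several releases, so it is worth confirming that the `audit_*` rules still assess and enforce on macOS 26.0 before relying on the "Audit subsystem enabled" claim in the description.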
@@ -112,11 +117,13 @@ profile: - os_sshd_channel_timeout_configure - os_sshd_client_alive_count_max_configure - os_sshd_client_alive_interval_configure + - os_sshd_key_exchange_algorithm_configure - os_sshd_login_grace_time_configure - os_sshd_per_source_penalties_configure - os_sshd_permit_root_login_configure - os_sshd_unused_connection_timeout_configure - os_sudoers_timestamp_type_configure + - os_sudo_timeout_configure - os_system_read_only - os_tftpd_disable - os_time_server_enabled @@ -124,7 +131,6 @@ profile: - os_unlock_active_user_session_disable - os_uucp_disable - os_writing_tools_disable - - os_sudo_timeout_configure - os_world_writable_system_folder_configure - os_terminal_secure_keyboard_enable - os_dictation_disable @@ -144,6 +150,7 @@ profile: - system_settings_automatic_login_disable - system_settings_automatic_logout_enforce - system_settings_bluetooth_sharing_disable + - system_settings_cd_dvd_sharing_disable - system_settings_content_caching_disable - system_settings_critical_update_install_enforce - system_settings_diagnostics_reports_disable @@ -153,7 +160,7 @@ profile: - system_settings_find_my_disable - system_settings_firewall_enable - system_settings_firewall_stealth_mode_enable - - system_settings_gatekeeper_override_disallow + - system_settings_gatekeeper_identified_developers_allowed - system_settings_guest_access_smb_disable - system_settings_guest_account_disable - system_settings_hot_corners_disable diff --git a/policies/faa_policy.plist b/policies/faa_policy.plist index 6c40666..7ee422c 100644 --- a/policies/faa_policy.plist +++ b/policies/faa_policy.plist @@ -3,7 +3,13 @@ Version - v1.0 + v2.1-hardened + + EventDetailURL + https://security.internal/faa/%hostname%/%rule_name%/%file_identifier% + EventDetailText + Report Issue + WatchItems ChromeCookies 
@@ -18,6 +24,14 @@ Path /Users/*/Library/Application Support/Google/Chrome/*/Cookies-journal + + Path + /Users/*/Library/Application Support/Google/Chrome/*/Network/Cookies + + + Path + /Users/*/Library/Application Support/Google/Chrome/*/Network/Cookies-journal + Options @@ -27,6 +41,8 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Chrome cookies are protected. Only Chrome can access this file. Processes @@ -50,6 +66,7 @@ + ChromeLoginData Paths @@ -62,6 +79,14 @@ Path /Users/*/Library/Application Support/Google/Chrome/*/Login Data-journal + + Path + /Users/*/Library/Application Support/Google/Chrome/*/Web Data + + + Path + /Users/*/Library/Application Support/Google/Chrome/*/Web Data-journal + Options @@ -71,6 +96,8 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Chrome login data is protected. Processes @@ -88,6 +115,7 @@ + ChromeExtensions Paths @@ -107,6 +135,8 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Chrome extensions directory is write-protected. Processes @@ -128,25 +158,42 @@ PlatformBinary + + SigningID + com.apple.mds + PlatformBinary + + - SlackSecrets + + FirefoxSecrets Paths Path - /Users/*/Library/Application Support/Slack/Cookies + /Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite Path - /Users/*/Library/Application Support/Slack/Local Storage - IsPrefix - + /Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite-journal Path - /Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/Cookies + /Users/*/Library/Application Support/Firefox/Profiles/*/key4.db + + + Path + /Users/*/Library/Application Support/Firefox/Profiles/*/logins.json + + + Path + /Users/*/Library/Application Support/Firefox/Profiles/*/cert9.db + + + Path + /Users/*/Library/Application Support/Firefox/Profiles/*/signons.sqlite Options 
@@ -157,34 +204,31 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Firefox credentials are protected. Processes SigningID - com.tinyspeck.slackmacgap + org.mozilla.firefox TeamID - BQR82RBBHL - - - SigningID - com.apple.mdworker_shared - PlatformBinary - + 43AQ936H96 - DiscordSecrets + + SafariSecrets Paths Path - /Users/*/Library/Application Support/discord/Cookies + /Users/*/Library/Cookies/Cookies.binarycookies Path - /Users/*/Library/Application Support/discord/Local Storage + /Users/*/Library/Safari/LocalStorage IsPrefix @@ -197,72 +241,94 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Safari cookies are protected. Processes SigningID - com.hnc.Discord - TeamID - 53Q6R32WPB + com.apple.Safari + PlatformBinary + SigningID - com.apple.mdworker_shared + com.apple.Safari.SandboxBroker + PlatformBinary + + + + SigningID + com.apple.WebKit.Networking PlatformBinary - SlackResources + + SlackSecrets Paths Path - /Applications/Slack.app/Contents/Resources/app.asar + /Users/*/Library/Application Support/Slack/Cookies + + + Path + /Users/*/Library/Application Support/Slack/Cookies-journal Path - /Applications/Slack.app/Contents/Resources/app + /Users/*/Library/Application Support/Slack/Local Storage IsPrefix + + Path + /Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/Cookies + Options AllowReadAccess - + AuditOnly RuleType PathsWithAllowedProcesses + BlockMessage + Slack credentials are protected. Processes + SigningID + com.tinyspeck.slackmacgap TeamID BQR82RBBHL SigningID - com.apple.installer - PlatformBinary - + com.tinyspeck.slackmacgap.helper + TeamID + BQR82RBBHL - DiscordResources + + DiscordSecrets Paths Path - /Applications/Discord.app/Contents/Resources/app.asar + /Users/*/Library/Application Support/discord/Cookies Path - /Applications/Discord.app/Contents/Resources/app + /Users/*/Library/Application Support/discord/Local Storage IsPrefix 
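Review bot: `SafariSecrets` protects `/Users/*/Library/Cookies/Cookies.binarycookies` and `/Users/*/Library/Safari/LocalStorage`, but on current macOS Safari is sandboxed and keeps its cookie and storage files inside its container (`~/Library/Containers/com.apple.Safari/Data/Library/...`); the top-level `Cookies.binarycookies`, where present, is the shared store used by other (non-sandboxed) apps, so allowing only Safari and `com.apple.WebKit.Networking` there risks blocking those apps while leaving Safari's real store unwatched. Verify the paths on a running system and add the container paths before this rule leaves AuditOnly. The `AllowReadAccess`/`AuditOnly` values for `SlackSecrets` and `DiscordSecrets` are not recoverable from this rendering; if the rules are now enforcing, a comment noting the date they were validated in audit mode would help reviewers.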
@@ -270,30 +336,37 @@ Options AllowReadAccess - + AuditOnly RuleType PathsWithAllowedProcesses + BlockMessage + Discord credentials are protected. Processes + SigningID + com.hnc.Discord TeamID 53Q6R32WPB - - SigningID - com.apple.installer - PlatformBinary - - - VSCodeResources + + ElectronAppResources Paths + + Path + /Applications/Slack.app/Contents/Resources/app.asar + + + Path + /Applications/Discord.app/Contents/Resources/app.asar + Path /Applications/Visual Studio Code.app/Contents/Resources/app @@ -309,9 +382,19 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Electron app resources are protected from modification. Processes + + TeamID + BQR82RBBHL + + + TeamID + 53Q6R32WPB + TeamID UBF8T346G9 @@ -324,6 +407,7 @@ + SSHPrivateKeys Paths @@ -344,6 +428,10 @@ Path /Users/*/.ssh/*_ecdsa + + Path + /Users/*/.ssh/*_dsa + Options @@ -353,6 +441,8 @@ RuleType PathsWithAllowedProcesses + BlockMessage + SSH private keys are protected. Processes @@ -374,14 +464,33 @@ PlatformBinary + + SigningID + com.apple.ssh-keygen + PlatformBinary + + SigningID com.apple.git PlatformBinary + + SigningID + com.apple.scp + PlatformBinary + + + + SigningID + com.apple.sftp + PlatformBinary + + + SSHConfig Paths @@ -392,11 +501,11 @@ Path - /Users/*/.ssh/known_hosts + /Users/*/.ssh/authorized_keys Path - /Users/*/.ssh/authorized_keys + /Users/*/.ssh/known_hosts Options @@ -404,9 +513,11 @@ AllowReadAccess AuditOnly - + RuleType PathsWithAllowedProcesses + BlockMessage + SSH config files are write-protected. Processes @@ -416,6 +527,12 @@ PlatformBinary + + SigningID + com.apple.ssh-keygen + PlatformBinary + + SigningID com.apple.Terminal @@ -434,19 +551,31 @@ PlatformBinary + + TeamID + UBF8T346G9 + - AWSCredentials + + + GPGPrivateKeys Paths Path - /Users/*/.aws/credentials + /Users/*/.gnupg/private-keys-v1.d + IsPrefix + Path - /Users/*/.aws/config + /Users/*/.gnupg/secring.gpg + + + Path + /Users/*/.gnupg/trustdb.gpg Options 
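Review bot: Merging the Slack, Discord and VS Code resource rules into one `ElectronAppResources` rule widens each app's writer set: any binary signed by `BQR82RBBHL`, `53Q6R32WPB` or `UBF8T346G9` may now modify all three `app.asar`/`app` trees, so a compromised update process of one app could rewrite another's resources without tripping the rule, which the per-app rules prevented. Keep one rule per app (or per TeamID) so the allowed process set matches the path set. The `SSHConfig` change in the `@@ -392,11 +501,11 @@` hunk only swaps the order of `authorized_keys` and `known_hosts`, which is a no-op and could be dropped from the change.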
@@ -454,33 +583,52 @@ AllowReadAccess AuditOnly - + RuleType PathsWithAllowedProcesses + BlockMessage + GPG private keys are protected. Processes - SigningID - com.apple.Terminal - PlatformBinary - + BinaryPath + /opt/local/bin/gpg + + + BinaryPath + /opt/local/bin/gpg2 + + + BinaryPath + /opt/local/libexec/gnupg/gpg-agent + + + BinaryPath + /usr/local/bin/gpg + + + BinaryPath + /usr/local/bin/gpg-agent SigningID - com.apple.python3 + com.apple.git PlatformBinary - GitCredentials + + PasswordStore Paths Path - /Users/*/.git-credentials + /Users/*/.password-store + IsPrefix + Options @@ -488,7 +636,7 @@ AllowReadAccess AuditOnly - + RuleType PathsWithAllowedProcesses @@ -500,25 +648,53 @@ PlatformBinary + + SigningID + com.apple.Terminal + PlatformBinary + + + + BinaryPath + /opt/local/bin/gpg + - PAMConfig + CloudCredentials Paths Path - /private/etc/pam.d + /Users/*/.aws/credentials + + + Path + /Users/*/.aws/config + + + Path + /Users/*/.config/gcloud + IsPrefix + + + + Path + /Users/*/.azure IsPrefix + + Path + /Users/*/.kube/config + Options AllowReadAccess - - AuditOnly + AuditOnly + RuleType PathsWithAllowedProcesses @@ -526,32 +702,49 @@ SigningID - com.apple.installer + com.apple.Terminal PlatformBinary + + TeamID + 9BNSXJN65R + - HostsFile + + GitCredentials Paths Path - /private/etc/hosts + /Users/*/.git-credentials + + + Path + /Users/*/.gitconfig Options AllowReadAccess - + AuditOnly - + RuleType PathsWithAllowedProcesses + BlockMessage + Git credentials are protected. Processes + + SigningID + com.apple.git + PlatformBinary + + SigningID com.apple.vim @@ -566,13 +759,14 @@ - SystemLaunchAgents + + PAMConfig Paths Path - /Library/LaunchAgents + /private/etc/pam.d IsPrefix @@ -582,9 +776,11 @@ AllowReadAccess AuditOnly - + RuleType PathsWithAllowedProcesses + BlockMessage + PAM configuration is protected from modification. Processes 
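Review bot: `GPGPrivateKeys` (and `PasswordStore`) grant access by `BinaryPath` alone (`/opt/local/bin/gpg`, `/usr/local/bin/gpg`, `/usr/local/bin/gpg-agent`, …); a path is not an identity, and on a Homebrew install `/usr/local/bin` is usually writable by the logged-in user, so anything placed at that path inherits the exemption. Pair each `BinaryPath` with a `CertificateSha256` or `CDHash` of the real binary, or drop the `/usr/local` entries if only MacPorts is in use. With GnuPG 2.x the process that actually opens `private-keys-v1.d` is `gpg-agent`, not `gpg` or `git`, so `com.apple.git` adds no coverage here and can be removed from the allowed set. `CloudCredentials` similarly lists only `com.apple.Terminal` and the Docker TeamID, while the tools that write `~/.aws`, `~/.config/gcloud`, `~/.azure` and `~/.kube/config` (`aws`, `gcloud`, `az`, `kubectl`) are not platform binaries; expect them to be denied once AuditOnly is turned off unless they are added.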
@@ -594,21 +790,26 @@ PlatformBinary - - SigningID - com.apple.launchctl - PlatformBinary - - - SystemLaunchDaemons + + Sudoers Paths Path - /Library/LaunchDaemons + /private/etc/sudoers + + + Path + /private/etc/sudoers.d + IsPrefix + + + + Path + /private/var/db/sudo/ts IsPrefix @@ -618,41 +819,39 @@ AllowReadAccess AuditOnly - + RuleType PathsWithAllowedProcesses + BlockMessage + Sudoers configuration is protected. Use visudo. Processes SigningID - com.apple.installer + com.apple.sudo PlatformBinary SigningID - com.apple.launchctl + com.apple.visudo PlatformBinary - CronJobs + HostsFile Paths Path - /private/var/at/tabs - IsPrefix - + /private/etc/hosts Path - /usr/lib/cron/tabs - IsPrefix - + /private/etc/resolv.conf Options @@ -663,25 +862,63 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Network configuration files are protected. Processes - - - - - PeriodicScripts - - Paths - Path - /private/etc/periodic + SigningID + com.apple.vim + PlatformBinary + + + + SigningID + com.apple.nano + PlatformBinary + + + + SigningID + com.apple.configd + PlatformBinary + + + + + + LaunchDaemons + + Paths + + + Path + /Library/LaunchDaemons IsPrefix Path - /usr/local/etc/periodic + /Library/LaunchAgents + IsPrefix + + + + Path + /Users/*/Library/LaunchAgents + IsPrefix + + + + Path + /System/Library/LaunchDaemons + IsPrefix + + + + Path + /System/Library/LaunchAgents IsPrefix @@ -694,6 +931,8 @@ RuleType PathsWithAllowedProcesses + BlockMessage + LaunchAgents/Daemons are protected from modification. Processes 
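Review bot: The rule keyed `HostsFile` now also covers `/private/etc/resolv.conf` and its BlockMessage says "Network configuration files are protected.", so the key is stale; renaming it (e.g. `NetworkConfig`) keeps key, message and paths consistent with the other renames in this commit. On macOS `/etc/resolv.conf` is a symlink to `/private/var/run/resolv.conf` maintained by `configd`, so whether this rule ever matches depends on whether Santa evaluates the link or its target — worth checking in audit mode and recording in a comment. `Sudoers` allowing `com.apple.sudo` to write `/private/var/db/sudo/ts` is right, but `BlockMessage` "Use visudo." applies only to the first two paths; a shorter message such as `Sudoers configuration is protected.` avoids misleading a user who triggers it via the timestamp directory.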
@@ -703,23 +942,63 @@ PlatformBinary + + SigningID + com.apple.launchctl + PlatformBinary + + - RCScripts + + CronJobs Paths Path - /private/etc/rc.common + /private/var/at/tabs + IsPrefix + Path - /private/etc/rc.local + /usr/lib/cron/tabs + IsPrefix + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + BlockMessage + Cron jobs are protected from direct modification. + + Processes + + + SigningID + com.apple.crontab + PlatformBinary + + + + + + PeriodicScripts + + Paths + Path - /private/etc/rc.shutdown.local + /private/etc/periodic + IsPrefix + Options @@ -730,16 +1009,32 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Periodic scripts are protected. Processes - + + SigningID + com.apple.installer + PlatformBinary + + - Emond + + RCScriptsEmond Paths + + Path + /private/etc/rc.local + + + Path + /private/etc/rc.common + Path /private/etc/emond.d @@ -755,12 +1050,13 @@ RuleType PathsWithAllowedProcesses + BlockMessage + Startup scripts are protected. Processes - - - + + ShellRCFiles Paths @@ -777,6 +1073,10 @@ Path /Users/*/.zprofile + + Path + /Users/*/.zlogin + Path /Users/*/.bashrc @@ -785,6 +1085,10 @@ Path /Users/*/.bash_profile + + Path + /Users/*/.bash_login + Path /Users/*/.profile @@ -793,6 +1097,10 @@ Path /private/etc/zshrc + + Path + /private/etc/zshenv + Path /private/etc/bashrc @@ -807,9 +1115,11 @@ AllowReadAccess AuditOnly - + RuleType PathsWithAllowedProcesses + BlockMessage + Shell configuration files are protected. Processes 
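Review bot: `CronJobs` lists `/private/var/at/tabs` and `/usr/lib/cron/tabs`, which on macOS are the same directory (`/usr/lib/cron` is a symlink to `/private/var/at`), while the at(1) job spool `/private/var/at/jobs` — the other scheduled-execution location in that tree — is not covered. If both schedulers are meant, add a `Path` for `/private/var/at/jobs` with the `at` binary allowed (confirm its signing ID on a running system); otherwise a comment noting the symlink would save the next reader from wondering why two paths are listed. `RCScriptsEmond` watches `/private/etc/rc.local`, which does not normally exist on a default install, so a comment that the rule exists to catch the file's creation rather than edits would make the intent clear.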
@@ -831,6 +1141,390 @@ PlatformBinary + + SigningID + com.apple.zsh + PlatformBinary + + + + SigningID + com.apple.bash + PlatformBinary + + + + TeamID + UBF8T346G9 + + + + LoginLogoutHooks + + Paths + + + Path + /private/var/root/Library/Preferences/com.apple.loginwindow.plist + + + Path + /Users/*/Library/Preferences/com.apple.loginwindow.plist + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + BlockMessage + Login hooks are protected. + + Processes + + + SigningID + com.apple.cfprefsd + PlatformBinary + + + + + SpotlightImporters + + Paths + + + Path + /Users/*/Library/Spotlight + IsPrefix + + + + Path + /Library/Spotlight + IsPrefix + + + + Options + + AllowReadAccess + + AuditOnly + + EnableSilentMode + + RuleType + PathsWithAllowedProcesses + BlockMessage + Spotlight plugin installation blocked. + + Processes + + + SigningID + com.apple.mds + PlatformBinary + + + + SigningID + com.apple.mdworker + PlatformBinary + + + + SigningID + com.apple.mdworker_shared + PlatformBinary + + + + SigningID + com.apple.mdimport + PlatformBinary + + + + SigningID + com.apple.installer + PlatformBinary + + + + + AuthorizationPlugins + + Paths + + + Path + /Library/Security/SecurityAgentPlugins + IsPrefix + + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + BlockMessage + Authorization plugins directory is protected. + + Processes + + + SigningID + com.apple.installer + PlatformBinary + + + + + ScriptingAdditions + + Paths + + + Path + /Library/ScriptingAdditions + IsPrefix + + + + Path + /Users/*/Library/ScriptingAdditions + IsPrefix + + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + BlockMessage + Scripting additions directory is protected. 
+ + Processes + + + SigningID + com.apple.installer + PlatformBinary + + + + + InputMethods + + Paths + + + Path + /Library/Input Methods + IsPrefix + + + + Path + /Users/*/Library/Input Methods + IsPrefix + + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + BlockMessage + Input methods directory is protected. + + Processes + + + SigningID + com.apple.installer + PlatformBinary + + + + + DockerSettings + + Paths + + + Path + /Users/*/Library/Group Containers/group.com.docker + IsPrefix + + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + BlockMessage + Docker Desktop settings are protected. + + Processes + + + TeamID + 9BNSXJN65R + + + + KernelExtensions + + Paths + + + Path + /Library/Extensions + IsPrefix + + + + Path + /Library/StagedExtensions + IsPrefix + + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + BlockMessage + Kernel extension directories are protected. + + Processes + + + SigningID + com.apple.installer + PlatformBinary + + + + SigningID + com.apple.kextutil + PlatformBinary + + + + + + Keychain + + Paths + + + Path + /Users/*/Library/Keychains + IsPrefix + + + + Path + /Library/Keychains + IsPrefix + + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + + Processes + + + SigningID + com.apple.security + PlatformBinary + + + + SigningID + com.apple.securityd + PlatformBinary + + + + SigningID + com.apple.KeychainAccess + PlatformBinary + + + + + + TCC + + Paths + + + Path + /Library/Application Support/com.apple.TCC/TCC.db + + + Path + /Users/*/Library/Application Support/com.apple.TCC/TCC.db + + + Path + /private/var/db/locationd/clients.plist + + + Options + + AllowReadAccess + + AuditOnly + + RuleType + PathsWithAllowedProcesses + BlockMessage + TCC database is protected. + + Processes + + + SigningID + com.apple.tccd + PlatformBinary + + 
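Review bot: `TCC` watches `/private/var/db/locationd/clients.plist` but allows only `com.apple.tccd`; that file is maintained by `locationd`, so once AuditOnly is off every location-permission change would be denied (or, in audit mode, logged on every write). Add the locationd signing ID (confirm it on a running system) or move that path into its own rule. `Keychain` is also the only new rule without a `BlockMessage`; for consistency with the rest of the file add e.g. `Keychain files are protected.`, and since keychain-db files are written by `securityd` on behalf of every app, keep this rule AuditOnly until the log shows the full writer set. The enclosing `WatchItems` dict closes outside this hunk.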
diff --git a/policies/little_snitch_rules.lsrules b/policies/little_snitch_rules.lsrules
new file mode 100644
index 0000000..1abf32d
--- /dev/null
+++ b/policies/little_snitch_rules.lsrules
@@ -0,0 +1,380 @@ +{ + "name": "Privacy Hardening Rules", + "description": "Blocks telemetry, analytics, and tracking beyond Steven Black's hosts list. Focuses on: macOS phone-home, developer tool telemetry, crash reporting, and fingerprinting services.", + "rules": [ + { + "notes": "=== APPLE TELEMETRY (not blocked by hosts lists) ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "xp.apple.com", + "xp-cdn.apple.com", + "metrics.apple.com", + "metrics.icloud.com", + "securemetrics.apple.com", + "supportmetrics.apple.com", + "books-analytics.apple.com", + "weather-analytics.apple.com", + "notes-analytics.apple.com", + "stocks-analytics.apple.com" + ] + }, + { + "notes": "Apple experiment/feature flags", + "action": "deny", + "process": "any", + "remote-domains": [ + "experiment.apple.com", + "pancake.apple.com", + "seq.apple.com", + "bag.apple.com", + "init.apple.com" + ] + }, + { + "notes": "Apple diagnostics", + "action": "deny", + "process": "any", + "remote-domains": [ + "radarsubmissions.apple.com", + "submit.apple.com", + "feedbackws.apple.com", + "fba.apple.com", + "iad-diagnostics.apple.com" + ] + }, + { + "notes": "=== CRASH REPORTING SERVICES ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "crashlytics.com", + "crashlyticsreports-pa.googleapis.com", + "firebase-settings.crashlytics.com", + "sessions.bugsnag.com", + "notify.bugsnag.com", + "api.bugsnag.com", + "ingest.sentry.io", + "sentry.io", + "o0.ingest.sentry.io", + "api.rollbar.com", + "raygun.io", + "api.raygun.io", + "crashes.to", + "api.instabug.com", + "backtrace.io", + "submit.backtrace.io" + ] + }, + { + "notes": "=== ANALYTICS PLATFORMS (beyond ad blockers) ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "amplitude.com", + "api.amplitude.com", + "api2.amplitude.com", + "cdn.amplitude.com", + "mixpanel.com", + "api.mixpanel.com", + "decide.mixpanel.com", + "api-js.mixpanel.com", + "heap.io", + "heapanalytics.com", + 
"cdn.heapanalytics.com", + "fullstory.com", + "rs.fullstory.com", + "edge.fullstory.com", + "logrocket.com", + "r.lr-ingest.io", + "r.lr-in.com", + "hotjar.com", + "static.hotjar.com", + "script.hotjar.com", + "vars.hotjar.com", + "pendo.io", + "app.pendo.io", + "cdn.pendo.io", + "data.pendo.io" + ] + }, + { + "notes": "=== DEVELOPER TOOL TELEMETRY ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "dc.services.visualstudio.com", + "vortex.data.microsoft.com", + "mobile.events.data.microsoft.com", + "browser.events.data.microsoft.com", + "self.events.data.microsoft.com", + "functional.events.data.microsoft.com", + "telemetry.eclipse.org", + "stats.jetbrains.com", + "resources.jetbrains.com" + ] + }, + { + "notes": "VS Code specific telemetry", + "action": "deny", + "process": "com.microsoft.VSCode", + "remote-domains": [ + "vscode.dev", + "default.exp-tas.com", + "vscode-sync.trafficmanager.net", + "vscode-sync-insiders.trafficmanager.net" + ] + }, + { + "notes": "=== ATTRIBUTION / DEEP LINKING ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "app.adjust.com", + "app.adjust.io", + "app.appsflyer.com", + "launches.appsflyer.com", + "register.appsflyer.com", + "t.appsflyer.com", + "branch.io", + "api2.branch.io", + "cdn.branch.io", + "app.link", + "bnc.lt", + "kochava.com", + "control.kochava.com", + "tenjin.io", + "track.tenjin.io" + ] + }, + { + "notes": "=== A/B TESTING / FEATURE FLAGS ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "cdn.optimizely.com", + "logx.optimizely.com", + "launchdarkly.com", + "events.launchdarkly.com", + "clientsdk.launchdarkly.com", + "app.launchdarkly.com", + "split.io", + "events.split.io", + "sdk.split.io", + "statsig.com", + "api.statsig.com", + "featurehub.io", + "growthbook.io" + ] + }, + { + "notes": "=== SESSION RECORDING / HEATMAPS ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "clarity.ms", + "mouseflow.com", + "api.mouseflow.com", + 
"cdn.mouseflow.com", + "luckyorange.com", + "w1.luckyorange.com", + "settings.luckyorange.net", + "smartlook.com", + "manager.smartlook.com", + "rec.smartlook.com" + ] + }, + { + "notes": "=== BROWSER FINGERPRINTING SERVICES ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "api.fpjs.io", + "fpjs.io", + "fingerprintjs.com", + "api.fingerprintjs.com", + "tls.fingerprintjs.com", + "iovation.com", + "ci-mpsnare.iovation.com", + "mpsnare.iesnare.com", + "threatmetrix.com", + "h.online-metrix.net", + "cdn.riskified.com" + ] + }, + { + "notes": "=== CUSTOMER DATA PLATFORMS ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "api.segment.io", + "cdn.segment.io", + "cdn.segment.com", + "api.segment.com", + "events.rudderstack.com", + "hosted.rudderlabs.com", + "api.mparticle.com", + "jssdks.mparticle.com", + "identity.mparticle.com", + "t.co" + ] + }, + { + "notes": "=== NOTIFICATION / ENGAGEMENT SERVICES ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "onesignal.com", + "api.onesignal.com", + "cdn.onesignal.com", + "braze.com", + "sdk.iad-01.braze.com", + "sdk.iad-02.braze.com", + "sdk.iad-03.braze.com", + "customer.io", + "track.customer.io", + "intercom.io", + "api-iam.intercom.io", + "widget.intercom.io" + ] + }, + { + "notes": "=== GOOGLE (beyond ad blocking) ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "firebaselogging.googleapis.com", + "firebaselogging-pa.googleapis.com", + "firebaseremoteconfig.googleapis.com", + "firebaseinstallations.googleapis.com", + "app-measurement.com", + "firebase-settings.crashlytics.com", + "play.googleapis.com", + "update.googleapis.com", + "clientservices.googleapis.com" + ] + }, + { + "notes": "=== NPM / NODE TELEMETRY ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "api.npms.io", + "npmjs.com/npm/@segment", + "npm.sentry.io" + ] + }, + { + "notes": "=== HOMEBREW ANALYTICS ===", + "action": "deny", + "process": "any", + 
"remote-domains": [ + "formulae.brew.sh" + ], + "notes_2": "Note: This blocks analytics reporting but may affect formula updates. Consider allowing if needed." + }, + { + "notes": "=== CLOUD METADATA (prevents SSRF-like issues in local apps) ===", + "action": "deny", + "process": "any", + "remote-hosts": [ + "169.254.169.254", + "metadata.google.internal" + ] + }, + { + "notes": "=== TIME-BASED TRACKING (Canvas LMS, etc) ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "inst-fs-iad-prod.inscloudgate.net", + "pandastream.com" + ] + }, + { + "notes": "=== ERROR TRACKING OFTEN MISSED ===", + "action": "deny", + "process": "any", + "remote-domains": [ + "trackjs.com", + "d2zah9y47r7bi2.cloudfront.net", + "loggly.com", + "logs-01.loggly.com", + "datadog.com", + "browser-intake-datadoghq.com", + "rum.browser-intake-datadoghq.com", + "logs.browser-intake-datadoghq.com", + "newrelic.com", + "bam.nr-data.net", + "js-agent.newrelic.com", + "dynatrace.com", + "bf.dynatrace.com", + "elastic-cloud.com", + "apm.elastic.co" + ] + }, + { + "notes": "=== ALLOW: Essential Services ===", + "action": "allow", + "process": "any", + "remote-domains": [ + "time.apple.com", + "time.euro.apple.com", + "time.asia.apple.com" + ], + "notes_2": "NTP - required for accurate time" + }, + { + "notes": "Allow OCSP/CRL for certificate validation", + "action": "allow", + "process": "any", + "remote-domains": [ + "ocsp.apple.com", + "ocsp2.apple.com", + "crl.apple.com", + "valid.apple.com", + "ocsp.digicert.com", + "ocsp.sectigo.com", + "ocsp.comodoca.com", + "crl.microsoft.com", + "ocsp.msocsp.com" + ] + }, + { + "notes": "Allow macOS software updates", + "action": "allow", + "process": "com.apple.softwareupdated", + "remote-domains": [ + "swscan.apple.com", + "swdist.apple.com", + "swdownload.apple.com", + "swcdn.apple.com", + "updates.cdn-apple.com", + "updates-http.cdn-apple.com" + ] + }, + { + "notes": "Allow Santa sync (if using a sync server)", + "action": "allow", + 
"process": "com.northpolesec.santa.daemon", + "remote": "any" + }, + { + "notes": "Allow DNSCrypt-proxy", + "action": "allow", + "process": "dnscrypt-proxy", + "remote": "any", + "ports": "443,853" + }, + { + "notes": "Allow Unbound DNS", + "action": "allow", + "process": "unbound", + "remote-hosts": [ + "127.0.0.1", + "::1" + ], + "ports": "53,54" + } + ] +} diff --git a/policies/prefs/rules.json b/policies/prefs/rules.json new file mode 100644 index 0000000..4bfe6b8 --- /dev/null +++ b/policies/prefs/rules.json 
@@ -0,0 +1,100 @@
+{
+ "_meta": {
+ "description": "Santa supplementary rules for sync server or santactl",
+ "version": "2.1",
+ "note": "Add in additional vendors & hash-based rules"
+ },
+
+ "rules": [
+ { "_section": "Additional team id allowlists" },
+ {
+ "_note": "Core vendors (Microsoft, Google, Docker, Little Snitch, WireGuard) are in StaticRules"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "43AQ936H96",
+ "comment": "Mozilla - Firefox, Thunderbird"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "BQR82RBBHL",
+ "comment": "Slack Technologies"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "53Q6R32WPB",
+ "comment": "Discord Inc"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "2UYBER83LD",
+ "comment": "Anthropic - Claude"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "QWY4LRW926",
+ "comment": "AgileBits - 1Password"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "N82Y98DJSN",
+ "comment": "Zoom Video Communications"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "P5TKG74YM7",
+ "comment": "JetBrains - IntelliJ, PyCharm, etc"
+ },
+
+ { "_section": "cdhash version locks" },
+ {
+ "_note": "Lock critical binaries to specific versions. Get hash: codesign -dvvv /path/to/binary 2>&1 | grep CDHash"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "CDHASH",
+ "identifier": "REPLACE_WITH_SSH_CDHASH",
+ "comment": "TEMPLATE: Lock /usr/bin/ssh to specific version",
+ "_enabled": false
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "CDHASH",
+ "identifier": "REPLACE_WITH_SUDO_CDHASH",
+ "comment": "TEMPLATE: Lock /usr/bin/sudo to specific version",
+ "_enabled": false
+ },
+
+ { "_section": "SHA256 Blacklist Template" },
+ { "_note": "Add known malware SHA256 hashes from open sources" },
+
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "BINARY",
+ "identifier": "REPLACE_WITH_MALWARE_SHA256",
+ "custom_msg": "Known malware blocked.",
+ "comment": "TEMPLATE: Add malware hashes",
+ "_enabled": false
+ },
+
+ { "_section": "Certificate Blacklist Template" },
+ {
+ "_note": "Block all binaries signed with a compromised/revoked certificate"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "CERTIFICATE",
+ "identifier": "REPLACE_WITH_CERT_SHA256",
+ "custom_msg": "Blocked: Signed with untrusted certificate.",
+ "comment": "TEMPLATE: Block compromised signing certificates",
+ "_enabled": false
+ }
+ ]
+}
diff --git a/policies/prefs/santa_base.json b/policies/prefs/santa_base.json
deleted file mode 100644
index b7b98db..0000000
--- a/policies/prefs/santa_base.json
+++ /dev/null
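Review bot: The TEAMID allowlist entries are the highest-impact lines in this file and several do not match the Team IDs I would expect for the named vendors (the 1Password, Zoom and JetBrains entries in particular look unfamiliar to me), and a mistyped Team ID silently allowlists whatever developer actually owns it; before loading, verify each one against an installed binary with `codesign -dv --verbose=4 /Applications/<App>.app 2>&1 | grep TeamIdentifier` and record the verified value in `comment`. The CDHASH templates cannot "lock" `/usr/bin/ssh` or `/usr/bin/sudo` to a version as their comments claim: an ALLOWLIST CDHASH rule only adds an allow, and both binaries are already allowed by the `platform:*` SIGNINGID rule in santa.mobileconfig, so every other version still runs — a real pin needs a BLOCKLIST on the signing ID plus the CDHASH allow, and it will break at every macOS update that ships a new cdhash, which the comment should say. `_enabled`, `_section` and `_note` are not fields in Santa's rule schema as far as I know, so a strict importer will either reject the file or load the `REPLACE_WITH_*` placeholders as live rules; keep templates in a separate file or strip them before import.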
@@ -1,184 +0,0 @@
-{
- "rules" : [
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Dictionary",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Chess",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.AddressBook",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.FaceTime",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.games",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Home",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.journal",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.mail",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Maps",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.MobileSMS",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Music",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.mobilephone",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Photos",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.podcasts",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.reminders",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Siri",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Stickies",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.stocks",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.helpviewer",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.TV",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- }
- ]
-}
\ No newline at end of file
diff --git a/policies/santa.mobileconfig b/policies/santa.mobileconfig
index 595ea40..df71927 100644
--- a/policies/santa.mobileconfig
+++ b/policies/santa.mobileconfig @@ -17,12 +17,19 @@ PayloadContent + ClientMode + 2 + FailClosed + EnableBadSignatureProtection EnablePageZeroProtection EnableTransitiveRules + EnableAllEventUpload + + BlockUSBMount RemountUSBMode 
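Review bot: The boolean values for `FailClosed`, `EnableTransitiveRules` and `EnableAllEventUpload` are not rendered in this hunk, so their effect cannot be confirmed from what is visible; as I understand it, with `ClientMode` 2 (Lockdown) a true `FailClosed` denies any execution Santa cannot decide in time, which is the intended hardening but also removes the usual escape hatch if santad misbehaves. I would add an XML comment above `FailClosed` naming the tested recovery procedure (removing the profile from Recovery, or the MDM path) so the next operator is not locked out of their own machine. `EnableAllEventUpload` only has an effect with a sync server configured, which this profile does not show; note that in the same comment so it is not mistaken for local logging.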
@@ -30,33 +37,463 @@ noexec nosuid nodev + rdonly OnStartUSBOptions ForceRemount + FileAccessPolicyPlist /var/db/santa/faa_policy.plist FileAccessPolicyUpdateIntervalSec - 300 + 60 + BannedBlockMessage - This application has been blocked by Santa security policy. + BLOCKED: This binary is explicitly banned by security policy. UnknownBlockMessage - This application is not recognized and has been blocked. + BLOCKED: Unrecognized binary. Contact IT if this is legitimate software. BannedUSBBlockMessage - This USB device has been blocked by security policy. + BLOCKED: USB storage devices are restricted. RemountUSBBlockMessage - This USB device has been remounted with restricted permissions. + USB remounted with security restrictions (read-only, no execution). FileAccessBlockMessage - File access blocked by security policy. + BLOCKED: Unauthorized file access attempt detected. + EnableNotificationSilences EnableSilentMode EnableSilentTTYMode + Telemetry Everything + + StaticRules + + + RuleType + SIGNINGID + Policy + ALLOWLIST + Identifier + platform:com.apple.osascript + CELProgram + ( + args.join(" ").lowerAscii().matches(".*\\W+with\\W+hidden\\W+answer.*") || + args.join(" ").lowerAscii().contains("password") + ) && + args.join(" ").lowerAscii().matches(".*\\W+display\\W+dialog.*") ? BLOCKLIST : ALLOWLIST + + + + RuleType + SIGNINGID + Policy + ALLOWLIST + Identifier + platform:com.apple.spctl + CELProgram + [ + '--global-disable', + '--master-disable', + '--disable', + '--add', + '--remove' + ].exists(flag, flag in args) ? BLOCKLIST : ALLOWLIST + + + + RuleType + SIGNINGID + Policy + ALLOWLIST + Identifier + platform:com.apple.touch + CELProgram + args.exists(arg, arg in ['-a', '-m', '-r', '-A', '-t']) && + args.join(" ").contains("Library/Launch") ? 
BLOCKLIST : ALLOWLIST + + + + RuleType + SIGNINGID + Policy + ALLOWLIST + Identifier + platform:com.apple.systemsetup + CELProgram + args.join(" ").contains("-setremotelogin on") || + args.join(" ").contains("-setremoteappleevents on") ? BLOCKLIST : ALLOWLIST + + + + RuleType + SIGNINGID + Policy + ALLOWLIST + Identifier + platform:com.apple.mount_apfs + CELProgram + '-s' in args && + args.exists(arg, arg.contains("com.apple.TimeMachine.")) ? BLOCKLIST : ALLOWLIST + + + + RuleType + SIGNINGID + Policy + ALLOWLIST + Identifier + platform:com.apple.tmutil + CELProgram + 'localsnapshot' in args ? BLOCKLIST : ALLOWLIST + + + + + RuleType + SIGNINGID + Policy + ALLOWLIST + Identifier + platform:* + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.Dictionary + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.Chess + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.AddressBook + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.FaceTime + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.gamecenter + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.Home + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.journal + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.mail + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.Maps + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.MobileSMS + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.Music + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.Photos + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.podcasts + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.reminders + + + RuleType + SIGNINGID + Policy 
+ BLOCKLIST + Identifier + platform:com.apple.Siri + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.Stickies + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.stocks + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.TV + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.news + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.freeform + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.amsengagementd + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.amp.mediasharingd + + + RuleType + SIGNINGID + Policy + BLOCKLIST + Identifier + platform:com.apple.helpviewer + + + + RuleType + SIGNINGID + Policy + ALLOWLIST_COMPILER + Identifier + platform:com.apple.ld + + + RuleType + SIGNINGID + Policy + ALLOWLIST_COMPILER + Identifier + platform:com.apple.lipo + + + RuleType + SIGNINGID + Policy + ALLOWLIST_COMPILER + Identifier + platform:com.apple.security.codesign + + + + RuleType + TEAMID + Policy + ALLOWLIST + Identifier + UBF8T346G9 + + + RuleType + TEAMID + Policy + ALLOWLIST + Identifier + EQHXZ8M8AV + + + RuleType + TEAMID + Policy + ALLOWLIST + Identifier + 9BNSXJN65R + + + RuleType + TEAMID + Policy + ALLOWLIST + Identifier + VLUGQBAPZ5 + + + RuleType + TEAMID + Policy + ALLOWLIST + Identifier + KYL8YCVN64 + + + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /opt/local/bin + + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /opt/local/sbin + + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /opt/local/libexec + + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /opt/local/lib + + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /opt/local/Library/Frameworks + + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /Users/warren/.cargo/bin + + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /Users/warren/.rustup + + + 
RuleType + PATH + Policy + ALLOWLIST + Identifier + /Users/warren/.local/bin + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /Users/warren/go/bin + + RuleType + PATH + Policy + ALLOWLIST + Identifier + /Users/warren/.npm-global + + PayloadDisplayName Santa PayloadIdentifier
diff --git a/shell/gpg.conf b/shell/gpg.conf
index 4539f03..7f2eda8 100644
--- a/shell/gpg.conf
+++ b/shell/gpg.conf
@@ -25,7 +25,11 @@
 s2k-cipher-algo AES256
 s2k-count 65011712
 no-symkey-cache
 weak-digest SHA1
+weak-digest RIPEMD160
 disable-cipher-algo 3DES
+disable-cipher-algo IDEA
+disable-cipher-algo CAST5
+disable-cipher-algo BLOWFISH
 require-cross-certification
 require-secmem
@@ -33,10 +37,25 @@
 throw-keyids
 default-key 0xD67D4AFF6AABD063
 trusted-key 0xD67D4AFF6AABD063
 default-recipient-self
+
+min-rsa-length 3072
+disable-pubkey-algo DSA
+disable-pubkey-algo ELGAMAL
+
+import-options import-clean import-minimal
+export-options export-clean export-minimal
+
 keyserver hkps://keys.openpgp.org
-auto-key-locate wkd,dane,local
+keyserver-options no-honor-keyserver-url include-revoked no-include-attributes timeout=10
+no-auto-key-retrieve
+auto-key-locate local
+
 trust-model tofu+pgp
 tofu-default-policy unknown
+completes-needed 2
+marginals-needed 5
+max-cert-depth 3
+no-auto-check-trustdb
 # verbose
 # list-options show-unusable-subkeys
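Review bot: The ALLOWLIST_COMPILER rules for `platform:com.apple.security.codesign` and `platform:com.apple.lipo` undo Lockdown mode: with transitive rules enabled every file written by a compiler-rule process becomes allowlisted, and since codesign is itself allowed by that rule, `codesign -s - ./payload` (or a `lipo -create` copy) turns an arbitrary unsigned binary into an allowed one — drop both entries and keep only `platform:com.apple.ld`, which at least forces an attacker to produce object files first. The PATH rules for `/opt/local/*`, `~/.cargo/bin`, `~/.local/bin`, `~/go/bin` and `~/.npm-global` allowlist user-writable directories, so anything a dropper writes there runs regardless of signature; I also do not recall Santa supporting a PATH rule type, in which case these entries either fail StaticRules parsing or are silently ignored and every cargo/go/npm binary is blocked in Lockdown, and either outcome needs a test with `santactl fileinfo` on one such binary. The osascript CEL expression only inspects `args`, so `osascript /tmp/x.scpt` (or a script on stdin) containing `display dialog ... with hidden answer` is not caught; treat it as a deterrent rather than a control and say so in an XML comment. The `platform:*` ALLOWLIST also depends on the exact-ID BLOCKLIST entries (`platform:com.apple.Dictionary` and friends) taking precedence over the wildcard, which I cannot confirm from the hunk; verify with `santactl fileinfo /System/Applications/Dictionary.app` before relying on it.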
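Review bot: `disable-cipher-algo CAST5` (and IDEA) does more than steer new encryptions: as far as I know gpg then refuses those ciphers for decryption too, and CAST5 was OpenPGP's long-time default symmetric cipher, so existing ciphertext, symmetric archives and old secret-key exports protected with it will stop decrypting after this change with a terse "unknown or disabled cipher" error. Before merging, decrypt-and-re-encrypt anything in that state or document that old data needs a separate `--options` file, and add a one-line comment above `disable-cipher-algo 3DES` stating the trade-off so the next reader recognises the failure as policy rather than corruption.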
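Review bot: `import-options import-clean import-minimal` strips every third-party certification on import, keeping only each key's own self-signatures, so the web-of-trust parameters added a few lines later (`completes-needed 2`, `marginals-needed 5`, `max-cert-depth 3`) can never be satisfied — the `pgp` half of `trust-model tofu+pgp` is inert and validity will come from TOFU and directly trusted keys only. Either drop `import-minimal` (keeping `import-clean`) or drop the WoT tuning and comment that the effective model is TOFU. `no-auto-check-trustdb` compounds this: validity is never recomputed automatically, so expirations and the revocations pulled in via `include-revoked` are not reflected until someone runs `gpg --check-trustdb`; if the option stays, add a comment naming the launchd/cron job that runs the check. `disable-pubkey-algo DSA` will also reject signatures from still-common older DSA keys, which deserves a comment so a failing verification is read as policy rather than tampering.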