From 4eab40902f0985585637958fb56d230b2078db40 Mon Sep 17 00:00:00 2001
From: Yu-Jen Warren Wang <76871022+crimsonpython24@users.noreply.github.com>
Date: Tue, 20 Jan 2026 12:56:39 -0800
Subject: [PATCH 1/4] feat: add even more hardening
---
policies/aide.conf | 159 +++-------
policies/little_snitch_rules.lsrules | 380 ++++++++++++++++++++++++
policies/prefs/santa_base.json | 427 +++++++++++++++------------
policies/santa.mobileconfig | 205 ++++++++++++-
shell/gpg.conf | 14 +-
5 files changed, 884 insertions(+), 301 deletions(-)
create mode 100644 policies/little_snitch_rules.lsrules
diff --git a/policies/aide.conf b/policies/aide.conf
index c3b249a..da913ca 100644
--- a/policies/aide.conf
+++ b/policies/aide.conf
@@ -1,121 +1,79 @@
@@define USER warren
-# Database locations
database_in=file:/opt/local/var/lib/aide/aide.db
database_out=file:/opt/local/var/lib/aide/aide.db.new
-
-# Uncompressed for faster reads
gzip_dbout=no
-
-# Logging
log_level=warning
report_url=file:/opt/local/var/log/aide/aide.log
report_url=stdout
report_level=changed_attributes
report_grouped=true
report_summarize_changes=true
-
-# Performance - use half of available CPU cores
num_workers=50%
-# =============================================================================
-# GROUPS
-# =============================================================================
-
Checksums = sha256
-
-# Full integrity check
Full = p+u+g+ftype+n+i+s+m+c+Checksums
-
-# For config files
ConfigFile = p+u+g+ftype+s+m+c+Checksums
-
-# Directory structure only
DirOnly = p+u+g+ftype+n+i
+LibCheck = p+u+g+ftype+s+m+c+Checksums
-# =============================================================================
-# PERSISTENCE MECHANISMS - PRIMARY
-# =============================================================================
-
-# LaunchDaemons/Agents (most common persistence)
/Library/LaunchDaemons Full
/Library/LaunchAgents Full
/Users/@@{USER}/Library/LaunchAgents Full
-
-# Login items
/Library/Preferences/com.apple.loginwindow.plist ConfigFile
/Users/@@{USER}/Library/Preferences/com.apple.loginitems.plist ConfigFile
-
-# Privileged helper tools
/Library/PrivilegedHelperTools Full
-# =============================================================================
-# PERSISTENCE MECHANISMS - SECONDARY
-# =============================================================================
-
-# Authorization plugins (can intercept login)
/Library/Security Full
-
-# Directory services plugins
/Library/DirectoryServices Full
-
-# Scripting additions (AppleScript injection)
/Library/ScriptingAdditions Full
-
-# Spotlight importers (code execution on file indexing)
/Library/Spotlight Full
-
-# Legacy startup items
/Library/StartupItems Full
-
-# Input managers (deprecated but functional)
/Library/InputManagers Full
-
-# User Automator services
/Users/@@{USER}/Library/Services Full
/Users/@@{USER}/Library/Workflows Full
-
-# Keyboard services / input methods
/Library/Input\ Methods Full
/Users/@@{USER}/Library/Input\ Methods Full
/Library/Keyboard\ Layouts Full
/Users/@@{USER}/Library/Keyboard\ Layouts Full
-# =============================================================================
-# APPLICATIONS
-# =============================================================================
+/Library/QuickLook Full
+/Users/@@{USER}/Library/QuickLook Full
+/Library/ColorPickers Full
+/Users/@@{USER}/Library/ColorPickers Full
+/Library/Internet\ Plug-Ins Full
+/Library/Audio/Plug-Ins Full
+/Users/@@{USER}/Library/Audio/Plug-Ins Full
+/Library/Compositions Full
+/Library/Address\ Book\ Plug-Ins Full
+/Users/@@{USER}/Library/Address\ Book\ Plug-Ins Full
+/Library/Mail/Bundles Full
+/Users/@@{USER}/Library/Mail/Bundles Full
+/Library/PDF\ Services Full
+/Users/@@{USER}/Library/PDF\ Services Full
+/Library/Printers Full
/Applications Full
-
-# Exclude noisy metadata
!/Applications/.DS_Store
!/Applications/.localized
-# =============================================================================
-# MACPORTS BINARIES
-# =============================================================================
-
/opt/local/bin Full
/opt/local/sbin Full
/opt/local/libexec Full
+/opt/local/lib LibCheck
+/opt/local/etc Full
+!/opt/local/etc/unbound/root.key
+!/opt/local/var
+
+/Users/@@{USER}/Library/Application\ Support/Google/Chrome/Default/Extensions DirOnly
+/Users/@@{USER}/Library/Application\ Support/Google/Chrome/Profile\ */Extensions DirOnly
+/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles Full
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/storage
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/cache2
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/places.sqlite
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/favicons.sqlite
-# =============================================================================
-# HOMEBREW (uncomment if installed)
-# =============================================================================
-
-# Intel Mac:
-# /usr/local/bin Full
-# /usr/local/sbin Full
-
-# Apple Silicon:
-# /opt/homebrew/bin Full
-# /opt/homebrew/sbin Full
-
-# =============================================================================
-# SYSTEM CONFIGURATION
-# =============================================================================
-
-# Shell configs
/Users/@@{USER}/.zshrc ConfigFile
/Users/@@{USER}/.zprofile ConfigFile
/Users/@@{USER}/.zshenv ConfigFile
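Review bot: The new Chrome `Profile\ */Extensions` line and the five Firefox `Profiles/*/…` exclusions are written as shell globs, but AIDE selection lines are regular expressions, so `*` quantifies the preceding character: `Profile\ */Extensions` matches only `Profile<spaces>/Extensions` (never `Profile 1/Extensions`) and `Profiles/*/cookies.sqlite` only `Profiles//cookies.sqlite`, which means the Chrome rule never fires and the Firefox exclusions are inert, leaving cookies, history and favicons hashed on every run. The regex forms are `/Users/@@{USER}/Library/Application\ Support/Google/Chrome/Profile\ [0-9]+/Extensions DirOnly` and `!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/[^/]+/cookies.sqlite` (likewise for `storage`, `cache2`, `places.sqlite`, `favicons.sqlite`). Separately, `!/opt/local/etc/unbound/root.key` drops the DNSSEC trust anchor from the check entirely; unbound does rewrite it on start, so content hashing is noisy, but an ownership/permission-only line such as `/opt/local/etc/unbound/root.key p+u+g+ftype` would still catch it being replaced or made writable, which is the case that matters.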
@@ -125,87 +83,58 @@ DirOnly = p+u+g+ftype+n+i
/Users/@@{USER}/.bash_logout ConfigFile
/Users/@@{USER}/.profile ConfigFile
/Users/@@{USER}/.inputrc ConfigFile
-
-# PATH injection
/private/etc/paths ConfigFile
/private/etc/paths.d Full
-
-# Shell list
/private/etc/shells ConfigFile
-
-# SSH configuration
/Users/@@{USER}/.ssh/config ConfigFile
/Users/@@{USER}/.ssh/authorized_keys ConfigFile
/private/etc/ssh Full
-
-# sudoers
/private/etc/sudoers ConfigFile
/private/etc/sudoers.d Full
-
-# PAM configuration
/private/etc/pam.d Full
-
-# Periodic scripts (cron-like)
/private/etc/periodic Full
-
-# Cron
/private/var/at Full
/usr/lib/cron Full
-
-# DNS
/private/etc/hosts ConfigFile
/private/etc/resolv.conf ConfigFile
-
-# Syslog config
/private/etc/syslog.conf ConfigFile
/private/etc/newsyslog.conf ConfigFile
/private/etc/newsyslog.d Full
/private/etc/asl.conf ConfigFile
/private/etc/asl Full
-# =============================================================================
-# SECURITY TOOLS CONFIG
-# =============================================================================
+/private/etc/launchd.conf ConfigFile
+/Users/@@{USER}/.launchd.conf ConfigFile
+/Users/@@{USER}/.config DirOnly
+/Users/@@{USER}/.gitconfig ConfigFile
+/Users/@@{USER}/.config/git Full
+/private/etc/dyld.conf ConfigFile
+/Library/Preferences/com.apple.*.plist ConfigFile
+!/Library/Preferences/com.apple.networkextension.*.plist
+/Library/Application\ Support/com.apple.TCC Full
+/Users/@@{USER}/Library/Application\ Support/com.apple.TCC Full
-# Santa (if installed)
/var/db/santa Full
-
-# AIDE itself
/opt/local/etc/aide Full
+/Library/Application\ Support/Objective\ Development Full
+/Users/@@{USER}/Library/Application\ Support/Little\ Snitch Full
-# =============================================================================
-# LIBRARY - HIGH-VALUE TARGETS
-# =============================================================================
-
-# Application support - structure only
/Library/Application\ Support$ DirOnly
-
-# System extensions
/Library/SystemExtensions Full
/Library/Extensions Full
-
-# Frameworks
/Library/Frameworks Full
-
-# Screen savers (code execution vector)
/Library/Screen\ Savers Full
/Users/@@{USER}/Library/Screen\ Savers Full
-# =============================================================================
-# EXCLUSIONS
-# =============================================================================
-
-# Caches and temp
!/Library/Caches
!/Users/@@{USER}/Library/Caches
!/private/var/folders
!/private/tmp
!/private/var/tmp
-
-# Containers (TCC protected, causes errors)
!/Users/@@{USER}/Library/Containers
-
-# Logs
!/Library/Logs
!/Users/@@{USER}/Library/Logs
!/Library/Application\ Support/CrashReporter
+!/Users/@@{USER}/.Spotlight-V100
+!/private/var/db/dyld
+!/private/var/db/uuidtext
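Review bot: The two `com.apple.TCC` entries put `TCC.db` under `Full`, but those databases are TCC-protected and are unreadable even as root unless the `aide` binary itself holds Full Disk Access, so without that grant every run will log read errors for them instead of detecting the FDA grants an attacker would add there. The original file documented exactly this situation for Containers (`# Containers (TCC protected, causes errors)`) and that comment disappears along with every other rationale in the hunk; I'd keep a one-line why-comment on each exclusion and add one above the TCC lines such as `# needs Full Disk Access for aide, otherwise read errors`. If FDA cannot be granted to the scheduled aide job, remove the two lines rather than keep a control that never reads its target.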
diff --git a/policies/little_snitch_rules.lsrules b/policies/little_snitch_rules.lsrules
new file mode 100644
index 0000000..1abf32d
--- /dev/null
+++ b/policies/little_snitch_rules.lsrules
@@ -0,0 +1,380 @@
+{
+ "name": "Privacy Hardening Rules",
+ "description": "Blocks telemetry, analytics, and tracking beyond Steven Black's hosts list. Focuses on: macOS phone-home, developer tool telemetry, crash reporting, and fingerprinting services.",
+ "rules": [
+ {
+ "notes": "=== APPLE TELEMETRY (not blocked by hosts lists) ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "xp.apple.com",
+ "xp-cdn.apple.com",
+ "metrics.apple.com",
+ "metrics.icloud.com",
+ "securemetrics.apple.com",
+ "supportmetrics.apple.com",
+ "books-analytics.apple.com",
+ "weather-analytics.apple.com",
+ "notes-analytics.apple.com",
+ "stocks-analytics.apple.com"
+ ]
+ },
+ {
+ "notes": "Apple experiment/feature flags",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "experiment.apple.com",
+ "pancake.apple.com",
+ "seq.apple.com",
+ "bag.apple.com",
+ "init.apple.com"
+ ]
+ },
+ {
+ "notes": "Apple diagnostics",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "radarsubmissions.apple.com",
+ "submit.apple.com",
+ "feedbackws.apple.com",
+ "fba.apple.com",
+ "iad-diagnostics.apple.com"
+ ]
+ },
+ {
+ "notes": "=== CRASH REPORTING SERVICES ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "crashlytics.com",
+ "crashlyticsreports-pa.googleapis.com",
+ "firebase-settings.crashlytics.com",
+ "sessions.bugsnag.com",
+ "notify.bugsnag.com",
+ "api.bugsnag.com",
+ "ingest.sentry.io",
+ "sentry.io",
+ "o0.ingest.sentry.io",
+ "api.rollbar.com",
+ "raygun.io",
+ "api.raygun.io",
+ "crashes.to",
+ "api.instabug.com",
+ "backtrace.io",
+ "submit.backtrace.io"
+ ]
+ },
+ {
+ "notes": "=== ANALYTICS PLATFORMS (beyond ad blockers) ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "amplitude.com",
+ "api.amplitude.com",
+ "api2.amplitude.com",
+ "cdn.amplitude.com",
+ "mixpanel.com",
+ "api.mixpanel.com",
+ "decide.mixpanel.com",
+ "api-js.mixpanel.com",
+ "heap.io",
+ "heapanalytics.com",
+ "cdn.heapanalytics.com",
+ "fullstory.com",
+ "rs.fullstory.com",
+ "edge.fullstory.com",
+ "logrocket.com",
+ "r.lr-ingest.io",
+ "r.lr-in.com",
+ "hotjar.com",
+ "static.hotjar.com",
+ "script.hotjar.com",
+ "vars.hotjar.com",
+ "pendo.io",
+ "app.pendo.io",
+ "cdn.pendo.io",
+ "data.pendo.io"
+ ]
+ },
+ {
+ "notes": "=== DEVELOPER TOOL TELEMETRY ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "dc.services.visualstudio.com",
+ "vortex.data.microsoft.com",
+ "mobile.events.data.microsoft.com",
+ "browser.events.data.microsoft.com",
+ "self.events.data.microsoft.com",
+ "functional.events.data.microsoft.com",
+ "telemetry.eclipse.org",
+ "stats.jetbrains.com",
+ "resources.jetbrains.com"
+ ]
+ },
+ {
+ "notes": "VS Code specific telemetry",
+ "action": "deny",
+ "process": "com.microsoft.VSCode",
+ "remote-domains": [
+ "vscode.dev",
+ "default.exp-tas.com",
+ "vscode-sync.trafficmanager.net",
+ "vscode-sync-insiders.trafficmanager.net"
+ ]
+ },
+ {
+ "notes": "=== ATTRIBUTION / DEEP LINKING ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "app.adjust.com",
+ "app.adjust.io",
+ "app.appsflyer.com",
+ "launches.appsflyer.com",
+ "register.appsflyer.com",
+ "t.appsflyer.com",
+ "branch.io",
+ "api2.branch.io",
+ "cdn.branch.io",
+ "app.link",
+ "bnc.lt",
+ "kochava.com",
+ "control.kochava.com",
+ "tenjin.io",
+ "track.tenjin.io"
+ ]
+ },
+ {
+ "notes": "=== A/B TESTING / FEATURE FLAGS ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "cdn.optimizely.com",
+ "logx.optimizely.com",
+ "launchdarkly.com",
+ "events.launchdarkly.com",
+ "clientsdk.launchdarkly.com",
+ "app.launchdarkly.com",
+ "split.io",
+ "events.split.io",
+ "sdk.split.io",
+ "statsig.com",
+ "api.statsig.com",
+ "featurehub.io",
+ "growthbook.io"
+ ]
+ },
+ {
+ "notes": "=== SESSION RECORDING / HEATMAPS ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "clarity.ms",
+ "mouseflow.com",
+ "api.mouseflow.com",
+ "cdn.mouseflow.com",
+ "luckyorange.com",
+ "w1.luckyorange.com",
+ "settings.luckyorange.net",
+ "smartlook.com",
+ "manager.smartlook.com",
+ "rec.smartlook.com"
+ ]
+ },
+ {
+ "notes": "=== BROWSER FINGERPRINTING SERVICES ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "api.fpjs.io",
+ "fpjs.io",
+ "fingerprintjs.com",
+ "api.fingerprintjs.com",
+ "tls.fingerprintjs.com",
+ "iovation.com",
+ "ci-mpsnare.iovation.com",
+ "mpsnare.iesnare.com",
+ "threatmetrix.com",
+ "h.online-metrix.net",
+ "cdn.riskified.com"
+ ]
+ },
+ {
+ "notes": "=== CUSTOMER DATA PLATFORMS ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "api.segment.io",
+ "cdn.segment.io",
+ "cdn.segment.com",
+ "api.segment.com",
+ "events.rudderstack.com",
+ "hosted.rudderlabs.com",
+ "api.mparticle.com",
+ "jssdks.mparticle.com",
+ "identity.mparticle.com",
+ "t.co"
+ ]
+ },
+ {
+ "notes": "=== NOTIFICATION / ENGAGEMENT SERVICES ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "onesignal.com",
+ "api.onesignal.com",
+ "cdn.onesignal.com",
+ "braze.com",
+ "sdk.iad-01.braze.com",
+ "sdk.iad-02.braze.com",
+ "sdk.iad-03.braze.com",
+ "customer.io",
+ "track.customer.io",
+ "intercom.io",
+ "api-iam.intercom.io",
+ "widget.intercom.io"
+ ]
+ },
+ {
+ "notes": "=== GOOGLE (beyond ad blocking) ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "firebaselogging.googleapis.com",
+ "firebaselogging-pa.googleapis.com",
+ "firebaseremoteconfig.googleapis.com",
+ "firebaseinstallations.googleapis.com",
+ "app-measurement.com",
+ "firebase-settings.crashlytics.com",
+ "play.googleapis.com",
+ "update.googleapis.com",
+ "clientservices.googleapis.com"
+ ]
+ },
+ {
+ "notes": "=== NPM / NODE TELEMETRY ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "api.npms.io",
+ "npmjs.com/npm/@segment",
+ "npm.sentry.io"
+ ]
+ },
+ {
+ "notes": "=== HOMEBREW ANALYTICS ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "formulae.brew.sh"
+ ],
+ "notes_2": "Note: This blocks analytics reporting but may affect formula updates. Consider allowing if needed."
+ },
+ {
+ "notes": "=== CLOUD METADATA (prevents SSRF-like issues in local apps) ===",
+ "action": "deny",
+ "process": "any",
+ "remote-hosts": [
+ "169.254.169.254",
+ "metadata.google.internal"
+ ]
+ },
+ {
+ "notes": "=== TIME-BASED TRACKING (Canvas LMS, etc) ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "inst-fs-iad-prod.inscloudgate.net",
+ "pandastream.com"
+ ]
+ },
+ {
+ "notes": "=== ERROR TRACKING OFTEN MISSED ===",
+ "action": "deny",
+ "process": "any",
+ "remote-domains": [
+ "trackjs.com",
+ "d2zah9y47r7bi2.cloudfront.net",
+ "loggly.com",
+ "logs-01.loggly.com",
+ "datadog.com",
+ "browser-intake-datadoghq.com",
+ "rum.browser-intake-datadoghq.com",
+ "logs.browser-intake-datadoghq.com",
+ "newrelic.com",
+ "bam.nr-data.net",
+ "js-agent.newrelic.com",
+ "dynatrace.com",
+ "bf.dynatrace.com",
+ "elastic-cloud.com",
+ "apm.elastic.co"
+ ]
+ },
+ {
+ "notes": "=== ALLOW: Essential Services ===",
+ "action": "allow",
+ "process": "any",
+ "remote-domains": [
+ "time.apple.com",
+ "time.euro.apple.com",
+ "time.asia.apple.com"
+ ],
+ "notes_2": "NTP - required for accurate time"
+ },
+ {
+ "notes": "Allow OCSP/CRL for certificate validation",
+ "action": "allow",
+ "process": "any",
+ "remote-domains": [
+ "ocsp.apple.com",
+ "ocsp2.apple.com",
+ "crl.apple.com",
+ "valid.apple.com",
+ "ocsp.digicert.com",
+ "ocsp.sectigo.com",
+ "ocsp.comodoca.com",
+ "crl.microsoft.com",
+ "ocsp.msocsp.com"
+ ]
+ },
+ {
+ "notes": "Allow macOS software updates",
+ "action": "allow",
+ "process": "com.apple.softwareupdated",
+ "remote-domains": [
+ "swscan.apple.com",
+ "swdist.apple.com",
+ "swdownload.apple.com",
+ "swcdn.apple.com",
+ "updates.cdn-apple.com",
+ "updates-http.cdn-apple.com"
+ ]
+ },
+ {
+ "notes": "Allow Santa sync (if using a sync server)",
+ "action": "allow",
+ "process": "com.northpolesec.santa.daemon",
+ "remote": "any"
+ },
+ {
+ "notes": "Allow DNSCrypt-proxy",
+ "action": "allow",
+ "process": "dnscrypt-proxy",
+ "remote": "any",
+ "ports": "443,853"
+ },
+ {
+ "notes": "Allow Unbound DNS",
+ "action": "allow",
+ "process": "unbound",
+ "remote-hosts": [
+ "127.0.0.1",
+ "::1"
+ ],
+ "ports": "53,54"
+ }
+ ]
+}
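Review bot: The cloud-metadata rule and the Unbound rule list IP addresses (`169.254.169.254`, `127.0.0.1`, `::1`) under `remote-hosts`, which the .lsrules format reserves for host names; literal addresses belong under `remote-addresses`, and as written the metadata deny — the one rule in this file that is a defense-in-depth control rather than a privacy preference — will presumably match nothing after import. The change is `"remote-addresses": ["169.254.169.254"]` with `metadata.google.internal` left under `remote-hosts`, and `"remote-addresses": ["127.0.0.1", "::1"]` for Unbound. In the npm group, `npmjs.com/npm/@segment` is a URL path rather than a domain and should be dropped or replaced with a bare host. Note also that denying `update.googleapis.com` for every process appears to cut off Chrome's component updater, which is how CRLSet and similar security components are delivered, so that entry quietly trades telemetry for missed security updates unless scoped to a specific non-browser process.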
diff --git a/policies/prefs/santa_base.json b/policies/prefs/santa_base.json
index b7b98db..98c1d0a 100644
--- a/policies/prefs/santa_base.json
+++ b/policies/prefs/santa_base.json
@@ -1,184 +1,249 @@
{
- "rules" : [
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Dictionary",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Chess",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.AddressBook",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.FaceTime",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.games",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Home",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.journal",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.mail",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Maps",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.MobileSMS",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Music",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.mobilephone",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Photos",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.podcasts",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.reminders",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Siri",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.Stickies",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.stocks",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.helpviewer",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
- },
- {
- "policy" : "BLOCKLIST",
- "rule_type" : "SIGNINGID",
- "custom_url" : "",
- "identifier" : "platform:com.apple.TV",
- "custom_msg" : "",
- "comment" : "",
- "cel_expr" : ""
+ "rules": [
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Dictionary",
+ "custom_msg": "",
+ "comment": "Dictionary - rarely needed, reduces attack surface"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Chess",
+ "custom_msg": "",
+ "comment": "Chess"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.AddressBook",
+ "custom_msg": "",
+ "comment": "Contacts - using alternative or disabled"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.FaceTime",
+ "custom_msg": "",
+ "comment": "FaceTime"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.games",
+ "custom_msg": "",
+ "comment": "Game Center"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Home",
+ "custom_msg": "",
+ "comment": "Home app"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.journal",
+ "custom_msg": "",
+ "comment": "Journal"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.mail",
+ "custom_msg": "",
+ "comment": "Apple Mail - using alternative"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Maps",
+ "custom_msg": "",
+ "comment": "Maps"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.MobileSMS",
+ "custom_msg": "",
+ "comment": "Messages"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Music",
+ "custom_msg": "",
+ "comment": "Music"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.mobilephone",
+ "custom_msg": "",
+ "comment": "Phone"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Photos",
+ "custom_msg": "",
+ "comment": "Photos"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.podcasts",
+ "custom_msg": "",
+ "comment": "Podcasts"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.reminders",
+ "custom_msg": "",
+ "comment": "Reminders"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Siri",
+ "custom_msg": "",
+ "comment": "Siri"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Stickies",
+ "custom_msg": "",
+ "comment": "Stickies"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.stocks",
+ "custom_msg": "",
+ "comment": "Stocks"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.helpviewer",
+ "custom_msg": "",
+ "comment": "Help Viewer"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.TV",
+ "custom_msg": "",
+ "comment": "Apple TV"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.news",
+ "custom_msg": "",
+ "comment": "News"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.freeform",
+ "custom_msg": "",
+ "comment": "Freeform"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.amsengagementd",
+ "custom_msg": "",
+ "comment": "Apple Media Services engagement daemon"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.amp.mediasharingd",
+ "custom_msg": "",
+ "comment": "Media sharing daemon"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.ssh",
+ "custom_msg": "",
+ "comment": "SSH client - prevent lockout during key changes"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.ssh-agent",
+ "custom_msg": "",
+ "comment": "SSH agent"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.ssh-add",
+ "custom_msg": "",
+ "comment": "SSH key management"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.ssh-keygen",
+ "custom_msg": "",
+ "comment": "SSH key generation"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.git",
+ "custom_msg": "",
+ "comment": "Git"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "SIGNINGID",
+ "identifier": "platform:com.apple.Terminal",
+ "custom_msg": "",
+ "comment": "Terminal"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "UBF8T346G9",
+ "custom_msg": "",
+ "comment": "Microsoft - VS Code, Office, etc"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "EQHXZ8M8AV",
+ "custom_msg": "",
+ "comment": "Google - Chrome"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "9BNSXJN65R",
+ "custom_msg": "",
+ "comment": "Docker Inc"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "VLUGQBAPZ5",
+ "custom_msg": "",
+ "comment": "Objective Development - Little Snitch"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "KYL8YCVN64",
+ "custom_msg": "",
+ "comment": "WireGuard"
}
]
-}
\ No newline at end of file
+}
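Review bot: The five new `TEAMID` ALLOWLIST rules (Microsoft, Google, Docker, Objective Development, WireGuard) permit every Mach-O those teams have ever signed, not just the applications named in the comments — under `UBF8T346G9` that includes the Electron/Node runtime bundled with VS Code and anything else Microsoft ships, and Santa decides at execve on the binary, so code those runtimes load is never evaluated. Where the intent is one application a `SIGNINGID` rule is narrower and still survives updates: `"rule_type": "SIGNINGID", "identifier": "UBF8T346G9:com.microsoft.VSCode"` and `"identifier": "EQHXZ8M8AV:com.google.Chrome"`. Docker Desktop ships many helper binaries, so a team-wide rule is a defensible trade-off there; saying so in its `comment` field would stop the next reader from "fixing" it. The `platform:com.apple.ssh*`, `git` and `Terminal` ALLOWLIST entries are harmless but, as far as I can tell, redundant — Santa allows Apple platform binaries by default unless explicitly blocked — so the "prevent lockout during key changes" comment overstates what they do.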
diff --git a/policies/santa.mobileconfig b/policies/santa.mobileconfig
index 595ea40..67a0285 100644
--- a/policies/santa.mobileconfig
+++ b/policies/santa.mobileconfig
@@ -17,6 +17,8 @@
PayloadContent
+ ClientMode
+ 2
EnableBadSignatureProtection
EnablePageZeroProtection
@@ -38,15 +40,15 @@
FileAccessPolicyUpdateIntervalSec
300
BannedBlockMessage
- This application has been blocked by Santa security policy.
+ This application has been explicitly blocked by security policy.
UnknownBlockMessage
- This application is not recognized and has been blocked.
+ This application is not recognized. If this is legitimate software, add it to the allowlist.
BannedUSBBlockMessage
This USB device has been blocked by security policy.
RemountUSBBlockMessage
- This USB device has been remounted with restricted permissions.
+ This USB device has been remounted with restricted permissions (noexec, nosuid, nodev).
FileAccessBlockMessage
- File access blocked by security policy.
+ File access blocked by security policy. An unauthorized process attempted to access protected files.
EnableNotificationSilences
EnableSilentMode
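Review bot: The new `RemountUSBBlockMessage` asserts the device was remounted `(noexec, nosuid, nodev)`, but that is only true if the profile's `RemountUSBMode` array (not in this hunk) lists exactly those flags; if the two drift the user is told they have a protection they do not. Either keep the wording generic — `This USB device has been remounted with restricted mount options.` — or add a comment next to `RemountUSBMode` that the message must be kept in sync with it. The new `UnknownBlockMessage` instructs the user to add unrecognized software to the allowlist; on a single-admin laptop that is workable, but it is also the exact instruction a social-engineering lure gives, so pointing at a verification step (`santactl fileinfo`, check the signer) rather than a bare "add it" would be safer.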
@@ -57,6 +59,201 @@
Everything
+
+ StaticRules
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ ALLOWLIST
+ Identifier
+ platform:*
+ Comment
+ Allow all Apple platform binaries
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ ALLOWLIST
+ Identifier
+ platform:com.apple.ssh
+ Comment
+ SSH client
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ ALLOWLIST
+ Identifier
+ platform:com.apple.ssh-agent
+ Comment
+ SSH agent
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ ALLOWLIST
+ Identifier
+ platform:com.apple.ssh-add
+ Comment
+ SSH key management
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ ALLOWLIST
+ Identifier
+ platform:com.apple.ssh-keygen
+ Comment
+ SSH key generation
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/bin
+ Comment
+ MacPorts binaries
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/sbin
+ Comment
+ MacPorts system binaries
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/libexec
+ Comment
+ MacPorts libexec
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/lib
+ Comment
+ MacPorts libraries
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/lib/node_modules
+ Comment
+ Global npm packages (MacPorts node)
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/.npm-global
+ Comment
+ User npm global packages
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/*/node_modules
+ Comment
+ Project node_modules (BROAD - review if concerned)
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/Library/Frameworks/Python.framework
+ Comment
+ MacPorts Python framework
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/.local/bin
+ Comment
+ pipx / user Python scripts
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/.cargo/bin
+ Comment
+ Cargo installed binaries
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/.rustup
+ Comment
+ Rustup toolchains
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/go/bin
+ Comment
+ Go binaries
+
+
+ RuleType
+ TEAMID
+ Policy
+ ALLOWLIST
+ Identifier
+ UBF8T346G9
+ Comment
+ Microsoft (VS Code, etc)
+
+
+ RuleType
+ TEAMID
+ Policy
+ ALLOWLIST
+ Identifier
+ 9BNSXJN65R
+ Comment
+ Docker Inc
+
+
+
PayloadDisplayName
Santa
PayloadIdentifier
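Review bot: The `PATH` static rules — `/Users/warren/*/node_modules`, `~/.npm-global`, `~/.local/bin`, `~/.cargo/bin`, `~/go/bin` — allow execution from user-writable directories, which with `ClientMode` 2 (lockdown) reduces the control to "don't execute from anywhere else": a malicious npm package's postinstall binary or any unsigned file dropped into those trees runs without a decision. Santa's documented rule types are BINARY, CDHASH, CERTIFICATE, SIGNINGID and TEAMID; `PATH` is not among them as far as I can tell, so these entries are presumably rejected when the profile loads (check the santa log after applying it), and the supported path mechanism, `AllowedPathRegex`, is one Santa's own docs warn against for exactly this reason. For developer toolchains the safer pattern is BINARY or CDHASH rules generated with `santactl fileinfo` for the handful of real executables, or SIGNINGID/TEAMID where the toolchain is signed (rustup and Go toolchains are not Apple-signed, so those stay hash rules). The `platform:*` SIGNINGID allow is also presumably inert — signing-ID rules match exactly and Apple platform binaries are allowed by default — and dropping it avoids implying wildcard support that a later reader may rely on.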
diff --git a/shell/gpg.conf b/shell/gpg.conf
index 4539f03..1ddcca5 100644
--- a/shell/gpg.conf
+++ b/shell/gpg.conf
@@ -33,8 +33,20 @@ throw-keyids
default-key 0xD67D4AFF6AABD063
trusted-key 0xD67D4AFF6AABD063
default-recipient-self
+
+min-rsa-length 3072
+disable-pubkey-algo DSA
+
+import-options import-clean
+export-options export-clean
+
keyserver hkps://keys.openpgp.org
-auto-key-locate wkd,dane,local
+keyserver hkps://keyserver.ubuntu.com
+keyserver hkps://pgp.mit.edu
+keyserver-options no-honor-keyserver-url include-revoked
+no-auto-key-retrieve
+auto-key-locate local
+
trust-model tofu+pgp
tofu-default-policy unknown
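Review bot: The two added `keyserver` lines point at SKS-lineage servers (`pgp.mit.edu`, `keyserver.ubuntu.com`) that serve unfiltered third-party certifications, which re-exposes key imports to the certificate-flooding denial of service that made `keys.openpgp.org` the safe default; `import-clean` trims the result but the multi-megabyte key is still parsed first, so make it `import-options import-clean,self-sigs-only` if the GnuPG in use predates 2.2.17 (where `self-sigs-only` became the keyserver-import default). In GnuPG 2.1+ the `keyserver` option in gpg.conf is deprecated in favour of `dirmngr.conf`, and I would not rely on three lines in gpg.conf expressing a fallback order — move them to `dirmngr.conf`, where multiple `keyserver` entries are the supported form. Dropping `wkd`/`dane` from `auto-key-locate` alongside `no-auto-key-retrieve` is a sound hardening step; a one-line comment that signature verification will no longer fetch unknown keys automatically would save the next reader a surprise.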
From 47993114765f946bfa0b5e21b064ff3f322a1f3f Mon Sep 17 00:00:00 2001
From: Yu-Jen Warren Wang <76871022+crimsonpython24@users.noreply.github.com>
Date: Tue, 20 Jan 2026 13:46:19 -0800
Subject: [PATCH 2/4] feat: add more masochist rules
---
policies/aide.conf | 56 ++++++++++++++---
policies/cnssi-1253_cust.yaml | 67 +++++++++++---------
policies/santa.mobileconfig | 115 ++++++++++------------------------
shell/gpg.conf | 17 +++--
4 files changed, 129 insertions(+), 126 deletions(-)
diff --git a/policies/aide.conf b/policies/aide.conf
index da913ca..e5ed0ba 100644
--- a/policies/aide.conf
+++ b/policies/aide.conf
@@ -11,11 +11,11 @@ report_grouped=true
report_summarize_changes=true
num_workers=50%
-Checksums = sha256
-Full = p+u+g+ftype+n+i+s+m+c+Checksums
+Checksums = sha256+sha512
+Full = p+u+g+ftype+n+i+s+m+c+Checksums+xattrs+acl
ConfigFile = p+u+g+ftype+s+m+c+Checksums
DirOnly = p+u+g+ftype+n+i
-LibCheck = p+u+g+ftype+s+m+c+Checksums
+LibCheck = p+u+g+ftype+s+m+c+Checksums+xattrs
/Library/LaunchDaemons Full
/Library/LaunchAgents Full
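Review bot: `Full` now adds `xattrs` and `acl`, but on macOS extended attributes such as `com.apple.lastuseddate#PS`, `com.apple.macl` and `com.apple.quarantine` tend to be rewritten when an app is launched or granted TCC access, so with `Full` still applied to `/Applications` and the user Library trees nearly every run will report changes and bury the persistence-directory signal these rules exist for. Quarantine-flag stripping is a genuine signal, so I'd put `xattrs` in a separate group used only for the persistence and `/private/etc` trees and keep `/Applications` on the previous attribute set. Also confirm the MacPorts build has xattr and ACL support compiled in — both are optional in AIDE and the macOS APIs differ from Linux — because otherwise the config fails to parse and no check runs at all. `sha256+sha512` hashes every file twice without adding assurance against a local attacker who can rewrite the database; one digest is enough.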
@@ -52,6 +52,28 @@ LibCheck = p+u+g+ftype+s+m+c+Checksums
/Library/PDF\ Services Full
/Users/@@{USER}/Library/PDF\ Services Full
/Library/Printers Full
+/Library/CoreMediaIO/Plug-Ins Full
+/Library/Image\ Capture Full
+/Library/Filesystems Full
+/Library/Apple/System Full
+/Library/Apple/usr Full
+
+/System/Library/LaunchDaemons Full
+/System/Library/LaunchAgents Full
+/System/Library/Extensions Full
+/System/Library/Filesystems Full
+/System/Library/Frameworks Full
+/System/Library/KernelCollections Full
+/System/Library/PrivateFrameworks Full
+/System/Library/Sandbox Full
+/System/Library/Security Full
+
+/usr/bin Full
+/usr/sbin Full
+/usr/lib Full
+/usr/libexec Full
+/bin Full
+/sbin Full
/Applications Full
!/Applications/.DS_Store
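Review bot: The `/System/Library/*`, `/usr/*`, `/bin` and `/sbin` entries hash content that on current macOS sits on the Signed System Volume, whose seal the kernel verifies at boot — a stronger guarantee than a user-space hash taken afterwards — while `KernelCollections`, `Frameworks` and `PrivateFrameworks` together are many gigabytes that now get two checksums each and change wholesale on every OS update, forcing a full `--init` each time. I'd drop these lines, or reduce them to `DirOnly` if the goal is to notice a system volume that has been mounted writable, and keep `Full` only for the `/Library/Apple/System` and `/Library/Apple/usr` paths, which are outside the sealed volume. A comment next to the survivors explaining that split would help, since the reason is not visible from the paths.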
@@ -73,6 +95,8 @@ LibCheck = p+u+g+ftype+s+m+c+Checksums
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/places.sqlite
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/favicons.sqlite
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*.sqlite-wal
+!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*.sqlite-shm
/Users/@@{USER}/.zshrc ConfigFile
/Users/@@{USER}/.zprofile ConfigFile
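Review bot: AIDE selection lines are regular expressions, not shell globs, so `Profiles/*.sqlite-wal` means "Profiles, zero or more slashes, any one character, sqlite-wal" and never matches `Profiles/<name>/places.sqlite-wal`; both added exclusions are dead and the WAL/SHM sidecars will keep alerting. Something like `!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/[^/]+/.*\.sqlite-(wal|shm)$` matches the real layout (the pre-existing `Profiles/*/cookies.sqlite` lines have the same flaw). The same glob-vs-regex mistake is in the `.config` exclusions of the hunk at `-102,15 +127,19` (`/.config/*/Cache`, `/.config/**/cache` — `**` is a doubled quantifier that some regex engines reject outright).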
@@ -86,8 +110,9 @@ LibCheck = p+u+g+ftype+s+m+c+Checksums
/private/etc/paths ConfigFile
/private/etc/paths.d Full
/private/etc/shells ConfigFile
-/Users/@@{USER}/.ssh/config ConfigFile
-/Users/@@{USER}/.ssh/authorized_keys ConfigFile
+/Users/@@{USER}/.ssh Full
+!/Users/@@{USER}/.ssh/known_hosts
+!/Users/@@{USER}/.ssh/sockets
/private/etc/ssh Full
/private/etc/sudoers ConfigFile
/private/etc/sudoers.d Full
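Review bot: Excluding `known_hosts` drops the one file in `~/.ssh` whose silent modification enables a man-in-the-middle (a swapped host key is accepted with no mismatch warning); the `!` line is also unanchored, so it excludes `known_hosts.old` and anything else with that prefix. Rather than dropping it entirely, a lighter rule that ignores content churn but keeps ownership and mode, e.g. `/Users/@@{USER}/.ssh/known_hosts$ p+u+g+ftype`, keeps the file visible (check aide.conf(5) for how it takes precedence over the broader `.ssh Full` rule). `!/Users/@@{USER}/.ssh/sockets$` should likewise be anchored unless a prefix match is intended.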
@@ -102,15 +127,19 @@ LibCheck = p+u+g+ftype+s+m+c+Checksums
/private/etc/newsyslog.d Full
/private/etc/asl.conf ConfigFile
/private/etc/asl Full
+/private/etc/security Full
+/private/etc/pf.conf ConfigFile
+/private/etc/pf.anchors Full
/private/etc/launchd.conf ConfigFile
/Users/@@{USER}/.launchd.conf ConfigFile
-/Users/@@{USER}/.config DirOnly
+/Users/@@{USER}/.config Full
+!/Users/@@{USER}/.config/*/Cache
+!/Users/@@{USER}/.config/**/cache
/Users/@@{USER}/.gitconfig ConfigFile
-/Users/@@{USER}/.config/git Full
/private/etc/dyld.conf ConfigFile
-/Library/Preferences/com.apple.*.plist ConfigFile
-!/Library/Preferences/com.apple.networkextension.*.plist
+/Library/Preferences/com.apple.alf.plist ConfigFile
+/Library/Preferences/com.apple.security.plist ConfigFile
/Library/Application\ Support/com.apple.TCC Full
/Users/@@{USER}/Library/Application\ Support/com.apple.TCC Full
@@ -126,6 +155,13 @@ LibCheck = p+u+g+ftype+s+m+c+Checksums
/Library/Screen\ Savers Full
/Users/@@{USER}/Library/Screen\ Savers Full
+/private/etc/authorization ConfigFile
+/private/etc/auto_master ConfigFile
+/private/etc/fstab ConfigFile
+/private/etc/group ConfigFile
+/private/etc/master.passwd ConfigFile
+/private/etc/passwd ConfigFile
+
!/Library/Caches
!/Users/@@{USER}/Library/Caches
!/private/var/folders
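Review bot: `/private/etc/authorization` has not existed since OS X 10.9; the authorization database is `/private/var/db/auth.db`, so this ConfigFile line watches nothing while the file that governs privilege-escalation rules stays unmonitored — `/private/var/db/auth.db ConfigFile` is the replacement. Likewise `/private/etc/passwd`, `/private/etc/master.passwd` and `/private/etc/group` are only consulted in single-user mode on macOS; local accounts live in OpenDirectory under `/private/var/db/dslocal/nodes/Default`, which is where a newly created or hidden admin account would appear, so `/private/var/db/dslocal/nodes/Default Full` is the entry that actually covers account tampering.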
@@ -138,3 +174,5 @@ LibCheck = p+u+g+ftype+s+m+c+Checksums
!/Users/@@{USER}/.Spotlight-V100
!/private/var/db/dyld
!/private/var/db/uuidtext
+!/private/var/db/BootCaches
+!/private/var/db/ConfigurationProfiles/Store
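Review bot: Excluding `/private/var/db/ConfigurationProfiles/Store` removes the location where every installed configuration profile is persisted, including the Santa policy in this same series; a profile that flips Santa to Monitor mode or adds an allow rule would then be invisible to AIDE. The store does change on legitimate `profiles install`, but that is rare enough on a personal device to be worth the alert. If the exclusion stays, record the trade-off with a comment such as `# ConfigurationProfiles/Store: excluded for churn — profile installs are NOT detected here`.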
diff --git a/policies/cnssi-1253_cust.yaml b/policies/cnssi-1253_cust.yaml
index 602069c..31ce81b 100644
--- a/policies/cnssi-1253_cust.yaml
+++ b/policies/cnssi-1253_cust.yaml
@@ -1,32 +1,11 @@
-title: "macOS 26.0: Security Configuration - Personal Device (Enhanced)"
+title: "macOS 26.0: Security Configuration - Personal Device (Hardened)"
description: |
- Enhanced version of CNSSI-1253 High for personal device use.
-
- Includes:
- - Core security controls that passed testing
- - SSH server hardening (defense in depth, even though SSH is disabled)
- - Password minimum length (12 chars) and sequence blocking
- - Firewall block-all mode with stealth mode
- - External storage access unrestricted (no limitations)
- - Session unlock restrictions
- - FileVault enforcement
- - WiFi auto-disable when connected to ethernet
- - Secure name resolution (DNS security capability)
- - Log file access protection (prevent non-privileged access)
- - Content reset prevention
- - Allow unsigned/unidentified developer apps (Gatekeeper enabled but permissive)
- - Selected permanent/operational controls (inherent features)
-
- Excluded:
- - Smartcard/MFA (not needed for personal use)
- - Comprehensive auditing (enterprise feature - but log file security included)
- - Media restrictions (optical drives)
- - Enterprise MDM requirements
- - Account modification lockdown (too restrictive)
- - Parental controls (not applicable)
- - Auto security updates (manual control preferred)
- - External storage restrictions (full access allowed)
- - Identified developer requirement (unidentified apps allowed)
+ Key changes from base:
+ - Gatekeeper now requires identified developers (no unsigned apps)
+ - Audit subsystem enabled for security events
+ - Additional USB restrictions
+ - Stricter network controls
+ - Enhanced authentication requirements
authors: "Yu-Jen Wang"
parent_values: "recommended"
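Review bot: The new description says "Key changes from base" without naming the base (the CNSSI-1253 High baseline, or the previous "Enhanced" revision of this file), and it deletes the "Excluded" list, so a reader can no longer tell that smartcard/MFA, account-modification lockdown and automatic security updates are intentionally absent rather than forgotten. Three of the five bullets ("Additional USB restrictions", "Stricter network controls", "Enhanced authentication requirements") do not correspond to any rule added in this diff, so they either describe sections outside the visible hunks or are aspirational; naming the rule ids each bullet maps to, e.g. `- Audit subsystem enabled (audit_* section)`, would make the list verifiable.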
@@ -35,6 +14,29 @@ profile:
rules:
- auth_ssh_password_authentication_disable
+ - section: "auditing"
+ rules:
+ - audit_acls_files_configure
+ - audit_acls_folders_configure
+ - audit_auditd_enabled
+ - audit_configure_capacity_notify
+ - audit_failure_halt
+ - audit_files_group_configure
+ - audit_files_mode_configure
+ - audit_files_owner_configure
+ - audit_flags_aa_configure
+ - audit_flags_ad_configure
+ - audit_flags_ex_configure
+ - audit_flags_fm_configure
+ - audit_flags_fr_configure
+ - audit_flags_fw_configure
+ - audit_flags_lo_configure
+ - audit_folder_group_configure
+ - audit_folder_owner_configure
+ - audit_folders_mode_configure
+ - audit_retention_configure
+ - audit_settings_failure_notify
+
- section: "icloud"
rules:
- icloud_addressbook_disable
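Review bot: `audit_failure_halt` sets the audit policy to halt the machine when auditd cannot write its trail, which on a personal laptop turns a full `/var/audit` volume (or disk exhaustion by any process) into a system halt; `audit_settings_failure_notify` in the same list already raises the alarm without that denial-of-service, so the halt rule is the one to leave out unless the trade-off is deliberate. Apple has deprecated OpenBSM auditd on recent macOS releases, so confirm the macOS 26 mSCP baseline still generates these `audit_*` rules and that `audit_retention_configure` has somewhere to keep the trail before enabling the section.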
@@ -68,6 +70,7 @@ profile:
- os_filevault_autologin_disable
- os_firewall_default_deny_require
- os_gatekeeper_enable
+ - os_gatekeeper_require_app_store_allowed
- os_genmoji_disable
- os_handoff_disable
- os_home_folders_default
@@ -78,6 +81,7 @@ profile:
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_ir_support_disable
+ - os_library_validation_enable
- os_loginwindow_adminhostinfo_disabled
- os_mail_smart_reply_disable
- os_mail_summary_disable
@@ -92,6 +96,7 @@ profile:
- os_password_proximity_disable
- os_password_sharing_disable
- os_photos_enhanced_search_disable
+ - os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_privacy_setup_prompt_disable
@@ -112,11 +117,13 @@ profile:
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
+ - os_sshd_key_exchange_algorithm_configure
- os_sshd_login_grace_time_configure
- os_sshd_per_source_penalties_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudoers_timestamp_type_configure
+ - os_sudo_timeout_configure
- os_system_read_only
- os_tftpd_disable
- os_time_server_enabled
@@ -124,7 +131,6 @@ profile:
- os_unlock_active_user_session_disable
- os_uucp_disable
- os_writing_tools_disable
- - os_sudo_timeout_configure
- os_world_writable_system_folder_configure
- os_terminal_secure_keyboard_enable
- os_dictation_disable
@@ -144,6 +150,7 @@ profile:
- system_settings_automatic_login_disable
- system_settings_automatic_logout_enforce
- system_settings_bluetooth_sharing_disable
+ - system_settings_cd_dvd_sharing_disable
- system_settings_content_caching_disable
- system_settings_critical_update_install_enforce
- system_settings_diagnostics_reports_disable
@@ -153,7 +160,7 @@ profile:
- system_settings_find_my_disable
- system_settings_firewall_enable
- system_settings_firewall_stealth_mode_enable
- - system_settings_gatekeeper_override_disallow
+ - system_settings_gatekeeper_identified_developers_allowed
- system_settings_guest_access_smb_disable
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
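Review bot: Dropping `system_settings_gatekeeper_override_disallow` while the description promises "no unsigned apps" leaves the per-app Gatekeeper override (Control-click → Open, or the "Open Anyway" button in Privacy & Security) available, so any unsigned binary is still one click away. `system_settings_gatekeeper_identified_developers_allowed` sets the baseline policy but does not remove that bypass; the two rules complement each other rather than replace each other, so keep both: `- system_settings_gatekeeper_identified_developers_allowed` and `- system_settings_gatekeeper_override_disallow`.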
diff --git a/policies/santa.mobileconfig b/policies/santa.mobileconfig
index 67a0285..9f9abe1 100644
--- a/policies/santa.mobileconfig
+++ b/policies/santa.mobileconfig
@@ -25,6 +25,8 @@
EnableTransitiveRules
+ EnableAllEventUpload
+
BlockUSBMount
RemountUSBMode
@@ -32,34 +34,37 @@
noexec
nosuid
nodev
+ rdonly
OnStartUSBOptions
ForceRemount
FileAccessPolicyPlist
/var/db/santa/faa_policy.plist
FileAccessPolicyUpdateIntervalSec
- 300
+ 60
BannedBlockMessage
- This application has been explicitly blocked by security policy.
+ BLOCKED: This application has been explicitly banned.
UnknownBlockMessage
- This application is not recognized. If this is legitimate software, add it to the allowlist.
+ BLOCKED: Unrecognized binary. Allowlist via santactl if legitimate.
BannedUSBBlockMessage
- This USB device has been blocked by security policy.
+ BLOCKED: USB device banned by policy.
RemountUSBBlockMessage
- This USB device has been remounted with restricted permissions (noexec, nosuid, nodev).
+ USB remounted read-only with noexec/nosuid/nodev.
FileAccessBlockMessage
- File access blocked by security policy. An unauthorized process attempted to access protected files.
+ BLOCKED: Unauthorized file access attempt logged.
EnableNotificationSilences
EnableSilentMode
EnableSilentTTYMode
+ FailClosed
+
Telemetry
Everything
-
+
StaticRules
@@ -69,48 +74,22 @@
ALLOWLIST
Identifier
platform:*
- Comment
- Allow all Apple platform binaries
-
-
- RuleType
- SIGNINGID
- Policy
- ALLOWLIST
- Identifier
- platform:com.apple.ssh
- Comment
- SSH client
RuleType
- SIGNINGID
- Policy
- ALLOWLIST
- Identifier
- platform:com.apple.ssh-agent
- Comment
- SSH agent
-
-
- RuleType
- SIGNINGID
+ PATH
Policy
ALLOWLIST
Identifier
- platform:com.apple.ssh-add
- Comment
- SSH key management
+ /opt/local/bin
RuleType
- SIGNINGID
+ PATH
Policy
ALLOWLIST
Identifier
- platform:com.apple.ssh-keygen
- Comment
- SSH key generation
+ /opt/local/sbin
RuleType
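Review bot: `PATH` is not a Santa static rule type — as far as I know the accepted `RuleType` values are `BINARY`, `CERTIFICATE`, `SIGNINGID`, `TEAMID` and `CDHASH` — so the `/opt/local/bin` and `/opt/local/sbin` entries this hunk converts will be rejected or ignored when the profile loads, and under `ClientMode` 2 everything under `/opt/local` ends up blocked rather than allowed. Santa's path-based allowance is the `AllowedPathRegex` configuration key, and any path allowance over user-writable directories (`~/.cargo/bin`, `~/.npm-global`, `~/.local/bin` in the following hunks) makes an unsigned file dropped there executable, which is the bypass Lockdown mode exists to prevent; SIGNINGID/TEAMID or CDHASH rules for those tools keep the trust anchor. This and the following hunks through `-248,9 +201,7` also strip every `Comment` key, leaving TEAMID values such as `EQHXZ8M8AV`, `VLUGQBAPZ5` and `KYL8YCVN64` with no record of which vendor they belong to; please keep a `Comment` per rule, e.g. `Comment` / `<vendor name> — why this is allowed`.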
@@ -118,9 +97,7 @@
Policy
ALLOWLIST
Identifier
- /opt/local/bin
- Comment
- MacPorts binaries
+ /opt/local/libexec
RuleType
@@ -128,9 +105,7 @@
Policy
ALLOWLIST
Identifier
- /opt/local/sbin
- Comment
- MacPorts system binaries
+ /opt/local/lib
RuleType
@@ -138,9 +113,7 @@
Policy
ALLOWLIST
Identifier
- /opt/local/libexec
- Comment
- MacPorts libexec
+ /opt/local/lib/node_modules
RuleType
@@ -148,9 +121,7 @@
Policy
ALLOWLIST
Identifier
- /opt/local/lib
- Comment
- MacPorts libraries
+ /opt/local/Library/Frameworks/Python.framework
RuleType
@@ -158,9 +129,7 @@
Policy
ALLOWLIST
Identifier
- /opt/local/lib/node_modules
- Comment
- Global npm packages (MacPorts node)
+ /Users/warren/.npm-global
RuleType
@@ -168,9 +137,7 @@
Policy
ALLOWLIST
Identifier
- /Users/warren/.npm-global
- Comment
- User npm global packages
+ /Users/warren/.local/bin
RuleType
@@ -178,9 +145,7 @@
Policy
ALLOWLIST
Identifier
- /Users/warren/*/node_modules
- Comment
- Project node_modules (BROAD - review if concerned)
+ /Users/warren/.cargo/bin
RuleType
@@ -188,9 +153,7 @@
Policy
ALLOWLIST
Identifier
- /opt/local/Library/Frameworks/Python.framework
- Comment
- MacPorts Python framework
+ /Users/warren/.rustup
RuleType
@@ -198,39 +161,31 @@
Policy
ALLOWLIST
Identifier
- /Users/warren/.local/bin
- Comment
- pipx / user Python scripts
+ /Users/warren/go/bin
RuleType
- PATH
+ TEAMID
Policy
ALLOWLIST
Identifier
- /Users/warren/.cargo/bin
- Comment
- Cargo installed binaries
+ UBF8T346G9
RuleType
- PATH
+ TEAMID
Policy
ALLOWLIST
Identifier
- /Users/warren/.rustup
- Comment
- Rustup toolchains
+ EQHXZ8M8AV
RuleType
- PATH
+ TEAMID
Policy
ALLOWLIST
Identifier
- /Users/warren/go/bin
- Comment
- Go binaries
+ 9BNSXJN65R
RuleType
@@ -238,9 +193,7 @@
Policy
ALLOWLIST
Identifier
- UBF8T346G9
- Comment
- Microsoft (VS Code, etc)
+ VLUGQBAPZ5
RuleType
@@ -248,9 +201,7 @@
Policy
ALLOWLIST
Identifier
- 9BNSXJN65R
- Comment
- Docker Inc
+ KYL8YCVN64
diff --git a/shell/gpg.conf b/shell/gpg.conf
index 1ddcca5..7f2eda8 100644
--- a/shell/gpg.conf
+++ b/shell/gpg.conf
@@ -25,7 +25,11 @@ s2k-cipher-algo AES256
s2k-count 65011712
no-symkey-cache
weak-digest SHA1
+weak-digest RIPEMD160
disable-cipher-algo 3DES
+disable-cipher-algo IDEA
+disable-cipher-algo CAST5
+disable-cipher-algo BLOWFISH
require-cross-certification
require-secmem
@@ -36,19 +40,22 @@ default-recipient-self
min-rsa-length 3072
disable-pubkey-algo DSA
+disable-pubkey-algo ELGAMAL
-import-options import-clean
-export-options export-clean
+import-options import-clean import-minimal
+export-options export-clean export-minimal
keyserver hkps://keys.openpgp.org
-keyserver hkps://keyserver.ubuntu.com
-keyserver hkps://pgp.mit.edu
-keyserver-options no-honor-keyserver-url include-revoked
+keyserver-options no-honor-keyserver-url include-revoked no-include-attributes timeout=10
no-auto-key-retrieve
auto-key-locate local
trust-model tofu+pgp
tofu-default-policy unknown
+completes-needed 2
+marginals-needed 5
+max-cert-depth 3
+no-auto-check-trustdb
# verbose
# list-options show-unusable-subkeys
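Review bot: `import-minimal` strips every third-party certification on import and keeps only the newest self-signature, so the web-of-trust thresholds added below it (`completes-needed 2`, `marginals-needed 5`, `max-cert-depth 3`) can never be met for imported keys — under `trust-model tofu+pgp` the pgp half becomes dead weight and only TOFU history contributes. Either drop `import-minimal` (keeping `import-clean`, which removes only unusable signatures) or document that WoT validity is intentionally disabled. `no-auto-check-trustdb` additionally freezes computed trust until `gpg --check-trustdb` is run by hand; a comment such as `# trustdb is not rebuilt automatically — run gpg --check-trustdb after key imports` belongs next to it.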
From 754959110233541488eff7bf1b02c88d81494eaa Mon Sep 17 00:00:00 2001
From: Yu-Jen Warren Wang <76871022+crimsonpython24@users.noreply.github.com>
Date: Wed, 21 Jan 2026 16:00:21 -0800
Subject: [PATCH 3/4] fix: edit some keys bc bored in class
---
policies/faa_policy.plist | 310 +++++++++++++++++++++---------------
policies/santa.mobileconfig | 37 ++---
2 files changed, 202 insertions(+), 145 deletions(-)
diff --git a/policies/faa_policy.plist b/policies/faa_policy.plist
index 6c40666..82037cd 100644
--- a/policies/faa_policy.plist
+++ b/policies/faa_policy.plist
@@ -3,7 +3,7 @@
Version
- v1.0
+ v2.0
WatchItems
ChromeCookies
@@ -62,6 +62,10 @@
Path
/Users/*/Library/Application Support/Google/Chrome/*/Login Data-journal
+
+ Path
+ /Users/*/Library/Application Support/Google/Chrome/*/Web Data
+
Options
@@ -130,23 +134,25 @@
- SlackSecrets
+ FirefoxSecrets
Paths
Path
- /Users/*/Library/Application Support/Slack/Cookies
+ /Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite
Path
- /Users/*/Library/Application Support/Slack/Local Storage
- IsPrefix
-
+ /Users/*/Library/Application Support/Firefox/Profiles/*/key4.db
Path
- /Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/Cookies
+ /Users/*/Library/Application Support/Firefox/Profiles/*/logins.json
+
+
+ Path
+ /Users/*/Library/Application Support/Firefox/Profiles/*/cert9.db
Options
@@ -162,32 +168,30 @@
SigningID
- com.tinyspeck.slackmacgap
+ org.mozilla.firefox
TeamID
- BQR82RBBHL
-
-
- SigningID
- com.apple.mdworker_shared
- PlatformBinary
-
+ 43AQ936H96
- DiscordSecrets
+ SlackSecrets
Paths
Path
- /Users/*/Library/Application Support/discord/Cookies
+ /Users/*/Library/Application Support/Slack/Cookies
Path
- /Users/*/Library/Application Support/discord/Local Storage
+ /Users/*/Library/Application Support/Slack/Local Storage
IsPrefix
+
+ Path
+ /Users/*/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/Cookies
+
Options
@@ -202,29 +206,23 @@
SigningID
- com.hnc.Discord
+ com.tinyspeck.slackmacgap
TeamID
- 53Q6R32WPB
-
-
- SigningID
- com.apple.mdworker_shared
- PlatformBinary
-
+ BQR82RBBHL
- SlackResources
+ DiscordSecrets
Paths
Path
- /Applications/Slack.app/Contents/Resources/app.asar
+ /Users/*/Library/Application Support/discord/Cookies
Path
- /Applications/Slack.app/Contents/Resources/app
+ /Users/*/Library/Application Support/discord/Local Storage
IsPrefix
@@ -232,7 +230,7 @@
Options
AllowReadAccess
-
+
AuditOnly
RuleType
@@ -240,29 +238,29 @@
Processes
-
- TeamID
- BQR82RBBHL
-
SigningID
- com.apple.installer
- PlatformBinary
-
+ com.hnc.Discord
+ TeamID
+ 53Q6R32WPB
- DiscordResources
+ ElectronAppResources
Paths
+
+ Path
+ /Applications/Slack.app/Contents/Resources/app.asar
+
Path
/Applications/Discord.app/Contents/Resources/app.asar
Path
- /Applications/Discord.app/Contents/Resources/app
+ /Applications/Visual Studio Code.app/Contents/Resources/app
IsPrefix
@@ -280,38 +278,12 @@
TeamID
- 53Q6R32WPB
-
-
- SigningID
- com.apple.installer
- PlatformBinary
-
+ BQR82RBBHL
-
-
- VSCodeResources
-
- Paths
-
- Path
- /Applications/Visual Studio Code.app/Contents/Resources/app
- IsPrefix
-
+ TeamID
+ 53Q6R32WPB
-
- Options
-
- AllowReadAccess
-
- AuditOnly
-
- RuleType
- PathsWithAllowedProcesses
-
- Processes
-
TeamID
UBF8T346G9
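Review bot: Merging `SlackResources`, `DiscordResources` and `VSCodeResources` into one `ElectronAppResources` rule (previous hunk, `-240,29 +238,29`) whose Processes list is the union of TeamIDs `BQR82RBBHL`, `53Q6R32WPB` and `UBF8T346G9` lets any Slack-signed process write Discord's or VS Code's `app.asar` and vice versa — each vendor's code now has write access to the other two bundles, which is broader than the three rules it replaces. FAA allows any process matching any entry in the list, so per-vendor scoping needs one rule per app; if the merge is kept for brevity, a `BlockMessage` or comment should state that cross-vendor writes are accepted. The `AuditOnly` boolean for this rule is not shown on this page, so I cannot tell whether the rule is enforced or only logged.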
@@ -390,10 +362,6 @@
Path
/Users/*/.ssh/config
-
- Path
- /Users/*/.ssh/known_hosts
-
Path
/Users/*/.ssh/authorized_keys
@@ -436,17 +404,43 @@
- AWSCredentials
+ GPGPrivateKeys
Paths
Path
- /Users/*/.aws/credentials
+ /Users/*/.gnupg/private-keys-v1.d
+ IsPrefix
+
+
+
+ Path
+ /Users/*/.gnupg/secring.gpg
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+
+ Processes
+
+
+
+ PasswordStore
+
+ Paths
+
Path
- /Users/*/.aws/config
+ /Users/*/.password-store
+ IsPrefix
+
Options
@@ -460,18 +454,34 @@
Processes
+
+ SigningID
+ com.apple.git
+ PlatformBinary
+
+
SigningID
com.apple.Terminal
PlatformBinary
+
+
+ CloudCredentials
+
+ Processes
+
SigningID
- com.apple.python3
+ com.apple.Terminal
PlatformBinary
+
+ TeamID
+ 9BNSXJN65R
+
GitCredentials
@@ -532,13 +542,19 @@
- HostsFile
+ Sudoers
Paths
Path
- /private/etc/hosts
+ /private/etc/sudoers
+
+
+ Path
+ /private/etc/sudoers.d
+ IsPrefix
+
Options
@@ -546,7 +562,7 @@
AllowReadAccess
AuditOnly
-
+
RuleType
PathsWithAllowedProcesses
@@ -554,27 +570,25 @@
SigningID
- com.apple.vim
+ com.apple.sudo
PlatformBinary
SigningID
- com.apple.nano
+ com.apple.visudo
PlatformBinary
- SystemLaunchAgents
+ HostsFile
Paths
Path
- /Library/LaunchAgents
- IsPrefix
-
+ /private/etc/hosts
Options
@@ -590,19 +604,19 @@
SigningID
- com.apple.installer
+ com.apple.vim
PlatformBinary
SigningID
- com.apple.launchctl
+ com.apple.nano
PlatformBinary
- SystemLaunchDaemons
+ LaunchDaemons
Paths
@@ -612,13 +626,25 @@
IsPrefix
+
+ Path
+ /Library/LaunchAgents
+ IsPrefix
+
+
+
+ Path
+ /Users/*/Library/LaunchAgents
+ IsPrefix
+
+
Options
AllowReadAccess
AuditOnly
-
+
RuleType
PathsWithAllowedProcesses
@@ -666,7 +692,6 @@
Processes
-
PeriodicScripts
@@ -679,12 +704,6 @@
IsPrefix
-
- Path
- /usr/local/etc/periodic
- IsPrefix
-
-
Options
@@ -705,41 +724,14 @@
- RCScripts
+ RCScriptsEmond
Paths
-
- Path
- /private/etc/rc.common
-
Path
/private/etc/rc.local
-
- Path
- /private/etc/rc.shutdown.local
-
-
- Options
-
- AllowReadAccess
-
- AuditOnly
-
- RuleType
- PathsWithAllowedProcesses
-
- Processes
-
-
-
-
- Emond
-
- Paths
-
Path
/private/etc/emond.d
@@ -758,7 +750,6 @@
Processes
-
ShellRCFiles
@@ -831,6 +822,75 @@
PlatformBinary
+
+ SigningID
+ com.apple.zsh
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.bash
+ PlatformBinary
+
+
+
+
+ Keychain
+
+ Paths
+
+
+ Path
+ /Users/*/Library/Keychains
+ IsPrefix
+
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+
+ Processes
+
+
+ SigningID
+ com.apple.security
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.securityd
+ PlatformBinary
+
+
+
+
+ TCC
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+
+ Processes
+
+
+ SigningID
+ com.apple.tccd
+ PlatformBinary
+
+
diff --git a/policies/santa.mobileconfig b/policies/santa.mobileconfig
index 9f9abe1..75ab125 100644
--- a/policies/santa.mobileconfig
+++ b/policies/santa.mobileconfig
@@ -19,6 +19,8 @@
ClientMode
2
+ FailClosed
+
EnableBadSignatureProtection
EnablePageZeroProtection
@@ -27,6 +29,7 @@
EnableAllEventUpload
+
BlockUSBMount
RemountUSBMode
@@ -38,33 +41,35 @@
OnStartUSBOptions
ForceRemount
+
FileAccessPolicyPlist
/var/db/santa/faa_policy.plist
FileAccessPolicyUpdateIntervalSec
60
+
BannedBlockMessage
- BLOCKED: This application has been explicitly banned.
+ BLOCKED: This binary is explicitly banned.
UnknownBlockMessage
- BLOCKED: Unrecognized binary. Allowlist via santactl if legitimate.
+ BLOCKED: Unrecognized binary. Run 'santactl rule --allow --path /path/to/binary' if legitimate.
BannedUSBBlockMessage
- BLOCKED: USB device banned by policy.
+ BLOCKED: USB device banned.
RemountUSBBlockMessage
USB remounted read-only with noexec/nosuid/nodev.
FileAccessBlockMessage
- BLOCKED: Unauthorized file access attempt logged.
+ BLOCKED: Unauthorized file access attempt.
+
EnableNotificationSilences
EnableSilentMode
EnableSilentTTYMode
- FailClosed
-
+
Telemetry
Everything
-
+
StaticRules
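Review bot: `UnknownBlockMessage` now tells the user to run `santactl rule --allow --path /path/to/binary`, which on a single-admin laptop turns every Lockdown-mode block (`ClientMode` 2 above) into a one-command self-approval and trains the habit of allowlisting whatever just got blocked — including an unsigned dropper. A message that asks for a review first, e.g. `BLOCKED: Unrecognized binary. Check the Santa event log before allowlisting.`, keeps the friction Lockdown is meant to add. `santactl rule --allow --path` also creates a hash (BINARY) rule by default, so the hint is silent about the fact that the allow stops applying on the binary's next update.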
@@ -113,7 +118,7 @@
Policy
ALLOWLIST
Identifier
- /opt/local/lib/node_modules
+ /opt/local/Library/Frameworks
RuleType
@@ -121,7 +126,7 @@
Policy
ALLOWLIST
Identifier
- /opt/local/Library/Frameworks/Python.framework
+ /Users/warren/.cargo/bin
RuleType
@@ -129,7 +134,7 @@
Policy
ALLOWLIST
Identifier
- /Users/warren/.npm-global
+ /Users/warren/.rustup
RuleType
@@ -145,15 +150,7 @@
Policy
ALLOWLIST
Identifier
- /Users/warren/.cargo/bin
-
-
- RuleType
- PATH
- Policy
- ALLOWLIST
- Identifier
- /Users/warren/.rustup
+ /Users/warren/go/bin
RuleType
@@ -161,7 +158,7 @@
Policy
ALLOWLIST
Identifier
- /Users/warren/go/bin
+ /Users/warren/.npm-global
RuleType
From c5a817746c837b98e4f43cee15d7e752157dc735 Mon Sep 17 00:00:00 2001
From: Yu-Jen Warren Wang <76871022+crimsonpython24@users.noreply.github.com>
Date: Wed, 21 Jan 2026 20:07:18 -0800
Subject: [PATCH 4/4] breaking: add even more rules
---
policies/faa_policy.plist | 646 ++++++++++++++++++++++++++++++++-
policies/prefs/rules.json | 100 +++++
policies/prefs/santa_base.json | 249 -------------
policies/santa.mobileconfig | 358 ++++++++++++++++--
4 files changed, 1065 insertions(+), 288 deletions(-)
create mode 100644 policies/prefs/rules.json
delete mode 100644 policies/prefs/santa_base.json
diff --git a/policies/faa_policy.plist b/policies/faa_policy.plist
index 82037cd..7ee422c 100644
--- a/policies/faa_policy.plist
+++ b/policies/faa_policy.plist
@@ -3,7 +3,13 @@
Version
- v2.0
+ v2.1-hardened
+
+ EventDetailURL
+ https://security.internal/faa/%hostname%/%rule_name%/%file_identifier%
+ EventDetailText
+ Report Issue
+
WatchItems
ChromeCookies
@@ -18,6 +24,14 @@
Path
/Users/*/Library/Application Support/Google/Chrome/*/Cookies-journal
+
+ Path
+ /Users/*/Library/Application Support/Google/Chrome/*/Network/Cookies
+
+
+ Path
+ /Users/*/Library/Application Support/Google/Chrome/*/Network/Cookies-journal
+
Options
@@ -27,6 +41,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Chrome cookies are protected. Only Chrome can access this file.
Processes
@@ -50,6 +66,7 @@
+
ChromeLoginData
Paths
@@ -66,6 +83,10 @@
Path
/Users/*/Library/Application Support/Google/Chrome/*/Web Data
+
+ Path
+ /Users/*/Library/Application Support/Google/Chrome/*/Web Data-journal
+
Options
@@ -75,6 +96,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Chrome login data is protected.
Processes
@@ -92,6 +115,7 @@
+
ChromeExtensions
Paths
@@ -111,6 +135,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Chrome extensions directory is write-protected.
Processes
@@ -132,8 +158,15 @@
PlatformBinary
+
+ SigningID
+ com.apple.mds
+ PlatformBinary
+
+
+
FirefoxSecrets
Paths
@@ -142,6 +175,10 @@
Path
/Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite
+
+ Path
+ /Users/*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite-journal
+
Path
/Users/*/Library/Application Support/Firefox/Profiles/*/key4.db
@@ -154,6 +191,10 @@
Path
/Users/*/Library/Application Support/Firefox/Profiles/*/cert9.db
+
+ Path
+ /Users/*/Library/Application Support/Firefox/Profiles/*/signons.sqlite
+
Options
@@ -163,6 +204,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Firefox credentials are protected.
Processes
@@ -174,6 +217,56 @@
+
+ SafariSecrets
+
+ Paths
+
+
+ Path
+ /Users/*/Library/Cookies/Cookies.binarycookies
+
+
+ Path
+ /Users/*/Library/Safari/LocalStorage
+ IsPrefix
+
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+ BlockMessage
+ Safari cookies are protected.
+
+ Processes
+
+
+ SigningID
+ com.apple.Safari
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.Safari.SandboxBroker
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.WebKit.Networking
+ PlatformBinary
+
+
+
+
+
SlackSecrets
Paths
@@ -182,6 +275,10 @@
Path
/Users/*/Library/Application Support/Slack/Cookies
+
+ Path
+ /Users/*/Library/Application Support/Slack/Cookies-journal
+
Path
/Users/*/Library/Application Support/Slack/Local Storage
@@ -201,6 +298,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Slack credentials are protected.
Processes
@@ -210,8 +309,15 @@
TeamID
BQR82RBBHL
+
+ SigningID
+ com.tinyspeck.slackmacgap.helper
+ TeamID
+ BQR82RBBHL
+
+
DiscordSecrets
Paths
@@ -235,6 +341,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Discord credentials are protected.
Processes
@@ -246,6 +354,7 @@
+
ElectronAppResources
Paths
@@ -273,6 +382,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Electron app resources are protected from modification.
Processes
@@ -296,6 +407,7 @@
+
SSHPrivateKeys
Paths
@@ -316,6 +428,10 @@
Path
/Users/*/.ssh/*_ecdsa
+
+ Path
+ /Users/*/.ssh/*_dsa
+
Options
@@ -325,6 +441,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ SSH private keys are protected.
Processes
@@ -346,14 +464,33 @@
PlatformBinary
+
+ SigningID
+ com.apple.ssh-keygen
+ PlatformBinary
+
+
SigningID
com.apple.git
PlatformBinary
+
+ SigningID
+ com.apple.scp
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.sftp
+ PlatformBinary
+
+
+
SSHConfig
Paths
@@ -366,15 +503,21 @@
Path
/Users/*/.ssh/authorized_keys
+
+ Path
+ /Users/*/.ssh/known_hosts
+
Options
AllowReadAccess
AuditOnly
-
+
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ SSH config files are write-protected.
Processes
@@ -384,6 +527,12 @@
PlatformBinary
+
+ SigningID
+ com.apple.ssh-keygen
+ PlatformBinary
+
+
SigningID
com.apple.Terminal
@@ -402,8 +551,14 @@
PlatformBinary
+
+ TeamID
+ UBF8T346G9
+
+
+
GPGPrivateKeys
Paths
@@ -418,6 +573,10 @@
Path
/Users/*/.gnupg/secring.gpg
+
+ Path
+ /Users/*/.gnupg/trustdb.gpg
+
Options
@@ -427,11 +586,40 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ GPG private keys are protected.
Processes
+
+ BinaryPath
+ /opt/local/bin/gpg
+
+
+ BinaryPath
+ /opt/local/bin/gpg2
+
+
+ BinaryPath
+ /opt/local/libexec/gnupg/gpg-agent
+
+
+ BinaryPath
+ /usr/local/bin/gpg
+
+
+ BinaryPath
+ /usr/local/bin/gpg-agent
+
+
+ SigningID
+ com.apple.git
+ PlatformBinary
+
+
+
PasswordStore
Paths
@@ -466,10 +654,50 @@
PlatformBinary
+
+ BinaryPath
+ /opt/local/bin/gpg
+
CloudCredentials
+ Paths
+
+
+ Path
+ /Users/*/.aws/credentials
+
+
+ Path
+ /Users/*/.aws/config
+
+
+ Path
+ /Users/*/.config/gcloud
+ IsPrefix
+
+
+
+ Path
+ /Users/*/.azure
+ IsPrefix
+
+
+
+ Path
+ /Users/*/.kube/config
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+
Processes
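Review bot: FAA evaluates the process that actually opens the file, and for `~/.aws/credentials`, `~/.config/gcloud`, `~/.azure` and `~/.kube/config` that is the CLI (`aws`, `gcloud`, `az`, `kubectl`, or the Python/Node runtime behind it), never the terminal emulator; the Processes list this rule inherited from PATCH 3 (`com.apple.Terminal` plus TeamID `9BNSXJN65R`) therefore allows nothing that legitimately reads these files. With `AuditOnly` true this only fills the log with false positives; with it false, every cloud CLI call is blocked. List the real consumers (signing ID or TeamID of the CLI packages, `BinaryPath` for unsigned MacPorts tools) and state the intended mode in a comment.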
@@ -484,6 +712,7 @@
+
GitCredentials
Paths
@@ -492,6 +721,10 @@
Path
/Users/*/.git-credentials
+
+ Path
+ /Users/*/.gitconfig
+
Options
@@ -501,6 +734,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Git credentials are protected.
Processes
@@ -510,8 +745,21 @@
PlatformBinary
+
+ SigningID
+ com.apple.vim
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.nano
+ PlatformBinary
+
+
+
PAMConfig
Paths
@@ -531,6 +779,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ PAM configuration is protected from modification.
Processes
@@ -542,6 +792,7 @@
+
Sudoers
Paths
@@ -556,6 +807,12 @@
IsPrefix
+
+ Path
+ /private/var/db/sudo/ts
+ IsPrefix
+
+
Options
@@ -565,6 +822,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Sudoers configuration is protected. Use visudo.
Processes
@@ -590,15 +849,21 @@
Path
/private/etc/hosts
+
+ Path
+ /private/etc/resolv.conf
+
Options
AllowReadAccess
AuditOnly
-
+
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Network configuration files are protected.
Processes
@@ -614,8 +879,15 @@
PlatformBinary
+
+ SigningID
+ com.apple.configd
+ PlatformBinary
+
+
+
LaunchDaemons
Paths
@@ -638,6 +910,18 @@
IsPrefix
+
+ Path
+ /System/Library/LaunchDaemons
+ IsPrefix
+
+
+
+ Path
+ /System/Library/LaunchAgents
+ IsPrefix
+
+
Options
@@ -647,6 +931,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ LaunchAgents/Daemons are protected from modification.
Processes
@@ -664,6 +950,7 @@
+
CronJobs
Paths
@@ -689,11 +976,20 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Cron jobs are protected from direct modification.
Processes
+
+ SigningID
+ com.apple.crontab
+ PlatformBinary
+
+
+
PeriodicScripts
Paths
@@ -713,6 +1009,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Periodic scripts are protected.
Processes
@@ -724,6 +1022,7 @@
+
RCScriptsEmond
Paths
@@ -732,6 +1031,10 @@
Path
/private/etc/rc.local
+
+ Path
+ /private/etc/rc.common
+
Path
/private/etc/emond.d
@@ -747,11 +1050,13 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Startup scripts are protected.
Processes
-
-
+
+
ShellRCFiles
Paths
@@ -768,6 +1073,10 @@
Path
/Users/*/.zprofile
+
+ Path
+ /Users/*/.zlogin
+
Path
/Users/*/.bashrc
@@ -776,6 +1085,10 @@
Path
/Users/*/.bash_profile
+
+ Path
+ /Users/*/.bash_login
+
Path
/Users/*/.profile
@@ -784,6 +1097,10 @@
Path
/private/etc/zshrc
+
+ Path
+ /private/etc/zshenv
+
Path
/private/etc/bashrc
@@ -798,9 +1115,11 @@
AllowReadAccess
AuditOnly
-
+
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ Shell configuration files are protected.
Processes
@@ -834,8 +1153,293 @@
PlatformBinary
+
+ TeamID
+ UBF8T346G9
+
+ LoginLogoutHooks
+
+ Paths
+
+
+ Path
+ /private/var/root/Library/Preferences/com.apple.loginwindow.plist
+
+
+ Path
+ /Users/*/Library/Preferences/com.apple.loginwindow.plist
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+ BlockMessage
+ Login hooks are protected.
+
+ Processes
+
+
+ SigningID
+ com.apple.cfprefsd
+ PlatformBinary
+
+
+
+
+ SpotlightImporters
+
+ Paths
+
+
+ Path
+ /Users/*/Library/Spotlight
+ IsPrefix
+
+
+
+ Path
+ /Library/Spotlight
+ IsPrefix
+
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ EnableSilentMode
+
+ RuleType
+ PathsWithAllowedProcesses
+ BlockMessage
+ Spotlight plugin installation blocked.
+
+ Processes
+
+
+ SigningID
+ com.apple.mds
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.mdworker
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.mdworker_shared
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.mdimport
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.installer
+ PlatformBinary
+
+
+
+
+ AuthorizationPlugins
+
+ Paths
+
+
+ Path
+ /Library/Security/SecurityAgentPlugins
+ IsPrefix
+
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+ BlockMessage
+ Authorization plugins directory is protected.
+
+ Processes
+
+
+ SigningID
+ com.apple.installer
+ PlatformBinary
+
+
+
+
+ ScriptingAdditions
+
+ Paths
+
+
+ Path
+ /Library/ScriptingAdditions
+ IsPrefix
+
+
+
+ Path
+ /Users/*/Library/ScriptingAdditions
+ IsPrefix
+
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+ BlockMessage
+ Scripting additions directory is protected.
+
+ Processes
+
+
+ SigningID
+ com.apple.installer
+ PlatformBinary
+
+
+
+
+ InputMethods
+
+ Paths
+
+
+ Path
+ /Library/Input Methods
+ IsPrefix
+
+
+
+ Path
+ /Users/*/Library/Input Methods
+ IsPrefix
+
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+ BlockMessage
+ Input methods directory is protected.
+
+ Processes
+
+
+ SigningID
+ com.apple.installer
+ PlatformBinary
+
+
+
+
+ DockerSettings
+
+ Paths
+
+
+ Path
+ /Users/*/Library/Group Containers/group.com.docker
+ IsPrefix
+
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+ BlockMessage
+ Docker Desktop settings are protected.
+
+ Processes
+
+
+ TeamID
+ 9BNSXJN65R
+
+
+
+ KernelExtensions
+
+ Paths
+
+
+ Path
+ /Library/Extensions
+ IsPrefix
+
+
+
+ Path
+ /Library/StagedExtensions
+ IsPrefix
+
+
+
+ Options
+
+ AllowReadAccess
+
+ AuditOnly
+
+ RuleType
+ PathsWithAllowedProcesses
+ BlockMessage
+ Kernel extension directories are protected.
+
+ Processes
+
+
+ SigningID
+ com.apple.installer
+ PlatformBinary
+
+
+
+ SigningID
+ com.apple.kextutil
+ PlatformBinary
+
+
+
+
+
Keychain
Paths
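Review bot: `AuthorizationPlugins` watches `/Library/Security/SecurityAgentPlugins`, but a plugin dropped there is inert until a mechanism referencing it is written into the authorization database at `/private/var/db/auth.db`; without a companion rule on that file (its writer is authd, presumably `com.apple.authd`) half of the persistence path stays unwatched, and `com.apple.installer` alone is a thin allow list since plugins are also installed legitimately by plain file copies. In `KernelExtensions`, `/Library/StagedExtensions` is populated by the system's kext staging daemon (`kernelmanagerd` on macOS 11+, I believe, rather than `kextutil`), so the allowed set should be checked against what actually writes there or every legitimate kext load will be flagged. `SpotlightImporters` is the only rule here that sets `EnableSilentMode`; a short comment saying why Spotlight blocks are silenced would help the next reader.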
@@ -846,6 +1450,12 @@
IsPrefix
+
+ Path
+ /Library/Keychains
+ IsPrefix
+
+
Options
@@ -870,10 +1480,32 @@
PlatformBinary
+
+ SigningID
+ com.apple.KeychainAccess
+ PlatformBinary
+
+
+
TCC
+ Paths
+
+
+ Path
+ /Library/Application Support/com.apple.TCC/TCC.db
+
+
+ Path
+ /Users/*/Library/Application Support/com.apple.TCC/TCC.db
+
+
+ Path
+ /private/var/db/locationd/clients.plist
+
+
Options
AllowReadAccess
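Review bot: `/private/var/db/locationd/clients.plist` is written by `locationd`, not `tccd`; the Processes list this rule kept from PATCH 3 contains only `com.apple.tccd`, so unless `AuditOnly` masks it, Location Services will be blocked from updating its own client list — add a `SigningID` `com.apple.locationd` / `PlatformBinary` entry or move that path to its own rule. The rule also lists only `TCC.db`, while the Chrome/Firefox/Slack rules in this same patch added their `-journal` sidecars; SQLite's `TCC.db-journal`/`-wal`/`-shm` files next to the user database are where a tampering write lands first, so they deserve the same treatment. The system `TCC.db` under `/Library/Application Support/com.apple.TCC` is SIP-protected as I understand it, so that entry will mostly record reads by the system `tccd`.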
@@ -882,6 +1514,8 @@
RuleType
PathsWithAllowedProcesses
+ BlockMessage
+ TCC database is protected.
Processes
diff --git a/policies/prefs/rules.json b/policies/prefs/rules.json
new file mode 100644
index 0000000..4bfe6b8
--- /dev/null
+++ b/policies/prefs/rules.json
@@ -0,0 +1,100 @@
+{
+ "_meta": {
+ "description": "Santa supplementary rules for sync server or santactl",
+ "version": "2.1",
+ "note": "Add in additional vendors & hash-based rules"
+ },
+
+ "rules": [
+ { "_section": "Additional team id allowlists" },
+ {
+ "_note": "Core vendors (Microsoft, Google, Docker, Little Snitch, WireGuard) are in StaticRules"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "43AQ936H96",
+ "comment": "Mozilla - Firefox, Thunderbird"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "BQR82RBBHL",
+ "comment": "Slack Technologies"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "53Q6R32WPB",
+ "comment": "Discord Inc"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "2UYBER83LD",
+ "comment": "Anthropic - Claude"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "QWY4LRW926",
+ "comment": "AgileBits - 1Password"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "N82Y98DJSN",
+ "comment": "Zoom Video Communications"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "TEAMID",
+ "identifier": "P5TKG74YM7",
+ "comment": "JetBrains - IntelliJ, PyCharm, etc"
+ },
+
+ { "_section": "cdhash version locks" },
+ {
+ "_note": "Lock critical binaries to specific versions. Get hash: codesign -dvvv /path/to/binary 2>&1 | grep CDHash"
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "CDHASH",
+ "identifier": "REPLACE_WITH_SSH_CDHASH",
+ "comment": "TEMPLATE: Lock /usr/bin/ssh to specific version",
+ "_enabled": false
+ },
+ {
+ "policy": "ALLOWLIST",
+ "rule_type": "CDHASH",
+ "identifier": "REPLACE_WITH_SUDO_CDHASH",
+ "comment": "TEMPLATE: Lock /usr/bin/sudo to specific version",
+ "_enabled": false
+ },
+
+ { "_section": "SHA256 Blacklist Template" },
+ { "_note": "Add known malware SHA256 hashes from open sources" },
+
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "BINARY",
+ "identifier": "REPLACE_WITH_MALWARE_SHA256",
+ "custom_msg": "Known malware blocked.",
+ "comment": "TEMPLATE: Add malware hashes",
+ "_enabled": false
+ },
+
+ { "_section": "Certificate Blacklist Template" },
+ {
+ "_note": "Block all binaries signed with a compromised/revoked certificate"
+ },
+ {
+ "policy": "BLOCKLIST",
+ "rule_type": "CERTIFICATE",
+ "identifier": "REPLACE_WITH_CERT_SHA256",
+ "custom_msg": "Blocked: Signed with untrusted certificate.",
+ "comment": "TEMPLATE: Block compromised signing certificates",
+ "_enabled": false
+ }
+ ]
+}
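Review bot: The two CDHASH entries under "cdhash version locks" are ALLOWLIST rules, and an ALLOWLIST rule only adds a more specific allow; it does not stop other builds of /usr/bin/ssh or /usr/bin/sudo from running, so the comments `TEMPLATE: Lock /usr/bin/ssh to specific version` overstate what the rule achieves. A real pin would require narrowing whichever broader rule currently allows those binaries (presumably the platform signing-ID allow in santa.mobileconfig) or pairing the CDHASH allow with a BLOCKLIST on the signing ID; at minimum reword the comment to `TEMPLATE: allow a known-good cdhash of /usr/bin/ssh (does not block other versions)`. Separately, `_meta`, `_section`, `_note` and `_enabled` are not part of the rule schema that santactl's rule import or a sync server consumes, so the `REPLACE_WITH_...` placeholder entries would either be rejected for an invalid identifier or loaded as written rather than skipped; keep the templates in a separate file, or document that they must be stripped before import.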
diff --git a/policies/prefs/santa_base.json b/policies/prefs/santa_base.json
deleted file mode 100644
index 98c1d0a..0000000
--- a/policies/prefs/santa_base.json
+++ /dev/null
@@ -1,249 +0,0 @@
-{
- "rules": [
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Dictionary",
- "custom_msg": "",
- "comment": "Dictionary - rarely needed, reduces attack surface"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Chess",
- "custom_msg": "",
- "comment": "Chess"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.AddressBook",
- "custom_msg": "",
- "comment": "Contacts - using alternative or disabled"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.FaceTime",
- "custom_msg": "",
- "comment": "FaceTime"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.games",
- "custom_msg": "",
- "comment": "Game Center"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Home",
- "custom_msg": "",
- "comment": "Home app"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.journal",
- "custom_msg": "",
- "comment": "Journal"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.mail",
- "custom_msg": "",
- "comment": "Apple Mail - using alternative"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Maps",
- "custom_msg": "",
- "comment": "Maps"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.MobileSMS",
- "custom_msg": "",
- "comment": "Messages"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Music",
- "custom_msg": "",
- "comment": "Music"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.mobilephone",
- "custom_msg": "",
- "comment": "Phone"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Photos",
- "custom_msg": "",
- "comment": "Photos"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.podcasts",
- "custom_msg": "",
- "comment": "Podcasts"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.reminders",
- "custom_msg": "",
- "comment": "Reminders"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Siri",
- "custom_msg": "",
- "comment": "Siri"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Stickies",
- "custom_msg": "",
- "comment": "Stickies"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.stocks",
- "custom_msg": "",
- "comment": "Stocks"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.helpviewer",
- "custom_msg": "",
- "comment": "Help Viewer"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.TV",
- "custom_msg": "",
- "comment": "Apple TV"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.news",
- "custom_msg": "",
- "comment": "News"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.freeform",
- "custom_msg": "",
- "comment": "Freeform"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.amsengagementd",
- "custom_msg": "",
- "comment": "Apple Media Services engagement daemon"
- },
- {
- "policy": "BLOCKLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.amp.mediasharingd",
- "custom_msg": "",
- "comment": "Media sharing daemon"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.ssh",
- "custom_msg": "",
- "comment": "SSH client - prevent lockout during key changes"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.ssh-agent",
- "custom_msg": "",
- "comment": "SSH agent"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.ssh-add",
- "custom_msg": "",
- "comment": "SSH key management"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.ssh-keygen",
- "custom_msg": "",
- "comment": "SSH key generation"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.git",
- "custom_msg": "",
- "comment": "Git"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "SIGNINGID",
- "identifier": "platform:com.apple.Terminal",
- "custom_msg": "",
- "comment": "Terminal"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "TEAMID",
- "identifier": "UBF8T346G9",
- "custom_msg": "",
- "comment": "Microsoft - VS Code, Office, etc"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "TEAMID",
- "identifier": "EQHXZ8M8AV",
- "custom_msg": "",
- "comment": "Google - Chrome"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "TEAMID",
- "identifier": "9BNSXJN65R",
- "custom_msg": "",
- "comment": "Docker Inc"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "TEAMID",
- "identifier": "VLUGQBAPZ5",
- "custom_msg": "",
- "comment": "Objective Development - Little Snitch"
- },
- {
- "policy": "ALLOWLIST",
- "rule_type": "TEAMID",
- "identifier": "KYL8YCVN64",
- "custom_msg": "",
- "comment": "WireGuard"
- }
- ]
-}
diff --git a/policies/santa.mobileconfig b/policies/santa.mobileconfig
index 75ab125..df71927 100644
--- a/policies/santa.mobileconfig
+++ b/policies/santa.mobileconfig
@@ -29,7 +29,7 @@
EnableAllEventUpload
-
+
BlockUSBMount
RemountUSBMode
@@ -48,15 +48,15 @@
60
BannedBlockMessage
- BLOCKED: This binary is explicitly banned.
+ BLOCKED: This binary is explicitly banned by security policy.
UnknownBlockMessage
- BLOCKED: Unrecognized binary. Run 'santactl rule --allow --path /path/to/binary' if legitimate.
+ BLOCKED: Unrecognized binary. Contact IT if this is legitimate software.
BannedUSBBlockMessage
- BLOCKED: USB device banned.
+ BLOCKED: USB storage devices are restricted.
RemountUSBBlockMessage
- USB remounted read-only with noexec/nosuid/nodev.
+ USB remounted with security restrictions (read-only, no execution).
FileAccessBlockMessage
- BLOCKED: Unauthorized file access attempt.
+ BLOCKED: Unauthorized file access attempt detected.
EnableNotificationSilences
@@ -64,12 +64,12 @@
EnableSilentTTYMode
-
+
Telemetry
Everything
-
+
StaticRules
@@ -78,88 +78,299 @@
Policy
ALLOWLIST
Identifier
- platform:*
+ platform:com.apple.osascript
+ CELProgram
+ (
+ args.join(" ").lowerAscii().matches(".*\\W+with\\W+hidden\\W+answer.*") ||
+ args.join(" ").lowerAscii().contains("password")
+ ) &&
+ args.join(" ").lowerAscii().matches(".*\\W+display\\W+dialog.*") ? BLOCKLIST : ALLOWLIST
+
RuleType
- PATH
+ SIGNINGID
Policy
ALLOWLIST
Identifier
- /opt/local/bin
+ platform:com.apple.spctl
+ CELProgram
+ [
+ '--global-disable',
+ '--master-disable',
+ '--disable',
+ '--add',
+ '--remove'
+ ].exists(flag, flag in args) ? BLOCKLIST : ALLOWLIST
+
RuleType
- PATH
+ SIGNINGID
Policy
ALLOWLIST
Identifier
- /opt/local/sbin
+ platform:com.apple.touch
+ CELProgram
+ args.exists(arg, arg in ['-a', '-m', '-r', '-A', '-t']) &&
+ args.join(" ").contains("Library/Launch") ? BLOCKLIST : ALLOWLIST
+
RuleType
- PATH
+ SIGNINGID
Policy
ALLOWLIST
Identifier
- /opt/local/libexec
+ platform:com.apple.systemsetup
+ CELProgram
+ args.join(" ").contains("-setremotelogin on") ||
+ args.join(" ").contains("-setremoteappleevents on") ? BLOCKLIST : ALLOWLIST
+
RuleType
- PATH
+ SIGNINGID
Policy
ALLOWLIST
Identifier
- /opt/local/lib
+ platform:com.apple.mount_apfs
+ CELProgram
+ '-s' in args &&
+ args.exists(arg, arg.contains("com.apple.TimeMachine.")) ? BLOCKLIST : ALLOWLIST
+
RuleType
- PATH
+ SIGNINGID
Policy
ALLOWLIST
Identifier
- /opt/local/Library/Frameworks
+ platform:com.apple.tmutil
+ CELProgram
+ 'localsnapshot' in args ? BLOCKLIST : ALLOWLIST
+
+
RuleType
- PATH
+ SIGNINGID
Policy
ALLOWLIST
Identifier
- /Users/warren/.cargo/bin
+ platform:*
RuleType
- PATH
+ SIGNINGID
Policy
- ALLOWLIST
+ BLOCKLIST
Identifier
- /Users/warren/.rustup
+ platform:com.apple.Dictionary
RuleType
- PATH
+ SIGNINGID
Policy
- ALLOWLIST
+ BLOCKLIST
Identifier
- /Users/warren/.local/bin
+ platform:com.apple.Chess
RuleType
- PATH
+ SIGNINGID
Policy
- ALLOWLIST
+ BLOCKLIST
Identifier
- /Users/warren/go/bin
+ platform:com.apple.AddressBook
RuleType
- PATH
+ SIGNINGID
Policy
- ALLOWLIST
+ BLOCKLIST
Identifier
- /Users/warren/.npm-global
+ platform:com.apple.FaceTime
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.gamecenter
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.Home
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.journal
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.mail
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.Maps
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.MobileSMS
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.Music
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.Photos
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.podcasts
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.reminders
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.Siri
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.Stickies
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.stocks
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.TV
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.news
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.freeform
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.amsengagementd
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.amp.mediasharingd
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ BLOCKLIST
+ Identifier
+ platform:com.apple.helpviewer
+
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ ALLOWLIST_COMPILER
+ Identifier
+ platform:com.apple.ld
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ ALLOWLIST_COMPILER
+ Identifier
+ platform:com.apple.lipo
+
+
+ RuleType
+ SIGNINGID
+ Policy
+ ALLOWLIST_COMPILER
+ Identifier
+ platform:com.apple.security.codesign
+
+
RuleType
TEAMID
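Review bot: The three `ALLOWLIST_COMPILER` rules at the end of the hunk include `platform:com.apple.security.codesign` and `platform:com.apple.lipo`, which rewrite existing Mach-O files rather than emit newly compiled code; with transitive rules enabled, every file either tool writes becomes allowlisted, which extends trust well beyond the build toolchain the compiler policy is meant to cover. Whether `EnableTransitiveRules` is set is not visible in this hunk, but if it is, consider keeping `ALLOWLIST_COMPILER` for `platform:com.apple.ld` only, or add a comment on the other two stating why they are treated as compilers. The CEL rules for `osascript`, `spctl`, `systemsetup`, `touch`, `mount_apfs` and `tmutil` decide on the argument vector alone, so they reflect the command line as invoked and not script or input content supplied another way; a short comment marking them as argv-only, best-effort guards would keep future readers from treating them as complete controls. The `StaticRules` array opens before this hunk and continues past its end.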
@@ -200,6 +411,87 @@
Identifier
KYL8YCVN64
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/bin
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/sbin
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/libexec
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/lib
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /opt/local/Library/Frameworks
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/.cargo/bin
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/.rustup
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/.local/bin
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/go/bin
+
+
+ RuleType
+ PATH
+ Policy
+ ALLOWLIST
+ Identifier
+ /Users/warren/.npm-global
+
PayloadDisplayName