Rules

The Rules interface provides a comprehensive view of all rules that control execution of binaries across your organization. This centralized dashboard allows administrators to create, monitor, and manage Santa rules at scale.

Overview

The Rules dashboard displays information about each rule:

  • Identifier: The unique identifier for the rule (hash, certificate, etc.)
  • Comment: Description or purpose of the rule
  • Rule Type: Type of rule (Binary, Certificate, Team ID, Signing ID, CDHash)
  • Policy: Action to take when the rule is matched (Allowlist, Blocklist, etc.)

Rule Types

Santa supports several types of rules:

  • Binary: Rules based on the cryptographic hash of a binary
  • Certificate: Rules based on the code signing certificate
  • Team ID: Rules based on Apple Developer Team IDs
  • Signing ID: Rules based on signing information
  • CDHash: Rules based on the CodeDirectory hash of a binary

Rule Policies

Each rule can be configured with one of the following policies:

  • Allowlist: Explicitly allow execution
  • Allowlist Compiler: Special rule for compiler processes
  • Blocklist (Malicious): Block execution due to malicious content
  • Blocklist (Policy): Block execution due to policy violation
  • Silent Blocklist (Malicious): Block without notification due to malicious content
  • Silent Blocklist (Policy): Block without notification due to policy violation

Creating Rules

To create a new rule, click the "Create Rule" button and fill in the required information:

  • Rule type
  • Identifier (hash, certificate, etc.)
  • Policy action
  • Optional comment to describe the rule's purpose

Warning: Rules take effect immediately after creation. Ensure you've verified the identifier before creating a rule.
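
A format check per rule type catches a malformed or mismatched identifier (for example, a CDHash pasted into a Binary rule) before the rule is created. This is an added example, not code from this product or from Santa; the function names and sample rows are hypothetical. The identifier shapes it assumes follow upstream Santa's conventions: 64 hex characters for Binary and Certificate, 40 for CDHash, a 10-character Team ID, and `TeamID:signing-identifier` or `platform:signing-identifier` for Signing ID.

```python
import re

# Identifier shapes per rule type. These follow upstream Santa's conventions
# and are an assumption of this example; the page does not spell them out.
SHA256_HEX = re.compile(r"[0-9a-f]{64}")   # Binary and Certificate rules
CDHASH_HEX = re.compile(r"[0-9a-f]{40}")   # CDHash rules
TEAM_ID = re.compile(r"[A-Z0-9]{10}")      # Apple Developer Team ID

def normalize_identifier(rule_type, identifier):
    """Return the cleaned identifier, or raise ValueError when it cannot
    be an identifier for the given rule type."""
    ident = identifier.strip()
    if rule_type in ("Binary", "Certificate"):
        ident = ident.lower()
        ok = SHA256_HEX.fullmatch(ident)
    elif rule_type == "CDHash":
        ident = ident.lower()
        ok = CDHASH_HEX.fullmatch(ident)
    elif rule_type == "Team ID":
        ident = ident.upper()
        ok = TEAM_ID.fullmatch(ident)
    elif rule_type == "Signing ID":
        # Expected form: <Team ID>:<signing identifier>, or
        # platform:<signing identifier> for Apple platform binaries.
        prefix, sep, signing_id = ident.partition(":")
        prefix = "platform" if prefix.lower() == "platform" else prefix.upper()
        ok = (sep and signing_id and not re.search(r"\s", signing_id)
              and (prefix == "platform" or TEAM_ID.fullmatch(prefix)))
        ident = f"{prefix}:{signing_id}"
    else:
        raise ValueError(f"unknown rule type: {rule_type!r}")
    if not ok:
        raise ValueError(f"{identifier.strip()!r} is not a valid {rule_type} identifier")
    return ident

def find_invalid(rows):
    """Check (rule_type, identifier) pairs; return [(index, error message)]."""
    problems = []
    for i, (rule_type, identifier) in enumerate(rows):
        try:
            normalize_identifier(rule_type, identifier)
        except ValueError as exc:
            problems.append((i, str(exc)))
    return problems

# Constructed sample rows, not real hashes or Team IDs.
SAMPLE = [("Binary", "AB" * 32), ("Binary", "ab" * 20),
          ("Signing ID", "abcde12345:com.example.app"),
          ("Signing ID", "com.example.app"), ("CDHash", "ab" * 20)]
```

A format check only shows that the identifier has the right shape for its rule type; confirming that it belongs to the intended binary, certificate or team is still a separate step.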

Rule Deployment

Once created, rules are automatically distributed to Santa clients during their next sync. The timing depends on your sync server configuration.

For more detailed information about Santa rules and configuration options, visit the Santa Documentation.