Checking it twice: Google developing whitelist/blacklist tool for Macs
Google's fledgling whitelisting and blacklisting tool, Santa, is designed to protect Mac users from malware attacks.
According to the developers' GitHub page, the system earned its merry moniker “because it keeps track of binaries that are naughty or nice.” The Register was among the first to report on the tool, which is designed for both individual users and group deployments.
The nascent system, not yet a version 1.0, has two admin modes: “Monitor,” which runs all binaries except blacklisted ones, and “Lockdown,” which runs only whitelisted binaries. It offers event logging functionality, as well as certificate- and path-based rules. To prevent sabotage by a bad actor, key components of the tool – a kernel extension that monitors for executions, a userland daemon that makes execution decisions, and a GUI agent – will confirm that all of their signing certificates are identical before communicating with each other.