-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy pathOutsetPrivilegedSantaRules.sh
42 lines (36 loc) · 1.42 KB
/
OutsetPrivilegedSantaRules.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/bin/bash
# This is a login-privileged-every script for Outset that configures Santa to block (after login) certain apps, depending
# on what user they are. Since all Apple software is whitelisted by default by certificate, in order to block these apps,
# you have to block based on binary hash instead. Since Apple software will update over time, keeping a static list of
# hashes isn't helpful. So this calculates the hash based on what versions are currently installed.
# User not to block apps for
safe_user='USERNOTTOBLOCKAPPSFOR'
# Array of offending apps to get hashes for
apps_to_block=(
"/Applications/App Store.app"
"/Applications/FaceTime.app"
"/Applications/Mail.app"
"/Applications/Maps.app"
"/Applications/Messages.app"
"/Applications/Safari.app"
"/Applications/Siri.app"
)
# Get current user
current_user=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Loop through each of the apps to block
for app_to_block in "${apps_to_block[@]}"
do
# Check that the path actually exists
if [[ -a "$app_to_block" ]]; then
# If it exists, get the offending hash
offending_hash=$(/usr/local/bin/santactl fileinfo "$app_to_block" --key SHA-256)
# Put in rule
if [[ "$current_user" == "$safe_user" ]]; then
# Allow this
/usr/local/bin/santactl rule --whitelist --sha256 "$offending_hash"
else
# Block this
/usr/local/bin/santactl rule --blacklist --sha256 "$offending_hash"
fi
fi
done