{"id":13582330,"url":"https://github.com/groob/moroz","last_synced_at":"2025-03-21T20:05:14.988Z","repository":{"id":18426736,"uuid":"84264810","full_name":"groob/moroz","owner":"groob","description":"Moroz is a Santa server ","archived":false,"fork":false,"pushed_at":"2024-09-20T21:44:31.000Z","size":65,"stargazers_count":132,"open_issues_count":9,"forks_count":28,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-13T22:01:49.133Z","etag":null,"topics":["devops","macadmin","macos","santa","security"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/groob.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-08T01:36:26.000Z","updated_at":"2024-11-27T16:43:19.000Z","dependencies_parsed_at":"2024-01-24T23:08:52.255Z","dependency_job_id":"86045af7-5020-49ad-a157-cf14bc0a6e5c","html_url":"https://github.com/groob/moroz","commit_stats":{"total_commits":26,"total_committers":10,"mean_commits":2.6,"dds":0.6538461538461539,"last_synced_commit":"1c1f511e68658f626ce90eb1157072fb6bf23e13"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/groob%2Fmoroz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/groob%2Fmoroz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/groob%2Fmoroz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/groob%2Fmoroz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/groob","download_url":"https://codeload.github.com/groob/moroz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244706519,"owners_count":20496571,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","macadmin","macos","santa","security"],"created_at":"2024-08-01T15:02:36.138Z","updated_at":"2025-03-21T20:05:14.940Z","avatar_url":"https://github.com/groob.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n\u003cimg src=\"moroz.png\" alt=\"moroz\"/\u003e\u003cbr/\u003e\n\u003c/p\u003e\n\nMoroz is a server for the [Santa](https://github.com/google/santa) project.\n\n\u003e Santa is a binary allowlisting/blocklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.\n\u003e\n\u003e Santa is a project of Google's Macintosh Operations Team.\n\nSee this [short video](https://www.youtube.com/watch?v=3w3_bcJYWj0) for a demo.\n\n# Configurations\n\nMoroz uses [TOML](https://github.com/toml-lang/toml#example) rule files to specify configuration for Santa.\nThe path to the folder with the configurations can be specified with `-configs /path/to/configs`.\n\nMoroz expects a `global.toml` file which contains a list of rules. The `global` config can be overriden by providing a machine specific config. To do so, name the file for each host with the Santa `machine id` [configuration parameter](https://github.com/google/santa/wiki/Configuration#keys-to-be-used-with-a-tls-server). By default, this is the hardware UUID of the mac.\n\nBelow is a sample configuration file:\n\n```toml\nclient_mode = \"MONITOR\"\n#blocklist_regex = \"^(?:/Users)/.*\"\n#allowlist_regex = \"^(?:/Users)/.*\"\nbatch_size = 100\n\n[[rules]]\nrule_type = \"BINARY\"\npolicy = \"BLOCKLIST\"\nsha256 = \"2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda\"\ncustom_msg = \"blocklist firefox\"\n\n[[rules]]\nrule_type = \"CERTIFICATE\"\npolicy = \"BLOCKLIST\"\nsha256 = \"e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d\"\ncustom_msg = \"blocklist dash app certificate\"\n\n[[rules]]\nrule_type = \"TEAMID\"\npolicy = \"ALLOWLIST\"\nidentifier = \"EQHXZ8M8AV\"\ncustom_msg = \"allow google team id\"\n\n[[rules]]\nrule_type = \"SIGNINGID\"\npolicy = \"ALLOWLIST\"\nidentifier = \"EQHXZ8M8AV:com.google.Chrome\"\ncustom_msg = \"allow google chrome signing id\"\n```\n\n# Creating rules\n\nAcceptable values for client mode:\n```\nMONITOR | LOCKDOWN\n```\n\nValues for `rule_type`:\n```\nBINARY | CERTIFICATE | TEAMID | SIGNINGID\n```\n\nValues for `policy`:\n```\nBLOCKLIST | ALLOWLIST | ALLOWLIST_COMPILER | REMOVE\n```\n\nUse the `santactl` command to get the sha256 value: \n```bash\nsantactl fileinfo /Applications/Firefox.app\n```\n\n# Build\n\nThe commands below assume you have `$GOPATH/bin` in your path.\n\n```bash\ncd cmd/moroz; go build\n```\n\n# Run\n\n`moroz`  \nSee `moroz -h` for a full list of options.\n\n```bash\nUsage of moroz:\n  -configs string\n    \tpath to config folder (default \"../../configs\")\n  -event-logfile string\n    \tpath to file for saving uploaded events (default \"/tmp/santa_events\")\n  -persist-events\n      Enable writing events to disk (default `true`)\n  -http-addr string\n    \thttp address ex: -http-addr=:8080 (default \":8080\")\n  -tls-cert string\n    \tpath to TLS certificate (default \"server.crt\")\n  -tls-key string\n    \tpath to TLS private key (default \"server.key\")\n  -version\n    \tprint version information\n```\n\n# Quickstart\n\nDownload the `moroz` binary from the [Releases](https://github.com/groob/moroz/releases) page.\nCopy the `configs` folder from the repo somewhere locally. It must have the `global.toml` file.\n\n\nGenerate a self-signed certificate which will be used by Santa clients and the server for communication.\n\n```\n./tools/dev/certificate/create\n```\n\nAdd the Santa CN to your hosts file.\n\n```\nsudo echo \"127.0.0.1 santa\" \u003e\u003e /etc/hosts\n```\n\nAdd the self-signed cert to your system roots. \n\n```\n./tools/dev/certificate/add-trusted-cert\n```\n\n## Install Santa:\nThe latest version of Santa is available on the GitHub repo page: https://github.com/google/santa/releases\n\n## Configure Santa:\nYou will need to provide the `SyncBaseURL` settings. See the [Santa repo](https://github.com/google/santa/blob/01df4623c7c534568ca3d310129455ff71cc3eef/Docs/deployment/configuration.md#important) for a complete guide on all the client configuration options.\n\n## Start moroz:\nAssumes you have the `./server.crt` and `./server.key` files.\n\n```\nmoroz -configs /path/to/configs/folder\n```\n\n---\nmoroz icon by [Souvik Bhattacharjee](https://thenounproject.com/souvik502/) from the [Noun Project](https://thenounproject.com/).\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgroob%2Fmoroz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgroob%2Fmoroz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgroob%2Fmoroz/lists"}