Added TransitiveWhitelisting explanation to rules.md (#1150)
* Added TransitiveWhitelisting explanation to rules.md

Added a section to explain TransitiveWhitelisting and Transitive/Compiler rules

* Update docs/concepts/rules.md

Co-authored-by: Matt W <436037+mlw@users.noreply.github.com>

* Update docs/concepts/rules.md

Co-authored-by: Matt W <436037+mlw@users.noreply.github.com>

---------

Co-authored-by: Matt W <436037+mlw@users.noreply.github.com>
p-harrison and mlw committed Aug 14, 2023
1 parent d82e64a commit 6588c23
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions docs/concepts/rules.md
Expand Up @@ -7,8 +7,7 @@ parent: Concepts
## Rule Types

Rules provide the primary evaluation mechanism for allowing and blocking
binaries with Santa on macOS. There are four types of rules: binary, signing ID,
certificate, and Team ID.
binaries with Santa on macOS.

### Binary Rules

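Review bot: the enumerating sentence "There are four types of rules: binary, signing ID, certificate, and Team ID." is deleted outright rather than updated, so the intro to "Rule Types" no longer tells the reader which rule types the page covers, even though this same commit adds a "Compiler/Transitive Rules" section further down. Suggest keeping the sentence and extending it, e.g. "There are five types of rules: binary, signing ID, certificate, Team ID, and compiler/transitive.", so the overview stays in step with the sections that follow.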
Expand Down Expand Up @@ -86,6 +85,16 @@ as a single developer account can and frequently will request/rotate between
multiple different signing certificates and entitlements. This is an even more
powerful rule with broader reach than individual certificate rules.

### Compiler/Transitive Rules

The transitive allowlist capability of Santa can automatically allowlist any files that are created by a set of specified binaries. A typical use-case is allowing any binaries compiled with XCode on developer machines to execute, as it would be slow and impractical to use other rule types to permit these.

To begin using transitive allowlisting, `EnableTransitiveRules` should be set to true and Compiler rules (rules with the policy `ALLOWLIST_COMPILER`) should be added to indicate the binaries which will be writing the new files to be allowlisted. Santa will create and manage Transitive rules in its database automatically, they cannot be created directly.





## Rule Evaluation

When a process is trying to execute, `santad` retrieves information on the
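Review bot: the new section describes what transitive allowlisting does ("automatically allowlist any files that are created by a set of specified binaries") but says nothing about the trust it implies: once a binary carries an `ALLOWLIST_COMPILER` rule, anything that can drive that binary (a build script, a malicious project file) can produce executables that Santa will allow without further review, so compiler rules should be scoped to the specific compiler binaries needed and not to general-purpose tools. A one-sentence caveat to that effect belongs next to the `EnableTransitiveRules` paragraph, ideally with a link to the configuration documentation where that key is described, since the text says it "should be set to true" without saying where. Smaller points in the same hunk: "XCode" should be "Xcode"; "Santa will create and manage Transitive rules in its database automatically, they cannot be created directly." is a comma splice, so split it into two sentences or use a semicolon; and the four blank lines added before "## Rule Evaluation" should be trimmed to one, matching the spacing between the other sections in this file.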