From 6588c2342bc91e56365d502682f3c502394db448 Mon Sep 17 00:00:00 2001 From: p-harrison Date: Mon, 14 Aug 2023 17:04:24 +0100 Subject: [PATCH] Added TransitiveWhitelisting explanation to rules.md (#1150) * Added TransitiveWhitelisting explanation to rules.md Added a section to explain TransitiveWhitelisting and Transitive/Compiler rules * Update docs/concepts/rules.md Co-authored-by: Matt W <436037+mlw@users.noreply.github.com> * Update docs/concepts/rules.md Co-authored-by: Matt W <436037+mlw@users.noreply.github.com> --------- Co-authored-by: Matt W <436037+mlw@users.noreply.github.com> --- docs/concepts/rules.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/concepts/rules.md b/docs/concepts/rules.md index 42dcb3aa1..913a6e938 100644 --- a/docs/concepts/rules.md +++ b/docs/concepts/rules.md @@ -7,8 +7,7 @@ parent: Concepts ## Rule Types Rules provide the primary evaluation mechanism for allowing and blocking -binaries with Santa on macOS. There are four types of rules: binary, signing ID, -certificate, and Team ID. +binaries with Santa on macOS. ### Binary Rules 
@@ -86,6 +85,16 @@ as a single developer account can and frequently will request/rotate between multiple different signing certificates and entitlements. This is an even more powerful rule with broader reach than individual certificate rules. +### Compiler/Transitive Rules + +The transitive allowlist capability of Santa can automatically allowlist any files that are created by a set of specified binaries. A typical use-case is allowing any binaries compiled with XCode on developer machines to execute, as it would be slow and impractical to use other rule types to permit these. + +To begin using transitive allowlisting, `EnableTransitiveRules` should be set to true and Compiler rules (rules with the policy `ALLOWLIST_COMPILER`) should be added to indicate the binaries which will be writing the new files to be allowlisted. Santa will create and manage Transitive rules in its database automatically, they cannot be created directly. + + + + + ## Rule Evaluation When a process is trying to execute, `santad` retrieves information on the
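Review bot: In the first hunk (docs/concepts/rules.md, "## Rule Types"), the sentence enumerating the rule types ("There are four types of rules: binary, signing ID, certificate, and Team ID.") is deleted outright rather than updated, so the overview paragraph no longer tells the reader what rule types exist before the per-type subsections begin. Since the second hunk adds a "Compiler/Transitive Rules" subsection, the natural fix is to keep the sentence with the count corrected and the new type listed, for example: "There are five types of rules: binary, signing ID, certificate, Team ID, and compiler/transitive."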
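Review bot: In the second hunk's new "### Compiler/Transitive Rules" section, the trust implication of `ALLOWLIST_COMPILER` is understated: the text says Santa "can automatically allowlist any files that are created by a set of specified binaries", so each compiler rule effectively delegates allowlisting decisions to whatever that binary writes, and the section should say the set of compiler binaries must be kept as small as possible and reviewed like any other allow rule. Three smaller points in the same hunk: "XCode" should be "Xcode" (the product's spelling); "Santa will create and manage Transitive rules in its database automatically, they cannot be created directly." is a comma splice and reads better as two sentences ("... automatically. They cannot be created directly."); and the four blank lines added before "## Rule Evaluation" should be collapsed to the single blank line used between the other sections.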