github northpolesec/santa 2025.12
v2025.12
on GitHub

23 hours ago

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 Santa will be ending support for macOS 13 (Ventura) in January 2026.

Fixed

❗ Rules received from a sync server with CEL policies using features not supported by the current version of Santa will no longer cause syncing to fail.
❗ Addressed a memory leak in the santasyncservice process.
❗ Window icons are no longer blurry

Changed

↔️ The name for Santa as shown in the macOS settings Privacy & Security Full Disk Access pane is now more descriptive: "Santa Endpoint Security Extension".
↔️ Support for the EnableForkAndExitLogging configuration key has been removed and configurations should migrate to using the Telemetry key.
↔️ The target field in FileAccess telemetry messages emitted by FAA rule violations was switched to be a FileInfo type. This is a wire-, forward-, and backward-compatible protobuf change that now allows consumers to see stat(2) info.

Added

[Workshop Customers] On-Demand Monitor Mode! Admins can configure policies for hosts that allow users to temporarily enter Monitor Mode as needed for a defined period of time. Hosts will automatically revert to Lockdown Mode once the time expires. This enables a much smoother experience for users like developers that need to constantly build & run new binaries without having machines carry permissions for longer than necessary.
➕ CEL policies have access to two new fields which allow for more dynamic and flexible rules: the effective user ID (euid) and current working directory (cwd).
EventDetailURL and EventDetailText can now be set by the sync server.
santactl rule can now be used to check if a given path is covered by a Data FAA rule.
santactl status now displays the current sync interval.
➕ More comprehensive anti-tamper protections.

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation can be found at northpole.dev.

What's Changed

  • ci: Stop running on macos-13, fix lint.sh by @russellhancox in #634
  • Adopt mode transition sync protocol changes by @mlw in #626
  • Remove unnecessary legacy wrapper to get the IO main port by @mlw in #636
  • ObjC timer wrapper. Allow controlling timer restarts. by @mlw in #635
  • Some minor cleanup in santactl headers by @mlw in #637
  • santactl command to temporarily enter Monitor Mode if eligible by @mlw in #638
  • Reenter temporary Monitor Mode on startup if time remaining by @mlw in #639
  • build(deps): bump js-yaml from 3.14.1 to 3.14.2 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #641
  • Rename EnableNATS to EnablePushNotifications by @pmarkowsky in #632
  • Move pinning code to common where it belongs by @mlw in #643
  • santactl status now displays temporary Monitor Mode time remaining by @mlw in #640
  • Support EventDetailURL and EventDetailText in the sync protocol by @mlw in #642
  • Add localization for authorizing temporary monitor mode by @mlw in #644
  • disable v2 check for dev builds by @tburgin in #645
  • Fix issue with bundle hash event URLs by @mlw in #646
  • Improved checks on mode transition policies by @mlw in #647
  • Replace use of internal FieldDescriptorLite type with the public FieldDescriptor. by @dzonder in #648
  • Support exporting FAA rules in debug builds by @mlw in #650
  • Add sync intervals to santactl status with a human-readable output by @pmarkowsky in #649
  • Fix santactl push notification status with NPS Push Service by @pmarkowsky in #652
  • docs: Add FAA configuration docs by @russellhancox in #651
  • Add CEL rules to prevent enabling SSH and Remote Apple Events by @pmarkowsky in #653
  • Simplify the cookbook rules for systemsetup by @pmarkowsky in #654
  • docs: Switch CEL cookbook to use AddedBadge by @russellhancox in #655
  • Support checking if path is covered by a Data FAA rule by @mlw in #656
  • docs: Update js-yaml dep by @russellhancox in #657
  • deps: Update several bazel dependencies by @russellhancox in #659
  • Add santa command handler by @pmarkowsky in #631
  • Set a more readable name for the FDA pane by @mlw in #661
  • Refactor temporary monitor mode logic by @mlw in #660
  • docs: Update dependencies by @russellhancox in #663
  • docs: Delete unused package-lock.json by @russellhancox in #665
  • Add rules to lockdown Docker. by @pmarkowsky in #666
  • santactl/status: Move sync interval field under current sync times by @russellhancox in #664
  • Add stored event types for TMM audit events by @mlw in #662
  • Remove the .png from the docker example by @pmarkowsky in #667
  • Make Timer thread safe and synchronize TemporaryMonitorMode ops by @mlw in #669
  • Adopt flags to reduce Bazel memory footprint in continuous builds by @mlw in #670
  • Split continuous testing action runs by @mlw in #671
  • build(deps): bump node-forge from 1.3.1 to 1.3.2 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #673
  • Emit audit events from TemporaryMonitorMode by @mlw in #672
  • Fix: Switch to using EnableForkAndExitLogging by @pmarkowsky in #674
  • Add support for time duration strings. by @pmarkowsky in #675
  • Temporary Monitor Mode audit events in sync protocol by @mlw in #676
  • santad: Add cwd and euid to CEL context by @russellhancox in #678
  • docs: Update CEL docs to mention euid/cwd fields by @russellhancox in #679
  • Switch target field in FileAccess messages to be FileInfo type by @mlw in #680
  • docs: Remove webpack-dev-server override by @russellhancox in #681
  • Fix some memory leaks in the sync service by @mlw in #683
  • Fix issue in FAA logging that could cause a crash (unreleased) by @mlw in #684
  • santactl/doctor: Improve checking of sync availability by @russellhancox in #682
  • Fix blurry window icons. by @mlw in #685
  • Improved multi monitor support by @mlw in #686
  • Placeholder to handle kill command push notification by @mlw in #688
  • Add support for proc suspend/resume events by @mlw in #690
  • On by default - suspend/resume by @mlw in #691
  • sync: Clear RepeatedPtrFields in EventUpload instead of replacing by @russellhancox in #689
  • santasyncservice: fix crash during telemetry upload by @tburgin in #687
  • Remove message copies during Event Upload message creation by @mlw in #692
  • Helper code sign identifier utilities by @mlw in #693
  • Add classes to support kill command by @mlw in #694
  • Fix rule download issue where success/failure was improperly determined by @mlw in #695
  • Adopt layered errors for Santa Commands by @mlw in #696
  • Decode kill command and encode response by @mlw in #697
  • Add santactl command command by @mlw in #698
  • Remove deprecated EnableForkAndExitLogging config key by @mlw in #699
  • Fix build issue when DEBUG isn't defined by @mlw in #700
  • Fix issue when manually managing rules with santactl rule (unreleased) by @mlw in #701

Full Changelog: 2025.11...2025.12

Check out latest releases or
releases around northpolesec/santa 2025.12

Don't miss a new santa release

NewReleases is sending notifications on new releases.

Get notifications