Notes
Important
The binaries initially uploaded for this release contained only the arm64 slice. We have updated the binaries to be universal, so they now include the x86_64 slice as well. You may need to re-download the latest binaries if deploying to Intel Macs.
If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.
Santa documentation has undergone a complete overhaul and can be found at northpole.dev.
Announcements
📣 (BETA) Common Expression Language (CEL) has been added as a supported policy type! This is a powerful new feature that expands what can be expressed in a rule. Please see our CEL documentation for more details and examples, as well as the Rule schema for information on how to populate the expression.
- North Pole Security Workshop customers have access to a fully integrated CEL evaluator and playground in the rule editor.
📣 We've created a Config Generator to help admins craft Santa configuration!
Fixed
❗ Overzealous caching of executables matching compiler rules could cause transitively created executables to not have rules automatically created
❗ On rare occasions, and only when transitive rules or standalone mode were enabled, Santa could potentially exclude some events from the EventUpload phase of syncing
❗ A very rare crash could occur if an XPC connection went invalid before it finished being established
❗ FAA rules with paths that contained glob characters could cause a memory leak
Changed
↔️ santactl status output, including JSON output via the --json flag, has been slightly changed to provide better data grouping and more consistent output across the groups
↔️ Log messages have been more tightly integrated into Apple's Unified Logging System, meaning the EnableDebugLogging configuration key is no longer needed. Debug logs can be viewed along with other log messages using appropriate arguments with the log(1) command.
↔️ Timestamps in santactl fileinfo now default to UTC. This can be changed to use the local system timezone by using the --localtz flag.
↔️ More Santa files are now included in the tamper resistance protections, including the rules and events databases and the sync state plist.
↔️ Rule information returned by santactl fileinfo and santactl rule now shows the matched rule, not the decision, since the decision is often heavily influenced by runtime information that isn't available during a static check
↔️ Links in the UnknownBlockMessage and BannedBlockMessage configuration keys that are displayed when an execution is blocked are now clickable
Added
➕ (BETA) Rules can now include CEL policies! See our CEL documentation for more details and examples.
➕ Santa now emits distributed notifications when FAA policy violations occur, similar to the notifications that are sent when executions are blocked.
➕ A clean sync can now be initiated from the "About" UI dialog by holding the Option key when clicking the "Sync" button
➕ Executable signing timestamps were added to sync preflight messages and santactl fileinfo output
➕ Paths for Proc FAA rules now also support glob characters in the same way as Data FAA rules.
➕ New checks were added to santactl doctor to look for potential sync server certificate and communication issues
➕ Primary user groups can now be defined by the MachineOwnerGroups or MachineOwnerGroupsKey configuration key. This value is included in preflight requests to allow sync servers to improve rule targeting.
What's Changed
- docs: add back troubleshooting.md by @tburgin in #422
- Initial plumbing for export configuration by @mlw in #416
- Remove EnableDebugLogging config key. Support santactl sync --debug by @mlw in #423
- gui: Allow clean syncing by holding Option by @russellhancox in #420
- Keychain wrapper implementation by @mlw in #425
- Update bazel-contrib by @mlw in #426
- santactl,sync: Add signing timestamps by @russellhancox in #428
- santactl/fileinfo: Add --localtz flag, default to UTC by @russellhancox in #429
- Store export config and send back to sync service by @mlw in #427
- Do not cache allows for compiler processes at the ES layer by @mlw in #430
- Renaming signing timestamp fields by @mlw in #431
- sync: Fix rare issue causing event upload to skip by @russellhancox in #432
- common: Add CEL evaluator by @russellhancox in #424
- Fix rare crash when XPC connections go invalid before completion by @mlw in #433
- santad: Integrate CEL rule processing into execution path by @russellhancox in #434
- Adopt latest AWS export config by @mlw in #435
- cel: Migrate to cel.proto from protos repo by @russellhancox in #437
- santad: Add sync-state.plist to protected files, protect reads by @russellhancox in #438
- santad: If CEL rules fail and FailClosed is true, fail closed. by @russellhancox in #439
- santactl/fileinfo: Change how Rule field is populated by @russellhancox in #436
- Rework how files being exported are tracked by @mlw in #440
- Fix mem leak related to FAA paths with globs by @mlw in #443
- docs: Add info about rule policies by @russellhancox in #446
- gui: Add distributed notifications for FAA blocks by @russellhancox in #447
- docs: Upgrade docusaurus to 3.8.1 by @russellhancox in #449
- build(deps): bump brace-expansion from 1.1.11 to 1.1.12 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #450
- Add glob support to paths for Proc FAA rules by @mlw in #444
- santactl/doctor: Add checks for syncing, update MOLAuth logs by @russellhancox in #448
- Adopt rednose. Basic support for exporting telemetry to S3 by @mlw in #451
- sync: add support for primary user groups by @tburgin in #454
- gui: Make links in custom messages clickable by @russellhancox in #455
- santactl/sync: Add ability to ingest CEL rules. by @russellhancox in #453
- docs: Add basic docs for CEL policy by @russellhancox in #456
- docs: Add missing AddedBadge to CEL policy by @russellhancox in #457
- Support GCP export via Rednose by @mlw in #458
- santactl/fileinfo: Identify static rules by @russellhancox in #459
- Configure rust toolchain for dependencies by @mlw in #460
- Support multi-arch builds by @mlw in #461
- santactl/status: Show status for disabled features by @russellhancox in #465
- santactl/status: Add some new fields, change output groupings, rework JSON output. by @mlw in #467
- santad: Flush cache when CEL rules change by @russellhancox in #468
- santad: Check CEL expression validity before adding to DB by @russellhancox in #469
- santad: Move StaticRule processing into SNTRuleTable. by @russellhancox in #470
- readme: Update shields by @russellhancox in #471
- docs: add owner groups by @tburgin in #472
- gui: Fix minor UI issue when an app sets empty bundle name by @mlw in #474
- build: Fix multi-arch builds for rust by @russellhancox in #478
- build: Check release builds contain both archs by @russellhancox in #477
Full Changelog: 2025.5...2025.6