github northpolesec/santa 2026.3
v2026.3

6 hours ago

Notes

Announcements

🎉 Get the most out of Santa with Workshop! Workshop is North Pole Security's official sync service, designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Learn more at northpole.security.

📣 There is now a "Santa Lite" package included in the release. It is generally not recommended to use this but we recognize there are users that want reduced packaging. Read the Lite Package docs for more information.

🔒 Security Advisory: For security reasons, we strongly recommend all users update to Santa 2025.12 or newer. On prior versions, an attacker with admin privileges could bypass Santa. A detailed blog post will be published soon with more information.

Fixed

❗ Fixed issue where sync interval settings were not always being correctly applied
Workshop customers: Improved handling of network mount name formats

Changed

↔️ Sync interval settings sent by the sync server are now persisted and will be used as the default on restarts
↔️ Workshop customers: Telemetry filter expressions from the MDM config now take precedence over filter expressions configured in Workshop

Added

➕ Santa can now enforce encryption settings when blocking/remounting removable media (currently APFS only)
➕ Several performance and memory improvements to keep Santa snappy
➕ Santa can be configured with a set of signing IDs to extend pid_suspend protections to other software
santactl fileinfo now has an "expected decision" field that shows if Santa is expected to allow or deny the execution (note: runtime characteristics may still result in a different decision being applied)
➕ CEL policies now have access to path and is_platform_binary properties
santactl doctor now validates FAA configurations
➕ Block reason has been added to the UI/TTY
➕ Added pid_suspend/pid_resume to telemetry
Workshop customers: CEL fallback policies - You can now add CEL expressions that can apply a global policy in the event no specific rule matched
Workshop customers: CEL policies can now access ancestor execution arguments
Workshop customers: CEL policies can now access basic file descriptor information, enabling policies to express how to handle conditions like stdin attached to a pipe or socket
Workshop customers: Added real-time command to trigger hosts to upload installed binaries/bundles
Workshop customers: MDM policies can now define the set of allowed real-time commands
Workshop customers: Santa will now upload metrics directly to Workshop by default, allowing performance monitoring


Santa documentation can be found at northpole.dev.

What's Changed

  • docs: Update serialize-javascript dep by @russellhancox in #828
  • docs: Update ajv by @russellhancox in #829
  • Improve perf related to event metrics by @mlw in #833
  • Wrap proc token data in shared_ptr to reduce retains/releases by @mlw in #835
  • ci: Ensure that added unit tests are included in the unit_tests rule by @russellhancox in #834
  • Protobuf encoding perf improvements by @mlw in #836
  • Fix unbounded arena growth in CEL Evaluator by @pmarkowsky in #831
  • add missing notification keys by @arubdesu in #832
  • docs: Update multiple deps by @russellhancox in #837
  • Support ancestor args in CEL policies by @mlw in #840
  • Reuse SNTCachedDecision when a non-cacheable CEL policy matched by @mlw in #839
  • Add fallback CEL expressions by @russellhancox in #838
  • ui: Add block reason to GUI/TTY by @russellhancox in #842
  • santactl/fileinfo: Add Expected Decision field by @russellhancox in #843
  • config: Persist sync intervals, display in status by @russellhancox in #845
  • santad: Flush cache when CEL fallback rules change by @russellhancox in #847
  • cel: Add fds field to CELv2 policies by @russellhancox in #846
  • pkg: Add lite version by @russellhancox in #841
  • device: enforce drive encryption by @sharvilshah in #824
  • telemetry: Rename REASON_FALLBACK_CEL -> REASON_CEL_FALLBACK by @russellhancox in #850
  • Decouple metrics from ES classes by @mlw in #852
  • Move ES library wrappers to Source/common/es/ by @mlw in #853
  • Move ES client base classes to Source/common/es/ by @mlw in #854
  • Upgrade all actions by @mlw in #855
  • Move ProcessTree to Source/common/pt/ and CSOpsHelper to Source/common/ by @mlw in #856
  • config: added a configuration key to allowlist Santa commands by @sharvilshah in #849
  • config: Use MDM telemetry filter expressions before sync by @russellhancox in #858
  • Fix various style inconsistencies by @mlw in #857
  • Remove old, unmaintained fuzzing code by @mlw in #859
  • Remove now-unnecessary generated proto wrappers by @mlw in #860
  • Bump bazel version and deps by @mlw in #862
  • i18n(ru): Fix critical translation errors and improve naturalness by @HelysDU in #851
  • sync: handle blockUnencryptedRemovableMedia in preflight by @sharvilshah in #864
  • cel: Add path, target.is_platform_binary and target.team_id fields by @russellhancox in #863
  • Add EventUpload santa command handler by @pmarkowsky in #772
  • protos: update hash, sync: set encrypted for USBMountEvent by @sharvilshah in #865
  • Move to os_unfair_lock to address inversion issues by @mlw in #866
  • Update telemetry.md docs to match code defaults by @tikotzky in #861
  • Process tree perf improvements by @mlw in #867
  • Add remove_if method on SantaCache by @mlw in #868
  • Sync the chrome cookies example on the FAA page by @mlw in #871
  • Silence cel-cpp repo warnings by @mlw in #875
  • Fix returning nil when non-null required by @mlw in #876
  • Extract AuditTokenForPid into new impl file by @mlw in #873
  • Update docs deps by @mlw in #879
  • More docs deps by @mlw in #880
  • santactl/doctor: Validate FAA rules in MDM config by @russellhancox in #874
  • metrics: Add sync-based export by @russellhancox in #869
  • Update clang-format config and apply by @russellhancox in #878
  • Document FAA key name constraints by @mlw in #881
  • Handle more mount name formats when blocking network mounts by @mlw in #882
  • Fix issue with sync intervals by @mlw in #884
  • Update docs deps by @mlw in #886
  • Add logging support for ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME by @pmarkowsky in #883
  • Remove unnecessary stub properties/methods by @mlw in #887
  • santad: Use format_to instead of NSString stringWithFormat, remove unused param to CreateDefaultString by @russellhancox in #888
  • Fix Timer deadlock when destroyed from callback by @mlw in #889
  • Use persisted sync intervals as fallback on startup by @mlw in #885
  • Avoid unnecessary string copies in Message::PathTarget by @mlw in #890
  • Update doc deps by @mlw in #891
  • Update doc deps by @mlw in #893
  • Add network extension docs by @mlw in #895
  • common: Update MOLXPCConnection to use designated requirements by @russellhancox in #894
  • chmod santactl by @mlw in #897
  • store and replay rule id for exec and faa events by @tburgin in #898
  • docs: Update vite by @russellhancox in #899
  • device: support distinct remount args for encrypted and unencrypted policies by @sharvilshah in #896
  • Update TCC profiles with network extension info by @mlw in #900
  • docs: rename and redirect usb-sd-blocking.md to removable-media-blocking.md by @sharvilshah in #901
  • santad: Add pid_suspend protection for other processes by @russellhancox in #904
  • Upgrade nats.c to latest stable release by @pmarkowsky in #903
  • santactl/doctor: Provide feedback for individual rules by @russellhancox in #906
  • Remove some debug logs related to CEL processing by @mlw in #907

New Contributors

Full Changelog: 2026.2...2026.3
