VibeHunt

Santa

Binary authorization system

Santa provides a macOS‑focused binary and file access authorization system. It installs a kernel extension that intercepts execution and file‑access requests, consulting a local rule database to decide whether to allow or block each operation. A GUI agent informs the user of blocked actions, a background service synchronizes policy with a remote server, and a command‑line tool lets administrators manage rules and view events.

The system supports two primary modes: MONITOR, which logs all launches and blocks only explicitly denied binaries, and LOCKDOWN, which permits only binaries listed in the database. Rules can be based on code‑signing attributes such as CDHash, Certificate, TeamID, or SigningID, as well as regular‑expression path patterns, allowing fine‑grained control over publishers or specific files. Built‑in failsafe certificates prevent accidental blocking of essential macOS components, and inter‑process communication is secured by matching signing certificates.

Designed for security‑conscious macOS administrators, Santa offers persistent event logging, caching of allowed binaries for performance, and a modular architecture that validates each user‑land component before interaction. Documentation, deployment guidance, and community support are available through the project’s website and a dedicated Slack channel.
