In the evolving landscape of macOS security, NorthPoleSec’s Santa has earned a solid reputation as a flexible and lightweight endpoint security tool. Originally developed by Google, Santa acts as a binary whitelisting/blacklisting system, but in recent iterations, it also provides incredibly powerful features including file-access authorization. This lesser-known feature is a game-changer for protecting sensitive data on disk, such as session tokens, SSH keys, and browser cookies.

In this post, we’ll take a look at how Santa’s file access authorization mechanism works and how you can configure it to prevent common threat actor behaviors on macOS endpoints.

What Is Santa’s File-Access Authorization?

File-Access Authorization (FAA) intercepts attempts by binaries to access specified files — before macOS even serves the request.

This gives administrators granular control over which binaries (by hash, path, or code signature) are permitted to touch certain locations on disk.

FAA process flow

Understanding Path Pattern Matching and Globbing

Santa evaluates file-access rules by first resolving the “real path” of the requested file (following symlinks), then matching that path against the configured prefix and glob patterns:

  • Prefix Matching: Santa checks for any rule whose target path is an exact prefix of the real path; if several prefixes match, the longest one applies.
  • Glob Matching: If no prefix rule applies, Santa evaluates glob rules, in which * is a single-level wildcard matching zero or more characters.
    • * matches across directory separators only if it is explicitly placed before or after a / (e.g. /Users/*/file).

Rule Selection

If both prefix and glob rules match, Santa gives precedence to the prefix rule.

Rule    Type  Path
Rule A  Path  /Users/alice/Documents/
Rule B  Glob  /Users/*/Documents/*

Rules A and B both match /Users/alice/Documents/Secrets.txt; however, Rule A takes priority because it is the longer (prefix) match.
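The selection order described above, as an added Python model that is not Santa's own code: resolve the real path, prefer the longest matching prefix rule, and fall back to globs only when no prefix matched. It assumes, as the post says, that * is a single-level wildcard that never crosses a /; Rule C is a constructed extra prefix rule to show that the longest prefix wins.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

@dataclass(frozen=True)
class FAARule:
    name: str
    kind: str      # "prefix" (the table's "Path" type) or "glob"
    pattern: str

def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption taken from the post: * is a single-level wildcard, so it
    # matches zero or more characters within one path component and never
    # crosses a "/". "/Users/*/Documents/*" therefore matches
    # /Users/bob/Documents/x.txt but not /Users/bob/Documents/sub/x.txt.
    literal = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^/]*".join(literal) + "$")

def select_rule(rules: Sequence[FAARule], requested: str,
                realpath: Callable[[str], str] = os.path.realpath) -> Optional[FAARule]:
    """Return the rule that applies to `requested`, in the order the post
    describes: resolve symlinks, prefer the longest matching prefix rule,
    and consult glob rules only when no prefix rule matched."""
    real = realpath(requested)
    prefix_hits = [r for r in rules if r.kind == "prefix" and real.startswith(r.pattern)]
    if prefix_hits:
        return max(prefix_hits, key=lambda r: len(r.pattern))
    for rule in rules:
        if rule.kind == "glob" and _glob_to_regex(rule.pattern).match(real):
            return rule
    return None

# The post's Rule A and Rule B, plus a shorter prefix rule (constructed) to
# show that the longest prefix wins.
RULES = [
    FAARule("Rule A", "prefix", "/Users/alice/Documents/"),
    FAARule("Rule B", "glob", "/Users/*/Documents/*"),
    FAARule("Rule C", "prefix", "/Users/alice/"),
]

if __name__ == "__main__":
    for p in ("/Users/alice/Documents/Secrets.txt", "/Users/bob/Documents/Secrets.txt",
              "/Users/bob/Documents/sub/x.txt"):
        hit = select_rule(RULES, p)
        print(p, "->", hit.name if hit else "no rule")
```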

Rule Refresh Interval

By default, Santa loads FAA rules on startup and periodically polls for updates. The refresh interval is controlled by the FAARefreshIntervalSec key in the Santa configuration. The default value is 600 seconds with a minimum possible value of 15 seconds.

This introduces a potential race condition: files that should be monitored by Santa remain effectively unmonitored for up to the length of the refresh interval, which could give an attacker a brief opportunity to circumvent FAA rules.

Pitfalls and Best Practices

Crafting FAA rules requires precision and testing. It is very easy to create an overly restrictive path rule that prevents critical system services, such as XProtect and endpoint security products, from functioning, and such a rule can be difficult to revert depending on how the configuration is being applied.

  • Set AuditOnly to true during initial development; this logs what would be blocked without actually denying access.
  • Wildcards in paths such as /Users/*/.* can lock out native system utilities. Be as specific as possible with path patterns and use wildcards sparingly.
  • Auto-updating tools can change checksums or file paths. Give preference to certificate- or signing-identifier-based rules.

Use Case: Protecting Chrome Cookies

In a world of all-things-SSO and strong MFA, session tokens have become the next logical target - if you can’t steal the credentials, steal the thing they grant access to.

In the case of most identity providers, after you pass through the authentication flow, the only thing protecting your session token is the browser itself - this makes post-auth session tokens extremely valuable, as they can be leveraged to access applications gated by SSO.

Cookies are stored by Chrome in a SQLite database located at ~/Library/Application Support/Google/Chrome/<Profile>/Cookies, which is encrypted using a passphrase stored in the macOS login keychain. An attacker able to access this database may be able to perform offline attacks against the keychain, which is itself encrypted using the device password, in order to retrieve the Chrome Safe Storage passphrase and decrypt the cookie database.

The rule below restricts access to the cookies SQLite database, across all device users and browser profiles, to processes with the signing ID com.google.Chrome.helper, i.e. the Chrome Helper process. This prevents unauthorised access attempts to the cookie store while still allowing the browser to function normally.

<key>Chrome_Cookies</key>
<dict>
 <key>Paths</key>
 <array>
  <dict>
   <key>Path</key>
   <string>/Users/*/Library/Application Support/Google/Chrome/*/Cookies</string>
  </dict>
 </array>
 <key>Options</key>
 <dict>
  <key>AllowReadAccess</key>
  <false />
  <key>AuditOnly</key>
  <false />
  <key>EnableSilentMode</key>
  <true />
  <key>RuleType</key>
  <string>PathsWithAllowedProcesses</string>
 </dict>
 <key>Processes</key>
 <array>
  <dict>
   <key>TeamID</key>
   <string>EQHXZ8M8AV</string>
   <key>SigningID</key>
   <string>com.google.Chrome.helper</string>
  </dict>
 </array>
</dict>

Restricting access to com.google.Chrome.helper, and not simply com.google.Chrome, is necessary to prevent an attacker from leveraging the browser itself to retrieve the database from disk.
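To check a rule set against the pitfalls listed earlier (over-broad wildcards, path-only process matches, enforcing before auditing) before shipping it, here is an added Python lint that is not part of Santa. The sample plist is constructed: it contains the post's Chrome_Cookies rule plus a deliberately bad rule; the BinaryPath process key is assumed, and in a real policy file these named rules sit under the top-level WatchItems dictionary.

```python
import plistlib

# Constructed sample (not a real policy file): the post's Chrome_Cookies rule
# plus a deliberately over-broad rule of the kind the post warns about. In a
# real Santa FAA policy these named rules sit under the top-level WatchItems key.
SAMPLE_RULES = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>Chrome_Cookies</key><dict>
  <key>Paths</key><array><dict><key>Path</key>
   <string>/Users/*/Library/Application Support/Google/Chrome/*/Cookies</string></dict></array>
  <key>Options</key><dict><key>AllowReadAccess</key><false/><key>AuditOnly</key><false/>
   <key>EnableSilentMode</key><true/><key>RuleType</key><string>PathsWithAllowedProcesses</string></dict>
  <key>Processes</key><array><dict><key>TeamID</key><string>EQHXZ8M8AV</string>
   <key>SigningID</key><string>com.google.Chrome.helper</string></dict></array>
 </dict>
 <key>Broad_Dotfiles</key><dict>
  <key>Paths</key><array><dict><key>Path</key><string>/Users/*/.*</string></dict></array>
  <key>Options</key><dict><key>AuditOnly</key><false/>
   <key>RuleType</key><string>PathsWithAllowedProcesses</string></dict>
  <key>Processes</key><array><dict><key>BinaryPath</key><string>/usr/bin/ssh</string></dict></array>
 </dict>
</dict></plist>""")

def lint_rules(rules: dict) -> dict:
    """Return {rule_name: [findings]} for the pitfalls the post lists."""
    findings = {}
    for name, rule in rules.items():
        problems = []
        for entry in rule.get("Paths", []):
            # A wildcard-only leaf (e.g. /Users/*/.*) sweeps in dotfiles and
            # system-managed paths: the lock-out case the post warns about.
            leaf = entry["Path"].rstrip("/").rsplit("/", 1)[-1]
            if leaf in ("*", ".*"):
                problems.append(f"over-broad glob {entry['Path']!r}")
        opts = rule.get("Options", {})
        if opts.get("RuleType") == "PathsWithAllowedProcesses" and not rule.get("Processes"):
            problems.append("no Processes listed: every access would be denied")
        for proc in rule.get("Processes", []):
            # A path- or hash-only match breaks when the tool auto-updates.
            if not any(k in proc for k in ("TeamID", "SigningID")):
                problems.append("process matched without TeamID/SigningID")
        if problems and not opts.get("AuditOnly", False):
            problems.append("enforcing (AuditOnly false) while findings remain")
        findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in lint_rules(SAMPLE_RULES).items():
        print(name, "->", problems or "OK")
```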

Detecting Indicators of Compromise via Santa Logs

Santa’s FAA not only enforces access policies but also doubles as a sensor for malicious or anomalous activity. Any denied access attempt generates a Unified Logging event under the subsystem com.apple.santa, including details such as the requested path, PID, and code signature of the requesting binary.

Repeated or unusual denies - especially against high-value paths - can be potential indicators of:

  • Data exfiltration attempts: a non-Chrome process being denied access to Chrome’s Cookies database suggests attempts to steal session tokens.
  • Lateral movement or privilege escalation: unauthorized reads of SSH keys or keychain backups often accompany post-exploit reconnaissance.
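The triage described above, as an added Python example that is not part of Santa: parse FAA records, count denies per policy, signing ID and process, and raise the two indicator types the post names. The log records are constructed and only imitate Santa's pipe-delimited key=value style; the field names (policy_name, decision, signingid, process) and the SSH_Keys policy are assumptions.

```python
from collections import Counter

# Constructed sample records (not real Santa output). They imitate Santa's
# pipe-delimited key=value log style; the field names are assumptions.
SAMPLE_LOG = """\
action=FILE_ACCESS|policy_name=Chrome_Cookies|path=/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies|decision=ALLOW|pid=812|process=Google Chrome Helper|signingid=com.google.Chrome.helper
action=FILE_ACCESS|policy_name=Chrome_Cookies|path=/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies|decision=DENY|pid=4021|process=python3|signingid=com.apple.python3
action=FILE_ACCESS|policy_name=Chrome_Cookies|path=/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies|decision=DENY|pid=4021|process=python3|signingid=com.apple.python3
action=FILE_ACCESS|policy_name=Chrome_Cookies|path=/Users/alice/Library/Application Support/Google/Chrome/Profile 1/Cookies|decision=DENY|pid=4021|process=python3|signingid=com.apple.python3
action=FILE_ACCESS|policy_name=SSH_Keys|path=/Users/alice/.ssh/id_ed25519|decision=DENY|pid=4377|process=curl|signingid=com.apple.curl
action=EXEC|decision=ALLOW|pid=4400|path=/usr/bin/ssh|signingid=com.apple.ssh
"""

# Which FAA policies guard high-value data, and what a deny against them suggests.
HIGH_VALUE = {
    "Chrome_Cookies": "possible session-token theft",
    "SSH_Keys": "possible lateral movement / post-exploit reconnaissance",
}

def parse_record(line: str) -> dict:
    """Split one pipe-delimited record into a field dict (first '=' separates key and value)."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def deny_counts(log_text: str) -> Counter:
    """Count DENY decisions per (policy, signing ID, process name); non-FAA records are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("action") == "FILE_ACCESS" and rec.get("decision") == "DENY":
            counts[(rec["policy_name"], rec.get("signingid", "?"), rec.get("process", "?"))] += 1
    return counts

def alerts(log_text: str, threshold: int = 1) -> list:
    """Return denies against high-value policies that reach `threshold`,
    most frequent first, each tagged with the indicator it points to."""
    out = []
    for (policy, signingid, process), n in deny_counts(log_text).items():
        if policy in HIGH_VALUE and n >= threshold:
            out.append({"policy": policy, "signingid": signingid, "process": process,
                        "denies": n, "indicator": HIGH_VALUE[policy]})
    return sorted(out, key=lambda a: -a["denies"])

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"{a['denies']}x {a['policy']} denied to {a['signingid']} ({a['process']}): {a['indicator']}")
```

On a real host the same functions can run over the output of log show --predicate 'subsystem == "com.apple.santa"' once parse_record is adapted to the field names that appear in the actual records.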

Conclusion

Santa’s file-access authorization extends the macOS security perimeter from code execution to data exfiltration. By integrating FAA rules into your workflow, you can enforce least-privilege access to critical assets. With these controls in place, macOS endpoints become far more resilient against stealthy attackers attempting to capture and exfiltrate sensitive data.