fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Manage Santa #17370

Open noahtalerman opened 7 months ago

noahtalerman commented 7 months ago

Goal

User story
As a security engineer,
I want to use Fleet to manage Santa
so that I can notify my end users when they're running unauthorized software on their workstations.

Context

  1. Rudolph is an open source Santa server
  2. Rudolph hasn't been updated to support new Santa rules:
    • Team ID rules. Developers (ex. Google) renew their certificates but it's still the same developer (team). I want to authorize software built by Google and I don't want to have to update my Santa rules every time Google renews their certs.
    • Signing ID rules. Similar to Team ID but at application level. For example, I want to authorize a specific Hamachi application and I don't want to have to update my Santa rules every time Hamachi releases a new version.

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

noahtalerman commented 7 months ago

Hey @slashnick! Would love to get your feedback on the below.

Is this accurate? Did we capture the right use cases?

  1. Rudolph is an open source Santa server
  2. Rudolph hasn't been updated to support new Santa rules:
    • Team ID rules. Developers (ex. Google) renew their certificates but it's still the same developer (team). I want to authorize software built by Google and I don't want to have to update my Santa rules every time Google renews their certs.
    • Signing ID rules. Similar to Team ID but at application level. For example, I want to authorize a specific Hamachi application and I don't want to have to update my Santa rules every time Hamachi releases a new version.
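As an added illustration of the Team ID and Signing ID rules above (example code written for this page, not Fleet's, Rudolph's or Santa's own), this is the shape of the `ruledownload` response a Santa sync server would hand to a device, with a validation step so a mistyped identifier never reaches a fleet. Field names follow the Santa sync protocol as assumed here, the identifier shapes (10-character team ID; `TEAMID:id` or `platform:id` for signing IDs) are assumptions to check against the Santa docs, and `ABCDE12345` / `com.example.hamachi` are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Rule is one entry of the "rules" array in a Santa sync "ruledownload" response
// (field names as assumed from the Santa sync protocol; check the Santa docs).
type Rule struct {
	RuleType   string `json:"rule_type"`            // "TEAMID" or "SIGNINGID"
	Policy     string `json:"policy"`               // "ALLOWLIST", "BLOCKLIST", ...
	Identifier string `json:"identifier"`           // team ID, or "TEAMID:signing.id"
	CustomMsg  string `json:"custom_msg,omitempty"` // shown to the user when blocked
}

var (
	idRe = map[string]*regexp.Regexp{ // expected identifier shape per rule type (assumed)
		"TEAMID":    regexp.MustCompile(`^[A-Z0-9]{10}$`),               // Apple team ID
		"SIGNINGID": regexp.MustCompile(`^([A-Z0-9]{10}|platform):.+$`), // "<TEAMID>:<id>" or "platform:<id>"
	}
	policies = map[string]bool{"ALLOWLIST": true, "BLOCKLIST": true, "SILENT_BLOCKLIST": true, "REMOVE": true}
)

// Validate rejects malformed rules before they are pushed to any device: a mistyped
// team ID silently matches nothing, and a signing ID without its team prefix is ambiguous.
func (r Rule) Validate() error {
	want, ok := idRe[r.RuleType]
	if !ok {
		return fmt.Errorf("unsupported rule type %q", r.RuleType)
	}
	if !want.MatchString(r.Identifier) {
		return fmt.Errorf("malformed %s identifier %q", r.RuleType, r.Identifier)
	}
	if !policies[r.Policy] {
		return fmt.Errorf("unsupported policy %q", r.Policy)
	}
	return nil
}

// BuildRuleDownload validates every rule, then renders the JSON body Santa expects.
func BuildRuleDownload(rules []Rule) ([]byte, error) {
	for _, r := range rules {
		if err := r.Validate(); err != nil {
			return nil, err
		}
	}
	return json.Marshal(map[string][]Rule{"rules": rules})
}
```

A Team ID rule keeps matching after the developer renews its certificate, and a Signing ID rule keeps matching across versions of one application, which is exactly what the two bullets above ask for.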
noahtalerman commented 7 months ago

Pulled the issue description from a similar issue (treated as a duplicate) here: #1423

Goal

Explore possibilities for implementing Binary Authorization (aka "application whitelisting") on Fleet's supported platforms.

Implementing binary authorization can meaningfully improve security on managed computers, though it is known for creating a large burden on operators and users of devices due to restrictive configurations.

How?

macOS

Santa

Windows

WDAC

noahtalerman commented 7 months ago

Hey @mikermcneil, heads up, we didn't have the space to take this on in the current design sprint (4.48).

Please feel free to bring it back to feature fest!

noahtalerman commented 6 months ago

@Patagonia121 we discussed this during the last feature fest.

We decided not to work on drafts for this in the upcoming sprint (4.49)

Removing from feature fest.

Patagonia121 commented 6 months ago

@pintomi1989 we should probably try to bring this one back to the next FF

nonpunctual commented 5 months ago

[Screenshot attached, dated 2024-04-23]

slashnick commented 5 months ago

I think a killer feature Fleet could offer is a self-serve workflow for users to allow new binaries. The flow I'm picturing is:

  1. User downloads a binary and tries to run it
  2. The binary gets blocked, because they're running Santa in lockdown mode
  3. They go to the My Device page in Fleet, and click a button to unblock that binary on their machine
  4. On their machine's next sync with Fleet,
    • Maybe Fleet kicks off a santactl sync process as soon as the new rule is added, so the user doesn't have to wait 60 seconds for their device to sync

nonpunctual commented 1 month ago

@noahtalerman @marko-lisica @zwass Many prospective customers are raising this capability. This company has added a full stand-alone module for managing Santa: https://docs.zentral.io/en/latest/apps/santa/

noahtalerman commented 1 month ago

Thanks for the heads up @nonpunctual! And link to Zentral.