Hey guys, I posted the first part of this as a feature request on Google Santa (google/santa#1234) a while back, but I thought I'd copy it over here now that things have changed. There are two things on my mind:
I guess you'll come across more clients like us who are using Santa differently to Google, whereas, as you mention on the MacAdmins podcast, the purpose was 'if it's not malware then allow it'. Various security requirements have us maintain a list of allowed applications on our devices and regularly review that list, so the shorter it is the better. We have 600 rules for 50 Macs, which already more or less rules out a manual review, but my bet is a few hundred of those are no longer used. Compare that to 40 rules for AppLocker on our x50 Windows devices (I know a direct comparison is not really fair here).
I assume NPS are planning to build a SaaS Santa server and you'll want to minimise the traffic hitting it, which may mean removing the EnableAllEventUpload option (at least after initial allowlist building) so you don't get inadvertently DDoS'd by your customers. An alternative might be for the agent to send a list of all rules it had hits against since the last sync. The server can then easily track which rules have recently been used on one or more machines.
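A sketch of the server side of the idea above, as an added example (not Santa, NPS or the poster's code): it assumes a hypothetical per-sync report in which the agent sends the identifiers of the rules that produced a decision since the last sync. The server keeps the most recent hit per rule across all machines and can then list rules no machine has used within a review window, which is the prune list the poster wants. The report format, the `RuleUsageTracker` class and the sample data are all constructed for this illustration.

```python
"""Track which Santa allow rules still see hits, given per-sync hit reports.

Added example, not project code. Assumed (hypothetical) agent report:
at each sync the agent sends the rule identifiers that matched an
execution since its previous sync. Rule identifiers here are strings
such as "SHA256:<hash>", "CERT:<hash>", "TEAMID:<id>" or "SIGNINGID:<id>";
the real wire format is an assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class RuleUsage:
    last_hit: datetime | None = None                   # most recent hit on any machine
    machines: set[str] = field(default_factory=set)    # machines that reported a hit
    syncs_with_hit: int = 0                            # syncs in which the rule was reported


class RuleUsageTracker:
    """Server-side bookkeeping: one RuleUsage per rule the server distributes."""

    def __init__(self, rule_ids: list[str]):
        # Seed with every known rule so rules that are never hit show up as stale.
        self.usage: dict[str, RuleUsage] = {rid: RuleUsage() for rid in rule_ids}

    def ingest_sync(self, machine_id: str, synced_at: datetime,
                    hit_rule_ids: list[str]) -> list[str]:
        """Record one sync from one machine; return rule IDs the server does not know.

        Unknown IDs are worth surfacing: the agent has a local rule the
        server never distributed, which a review of the allowlist should catch.
        """
        unknown: list[str] = []
        for rid in set(hit_rule_ids):          # de-duplicate within one sync
            usage = self.usage.get(rid)
            if usage is None:
                unknown.append(rid)
                continue
            usage.syncs_with_hit += 1
            usage.machines.add(machine_id)
            if usage.last_hit is None or synced_at > usage.last_hit:
                usage.last_hit = synced_at
        return sorted(unknown)

    def stale_rules(self, now: datetime, window: timedelta) -> list[str]:
        """Rules with no hit on any machine within `window`, or never hit at all."""
        cutoff = now - window
        return sorted(rid for rid, u in self.usage.items()
                      if u.last_hit is None or u.last_hit < cutoff)

    def machine_count(self, rule_id: str) -> int:
        """How many distinct machines have reported a hit for this rule."""
        return len(self.usage[rule_id].machines)


def demo() -> dict:
    """Constructed sample data: four server rules, two Macs, a 30-day review window."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    tracker = RuleUsageTracker(
        ["SHA256:aaa", "CERT:bbb", "TEAMID:ccc", "SIGNINGID:ddd"]
    )
    # mac2 hit the certificate rule 45 days ago, then only the team-ID rule recently.
    unknown_from_mac2 = tracker.ingest_sync(
        "mac2", now - timedelta(days=45), ["CERT:bbb"]
    )
    unknown_from_mac2 += tracker.ingest_sync(
        "mac2", now - timedelta(days=2), ["TEAMID:ccc"]
    )
    # mac1 reports two hits yesterday plus a rule the server never distributed.
    unknown_from_mac1 = tracker.ingest_sync(
        "mac1", now - timedelta(days=1),
        ["SHA256:aaa", "TEAMID:ccc", "TEAMID:ccc", "SHA256:local-only"]
    )
    return {
        "stale": tracker.stale_rules(now, timedelta(days=30)),
        "unknown": unknown_from_mac1 + unknown_from_mac2,
        "teamid_machines": tracker.machine_count("TEAMID:ccc"),
    }


if __name__ == "__main__":
    print(demo())
```

With this constructed data the 30-day review turns up `CERT:bbb` (last hit 45 days ago) and `SIGNINGID:ddd` (never hit), while `TEAMID:ccc` is seen on both machines and `SHA256:local-only` is flagged as a rule the server did not distribute. Because the agent would only send identifiers of rules that matched, the report stays small regardless of how many executions happened, which is the traffic argument the post makes against uploading every event.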