first commit

.gitignore

@@ -0,0 +1,7 @@
+.DS_Store
+vendor/
+cmd/*/*.crt
+cmd/*/*.key
+cmd/*/*/*.toml
+cmd/*/build/*
+cmd/moroz/moroz

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Victor Vrantchan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,132 @@
+<p align="center">
+<img src="moroz.png" alt="moroz"/><br/>
+</p>
+
+Moroz is a server for the [Santa](https://github.com/google/santa) project.
+
+> Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.
+
+> Santa is a project of Google's Macintosh Operations Team.
+
+# Configurations
+
+Moroz uses [TOML](https://github.com/toml-lang/toml#example) rule files to specify configuration for Santa.
+The path to the folder with the configurations can be specified with `-configs /path/to/configs`.
+
+Moroz expects a `global.toml` file which contains a list of rules. The `global` config can be overriden by providing a machine specific config. 
+To do so, name the file for each host with the santa `machine id` [configuration parameter](https://github.com/google/santa/wiki/Configuration#keys-to-be-used-with-a-tls-server). By default, this is the hardware UUID of the mac.
+
+Below is a sample configuration file:
+
+```
+client_mode = "MONITOR"
+#blacklist_regex = "^(?:/Users)/.*"
+#whitelist_regex = "^(?:/Users)/.*"
+batch_size = 100
+
+[[rules]]
+rule_type = "BINARY"
+policy = "BLACKLIST"
+sha256 = "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda"
+custom_msg = "blacklist firefox"
+
+[[rules]]
+rule_type = "CERTIFICATE"
+policy = "BLACKLIST"
+sha256 = "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d"
+custom_msg = "blacklist dash app certificate"
+```
+
+# Creating rules
+
+Acceptable values for client mode:
+```
+MONITOR | LOCKDOWN
+```
+
+Values for `rule_type`:
+```
+BINARY | CERTIFICATE
+```
+
+Values for `policy`:
+```
+BLACKLIST | WHITELIST
+```
+
+use the santactl command to get the sha256 value: 
+```
+santactl fileinfo /Applications/Firefox.app
+```
+
+# Build
+
+The commands below assume you have `$GOPATH/bin` in your path.
+
+```
+go get -u github.com/golang/dep
+dep ensure
+cd cmd/moroz; go install; cd -
+```
+
+# Run
+
+`moroz`  
+See `moroz -h` for a full list of options.
+
+```
+Usage of moroz:
+  -configs string
+    	path to config folder (default "../../configs")
+  -event-logfile string
+    	path to file for saving uploaded events (default "/tmp/santa_events")
+  -http-addr string
+    	http address ex: -http-addr=:8080 (default ":8080")
+  -tls-cert string
+    	path to TLS certificate (default "server.crt")
+  -tls-key string
+    	path to TLS private key (default "server.key")
+  -version
+    	print version information
+```
+
+# Quickstart
+
+Download the `moroz` binary from the [Releases](https://github.com/groob/moroz/releases) page.
+Copy the `configs` folder from the repo somewhere locally. It must have the `global.toml` file.
+
+
+Generate a self signed certificate which will be used by santa and the server for communication.
+
+```
+openssl genrsa -out server.key 2048
+openssl rsa -in server.key -out server.key
+openssl req -sha256 -new -key server.key -out server.csr -subj "/CN=santa"
+openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
+rm -f server.csr
+```
+
+Add the santa CN to your hosts file.
+
+```
+sudo echo "127.0.0.1 santa" >> /etc/hosts
+```
+
+
+Install Santa
+The latest version of santa is available on the github repo page: https://github.com/google/santa/releases
+
+Configure Santa:
+You will need to provide the `SyncBaseURL` and `ServerAuthRootsFile` settings.
+
+```
+sudo launchctl unload -w /Library/LaunchDaemons/com.google.santad.plist
+sudo defaults write /var/db/santa/config.plist SyncBaseURL https://santa:8080/v1/santa/
+sudo defaults write /var/db/santa/config.plist ServerAuthRootsFile $(pwd)/server.crt
+sudo launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
+```
+
+Start moroz:
+Assumes you have the `./server.crt` and `./server.key` files.
+
+```moroz -configs /path/to/configs/folder```

cmd/moroz/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.4
+
+RUN apk --update add \
+    ca-certificates 
+
+COPY ./build/moroz-linux-amd64 /moroz
+
+CMD ["/moroz"]
+

cmd/moroz/main.go

@@ -0,0 +1,106 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"net/http"
+	"os"
+
+	stdlog "log"
+
+	"github.com/go-kit/kit/log"
+	"github.com/groob/moroz/moroz"
+	"github.com/groob/moroz/santaconfig"
+)
+
+const openSSLBash = `
+Looks like you're missing a TLS certifacte and private key. You can quickly generate one 
+by using the commands below:
+
+openssl genrsa -out server.key 2048
+openssl rsa -in server.key -out server.key
+openssl req -sha256 -new -key server.key -out server.csr -subj "/CN=santa"
+openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
+rm -f server.csr
+
+Add the santa CN to your hosts file.
+
+sudo echo "127.0.0.1 santa" >> /etc/hosts
+
+
+You also will need to configure santa:
+
+sudo launchctl unload -w /Library/LaunchDaemons/com.google.santad.plist 
+sudo defaults write /var/db/santa/config.plist SyncBaseURL https://santa:8080/v1/santa/
+sudo defaults write /var/db/santa/config.plist ServerAuthRootsFile $(pwd)/server.crt
+sudo launchctl load -w /Library/LaunchDaemons/com.google.santad.plist
+
+
+The latest version of santa is available on the github repo page:
+	https://github.com/google/santa/releases
+`
+
+var version = "unknown"
+
+func main() {
+	var (
+		flTLSCert = flag.String("tls-cert", envString("MOROZ_TLS_CERT", "server.crt"), "path to TLS certificate")
+		flTLSKey  = flag.String("tls-key", envString("MOROZ_TLS_KEY", "server.key"), "path to TLS private key")
+		flAddr    = flag.String("http-addr", envString("MOROZ_HTTP_ADDRESS", ":8080"), "http address ex: -http-addr=:8080")
+		flConfigs = flag.String("configs", envString("MOROZ_CONFIGS", "../../configs"), "path to config folder")
+		flEvents  = flag.String("event-logfile", envString("MOROZ_EVENTLOG_FILE", "/tmp/santa_events"), "path to file for saving uploaded events")
+		flVersion = flag.Bool("version", false, "print version information")
+	)
+	flag.Parse()
+
+	if *flVersion {
+		fmt.Printf("moroz version %s\n", version)
+		return
+	}
+
+	if _, err := os.Stat(*flTLSCert); os.IsNotExist(err) {
+		fmt.Println(openSSLBash)
+		os.Exit(2)
+	}
+
+	if !validateConfigExists(*flConfigs) {
+		fmt.Println("you need to provide at least a 'global.toml' configuration file in the configs folder. See the configs folder in the git repo for an example")
+		os.Exit(2)
+	}
+
+	repo := santaconfig.NewFileRepo(*flConfigs)
+	svc, err := moroz.NewService(repo, *flEvents)
+	if err != nil {
+		stdlog.Fatal(err)
+	}
+	logger := log.NewLogfmtLogger(os.Stderr)
+	h := moroz.MakeAPIHandler(svc, logger)
+
+	http.Handle("/v1/santa/", h)
+
+	go func() { fmt.Println("started server") }()
+	stdlog.Fatal(http.ListenAndServeTLS(*flAddr,
+		*flTLSCert,
+		*flTLSKey,
+		nil))
+}
+
+func validateConfigExists(configsPath string) bool {
+	var hasConfig = true
+	if _, err := os.Stat(configsPath); os.IsNotExist(err) {
+		hasConfig = false
+	}
+	if _, err := os.Stat(configsPath + "/global.toml"); os.IsNotExist(err) {
+		hasConfig = false
+	}
+	if !hasConfig {
+	}
+	return hasConfig
+}
+
+func envString(key, def string) string {
+	if env, ok := os.LookupEnv(key); ok {
+		return env
+	}
+	return def
+}

cmd/moroz/release.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+VERSION="$(git describe --tags --always --dirty)"
+NAME=moroz
+
+echo "Building $NAME version $VERSION"
+
+mkdir -p build
+
+build() {
+  echo -n "=> $1-$2: "
+  GOOS=$1 GOARCH=$2 CGO_ENABLED=0 go build -o build/$NAME-$1-$2 -ldflags "\
+      -X main.version=${VERSION}" ./main.go
+  du -h build/$NAME-$1-$2
+}
+
+build "darwin" "amd64"
+build "linux" "amd64"

configs/global.toml

@@ -0,0 +1,16 @@
+client_mode = "MONITOR"
+#blacklist_regex = "^(?:/Users)/.*"
+#whitelist_regex = "^(?:/Users)/.*"
+batch_size = 100
+
+[[rules]]
+rule_type = "BINARY"
+policy = "BLACKLIST"
+sha256 = "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8eda"
+custom_msg = "blacklist firefox"
+
+[[rules]]
+rule_type = "CERTIFICATE"
+policy = "BLACKLIST"
+sha256 = "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d"
+custom_msg = "blacklist dash app certificate"

lock.json

@@ -0,0 +1,79 @@
+{
+    "memo": "e8e16180a1501b2d6c026119e81ae561492bbb8b2badc2a47f60ad19c8d81b58",
+    "projects": [
+        {
+            "name": "github.com/BurntSushi/toml",
+            "version": "v0.2.0",
+            "revision": "bbd5bb678321a0d6e58f1099321dfa73391c1b6f",
+            "packages": [
+                "."
+            ]
+        },
+        {
+            "name": "github.com/go-kit/kit",
+            "branch": "master",
+            "revision": "fadad6fffe0466b19df9efd9acde5c9a52df5fa4",
+            "packages": [
+                "endpoint",
+                "log",
+                "transport/http"
+            ]
+        },
+        {
+            "name": "github.com/go-logfmt/logfmt",
+            "version": "v0.3.0",
+            "revision": "390ab7935ee28ec6b286364bba9b4dd6410cb3d5",
+            "packages": [
+                "."
+            ]
+        },
+        {
+            "name": "github.com/go-stack/stack",
+            "version": "v1.5.2",
+            "revision": "100eb0c0a9c5b306ca2fb4f165df21d80ada4b82",
+            "packages": [
+                "."
+            ]
+        },
+        {
+            "name": "github.com/gorilla/context",
+            "version": "v1.1",
+            "revision": "1ea25387ff6f684839d82767c1733ff4d4d15d0a",
+            "packages": [
+                "."
+            ]
+        },
+        {
+            "name": "github.com/gorilla/mux",
+            "version": "v1.3.0",
+            "revision": "392c28fe23e1c45ddba891b0320b3b5df220beea",
+            "packages": [
+                "."
+            ]
+        },
+        {
+            "name": "github.com/kr/logfmt",
+            "branch": "master",
+            "revision": "b84e30acd515aadc4b783ad4ff83aff3299bdfe0",
+            "packages": [
+                "."
+            ]
+        },
+        {
+            "name": "golang.org/x/net",
+            "branch": "master",
+            "revision": "d379faa25cbdc04d653984913a2ceb43b0bc46d7",
+            "packages": [
+                "context/ctxhttp"
+            ]
+        },
+        {
+            "name": "gopkg.in/natefinch/lumberjack.v2",
+            "branch": "v2.0",
+            "revision": "dd45e6a67c53f673bb49ca8a001fd3a63ceb640e",
+            "packages": [
+                "."
+            ]
+        }
+    ]
+}