Add santa EnableBadSignatureProtection cfg param

zentralopensource · May 14, 2020 · b482be0 · b482be0
1 parent a339c54
commit b482be0
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 1 deletion.
diff --git a/tests/santa/test_configuration.py b/tests/santa/test_configuration.py
@@ -10,10 +10,12 @@ def test_local_configuration_url_keys(self):
 
  config = Configuration.objects.create(name=get_random_string(256),
  more_info_url=more_info_url,
- file_changes_prefix_filters=file_changes_prefix_filters)
+ file_changes_prefix_filters=file_changes_prefix_filters,
+ enable_bad_signature_protection=True)
  local_config = config.get_local_config()
  self.assertEqual(local_config["MoreInfoURL"], more_info_url)
  self.assertEqual(local_config["FileChangesPrefixFilters"], file_changes_prefix_filters)
+ self.assertEqual(local_config["EnableBadSignatureProtection"], True)
 
  def test_blacklist_regex_default_whitelist_regex(self):
  blacklist_regex = get_random_string(34)

diff --git a/zentral/contrib/santa/migrations/0011_configuration_enable_bad_signature_protection.py b/zentral/contrib/santa/migrations/0011_configuration_enable_bad_signature_protection.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.2.10 on 2020-05-11 06:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('santa', '0010_auto_20190603_1543'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='configuration',
+ name='enable_bad_signature_protection',
+ field=models.BooleanField(default=False, help_text='When enabled, a binary that is signed but has a bad signature (cert revoked, binary tampered with, etc.) will be blocked regardless of client-mode unless a binary whitelist.'),
+ ),
+ ]
diff --git a/zentral/contrib/santa/models.py b/zentral/contrib/santa/models.py
@@ -29,6 +29,7 @@ class Configuration(models.Model):
  'whitelist_regex',
  'blacklist_regex',
  'enable_page_zero_protection',
+ 'enable_bad_signature_protection',
  'more_info_url',
  'event_detail_url',
  'event_detail_text',
@@ -73,6 +74,11 @@ class Configuration(models.Model):
  help_text="If this flag is set to YES, 32-bit binaries that are missing the __PAGEZERO segment will be blocked"
  " even in MONITOR mode, unless the binary is whitelisted by an explicit rule."
  )
+ enable_bad_signature_protection = models.BooleanField(
+ default=False,
+ help_text="When enabled, a binary that is signed but has a bad signature (cert revoked, binary tampered with, "
+ "etc.) will be blocked regardless of client-mode unless a binary whitelist."
+ )
  more_info_url = models.URLField(
  blank=True,
  help_text='The URL to open when the user clicks "More Info..." when opening Santa.app. '

diff --git a/zentral/contrib/santa/templates/santa/configuration_detail.html b/zentral/contrib/santa/templates/santa/configuration_detail.html
@@ -60,6 +60,12 @@ <h2>Santa configuration <i>{{ object.name }}</i></h2>
  <td>{{ object.enable_page_zero_protection|yesno }}</td>
  </tr>
  {% endif %}
+ {% if object.enable_bad_signature_protection %}
+ <tr>
+ <td>Enable bad signature protection</td>
+ <td>{{ object.enable_bad_signature_protection|yesno }}</td>
+ </tr>
+ {% endif %}
  {% if object.more_info_url %}
  <tr>
  <td>More info URL</td>