Welcome to this user-friendly guide on Moroz, a server designed for the Santa project, an advanced binary allowlisting/blocklisting system for macOS. Think of Moroz as the vigilant guard at the gate, ensuring only the approved applications can access your system. Let’s walk through the steps to configure and run Moroz effectively.
Step 1: Understanding Moroz Configuration
Moroz uses TOML rule files to specify its configurations. It expects a global.toml file, which includes a list of rules governing the allowed and blocked applications. Additionally, you can provide machine-specific configurations by naming the file according to the Santa machine ID, which defaults to the hardware UUID of your Mac.
Step 2: Sample Configuration File
Here’s an example of what a typical configuration file might look like:
client_mode = "MONITOR"
#blocklist_regex = "^(?:Users).*"
#allowlist_regex = "^(?:Users).*"
batch_size = 100
[[rules]]
rule_type = "BINARY"
policy = "BLOCKLIST"
sha256 = "2dc104631939b4bdf5d6bccab76e166e37fe5e1605340cf68dab919df58b8edac"
custom_msg = "blocklist firefox"
[[rules]]
rule_type = "CERTIFICATE"
policy = "BLOCKLIST"
sha256 = "e7726cf87cba9e25139465df5bd1557c8a8feed5c7dd338342d8da0959b63c8d"
custom_msg = "blocklist dash app certificate"
[[rules]]
rule_type = "TEAMID"
policy = "ALLOWLIST"
identifier = "EQHXZ8M8AV"
custom_msg = "allow google team id"
[[rules]]
rule_type = "SIGNINGID"
policy = "ALLOWLIST"
identifier = "EQHXZ8M8AV:com.google.Chrome"
custom_msg = "allow google chrome signing id"
Think of the global.toml file as the library of rules for an elite security team. Each rule operates like a different book, detailing who is allowed in (allowlist) and who is barred from entry (blocklist).
Step 3: Creating Rules
When creating rules, you’ll need to consider the following:
- Acceptable client modes: MONITOR, LOCKDOWN
- Rule types: BINARY, CERTIFICATE, TEAMID, SIGNINGID
- Policies: BLOCKLIST, ALLOWLIST, ALLOWLIST_COMPILER, REMOVE
Step 4: Building Moroz
To build Moroz, follow these commands:
cd cmd/moroz
go build
Step 5: Running Moroz
Once built, you can run Moroz using the command:
moroz -configs /path/to/configs/folder
For a full list of options, you can use:
moroz -h
Step 6: Quickstart
To get started quickly, download the Moroz binary from the Releases page. Then, follow these steps:
- Copy the configs folder (which must include the global.toml file) to a local directory.
- Generate a self-signed certificate for communication between Santa clients and the server using the command:
./tools/dev/certificate/create
- Add Santa CN to your hosts file:
echo "127.0.0.1 santa" | sudo tee -a /etc/hosts
- Add the self-signed cert to your system roots:
./tools/dev/certificate/add-trusted-cert
Troubleshooting
If you face issues while running Moroz, consider the following:
- Ensure that the configuration files are correctly structured and located in the specified path.
- Check that all required certificates and keys are correctly generated and positioned.
- Consult the logs for any error messages that can give clues regarding the issue.