arubdesu/ruler.py

## ruler.py
#!/usr/bin/python
"""Shoves down santa rules 5 at a time to whitelist certs/binaries
NOTICE - if you have a sync server like Zentral configured, you cannot add rules
"""
import os
import subprocess
from multiprocessing.dummy import Pool as ThreadPool

if os.geteuid() != 0:
    exit("Please run this script as root.")
pool = ThreadPool(5)
shas = [
    "10b716799ecc07f472e6475ac6395cf76d7b180da7fc665fa7399e931d0540e5",#        BINARIES: /opt/puppetlabs/puppet/bin/augparse
    "10e5efeba67a600d3dcafc1cf3ee1bbb854c3d41a65fa3e9466e8e565d76c3eb",# /opt/puppetlabs/puppet/bin/ruby
    "2533995e290b235bc98dcd9142df49101017ce2d9b860b0bbe8e841a780e6009",# /Applications/Docker.app/Contents/Resources/bin/docker
    "3b45cef4efbd9a437a18669e6a7bce4e24456bb1c6cedfe039fda4ed9277c652",# /Library/DropboxHelperTools/Dropbox_u841296058/dbaccessperm
    "58926d227548537c86b69b88906f1cbafbd689f5289323c13a3c2a31019f872b",# /Applications/Managed Software Center.app
    "5d76ffc5b716f065bb0a2218fb05f1249e7e9ba83e960e7ed0a9b0c2aae58f56",# /Applications/Docker.app/Contents/Resources/bin/http2client
    "7b30e3c645301d2e41006c9da04b6b50c6bca32843aafd7ee7dcf900d50c4549",# /Applications/TextMate.app/Contents/Resources/mate
    "c478494745d20331d0eb83286828dae7afead2cd6b4bcbf4401888ec8ce8f364",# /opt/puppetlabs/puppet/bin/facter
    "e11090b15e08ae267e4fbfb6581f72b4fa5996d2a54ad2a45711e407d514c2ae",# /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
    "f4178ce09f21ec92b19a9ec1ded51e9356fe329c0b2015d1d93595cabdf5b561"# /Users/abanks/Library/Application Support/TextMate/Ruby/1.8.7/bin/ruby
    ]
certs = [
    "0cf15940ebd239cc47a5d3d1d7ebcf4dba963299fc30511ae8146ffa3051db10",#        CERTS: Cinch.app
    "15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153",# GoogleSoftwareUpdateAgent (~)
    "1808a95f11169c7212a45b44c1c547c1f3e810915014bd892435253a3f8761ca",# Citrix ServiceRecords/ReceiverHelper
    "259187ec002d9015f88abc6e6421027a202ea95c1960db91a0c54ac8dc0500f1",# bomgar-rep
    "259aba4c7924f2ae7b1770c00f0eafc0dc1b433c03ebb3ffa5c56ea9a7689d3b",# osqueryi
    "2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2",# Dropbox/garcon
    "2d78ade98f19b5cee99c2eaa47745018b671c41a63da6941eb679db339753057",# Textmate
    "34e1933590ebd8b05a8c425327ed794bfff9f018008c19d247ccf94ea622b60b",# Cisco anyconnect/bin/vpnagentd -execv_instance
    "380e6394a2cb49ec1b1aeb588bdddb6a4d031145e6754aa70e935aa64082def5",# Github Desktop/Atom
    "45fd79a19e12bbafeeaeaadd5a34ad7b2ea587f0edddfa75eca6329fa6575be8",# Mactracker
    "4d60a649f7c6db9aa23690be8db2cc28211fa415feec62ccb91352050d800295",# QuickRadar
    "4f1c352e8f62316e649c42bb7dfae0917d6f73fa72cb86850883e8e2ed519c69",# Charles
    "537abaf0432a214b0495f712317b146eb18c0beb3b0e2255473abf2f8dbb2e3a",# VLC
    "61977d6006459c4cefe9b988a453589946224957bfc07b262cd7ca1b7a61e04e",# Apple MAS - Numbers, Keynote, OmniGraffle
    "77198a84d6080082fb8d17468d5698b68b0b0dffc84f40d40fa067111e7aedf3",# AppSupport/CitrixOnline/GoToMeeting/G2MUpdate
    "8fa5635d4d6d9f93a9a1631a8f90388f19771b7082c8d7b8de19cc694f1db1ec",# Skype For Business
    "9c5e8b23cbdd0e7316fda612d120836041476ac91a28245f41611e74fe916ec1",# SuspiciousPackage
    "9f9dd26b6ad69cd86438ee416d527b8a9ed871a2bd75cdf8f9cf2345a9cbeb38",# Wireshark
    "a7f86800e3a3a101ef20e2c4d20b01f2ec806b91038998f60d5db009ad26fc7c",# Logitech Control Center daemon
    "ad9dba778a3a1204a02298193be3c8d184a6bdc0d10ae109dfaf356722b3cf92",# Kaleidoscope
    "adced5ef3635ab1debda86f02dc55e96cefedf7bd7fe7519f0a806092bf75873",# new MAU helpertool
    "bf2b2fb5bbbffb3e73a35072ef78b5bd3da98c68d8ec1a6506c48a07b495f6f1",# Rest of office 2016
    "c1b6c50a32bb4b266e6335b4f79b6a7265f2594bf356e0cf5f847492cecf854b",# Slack
    "c77028bbb406c9335ebb9361275f5b240e621e715a446f3cc217a7efdb766b55",# Box Sync appex
    "cb8a3c9b533f03e8fc56e0da1e9a170c4230511856f10f15b0f30f489949abc8",# TextExpander
    "f78a1cb259aec911960624aa7257547eb0e82d61121280b52d3f39a2af296173"# 1Password helper, SafariExtensionCompanion.appex, etc.
    ]
cmd_list = []
for sha in shas:
    cmd_list.append(['/usr/local/bin/santactl', 'rule', '--whitelist', '--sha256', sha])
for cert in certs:
    cmd_list.append(['/usr/local/bin/santactl', 'rule', '--whitelist', '--certificate', '--sha256', cert])

results = pool.map(subprocess.check_output, cmd_list)
pool.close()
pool.join()
print results
	#!/usr/bin/python
	"""Shoves down santa rules 5 at a time to whitelist certs/binaries
	NOTICE - if you have a sync server like Zentral configured, you cannot add rules
	"""
	import os
	import subprocess
	from multiprocessing.dummy import Pool as ThreadPool

	if os.geteuid() != 0:
	exit("Please run this script as root.")
	pool = ThreadPool(5)
	shas = [
	"10b716799ecc07f472e6475ac6395cf76d7b180da7fc665fa7399e931d0540e5",# BINARIES: /opt/puppetlabs/puppet/bin/augparse
	"10e5efeba67a600d3dcafc1cf3ee1bbb854c3d41a65fa3e9466e8e565d76c3eb",# /opt/puppetlabs/puppet/bin/ruby
	"2533995e290b235bc98dcd9142df49101017ce2d9b860b0bbe8e841a780e6009",# /Applications/Docker.app/Contents/Resources/bin/docker
	"3b45cef4efbd9a437a18669e6a7bce4e24456bb1c6cedfe039fda4ed9277c652",# /Library/DropboxHelperTools/Dropbox_u841296058/dbaccessperm
	"58926d227548537c86b69b88906f1cbafbd689f5289323c13a3c2a31019f872b",# /Applications/Managed Software Center.app
	"5d76ffc5b716f065bb0a2218fb05f1249e7e9ba83e960e7ed0a9b0c2aae58f56",# /Applications/Docker.app/Contents/Resources/bin/http2client
	"7b30e3c645301d2e41006c9da04b6b50c6bca32843aafd7ee7dcf900d50c4549",# /Applications/TextMate.app/Contents/Resources/mate
	"c478494745d20331d0eb83286828dae7afead2cd6b4bcbf4401888ec8ce8f364",# /opt/puppetlabs/puppet/bin/facter
	"e11090b15e08ae267e4fbfb6581f72b4fa5996d2a54ad2a45711e407d514c2ae",# /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
	"f4178ce09f21ec92b19a9ec1ded51e9356fe329c0b2015d1d93595cabdf5b561"# /Users/abanks/Library/Application Support/TextMate/Ruby/1.8.7/bin/ruby
	]
	certs = [
	"0cf15940ebd239cc47a5d3d1d7ebcf4dba963299fc30511ae8146ffa3051db10",# CERTS: Cinch.app
	"15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153",# GoogleSoftwareUpdateAgent (~)
	"1808a95f11169c7212a45b44c1c547c1f3e810915014bd892435253a3f8761ca",# Citrix ServiceRecords/ReceiverHelper
	"259187ec002d9015f88abc6e6421027a202ea95c1960db91a0c54ac8dc0500f1",# bomgar-rep
	"259aba4c7924f2ae7b1770c00f0eafc0dc1b433c03ebb3ffa5c56ea9a7689d3b",# osqueryi
	"2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2",# Dropbox/garcon
	"2d78ade98f19b5cee99c2eaa47745018b671c41a63da6941eb679db339753057",# Textmate
	"34e1933590ebd8b05a8c425327ed794bfff9f018008c19d247ccf94ea622b60b",# Cisco anyconnect/bin/vpnagentd -execv_instance
	"380e6394a2cb49ec1b1aeb588bdddb6a4d031145e6754aa70e935aa64082def5",# Github Desktop/Atom
	"45fd79a19e12bbafeeaeaadd5a34ad7b2ea587f0edddfa75eca6329fa6575be8",# Mactracker
	"4d60a649f7c6db9aa23690be8db2cc28211fa415feec62ccb91352050d800295",# QuickRadar
	"4f1c352e8f62316e649c42bb7dfae0917d6f73fa72cb86850883e8e2ed519c69",# Charles
	"537abaf0432a214b0495f712317b146eb18c0beb3b0e2255473abf2f8dbb2e3a",# VLC
	"61977d6006459c4cefe9b988a453589946224957bfc07b262cd7ca1b7a61e04e",# Apple MAS - Numbers, Keynote, OmniGraffle
	"77198a84d6080082fb8d17468d5698b68b0b0dffc84f40d40fa067111e7aedf3",# AppSupport/CitrixOnline/GoToMeeting/G2MUpdate
	"8fa5635d4d6d9f93a9a1631a8f90388f19771b7082c8d7b8de19cc694f1db1ec",# Skype For Business
	"9c5e8b23cbdd0e7316fda612d120836041476ac91a28245f41611e74fe916ec1",# SuspiciousPackage
	"9f9dd26b6ad69cd86438ee416d527b8a9ed871a2bd75cdf8f9cf2345a9cbeb38",# Wireshark
	"a7f86800e3a3a101ef20e2c4d20b01f2ec806b91038998f60d5db009ad26fc7c",# Logitech Control Center daemon
	"ad9dba778a3a1204a02298193be3c8d184a6bdc0d10ae109dfaf356722b3cf92",# Kaleidoscope
	"adced5ef3635ab1debda86f02dc55e96cefedf7bd7fe7519f0a806092bf75873",# new MAU helpertool
	"bf2b2fb5bbbffb3e73a35072ef78b5bd3da98c68d8ec1a6506c48a07b495f6f1",# Rest of office 2016
	"c1b6c50a32bb4b266e6335b4f79b6a7265f2594bf356e0cf5f847492cecf854b",# Slack
	"c77028bbb406c9335ebb9361275f5b240e621e715a446f3cc217a7efdb766b55",# Box Sync appex
	"cb8a3c9b533f03e8fc56e0da1e9a170c4230511856f10f15b0f30f489949abc8",# TextExpander
	"f78a1cb259aec911960624aa7257547eb0e82d61121280b52d3f39a2af296173"# 1Password helper, SafariExtensionCompanion.appex, etc.
	]
	cmd_list = []
	for sha in shas:
	cmd_list.append(['/usr/local/bin/santactl', 'rule', '--whitelist', '--sha256', sha])
	for cert in certs:
	cmd_list.append(['/usr/local/bin/santactl', 'rule', '--whitelist', '--certificate', '--sha256', cert])

	results = pool.map(subprocess.check_output, cmd_list)
	pool.close()
	pool.join()
	print results