Instantly share code, notes, and snippets.

Embed
What would you like to do?
manual (server-less) 🎅rule import script, and an excuse to use multiprocessing
#!/usr/bin/python
"""Shoves down santa rules 5 at a time to whitelist certs/binaries
NOTICE - if you have a sync server like Zentral configured, you cannot add rules
"""
import os
import subprocess
from multiprocessing.dummy import Pool as ThreadPool
if os.geteuid() != 0:
exit("Please run this script as root.")
pool = ThreadPool(5)
shas = [
"10b716799ecc07f472e6475ac6395cf76d7b180da7fc665fa7399e931d0540e5",# BINARIES: /opt/puppetlabs/puppet/bin/augparse
"10e5efeba67a600d3dcafc1cf3ee1bbb854c3d41a65fa3e9466e8e565d76c3eb",# /opt/puppetlabs/puppet/bin/ruby
"2533995e290b235bc98dcd9142df49101017ce2d9b860b0bbe8e841a780e6009",# /Applications/Docker.app/Contents/Resources/bin/docker
"3b45cef4efbd9a437a18669e6a7bce4e24456bb1c6cedfe039fda4ed9277c652",# /Library/DropboxHelperTools/Dropbox_u841296058/dbaccessperm
"58926d227548537c86b69b88906f1cbafbd689f5289323c13a3c2a31019f872b",# /Applications/Managed Software Center.app
"5d76ffc5b716f065bb0a2218fb05f1249e7e9ba83e960e7ed0a9b0c2aae58f56",# /Applications/Docker.app/Contents/Resources/bin/http2client
"7b30e3c645301d2e41006c9da04b6b50c6bca32843aafd7ee7dcf900d50c4549",# /Applications/TextMate.app/Contents/Resources/mate
"c478494745d20331d0eb83286828dae7afead2cd6b4bcbf4401888ec8ce8f364",# /opt/puppetlabs/puppet/bin/facter
"e11090b15e08ae267e4fbfb6581f72b4fa5996d2a54ad2a45711e407d514c2ae",# /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"f4178ce09f21ec92b19a9ec1ded51e9356fe329c0b2015d1d93595cabdf5b561"# /Users/abanks/Library/Application Support/TextMate/Ruby/1.8.7/bin/ruby
]
certs = [
"0cf15940ebd239cc47a5d3d1d7ebcf4dba963299fc30511ae8146ffa3051db10",# CERTS: Cinch.app
"15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153",# GoogleSoftwareUpdateAgent (~)
"1808a95f11169c7212a45b44c1c547c1f3e810915014bd892435253a3f8761ca",# Citrix ServiceRecords/ReceiverHelper
"259187ec002d9015f88abc6e6421027a202ea95c1960db91a0c54ac8dc0500f1",# bomgar-rep
"259aba4c7924f2ae7b1770c00f0eafc0dc1b433c03ebb3ffa5c56ea9a7689d3b",# osqueryi
"2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2",# Dropbox/garcon
"2d78ade98f19b5cee99c2eaa47745018b671c41a63da6941eb679db339753057",# Textmate
"34e1933590ebd8b05a8c425327ed794bfff9f018008c19d247ccf94ea622b60b",# Cisco anyconnect/bin/vpnagentd -execv_instance
"380e6394a2cb49ec1b1aeb588bdddb6a4d031145e6754aa70e935aa64082def5",# Github Desktop/Atom
"45fd79a19e12bbafeeaeaadd5a34ad7b2ea587f0edddfa75eca6329fa6575be8",# Mactracker
"4d60a649f7c6db9aa23690be8db2cc28211fa415feec62ccb91352050d800295",# QuickRadar
"4f1c352e8f62316e649c42bb7dfae0917d6f73fa72cb86850883e8e2ed519c69",# Charles
"537abaf0432a214b0495f712317b146eb18c0beb3b0e2255473abf2f8dbb2e3a",# VLC
"61977d6006459c4cefe9b988a453589946224957bfc07b262cd7ca1b7a61e04e",# Apple MAS - Numbers, Keynote, OmniGraffle
"77198a84d6080082fb8d17468d5698b68b0b0dffc84f40d40fa067111e7aedf3",# AppSupport/CitrixOnline/GoToMeeting/G2MUpdate
"8fa5635d4d6d9f93a9a1631a8f90388f19771b7082c8d7b8de19cc694f1db1ec",# Skype For Business
"9c5e8b23cbdd0e7316fda612d120836041476ac91a28245f41611e74fe916ec1",# SuspiciousPackage
"9f9dd26b6ad69cd86438ee416d527b8a9ed871a2bd75cdf8f9cf2345a9cbeb38",# Wireshark
"a7f86800e3a3a101ef20e2c4d20b01f2ec806b91038998f60d5db009ad26fc7c",# Logitech Control Center daemon
"ad9dba778a3a1204a02298193be3c8d184a6bdc0d10ae109dfaf356722b3cf92",# Kaleidoscope
"adced5ef3635ab1debda86f02dc55e96cefedf7bd7fe7519f0a806092bf75873",# new MAU helpertool
"bf2b2fb5bbbffb3e73a35072ef78b5bd3da98c68d8ec1a6506c48a07b495f6f1",# Rest of office 2016
"c1b6c50a32bb4b266e6335b4f79b6a7265f2594bf356e0cf5f847492cecf854b",# Slack
"c77028bbb406c9335ebb9361275f5b240e621e715a446f3cc217a7efdb766b55",# Box Sync appex
"cb8a3c9b533f03e8fc56e0da1e9a170c4230511856f10f15b0f30f489949abc8",# TextExpander
"f78a1cb259aec911960624aa7257547eb0e82d61121280b52d3f39a2af296173"# 1Password helper, SafariExtensionCompanion.appex, etc.
]
cmd_list = []
for sha in shas:
cmd_list.append(['/usr/local/bin/santactl', 'rule', '--whitelist', '--sha256', sha])
for cert in certs:
cmd_list.append(['/usr/local/bin/santactl', 'rule', '--whitelist', '--certificate', '--sha256', cert])
results = pool.map(subprocess.check_output, cmd_list)
pool.close()
pool.join()
print results
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment