Scopes
In addition to rules, Santa can allow or block based on scopes. Currently, only a few scopes are implemented. Scopes are evaluated after rules, with block evaluation preceding allow.
Scopes are a broader way of allowing or blocking executions.
We strongly discourage the use of scopes as they can be relatively trivial to bypass but there are some circumstances where it is the only option.
For configuration of scopes see configuration.md.
Block Scopes
Scope | Configurable |
---|---|
Blocked Path Regex | Yes |
Missing __PAGEZERO | Yes |
Allow Scopes
Scope | Configurable |
---|---|
Allowed Path Regex | Yes |
Not a Mach-O | No |
Regex Caveats
The paths covered by the allowed path and blocked path regex patterns are not tracked. If an execution is allowed initially, then moved into a blocked directory, Santa has no knowledge of that move. Since Santa caches decisions, the recently moved file will continue to be allowed to execute even though it is now within a blocked path. Going from a blocked path to an allowed path is not largely affected.