
Common Expression Language (CEL)

This page lists well-known and/or community-contributed CEL expressions.

CEL (Common Expression Language) rules allow for more complex policies than plain allow/block rules can express. Read how to configure CEL rules in the Binary Authorization documentation.

Apps signed since X

This prevents execution of an app whose specific binary was signed before the given date. It is particularly useful when attached to a TEAMID or SIGNINGID rule.

target.signing_time >= timestamp('2025-05-31T00:00:00Z')

Prevent users from disabling gatekeeper

Create a signing ID rule for platform:com.apple.spctl and attach the following CEL program:

[
'--global-disable',
'--master-disable',
'--disable',
'--add',
'--remove'
].exists(flag, flag in args) ? BLOCKLIST : ALLOWLIST

Prevent Timestomping of LaunchAgents and LaunchDaemons Santa 2025.8

Malware such as that produced by the Chollima groups uses "timestomping" to reset the timestamps of LaunchAgents and LaunchDaemons with touch. This can be prevented or detected by creating a SigningID rule for platform:com.apple.touch with the following CEL program.

This technique was recently discussed by Jaron Bradley at Objective by the Sea v8.

args.exists(arg, arg in [
'-a', '-m', '-r', '-A', '-t'
]) && args.join(" ").contains("Library/Launch") ? BLOCKLIST : ALLOWLIST

Note that this will not stop timestamps from being modified through direct system calls or other programmatic means. It also won't catch modifications made when the process's current working directory is already the LaunchDaemons or LaunchAgents directory, because the path passed to touch then won't contain "Library/Launch".

Prevent OSAScript From Popping Password Dialogs Santa 2025.8

A lot of malware on macOS will attempt to get users to enter their passwords into a dialog box via osascript. This is a basic rule to stop directly asking for a password dialog.

Make a SigningID rule for platform:com.apple.osascript with the following CEL program:

(
args.join(" ").lowerAscii().matches(".*\\W+with\\W+hidden\\W+answer.*") ||
args.join(" ").lowerAscii().contains("password")
) &&
args.join(" ").lowerAscii().matches(
".*\\W+display\\W+dialog.*") ? BLOCKLIST : ALLOWLIST

Note: This will not stop obfuscated osascript that is evaluated at runtime, or any other malicious behavior triggered through osascript. For better security, block osascript altogether if you can. Be aware that software like the Google Cloud SDK installer and AI tools like Claude Code use osascript.

Also, if you use osascript to display password dialogs legitimately, this rule will break that usage.

Prevent users from enabling SSH and Remote Apple Events Santa 2025.8

As called out in LOOBins, the systemsetup command can be used to enable SSH and Remote Apple Events via command line options.

To block this create a signing ID rule for platform:com.apple.systemsetup and attach the following CEL program:

args.join(" ").contains("-setremotelogin on") ||
args.join(" ").contains("-setremoteappleevents on") ? BLOCKLIST : ALLOWLIST
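As an added example (not Santa code and not a CEL evaluator), the rules on this page, from the signing-time check through the spctl, touch, osascript and systemsetup programs, are re-implemented below as Python predicates over an argv list so a defender can check which command lines each one would block before deploying it. The signing IDs, flag lists, patterns and outcome names are taken from the page; the sample invocations are constructed, the mapping of a false boolean result to a block follows this page's description of the signing-time rule, and the constructed cases deliberately include the cwd-relative touch gap the timestomping section calls out.

```python
import re
from datetime import datetime, timezone

# Rule outcomes, named as in the CEL expressions on this page.
BLOCKLIST = "BLOCKLIST"
ALLOWLIST = "ALLOWLIST"

# Mirrors timestamp('2025-05-31T00:00:00Z') from the "Apps signed since X" rule.
SIGNED_SINCE_CUTOFF = datetime(2025, 5, 31, tzinfo=timezone.utc)


def joined(args):
    """CEL args.join(" "): the argv list flattened into one string."""
    return " ".join(args)


def lower_ascii(s):
    """CEL lowerAscii(): folds only A-Z, unlike Python's str.lower()."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def rule_signed_since(signing_time_iso):
    """target.signing_time >= timestamp(...). A false result blocks the binary,
    which is the behaviour the page describes; signing_time_iso is an ISO 8601
    string such as '2025-06-01T00:00:00Z'."""
    signed = datetime.fromisoformat(signing_time_iso.replace("Z", "+00:00"))
    return ALLOWLIST if signed >= SIGNED_SINCE_CUTOFF else BLOCKLIST


def rule_spctl(args):
    """[...].exists(flag, flag in args) ? BLOCKLIST : ALLOWLIST"""
    flags = {"--global-disable", "--master-disable", "--disable", "--add", "--remove"}
    return BLOCKLIST if any(f in args for f in flags) else ALLOWLIST


def rule_touch(args):
    """args.exists(arg, arg in [...]) && args.join(" ").contains("Library/Launch")"""
    has_time_flag = any(a in {"-a", "-m", "-r", "-A", "-t"} for a in args)
    return BLOCKLIST if has_time_flag and "Library/Launch" in joined(args) else ALLOWLIST


def rule_osascript(args):
    """(matches 'with hidden answer' || contains 'password') && matches 'display dialog'.
    CEL matches() is an unanchored RE2 search with an ASCII \\W, so re.search with
    re.ASCII reproduces it; the page's leading/trailing .* add nothing under search."""
    s = lower_ascii(joined(args))
    asks_for_secret = (re.search(r"\W+with\W+hidden\W+answer", s, re.ASCII) is not None
                       or "password" in s)
    shows_dialog = re.search(r"\W+display\W+dialog", s, re.ASCII) is not None
    return BLOCKLIST if asks_for_secret and shows_dialog else ALLOWLIST


def rule_systemsetup(args):
    """contains("-setremotelogin on") || contains("-setremoteappleevents on")"""
    s = joined(args)
    return BLOCKLIST if "-setremotelogin on" in s or "-setremoteappleevents on" in s else ALLOWLIST


# Signing ID -> predicate, matching the rule each CEL program is attached to.
RULES = {
    "platform:com.apple.spctl": rule_spctl,
    "platform:com.apple.touch": rule_touch,
    "platform:com.apple.osascript": rule_osascript,
    "platform:com.apple.systemsetup": rule_systemsetup,
}


def decide(signing_id, args):
    """Decision the rule for signing_id would produce for this argv. The cases
    below include argv[0]; none of these rules depend on it either way."""
    return RULES[signing_id](args)


# Constructed sample invocations (not captured from a real host) with the
# decision each rule yields.
CASES = [
    ("platform:com.apple.spctl", ["spctl", "--master-disable"], BLOCKLIST),
    ("platform:com.apple.spctl", ["spctl", "--status"], ALLOWLIST),
    # Timestomping an agent plist by absolute path is caught...
    ("platform:com.apple.touch",
     ["touch", "-t", "202401010000", "/Users/me/Library/LaunchAgents/com.example.agent.plist"],
     BLOCKLIST),
    # ...but the same file named relative to a cwd already inside LaunchAgents
    # is not: this is the gap the timestomping section describes.
    ("platform:com.apple.touch", ["touch", "-t", "202401010000", "com.example.agent.plist"], ALLOWLIST),
    # A plain touch with no timestamp flag only sets mtime to "now" and is allowed.
    ("platform:com.apple.touch", ["touch", "/Users/me/Library/LaunchAgents/com.example.agent.plist"], ALLOWLIST),
    ("platform:com.apple.osascript",
     ["osascript", "-e", 'display dialog "Enter your password" default answer "" with hidden answer'],
     BLOCKLIST),
    ("platform:com.apple.osascript", ["osascript", "-e", 'display dialog "Build finished"'], ALLOWLIST),
    ("platform:com.apple.systemsetup", ["systemsetup", "-setremotelogin", "on"], BLOCKLIST),
    ("platform:com.apple.systemsetup", ["systemsetup", "-getremotelogin"], ALLOWLIST),
]


def run_cases():
    """Evaluate every constructed case; returns (signing_id, argv, decision) tuples."""
    return [(sid, argv, decide(sid, argv)) for sid, argv, _expected in CASES]


if __name__ == "__main__":
    for sid, argv, decision in run_cases():
        print(f"{decision:9} {sid:32} {' '.join(argv)}")
```

Run it directly to print a decision table. The harness reproduces the CEL string semantics the rules rely on (lowerAscii folds only A-Z, matches() is an unanchored search, contains() is case-sensitive), but it is a model: the decision that counts is the one Santa makes on the host, so verify a rule there before relying on it.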