Skip to main content

Common Expression Language (CEL)

This page lists well-known and/or community-contributed CEL expressions.

CEL (Common Expression Language) rules allow for more complex policies than would normally be possible. Read how to configure CEL rules in the Binary Authorization documentation.

Apps signed since X

This will prevent executions of an app where the specific binary was signed before the provided date. This is particularly useful when attached to a TEAMID or SIGNINGID rule.

target.signing_time >= timestamp('2025-05-31T00:00:00Z')

Prevent users from disabling gatekeeper

Create a signing ID rule for platform:com.apple.spctl and attach the following CEL program

[
'--global-disable',
'--master-disable',
'--disable',
'--add',
'--remove'
].exists(flag, flag in args) ? BLOCKLIST : ALLOWLIST

Prevent Timestomping of LaunchAgents and LaunchDaemons

Malware like those produced by the Chollima groups use "timestomping" to reset the timestamps of LaunchAgents and LaunchDaemons using touch. This can be prevented / detected by creating a SigningID rule for platform:com.apple.touch with the following CEL program.

This technique was recently discussed by Jaron Bradely at Objective by the Sea v8

args.exists(arg, arg in [
'-a', '-m', '-r', '-A', '-t'
]) && args.join(" ").contains("Library/Launch") ? BLOCKLIST : ALLOWLIST

Note this will not stop using the system calls directly or otherwise programmatically modifying the timestamps.

Prevent OSAScript From Popping Password Dialogs

A lot of malware on macOS will attempt to get users to enter their passwords into a dialog box via osascript. This is a basic rule to stop directly asking for a password dialog.

Make a SigningID rule for platform:com.apple.osascript with the following CEL Program

(
args.join(" ").lowerAscii().matches(".*\\W+with\\W+hidden\\W+answer.*") ||
args.join(" ").lowerAscii().contains("password")
) &&
args.join(" ").lowerAscii().matches(
".*\\W+display\\W+dialog.*") ? BLOCKLIST : ALLOWLIST

Note: This will not stop obfuscated osascript that's evaluated at runtime or any other malicious behavior triggered through osascript. For better security block osascript all together if you can. Be aware software like the Google Cloud SDK installer and AI tools like claude code use osascript.

Also if you're using osascript to do this legitimately this will break your usage.