santa vs CIS-for-macOS-Catalina-CP

Our great sponsors

WorkOS - The modern identity platform for B2B SaaS

InfluxDB - Power Real-Time Data Analytics at Scale

SaaSHub - Software Alternatives and Reviews

Our great sponsors

santa		CIS-for-macOS-Catalina-CP
	Project
20	Mentions	1
4,303	Stars	120
0.7%	Growth	0.8%
9.0	Activity	0.0
14 days ago	Latest Commit	almost 3 years ago
Objective-C	Language	Shell
Apache License 2.0	License	MIT License

The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

santa

Posts with mentions or reviews of santa. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-04-15.

Linux being secure is a common misconception
1 project | news.ycombinator.com | 26 Nov 2023
Unable to install ruby due to google santa
1 project | /r/ruby | 14 May 2023

For anyone wondering: https://github.com/google/santa
Reporting on new installed applications
1 project | /r/macsysadmin | 11 May 2023

Have you looked at SANTA?
Remote Code Execution Vulnerability in Google They Are Not Willing to Fix
2 projects | news.ycombinator.com | 15 Apr 2023

Not directly relevant but interesting...
https://github.com/google/santa
This is a product developed by Google that has at least been utilized internally to some extent. It's not perfect, but my previous company used it and it does prevent unexpected unknown code from running in the background.
What it does not do is prevent someone from intentionally downloading and executing a library unless the upvoter actually comes to some demand that you do so. I found that it quickly became a bit of a "alert fatigue" where you approve things your coworkers send you so they can get back to work without properly vetting.
is it possible to see what account made changes to the system?
2 projects | /r/jamf | 9 Mar 2023

If you really want to get draconian with your controls/logging have a look into https://github.com/google/santa
MacOS + MDM Policies (Privacy, Notifications, Native Apps)
1 project | /r/macsysadmin | 12 Jan 2023

Is your company open to adopting open source tooling? There is a tool called Santa that could be used to block binaries from executing.
Possible to restrict which applications a user can install/execute?
3 projects | /r/macsysadmin | 16 Dec 2022
On Oct 24th Apple will release macOS Ventura - Are you ready?
1 project | /r/macsysadmin | 19 Oct 2022

you may like https://github.com/google/santa
Uber Investigating Breach of Its Computer Systems
2 projects | news.ycombinator.com | 15 Sep 2022

> Infostealers for Mac are a thing (Uber is a mac heavy shop I hear)
Block unknown executables on company machines. Google developed Santa to protect themselves: https://github.com/google/santa
> and that's all it takes to steal cookies and tokens post-mfa,
Make post-MFA cookies and tokens short-lived. Require MFA re-authentication at least daily.
> or why even bother with that, if you're running code just make it a reverse shell.
All outbound connections should be strictly monitored, especially from production servers, which should have no ability to make outbound connections. With modern dependency management, that's harder for build servers, but still doable.
What Anti-Keylogging Software do you use or recommend?
1 project | /r/cybersecurity | 10 Sep 2022

https://github.com/google/santa for anyone curious

CIS-for-macOS-Catalina-CP

Posts with mentions or reviews of CIS-for-macOS-Catalina-CP. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-06-24.

Hardening macOS
3 projects | news.ycombinator.com | 24 Jun 2022

You can get most of the way to hardening to CIS level 1 picking more up-to-date fork of these https://github.com/jamf/CIS-for-macOS-Catalina-CP.
FWIW, CIS level 1 will mean people get locked out of their machines very frequently. Complex 15 character passwords with 3 retries from memory. So you need a half-decent MDM to unlock quickly. There is no half-decent MDM out there. Only shit ones but workable like Jamf.
Also you the username does't get auto-populated on login so the typo can be in username and user assumes it is with password. Very fast way to get lock outs.
To pass a full security review you might want to play with Google Santa. But that is intense.

What are some alternatives?

When comparing santa and CIS-for-macOS-Catalina-CP you can also consider the following projects:

sequelpro - MySQL/MariaDB database management for macOS

macos_security - macOS Security Compliance Project

macOSLAPS - Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows

debian-cis - PCI-DSS compliant Debian 10/11/12 hardening

jss-filevault-reissue - A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.

MacPass - A native macOS KeePass client

super - S.U.P.E.R.M.A.N. optimizes the macOS software update experience.

CocoaLumberjack - A fast & simple, yet powerful & flexible logging framework for macOS, iOS, tvOS and watchOS

prowler - Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 240 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks. [Moved to: https://github.com/prowler-cloud/prowler]

pip - The Python package installer

tpm-fido - A WebAuthn/U2F token protected by a TPM (Go/Linux)