---
title: "Security Cookbook - Workshop & Santa Rules"
description: "Production-ready security rules for Workshop and Santa. CEL expressions and File Access Authorization rules to protect your macOS fleet against infostealers, persistence, and more."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook"
---
# Security Rules Ready to Deploy

Production-ready CEL expressions and File Access Authorization rules for Workshop and Santa.

The cookbook contains 35 rules; the ten below are the first page of four.

### [Block dscl Password Validation](https://northpole.security/cookbook/block-dscl-authonly)

Categories: Discovery Prevention / Execution

Block infostealers from validating stolen passwords with `dscl -authonly` using a Workshop CEL rule that stops the credential check at the source.

### [Block DYLD Environment Variable Injection](https://northpole.security/cookbook/block-dyld-injection)

Categories: Execution Control / Execution

Block `DYLD_INSERT_LIBRARIES` and other dyld environment variables to prevent code injection into third-party macOS applications.

### [Block Fake Password Prompts via osascript](https://northpole.security/cookbook/block-fake-password-prompts)

Categories: Defense Evasion / Execution

Block `osascript` display dialogs that mimic system password prompts, stopping Atomic Stealer and Cthulhu Stealer from harvesting user credentials.

### [Block Legacy Unix Shells and Interpreters](https://northpole.security/cookbook/block-legacy-shells)

Categories: Execution Control / Execution

Block `csh`, `tcsh`, and `ksh` execution to reduce attack surface, forcing attackers off rarely-monitored legacy shells onto auditable `bash` and `zsh`.

### [Block Old Browsers Based on Signing Time](https://northpole.security/cookbook/block-old-browsers)

Categories: Execution Control / Execution

Enforce minimum Chrome and Firefox versions using the CEL secure signing time, keeping browsers patched against active exploits and CVEs.

### [Block Password Hash Dumping](https://northpole.security/cookbook/block-password-hash-dumping)

Categories: Credential Protection / Multiple

Prevent `dscl` from dumping macOS user password hashes for offline cracking. Workshop combines file access and CEL rules to lock down shadow data.

### [Block Remote Access Enablement via systemsetup](https://northpole.security/cookbook/block-systemsetup-remote-access)

Categories: Defense Evasion / Execution

Block `systemsetup` from enabling SSH or remote Apple Events while preserving its other operations, stopping attackers from opening lateral movement channels.

### [Block Unauthorized VPN Software](https://northpole.security/cookbook/block-vpn-software)

Categories: Execution Control / Risk Engine

Use the Workshop Risk Engine to flag any software with VPN entitlements for admin review, blocking unauthorized tunnels that enable data exfiltration.

### [Detect Suspicious launchctl Load Patterns](https://northpole.security/cookbook/detect-malicious-launchctl)

Categories: Persistence Prevention / Execution

Detect and block `launchctl` loading LaunchAgents from temp directories or with random plist names, stopping malware persistence on macOS.

### [Monitor Launch Item Creation](https://northpole.security/cookbook/monitor-launch-items)

Categories: Persistence Prevention / File Access

Audit all writes to LaunchAgent and LaunchDaemon directories to surface persistence attempts with complete process context for incident response.

