Protect Docker Settings from Tampering
Restrict write access to Docker Desktop settings to Docker-signed processes, blocking attackers from enabling headless mode to hide credential theft inside containers.
Idea
At the Objective by the Sea conference, Colson Wilhoit demonstrated how attackers can use Docker to hide from macOS security tools. Because Docker runs containers inside a Linux virtual machine, security monitoring tools built on the macOS Endpoint Security Framework cannot see what happens inside the VM. And since containers can mount host volumes into the VM, attackers can steal credential files or make other changes to the host's file system from inside a container.
By modifying the Docker settings files, attackers can make Docker Desktop run in headless mode. They can then run a container image with the keychain and other credential files mounted as a volume and upload them, all without showing any UI to the user. Santa's file access rules can protect the Docker settings files so that only processes signed with Docker's team ID may modify them.
Solutions
- Path Prefixes:
- Options: Allow Read Access / Audit Only / Rule Type
- Processes: Team ID 9BNSXJN65R
- Custom Message
MITRE ATT&CK
Tags
Deployment Notes
This rule protects Docker Desktop settings from being modified by unauthorized processes. Only processes signed with Docker's team ID (9BNSXJN65R) can modify the settings files.
This prevents attackers from enabling headless mode or making other settings changes that could hide malicious activity inside containers.
False Positive Guidance
Docker Desktop is the only legitimate process that needs to modify these settings. If you use other Docker management tools, you may need to add their team IDs to the allowlist.
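As an added example (not part of this rule page or Santa's own code), the script below builds the rule described in the Deployment Notes as a Santa File Access Authorization plist and models how Santa decides each read or write against it, including the allowlist extension mentioned in the False Positive Guidance. The plist key names follow Santa's File Access Authorization documentation as I understand it; the settings directory is a placeholder because the page does not record the Path Prefixes value, and the rule name `ProtectDockerSettings` and the extra team IDs in the demo are constructed for illustration.

```python
"""Santa File Access Authorization policy for the Docker settings rule.

Added example. Key names follow Santa's FAA plist format: a Version plus
WatchItems, each with Paths, Options, Processes and a BlockMessage. The
settings path is a PLACEHOLDER because the page leaves Path Prefixes empty.
"""
import plistlib

# Team ID taken from the rule's Deployment Notes.
DOCKER_TEAM_ID = "9BNSXJN65R"

# PLACEHOLDER: replace with the directory that holds Docker Desktop's
# settings files on your fleet before deploying this policy.
SETTINGS_PREFIX = "/PLACEHOLDER/DockerDesktopSettings/"


def build_policy(team_ids=(DOCKER_TEAM_ID,), path_prefix=SETTINGS_PREFIX,
                 audit_only=False):
    """Return the rule as a Santa FAA policy dictionary.

    The Options map to the three fields on the page: reads stay allowed so
    Docker and the user can still read the files, AuditOnly switches between
    log-only and enforcing, and RuleType says that only the listed Processes
    may write to the listed Paths. Extra team IDs (other Docker management
    tools, per the False Positive Guidance) become extra Processes entries.
    """
    return {
        "Version": "1",
        "WatchItems": {
            "ProtectDockerSettings": {  # constructed rule name
                "Paths": [{"Path": path_prefix, "IsPrefix": True}],
                "Options": {
                    "AllowReadAccess": True,
                    "AuditOnly": audit_only,
                    "RuleType": "PathsWithAllowedProcesses",
                },
                "Processes": [{"TeamID": tid} for tid in team_ids],
                # Custom Message shown to the user when a write is blocked.
                "BlockMessage": "Docker Desktop settings may only be changed "
                                "by Docker-signed processes.",
            }
        },
    }


def to_plist(policy):
    """Serialise to the XML plist Santa loads, checking it round-trips."""
    data = plistlib.dumps(policy, fmt=plistlib.FMT_XML)
    if plistlib.loads(data) != policy:
        raise ValueError("policy did not survive a plist round-trip")
    return data


def _path_matches(entry, path):
    """Prefix entries cover everything below them; others match exactly."""
    if entry.get("IsPrefix"):
        return path.startswith(entry["Path"])
    return path == entry["Path"]


def evaluate(policy, path, team_id, write):
    """Model the decision Santa would make for one file access.

    team_id is the signing team ID of the accessing process (None when the
    binary is unsigned). Returns "allow", "deny", or "audit" (the access
    would have been denied, but AuditOnly means it is only logged).
    """
    for item in policy["WatchItems"].values():
        if not any(_path_matches(p, path) for p in item["Paths"]):
            continue
        opts = item["Options"]
        if not write and opts.get("AllowReadAccess"):
            return "allow"
        allowed = {p["TeamID"] for p in item["Processes"] if "TeamID" in p}
        if team_id in allowed:
            return "allow"
        return "audit" if opts.get("AuditOnly") else "deny"
    return "allow"  # file not covered by any watch item


if __name__ == "__main__":
    policy = build_policy()
    print(to_plist(policy).decode())
    target = SETTINGS_PREFIX + "settings.json"
    # "FAKETEAMID" is a constructed team ID standing in for a non-Docker tool.
    for who in (DOCKER_TEAM_ID, "FAKETEAMID", None):
        print(who, "write ->", evaluate(policy, target, who, write=True))
```

Deploy with `audit_only=True` first and review the Santa file-access events before switching to enforcing; any legitimate non-Docker writer that shows up in the audit log is a candidate for the `team_ids` allowlist rather than a reason to loosen the path.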