---
title: "Common Expression Language (CEL) - Santa Docs"
description: "Common Expression Language (CEL) - Open source binary authorization for macOS. Configure, deploy, and extend the agent that powers Workshop."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/docs/santa/cookbook/cel"
---
# Common Expression Language (CEL)

This page lists well-known and/or community-contributed CEL expressions.

CEL ([Common Expression Language](https://cel.dev/)) rules allow for more complex policies than would normally be possible. Read how to configure CEL rules in the [Binary Authorization](https://northpole.security/docs/santa/features/binary-authorization#cel) documentation.

## Apps signed since X

This will prevent executions of an app where the specific binary was signed before the provided date. This is particularly useful when attached to a `TEAMID` or `SIGNINGID` rule.

```
target.signing_time >= timestamp('2025-05-31T00:00:00Z')
```

## Prevent users from disabling gatekeeper

Create a signing ID rule for `platform:com.apple.spctl` and attach the following CEL program:

```
[
    '--global-disable',
    '--master-disable',
    '--disable',
    '--add',
    '--remove'
].exists(flag, flag in args) ? BLOCKLIST : ALLOWLIST
```

## Prevent Timestomping of LaunchAgents and LaunchDaemons (Santa 2025.8)

Malware, including samples attributed to the Chollima groups, uses “timestomping” to reset the timestamps of LaunchAgents and LaunchDaemons with `touch`. This can be prevented or detected by creating a SigningID rule for `platform:com.apple.touch` with the following CEL program.

This technique was recently discussed by [Jaron Bradley](https://themittenmac.com/author/jaron-bradley/) at [Objective by the Sea v8](https://objectivebythesea.org/v8/talks.html#Speaker_24).

```
args.exists(arg, arg in [
  '-a', '-m', '-r', '-A', '-t'
]) && args.join(" ").contains("Library/Launch") ? BLOCKLIST : ALLOWLIST
```

Note that this will not stop timestamps being changed through the system calls directly or otherwise programmatically. It also won’t cover modifications where the process’s current working directory is already inside the LaunchDaemons or LaunchAgents directory, because the `Library/Launch` path fragment never appears in the arguments.

## Prevent OSAScript From Popping Password Dialogs (Santa 2025.8)

A lot of macOS malware attempts to get users to enter their passwords into a dialog box via osascript. This is a basic rule to stop osascript from directly requesting a password in a dialog.

Make a SigningID rule for `platform:com.apple.osascript` with the following CEL program:

```
(
    args.join(" ").lowerAscii().matches(".*\\W+with\\W+hidden\\W+answer.*") ||
    args.join(" ").lowerAscii().contains("password")
) &&
    args.join(" ").lowerAscii().matches(
        ".*\\W+display\\W+dialog.*")  ? BLOCKLIST : ALLOWLIST
```

Note: this will not stop obfuscated osascript that is evaluated at runtime, or any other malicious behavior triggered through osascript. For better security, block osascript altogether if you can. Be aware that software such as the Google Cloud SDK installer and AI tools like Claude Code use osascript.

Also, if you use osascript to display password dialogs legitimately, this rule will break that usage.
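To check how the `touch` and `osascript` rules above decide on concrete command lines before deploying them, here is an added Python rendering of both CEL programs (this is example code, not part of Santa or this page). It assumes Santa's `args` is the full argv including argv[0]; every argv vector below is constructed, and several exist only to show the limitations the text describes.

```python
import re

BLOCKLIST, ALLOWLIST = "BLOCKLIST", "ALLOWLIST"


def lower_ascii(s):
    # CEL lowerAscii() only folds A-Z; str.lower() would also fold non-ASCII letters.
    return "".join(c.lower() if c.isascii() else c for c in s)


def cel_matches(s, pattern):
    # CEL matches() is an unanchored RE2 search, so re.search() is the closest analogue.
    return re.search(pattern, s) is not None


def touch_rule(args):
    """The timestomping rule for platform:com.apple.touch, expressed in Python."""
    has_time_flag = any(a in ("-a", "-m", "-r", "-A", "-t") for a in args)
    touches_launch_dir = "Library/Launch" in " ".join(args)
    return BLOCKLIST if has_time_flag and touches_launch_dir else ALLOWLIST


def osascript_rule(args):
    """The password-dialog rule for platform:com.apple.osascript, expressed in Python."""
    s = lower_ascii(" ".join(args))
    asks_for_secret = (cel_matches(s, r".*\W+with\W+hidden\W+answer.*")
                       or "password" in s)
    shows_dialog = cel_matches(s, r".*\W+display\W+dialog.*")
    return BLOCKLIST if asks_for_secret and shows_dialog else ALLOWLIST


# Constructed argv vectors with the verdict the CEL program should give.
CASES = [
    (touch_rule, ["touch", "-t", "202401010000", "/Library/LaunchDaemons/com.example.plist"], BLOCKLIST),
    (touch_rule, ["touch", "/Library/LaunchDaemons/com.example.plist"], ALLOWLIST),  # no timestamp flag
    (touch_rule, ["touch", "-t", "202401010000", "com.example.plist"], ALLOWLIST),  # cwd caveat: no path in args
    (osascript_rule, ["osascript", "-e",
                      'display dialog "Enter your password:" default answer "" with hidden answer'], BLOCKLIST),
    (osascript_rule, ["osascript", "-e", 'Display Dialog "Password" with Hidden Answer'], BLOCKLIST),
    (osascript_rule, ["osascript", "-e", 'display notification "Build finished"'], ALLOWLIST),
    (osascript_rule, ["osascript", "/tmp/prompt.scpt"], ALLOWLIST),  # script body is not visible in args
]


def mismatches(cases=CASES):
    """Return (rule name, argv, verdict) for every case whose verdict differs from the expectation."""
    return [(rule.__name__, argv, rule(argv)) for rule, argv, expected in cases if rule(argv) != expected]


if __name__ == "__main__":
    for rule, argv, _ in CASES:
        print(f"{rule.__name__:15} {rule(argv):10} {' '.join(argv)}")
    assert not mismatches()
```

Add your own argv vectors to `CASES` for the legitimate tooling in your fleet to confirm the rules do not block it.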

## Prevent users from enabling SSH and Remote Apple Events (Santa 2025.8)

As called out in [loobins](https://www.loobins.io/binaries/systemsetup/), the `systemsetup` command can be used to enable SSH and Remote Apple Events via command-line options.

To block this create a signing ID rule for `platform:com.apple.systemsetup` and attach the following CEL program:

```
args.join(" ").contains("-setremotelogin on") ||
args.join(" ").contains("-setremoteappleevents on") ? BLOCKLIST : ALLOWLIST
```

## Prevent Users from Taking and Mounting Time Machine Snapshots

As presented at [Kawaiicon 2025](https://kawaiicon.org/) by [Calum Hall](https://www.youtube.com/watch?v=hIeNuqq12sk&t=1390s), Time Machine snapshots can be used to bypass [File Access Authorization rules](https://www.youtube.com/watch?v=hIeNuqq12sk&t=1390s).

You can stop the taking of local snapshots by creating a signing ID for `platform:com.apple.tmutil` and attaching the following CEL program:

```
'localsnapshot' in args ? BLOCKLIST : ALLOWLIST
```

This will break taking local snapshots via the command line. Alternatively, if you still need to be able to take Time Machine snapshots but don’t want users to mount them locally, you can block the mounting of local snapshots with a signing ID rule for `platform:com.apple.mount_apfs` and the following CEL program:

```
('-s' in args &&
  args.exists(arg, arg.contains("com.apple.TimeMachine."))) ? BLOCKLIST : ALLOWLIST
```

