More event type support (#992)

* Add truncate and create support

* Add metrics support
Matt W
2023-01-06 18:51:40 +01:00
committed by GitHub
parent dc1a3c27c2
commit 4adad2ecfa
9 changed files with 108 additions and 43 deletions


@@ -488,6 +488,8 @@ message FileAccess {
ACCESS_TYPE_CLONE = 5;
ACCESS_TYPE_EXCHANGEDATA = 6;
ACCESS_TYPE_COPYFILE = 7;
ACCESS_TYPE_CREATE = 8;
ACCESS_TYPE_TRUNCATE = 9;
}
optional AccessType access_type = 5;


@@ -118,13 +118,46 @@ es_auth_result_t CombinePolicyResults(es_auth_result_t result1, es_auth_result_t
void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
switch (msg->event_type) {
case ES_EVENT_TYPE_AUTH_OPEN:
PushBackIfNotTruncated(targets, msg->event.open.file, true);
case ES_EVENT_TYPE_AUTH_CLONE:
PushBackIfNotTruncated(targets, msg->event.clone.source, true);
PushBackIfNotTruncated(targets, msg->event.clone.target_dir, msg->event.clone.target_name);
break;
case ES_EVENT_TYPE_AUTH_CREATE:
// AUTH CREATE events should always be ES_DESTINATION_TYPE_NEW_PATH
if (msg->event.create.destination_type == ES_DESTINATION_TYPE_NEW_PATH) {
PushBackIfNotTruncated(targets, msg->event.create.destination.new_path.dir,
msg->event.create.destination.new_path.filename);
} else {
LOGW(@"Unexpected destination type for create event: %d. Ignoring target.",
msg->event.create.destination_type);
}
break;
case ES_EVENT_TYPE_AUTH_COPYFILE:
PushBackIfNotTruncated(targets, msg->event.copyfile.source, true);
if (msg->event.copyfile.target_file) {
PushBackIfNotTruncated(targets, msg->event.copyfile.target_file);
} else {
PushBackIfNotTruncated(targets, msg->event.copyfile.target_dir,
msg->event.copyfile.target_name);
}
break;
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA:
PushBackIfNotTruncated(targets, msg->event.exchangedata.file1);
PushBackIfNotTruncated(targets, msg->event.exchangedata.file2);
break;
case ES_EVENT_TYPE_AUTH_LINK:
PushBackIfNotTruncated(targets, msg->event.link.source);
PushBackIfNotTruncated(targets, msg->event.link.target_dir, msg->event.link.target_filename);
break;
case ES_EVENT_TYPE_AUTH_OPEN:
PushBackIfNotTruncated(targets, msg->event.open.file, true);
break;
case ES_EVENT_TYPE_AUTH_RENAME:
PushBackIfNotTruncated(targets, msg->event.rename.source);
if (msg->event.rename.destination_type == ES_DESTINATION_TYPE_EXISTING_FILE) {
@@ -137,26 +170,15 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
msg->event.rename.destination_type);
}
break;
case ES_EVENT_TYPE_AUTH_TRUNCATE:
PushBackIfNotTruncated(targets, msg->event.truncate.target);
break;
case ES_EVENT_TYPE_AUTH_UNLINK:
PushBackIfNotTruncated(targets, msg->event.unlink.target);
break;
case ES_EVENT_TYPE_AUTH_CLONE:
PushBackIfNotTruncated(targets, msg->event.clone.source, true);
PushBackIfNotTruncated(targets, msg->event.clone.target_dir, msg->event.clone.target_name);
break;
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA:
PushBackIfNotTruncated(targets, msg->event.exchangedata.file1);
PushBackIfNotTruncated(targets, msg->event.exchangedata.file2);
break;
case ES_EVENT_TYPE_AUTH_COPYFILE:
PushBackIfNotTruncated(targets, msg->event.copyfile.source, true);
if (msg->event.copyfile.target_file) {
PushBackIfNotTruncated(targets, msg->event.copyfile.target_file);
} else {
PushBackIfNotTruncated(targets, msg->event.copyfile.target_dir,
msg->event.copyfile.target_name);
}
break;
default:
[NSException
raise:@"Unexpected event type"
@@ -269,9 +291,11 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
}
break;
case ES_EVENT_TYPE_AUTH_CREATE:
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA:
case ES_EVENT_TYPE_AUTH_RENAME:
case ES_EVENT_TYPE_AUTH_LINK:
case ES_EVENT_TYPE_AUTH_RENAME:
case ES_EVENT_TYPE_AUTH_TRUNCATE:
case ES_EVENT_TYPE_AUTH_UNLINK:
// These event types have no special case
break;
@@ -451,8 +475,9 @@ void PopulatePathTargets(const Message &msg, std::vector<PathTarget> &targets) {
- (void)enable {
// TODO(xyz): Expand to support ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_TRUNCATE
std::set<es_event_type_t> events = {
ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_LINK,
ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_AUTH_UNLINK,
ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
ES_EVENT_TYPE_AUTH_LINK, ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_RENAME,
ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
};
#if HAVE_MACOS_12
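Review bot: The `else` branch of the new ES_EVENT_TYPE_AUTH_CREATE case (after the ES_DESTINATION_TYPE_NEW_PATH check) only logs and pushes no target, so an unexpected destination type presumably leaves the create with no path for the policy to evaluate — a fail-open on surprising input, which is the wrong default for an authorizer. The RENAME case a few lines below handles both destination types, and per the ES header `es_event_create_t` carries `destination.existing_file` for the non-NEW_PATH case, so the safer form is `} else { PushBackIfNotTruncated(targets, msg->event.create.destination.existing_file); }` (optionally keeping the `LOGW`); if the drop is intentional, the comment should say the file then receives no decision. The AUTH_OPEN case shown at the top of the hunk without a `break` is the removed old placement; the new code re-adds it after LINK with its own `break`, so that is history rather than a defect. PopulatePathTargets continues outside the hunk.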


@@ -342,10 +342,8 @@ void SetExpectationsForFileAccessAuthorizerInit(
// Ensure other handled event types do not have a special case
std::set<es_event_type_t> eventTypes = {
ES_EVENT_TYPE_AUTH_LINK,
ES_EVENT_TYPE_AUTH_RENAME,
ES_EVENT_TYPE_AUTH_UNLINK,
ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_LINK,
ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
};
for (const auto &event : eventTypes) {
@@ -493,8 +491,9 @@ void SetExpectationsForFileAccessAuthorizerInit(
- (void)testEnable {
std::set<es_event_type_t> expectedEventSubs = {
ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_LINK,
ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_AUTH_UNLINK,
ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_EXCHANGEDATA,
ES_EVENT_TYPE_AUTH_LINK, ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_RENAME,
ES_EVENT_TYPE_AUTH_TRUNCATE, ES_EVENT_TYPE_AUTH_UNLINK,
};
#if HAVE_MACOS_12
@@ -663,6 +662,32 @@ void SetExpectationsForFileAccessAuthorizerInit(
XCTAssertFalse(targets[1].isReadable);
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_CREATE;
esMsg.event.create.destination_type = ES_DESTINATION_TYPE_NEW_PATH;
esMsg.event.create.destination.new_path.dir = &testDir;
esMsg.event.create.destination.new_path.filename = testTok;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 1);
XCTAssertCppStringEqual(targets[0].path, dirTok);
XCTAssertFalse(targets[0].isReadable);
}
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_TRUNCATE;
esMsg.event.truncate.target = &testFile1;
std::vector<PathTarget> targets;
PopulatePathTargets(msg, targets);
XCTAssertEqual(targets.size(), 1);
XCTAssertCStringEqual(targets[0].path.c_str(), testFile1.path.data);
XCTAssertFalse(targets[0].isReadable);
}
if (@available(macOS 12.0, *)) {
{
esMsg.event_type = ES_EVENT_TYPE_AUTH_COPYFILE;
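Review bot: The new CREATE test block exercises only the ES_DESTINATION_TYPE_NEW_PATH branch of PopulatePathTargets; the `else` path that logs and drops the target is untested, so how an unexpected destination type is handled is not pinned anywhere. Add a sibling block setting `esMsg.event.create.destination_type = ES_DESTINATION_TYPE_EXISTING_FILE;` and asserting `XCTAssertEqual(targets.size(), 0);` (or whatever the intended outcome is) so a later change to that behaviour surfaces in the suite. The TRUNCATE block's `XCTAssertFalse(targets[0].isReadable)` matches the single-argument PushBackIfNotTruncated call used in the authorizer, so that case looks complete. The enclosing test method starts and ends outside the hunk.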


@@ -113,13 +113,15 @@ std::string GetModeString(SNTClientMode mode) {
std::string GetAccessTypeString(es_event_type_t event_type) {
switch (event_type) {
case ES_EVENT_TYPE_AUTH_OPEN: return "OPEN";
case ES_EVENT_TYPE_AUTH_LINK: return "LINK";
case ES_EVENT_TYPE_AUTH_RENAME: return "RENAME";
case ES_EVENT_TYPE_AUTH_UNLINK: return "UNLINK";
case ES_EVENT_TYPE_AUTH_CLONE: return "CLONE";
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA: return "EXCHANGEDATA";
case ES_EVENT_TYPE_AUTH_COPYFILE: return "COPYFILE";
case ES_EVENT_TYPE_AUTH_CREATE: return "CREATE";
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA: return "EXCHANGEDATA";
case ES_EVENT_TYPE_AUTH_LINK: return "LINK";
case ES_EVENT_TYPE_AUTH_OPEN: return "OPEN";
case ES_EVENT_TYPE_AUTH_RENAME: return "RENAME";
case ES_EVENT_TYPE_AUTH_TRUNCATE: return "TRUNCATE";
case ES_EVENT_TYPE_AUTH_UNLINK: return "UNLINK";
default: return "UNKNOWN_TYPE_" + std::to_string(event_type);
}
}


@@ -255,6 +255,7 @@ std::string BasicStringSerializeMessage(es_message_t *esMsg) {
{ES_EVENT_TYPE_AUTH_OPEN, "OPEN"}, {ES_EVENT_TYPE_AUTH_LINK, "LINK"},
{ES_EVENT_TYPE_AUTH_RENAME, "RENAME"}, {ES_EVENT_TYPE_AUTH_UNLINK, "UNLINK"},
{ES_EVENT_TYPE_AUTH_CLONE, "CLONE"}, {ES_EVENT_TYPE_AUTH_EXCHANGEDATA, "EXCHANGEDATA"},
{ES_EVENT_TYPE_AUTH_CREATE, "CREATE"}, {ES_EVENT_TYPE_AUTH_TRUNCATE, "TRUNCATE"},
{ES_EVENT_TYPE_AUTH_COPYFILE, "COPYFILE"}, {(es_event_type_t)1234, "UNKNOWN_TYPE_1234"},
};


@@ -327,13 +327,15 @@ static inline void EncodeCertificateInfo(::pbv1::CertificateInfo *pb_cert_info,
::pbv1::FileAccess::AccessType GetAccessType(es_event_type_t event_type) {
switch (event_type) {
case ES_EVENT_TYPE_AUTH_OPEN: return ::pbv1::FileAccess::ACCESS_TYPE_OPEN;
case ES_EVENT_TYPE_AUTH_LINK: return ::pbv1::FileAccess::ACCESS_TYPE_LINK;
case ES_EVENT_TYPE_AUTH_RENAME: return ::pbv1::FileAccess::ACCESS_TYPE_RENAME;
case ES_EVENT_TYPE_AUTH_UNLINK: return ::pbv1::FileAccess::ACCESS_TYPE_UNLINK;
case ES_EVENT_TYPE_AUTH_CLONE: return ::pbv1::FileAccess::ACCESS_TYPE_CLONE;
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA: return ::pbv1::FileAccess::ACCESS_TYPE_EXCHANGEDATA;
case ES_EVENT_TYPE_AUTH_CREATE: return ::pbv1::FileAccess::ACCESS_TYPE_CREATE;
case ES_EVENT_TYPE_AUTH_COPYFILE: return ::pbv1::FileAccess::ACCESS_TYPE_COPYFILE;
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA: return ::pbv1::FileAccess::ACCESS_TYPE_EXCHANGEDATA;
case ES_EVENT_TYPE_AUTH_LINK: return ::pbv1::FileAccess::ACCESS_TYPE_LINK;
case ES_EVENT_TYPE_AUTH_OPEN: return ::pbv1::FileAccess::ACCESS_TYPE_OPEN;
case ES_EVENT_TYPE_AUTH_RENAME: return ::pbv1::FileAccess::ACCESS_TYPE_RENAME;
case ES_EVENT_TYPE_AUTH_TRUNCATE: return ::pbv1::FileAccess::ACCESS_TYPE_TRUNCATE;
case ES_EVENT_TYPE_AUTH_UNLINK: return ::pbv1::FileAccess::ACCESS_TYPE_UNLINK;
default: return ::pbv1::FileAccess::ACCESS_TYPE_UNKNOWN;
}
}


@@ -536,13 +536,15 @@ void SerializeAndCheckNonESEvents(
- (void)testGetAccessType {
std::map<es_event_type_t, ::pbv1::FileAccess::AccessType> eventTypeToAccessType = {
{ES_EVENT_TYPE_AUTH_OPEN, ::pbv1::FileAccess::ACCESS_TYPE_OPEN},
{ES_EVENT_TYPE_AUTH_LINK, ::pbv1::FileAccess::ACCESS_TYPE_LINK},
{ES_EVENT_TYPE_AUTH_RENAME, ::pbv1::FileAccess::ACCESS_TYPE_RENAME},
{ES_EVENT_TYPE_AUTH_UNLINK, ::pbv1::FileAccess::ACCESS_TYPE_UNLINK},
{ES_EVENT_TYPE_AUTH_CLONE, ::pbv1::FileAccess::ACCESS_TYPE_CLONE},
{ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ::pbv1::FileAccess::ACCESS_TYPE_EXCHANGEDATA},
{ES_EVENT_TYPE_AUTH_COPYFILE, ::pbv1::FileAccess::ACCESS_TYPE_COPYFILE},
{ES_EVENT_TYPE_AUTH_CREATE, ::pbv1::FileAccess::ACCESS_TYPE_CREATE},
{ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ::pbv1::FileAccess::ACCESS_TYPE_EXCHANGEDATA},
{ES_EVENT_TYPE_AUTH_LINK, ::pbv1::FileAccess::ACCESS_TYPE_LINK},
{ES_EVENT_TYPE_AUTH_OPEN, ::pbv1::FileAccess::ACCESS_TYPE_OPEN},
{ES_EVENT_TYPE_AUTH_RENAME, ::pbv1::FileAccess::ACCESS_TYPE_RENAME},
{ES_EVENT_TYPE_AUTH_TRUNCATE, ::pbv1::FileAccess::ACCESS_TYPE_TRUNCATE},
{ES_EVENT_TYPE_AUTH_UNLINK, ::pbv1::FileAccess::ACCESS_TYPE_UNLINK},
{(es_event_type_t)1234, ::pbv1::FileAccess::ACCESS_TYPE_UNKNOWN},
};


@@ -29,6 +29,7 @@ static NSString *const kProcessorFileAccessAuthorizer = @"FileAccessAuthorizer";
static NSString *const kEventTypeAuthClone = @"AuthClone";
static NSString *const kEventTypeAuthCopyfile = @"AuthCopyfile";
static NSString *const kEventTypeAuthCreate = @"AuthCreate";
static NSString *const kEventTypeAuthExchangedata = @"AuthExchangedata";
static NSString *const kEventTypeAuthExec = @"AuthExec";
static NSString *const kEventTypeAuthKextload = @"AuthKextload";
@@ -37,6 +38,7 @@ static NSString *const kEventTypeAuthMount = @"AuthMount";
static NSString *const kEventTypeAuthOpen = @"AuthOpen";
static NSString *const kEventTypeAuthRemount = @"AuthRemount";
static NSString *const kEventTypeAuthRename = @"AuthRename";
static NSString *const kEventTypeAuthTruncate = @"AuthTruncate";
static NSString *const kEventTypeAuthUnlink = @"AuthUnlink";
static NSString *const kEventTypeNotifyClose = @"NotifyClose";
static NSString *const kEventTypeNotifyExchangedata = @"NotifyExchangedata";
@@ -70,6 +72,7 @@ const NSString *EventTypeToString(es_event_type_t eventType) {
switch (eventType) {
case ES_EVENT_TYPE_AUTH_CLONE: return kEventTypeAuthClone;
case ES_EVENT_TYPE_AUTH_COPYFILE: return kEventTypeAuthCopyfile;
case ES_EVENT_TYPE_AUTH_CREATE: return kEventTypeAuthCreate;
case ES_EVENT_TYPE_AUTH_EXCHANGEDATA: return kEventTypeAuthExchangedata;
case ES_EVENT_TYPE_AUTH_EXEC: return kEventTypeAuthExec;
case ES_EVENT_TYPE_AUTH_KEXTLOAD: return kEventTypeAuthKextload;
@@ -78,6 +81,7 @@ const NSString *EventTypeToString(es_event_type_t eventType) {
case ES_EVENT_TYPE_AUTH_OPEN: return kEventTypeAuthOpen;
case ES_EVENT_TYPE_AUTH_REMOUNT: return kEventTypeAuthRemount;
case ES_EVENT_TYPE_AUTH_RENAME: return kEventTypeAuthRename;
case ES_EVENT_TYPE_AUTH_TRUNCATE: return kEventTypeAuthTruncate;
case ES_EVENT_TYPE_AUTH_UNLINK: return kEventTypeAuthUnlink;
case ES_EVENT_TYPE_NOTIFY_CLOSE: return kEventTypeNotifyClose;
case ES_EVENT_TYPE_NOTIFY_EXCHANGEDATA: return kEventTypeNotifyExchangedata;


@@ -129,6 +129,7 @@ using santa::santad::ProcessorToString;
std::map<es_event_type_t, NSString *> eventTypeToString = {
{ES_EVENT_TYPE_AUTH_CLONE, @"AuthClone"},
{ES_EVENT_TYPE_AUTH_COPYFILE, @"AuthCopyfile"},
{ES_EVENT_TYPE_AUTH_CREATE, @"AuthCreate"},
{ES_EVENT_TYPE_AUTH_EXCHANGEDATA, @"AuthExchangedata"},
{ES_EVENT_TYPE_AUTH_EXEC, @"AuthExec"},
{ES_EVENT_TYPE_AUTH_KEXTLOAD, @"AuthKextload"},
@@ -136,6 +137,7 @@ using santa::santad::ProcessorToString;
{ES_EVENT_TYPE_AUTH_MOUNT, @"AuthMount"},
{ES_EVENT_TYPE_AUTH_REMOUNT, @"AuthRemount"},
{ES_EVENT_TYPE_AUTH_RENAME, @"AuthRename"},
{ES_EVENT_TYPE_AUTH_TRUNCATE, @"AuthTruncate"},
{ES_EVENT_TYPE_AUTH_UNLINK, @"AuthUnlink"},
{ES_EVENT_TYPE_NOTIFY_CLOSE, @"NotifyClose"},
{ES_EVENT_TYPE_NOTIFY_EXCHANGEDATA, @"NotifyExchangedata"},