* Initial structure for ES wrappers, enriched types, logging
* Basic working ES and logging functionality
* Add in oneTBB and thread-safe-lru deps
* Added a bunch of enriched types
* Auto-mute self when establishing ES client
* Basic auth, tamper client. Syslog of all events. Basic compiler tracking.
* Update copyright header blobs, convert some tabs to spaces
* Auth result cache. Fix getting translocation path.
* Added remaining cache methods
* Add AuthResultCache to Recorder client. Cache now operates on es_file_t.
* Hooked up SNTPrefixTree
* Fix CompilerController for RENAME. Fix AllowList logging missing path.
* Block loading Santa kext
* Added device manager client
* Properly log DiskAppear events
* Fix build to adopt new adhoc build
* Handle clearing cache on UNMOUNT events
* Ignore other ES clients if configured
* Remove SNTAllowlistInfo. Rename AllowList to Allowlist. Minor cleanup.
* Recorder now logs asynchronously. Enricher now returns shared_ptrs.
* Added File writer. Added timestamps to BasicStream serializer.
* Skip calling stat in SNTFileInfo when path given by ES.
* Fix build issue
* Address draft PR feedback
* santactl integrated, XPC works, fix file writer bug
* Integrate syncservice. Start observing some config changes.
* Add metrics service wrapper
* Add metrics config observers and metrics interval reset.
* Start better dependency control. Add Null logger support.
* Added more deps
* Added more deps
* Fix issue where metric service wasn't starting
* Add missing variant include
* Fix missing parent proc name
* Added googletest and new unit test macro
* Started expanding AuthResultCacheTest
* Properly mock EndpointSecurityAPI
* Finished AuthResultCacheTest
* bazelrc now builds all C++ as C++17. Added LoggerTest.
* Add FileTest. Abstract some File constants to Logger.
* Added Empty serializer test
* Started work on BasicStringTest. Fixed some BasicString serialization bugs.
* Added Unlink BasicString serialization test
* Added some more tests. Commonized some test code
* Finished BasicStringTest. Converted to XCTest.
* Standardize esapi variable naming
* Bubble up gTest expect failures to XCTest failures
* AuthResultCacheTest now uses XCTest. Added common TestUtils.h
* EmptyTest now uses XCTest.
* FileTest now uses XCTest
* LoggerTest now uses XCTest. Removed santa_unit_gtest bazel macro.
* Added ClientTest
* Add basic Enricher tests
* Add MessageTest. Make more TestUtils.
* Rename metrics to Metrics
* Add MetricsTest.
* Apply template pattern to Serializer
* Add SNTDecisionCacheTest.
* Add SNTCachedDecisionTest.
* Testing with coveralls debug mode
* Allow manual CI runs
* Remove unused property
* Started work on SNTEndpointSecurityClientTest.
* WIP SNTEndpointSecurityClientTest, fix test run issue
* Added more base ES client tests
* Add more base ES client tests
* Base ES client tests done. Added serializer utils/tests. Expanded basic string tests.
* Add utils test to test suite
* Add copy ctor. Add test output to bazel coverage.
* Single thread bazel coverage
* Updaload coverage file
* Updaload coverage file
* Old gen cov test
* Restructure message handlers to enable better testability
* Added enable tests for all ES clients
* Made a single MockEndpointSecurityAPI class to share everywhere
* Added most of SNTCompilerControllerTest
* Cleanup SNTCompilerControllerTest
* Started expanding Auth client test
* Finished up the Authorizer tests
* Move to using enum class for notify/auth instead of bool
* WIP for tamper resistance test. ASAN issues.
* Add OCMock patch to fix test issue on ARM Macs
* Changed patches directory name to external_patches
* Update WORKSPACE path
* Finished up Tamper Resistance tests
* Finished up Recorder tests.
* Move SNTExecutionControllerTest to ObjC++
* Initial work to port SNTExecutionControllerTest
* Finished porting SNTExecutionControllerTest.
* Added SNTExecutionControllerTest to list of unit tests
* Ported SNTEndpointSecurityDeviceManager.
* Test cleanup, use MockESAPI expectation helpers
* Verify SNTEndpointSecurityDeviceManager expectations differently
* Test cleanup, omit gTest param list where unused
* Log message cleanup
* Rename SNTApplicationTest to santad_test.mm
* Finished porting santad_test, formerly SNTApplicationTest
* Fix SNTEndpointSecurityDeviceManager issues
* Pulled in missed fixes. Updated tests.
* Renamed lowercase filenames to match rest of codebase
* Fix non-static dispatch_once_t, and noisy watching compiler log message
* WIP Started process of removing components no longer used
* WIP Continued process of removing components no longer used
* BUILD file cleanup. Proto warning. Removed unused global
* Rename SNTEventProvider to SNTEndpointSecurityEventHandler
* Rename SNTEndpointSecurityEventHandler protocol
* Remove EnableSysxCache option. Remove --quick flag used during dev.
* Ran testing/fix.sh
* Addmissing param to fix.sh that was omitting .mm files.
* clang-format
* Fix linter: find cmd missing .mm ext, git grep exclude patch files.
* Use MakeESProcess default params in tests
* Move variables to camelCase in objc classes
* More case changes
* Sanitize strings
* Change dispatch queue priorities and standardize daemon queue naming
* Exclude patch files in markdown check
* Ensure string log messages end with newline
* Fix BasicStringTest
* Disable clang-format in code producing different results in local/remote versions
* Moved to using date ranges in copyright notices as per current guidelines
* Update Source/common/SNTConfigurator.h
Suggestion adding whitespace in comment to fix clang-format mangling
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Removed santa_panic macro used in one place
* Updated comment about ES cachability
* Pin oneTBB to specific commit
* Address outstanding WORKSPACE 'canonical reproducible form' messages
* Use string append instead of ostringstream due to benchmark results
* Remove use of freind classes in EnrichedTypes.h
* Added SNTKVOManager, removed observers from SNTConfigurator.
* Fixed SNTEndpointSecurityRecorderTest class name
* Reduce usage of the auto keyword
* Each SNTKVOManager instance now adds its own observer
* Replaced more auto keywords with real types.
* Remove leftover code coverage debugging from ci.yml
* Updated comment
* Memoize SNTFileInfo sha256. Reduce some cache sizes.
* Fix issue checking for translocated paths
* Use more performant NSURL creation method
* Fix lint issue
* Address PR feedback
* Use an array literal for kvo objects
* Fix some clang tidy and import issues
* Replace third party LRU cache with SantaCache for now
* Fix clang tidy issues
* Address PR feedback
* Fix comment typo
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
* Added todo for when we adopt macOS 13
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
The fileinfo tests didn't work on BigSur because of some path and binary changes.
Also, the embeddedPlist method didn't work on fat binaries, of which there are now
many, because of M1 machines. I think we didn't notice this before because we pull
the embedded plist from the first arch listed in the headers dict which generally
seemed to pick x86_64 first but with the arm64/arm64e option being added
that now appears first.
Also fixed some errors handling 32-bit segment/sections and added a test for this.
Add helper to make declaring unit tests easier
Add unit_tests test_suite containing all unit tests
Fix reload rule
Update to workspace-relative header locations that were missed before
* temporarily gutted SNTCommandFileInfo. Added SNTCommand base class for all
of the SNTCommand* classes to inherit from. Changed commands so that they
are consistently instantiated before being run, with a common init method.
* Put most of SNTCommandFileInfo functionality back in
* follow symlinks
* added -r and --recursive flags and updated help text
* moved humanReadableFileType to SNTFileInfo
* added back JSON output
* Fixed bundle info. Grab directory color from ENV variable.
* fixed indentation, moved stuff around
* Added SNTCommandFileInfo * back as parameter to property getters so that rule getter
doesn't have to be a special case any more.
* fixed code review issues
* added SNTCommand.h and SNTCommand.m to project
* added SNTCommand.m to build phases
* removed trailing spaces
* fixed tests for SNTCommandFileInfo and added a few more
* fix end-of-line comment spacing to conform to style guide
* Use NSBundle instead of NSWorkspace to determine if path is a bundle.
* added autorelease pool inside recursive search loop to fix bug where file listing
would abruptly stop after so many files with mach header related keys.
* removed directory headers. don't separate entries with newline when printing single key. format output based on max key length.
* an attempt at speeding things up. also halfway fixed broken cert-index key.
* speedups via caching MOLCodeSignChecker & not using NSMutableString append*
* fix json ouput with cert-index, single key output, & cache SHA values
* reverted back to NSMutableString for building up output, since it seems slightly better
or at least no worse than using an NSMutableArray
* Don't print empty JSON objects
* fixed non-thread-safe JSON commas
* made the print dispatch group a property so it doesn't have to be passed around
* Fixed certIndex indexing bug & better error checking when parsing --cert-index argument
* prevent unsigned int overflow
* fixed logic tests broken by objc_setAssociatedObject with nil SNTFileInfo argument
* send error output to the serial print queue
* NSBundle bundleWithPath: returns an object even for non-bundle directories, so need to also check that there's a valid bundle identifier.
* Added TODO comment and fixed formatting issues
* added cached codeSignChecker property to SNTFileInfo
* rewrote SNTFileInfo's codesignChecker method to include an error reference parameter & removed @synchronized
* Removed caching of SHA values from SNTFileInfo
* use property getter/setter to access codesignCheckerError
* Change nil NSError ** arguments to NULL
* Don't try to create a new codesignChecker if there was previously an error
* Fix NSDirectoryEnumerator memory usage & don't retain self in rule getter.
The NSStrings grabbed from the directory enumerator needed a chance to be freed.
* fixed colon alignment
Split the kernel-land cache into 2 separate caches, one for the root
volume and one for secondary volumes. When an unmount happens, clear
the non-root cache to ensure no overlap with filesystem IDs.
* santabs: Create Santa Bundle Service
* common: SNTXPCConnection add initClientWithServiceName:
* santad: add logic for blocked bundles
* SantaGUI: add ui elements and xpc connections to / from santabs
* santactl/sync: add api features for syncing bundle events
* santactl/bundleinfo: add bundleinfo command for debug builds
* common: prefer bundle hash over file hash for event urls
* common: remove syncBackoff property - this is now handled in santactl sync
* common: add properties to support the bundle event api
* common: find a bundle from a nested binary
* review updates
* sane bundle hash time outs
* post rebase updates
* post review updates
pread can return less than the chunk size (e.g. signal caught in the
middle) and hence we need to handle it. This change also cleans up the
hash function and makes it more performant.
- Use fcntl to disable cache and issue an advisory read
- Increase default chunk size from 4KB to 256KB
- Use pread to read from file descriptor, rather than make NSData objects
This is ~15% faster.
