* Convert santa::santad::logs::endpoint_security::serializers::Utilities
* Convert santa::santad::logs::endpoint_security::writers
* Convert santa::santad::logs::endpoint_security::serializers
* Convert santa::santad::logs::endpoint_security and santatest
* Lint
* Change type alias names to not conflict with sysinfo.h
* Change the behavior of addedRulesShouldFlushDecisionCache to flush when 1000 non-allowlist rules are added or a remove rule is encountered or any new non-allowlist rules are added
* Add tests for cache flushing behavior.
* WIP Clean syncs now leave non-transitive rules by default
* WIP Get existing tests compiling and passing
* Remove clean all sync server key. Basic tests.
* Add SNTConfiguratorTest, test deprecated key migration
* Revert changes to santactl status output
* Add new preflight response sync type key, lots of tests
* Rework configurator flow a bit so calls cannot be made out of order
* Comment clean sync states. Test all permutations.
* Update docs for new sync keys
* Doc updates as requested in PR
* Allow per-policy and per-rule FAA URL and button text
* Add format string support to the custom URL. Added SNTBlockMessageTest.
* Add event URL to TTY message.
* Allow rule specific policy to "clear" global to remove buttons for the rule
* Remove extra beta label for FAA
This allows a sync server to send a `custom_url` field along with a rule blocking execution and this will be used as the URL for the "open" button in place of the normally generated URL.
* Bump DB version. Ensure proper casing for rule identifiers on insert.
* Minor comment fixes, more test cases
* Handle SigningIDs using the delimiter character
* lint
* PR feedback
* Basic working prototype to display a UI on blocked file access
* Force watch items policies to be silent for now
* Remove unused view
* Refactor to not use newer SwiftUI features
* Address PR feedback
* WIP: Signing ID rules
* WIP: More work supporting signing ID rules
* Expanded exec controller tests for signing ID and team ID
* wip all current tests now pass
* Added integration tests
* Branch cleanup
* Update protobuf tests for signing id reason types
* Remove old commented out code
---------
Co-authored-by: Russell Hancox <russell@hancox.us>
* Add method to get WatchItems state
* Update santactl status with watch items state
* Update status label
* PR feedback - add missing dispatch_group_leave
* WIP parsing new watch item config format
* Change WatchItemPolicy param order. Define policy default constants.
* rename write_only policy member to allow_read_access
* WIP parsing new config format, WatchItemsTest all pass
* Restructured process config parsing. Added tons of tests.
* Abstract NSError creation to a function
* Better errors. Bubble up NSErrors to reduce duplicate messages. More Tests.
* Validate min string lengths. Add a bunch more tests.
* Adopt new policy process logic and add tests
* Address PR feedback
* Support more file access protection event types
* Update tests for new events and method signatures
* lint
* Add metrics for new event types
* Add support for LINK event
* Fix spacing
* WIP begin adopting new ES APIs inverting target mute paths
* Track subscription status so as not to unnecessarily enable/disable
* Properly chain call to invert target mute paths. Fix using wrong Message obj.
* Add base client tests
* Support compiling on older platforms
* More changes to support compiling on older platforms
* Only enable watch items periodic task on macOS 13
* Add more asserts to test
* Disable ES caching for now
* lint
* Change FindPolicyForPath to operate on vector of inputs
* Adopt new interface to find all policies simultaneously
* Fix tests to use new FindPoliciesForPath signature
* WIP Dynamic watch item config loading. Dynamic event handler protocol.
* Clients can now register with WatchItems to be enabled/disabled
* Handle dynamic fs monitor config add/modify/delete, dynamic enable/disable clients
* Update WatchItemsTest to use new constructor
* Better check handling value changes
* Add missing mock config value to fix integration test
* Add policy version to config. Return policy decision as enum.
* Check EnableBadSignatureProtection config when evaluating instigating procs
* Draft proto update for file access
* Revert "Draft proto update for file access"
This reverts commit 5d7e9a9e03.
* Change return type to work around OCMock partial mocking issues
* lint
* WIP Initial work for new fs watcher client
* WIP basic working mechanics of applying policy to OPEN events
* WIP now support allowing access based on cdhash
* WIP lint fix
* WIP check instigator cdhash and cert hash against policy
* WIP Fix test issue in base ES client class
* WIP Fix test issue in water items test
* Added secondary lookup cache for cert hashes and fallback lookups
* Adopt new SantaVnode name
* Adopt min macOS 11. Adopt new SantaCacheHasher for SantaVnode.
* Rename the es client to FileAccessAuthorizer
* Added some more tests
* Added MockLogger and a lot more tests.
* Removed currently unused subscriptions. Don't enable FS client by default
* lint
* lint after rebase
* Use strtoul for hex string conversion. Update comments.
* PR feedback
* WIP started work on parsing config
* WIP Basics of parsing config and generating new policy
* WIP Reapplying config updates functionally complete. Needs a lot more tests.
* Test cleanup, added using decl for watch items tree type
* More WatchItems tests and test polishing.
* Remove test print function. Formatting.
* Commented use of __BLOCKS__ undef
* Return a shared_ptr from factory
* Change WatchItemsPolicy to store sets instead of vectors
* Remove unnecessary WatchItem, replace with string
* Typo
* Update error messages to not make it sound like parse errors are recoverable
* Initial structure for ES wrappers, enriched types, logging
* Basic working ES and logging functionality
* Add in oneTBB and thread-safe-lru deps
* Added a bunch of enriched types
* Auto-mute self when establishing ES client
* Basic auth, tamper client. Syslog of all events. Basic compiler tracking.
* Update copyright header blobs, convert some tabs to spaces
* Auth result cache. Fix getting translocation path.
* Added remaining cache methods
* Add AuthResultCache to Recorder client. Cache now operates on es_file_t.
* Hooked up SNTPrefixTree
* Fix CompilerController for RENAME. Fix AllowList logging missing path.
* Block loading Santa kext
* Added device manager client
* Properly log DiskAppear events
* Fix build to adopt new adhoc build
* Handle clearing cache on UNMOUNT events
* Ignore other ES clients if configured
* Remove SNTAllowlistInfo. Rename AllowList to Allowlist. Minor cleanup.
* Recorder now logs asynchronously. Enricher now returns shared_ptrs.
* Added File writer. Added timestamps to BasicStream serializer.
* Skip calling stat in SNTFileInfo when path given by ES.
* Fix build issue
* Address draft PR feedback
* santactl integrated, XPC works, fix file writer bug
* Integrate syncservice. Start observing some config changes.
* Add metrics service wrapper
* Add metrics config observers and metrics interval reset.
* Start better dependency control. Add Null logger support.
* Added more deps
* Added more deps
* Fix issue where metric service wasn't starting
* Add missing variant include
* Fix missing parent proc name
* Added googletest and new unit test macro
* Started expanding AuthResultCacheTest
* Properly mock EndpointSecurityAPI
* Finished AuthResultCacheTest
* bazelrc now builds all C++ as C++17. Added LoggerTest.
* Add FileTest. Abstract some File constants to Logger.
* Added Empty serializer test
* Started work on BasicStringTest. Fixed some BasicString serialization bugs.
* Added Unlink BasicString serialization test
* Added some more tests. Commonized some test code
* Finished BasicStringTest. Converted to XCTest.
* Standardize esapi variable naming
* Bubble up gTest expect failures to XCTest failures
* AuthResultCacheTest now uses XCTest. Added common TestUtils.h
* EmptyTest now uses XCTest.
* FileTest now uses XCTest
* LoggerTest now uses XCTest. Removed santa_unit_gtest bazel macro.
* Added ClientTest
* Add basic Enricher tests
* Add MessageTest. Make more TestUtils.
* Rename metrics to Metrics
* Add MetricsTest.
* Apply template pattern to Serializer
* Add SNTDecisionCacheTest.
* Add SNTCachedDecisionTest.
* Testing with coveralls debug mode
* Allow manual CI runs
* Remove unused property
* Started work on SNTEndpointSecurityClientTest.
* WIP SNTEndpointSecurityClientTest, fix test run issue
* Added more base ES client tests
* Add more base ES client tests
* Base ES client tests done. Added serializer utils/tests. Expanded basic string tests.
* Add utils test to test suite
* Add copy ctor. Add test output to bazel coverage.
* Single thread bazel coverage
* Updaload coverage file
* Updaload coverage file
* Old gen cov test
* Restructure message handlers to enable better testability
* Added enable tests for all ES clients
* Made a single MockEndpointSecurityAPI class to share everywhere
* Added most of SNTCompilerControllerTest
* Cleanup SNTCompilerControllerTest
* Started expanding Auth client test
* Finished up the Authorizer tests
* Move to using enum class for notify/auth instead of bool
* WIP for tamper resistance test. ASAN issues.
* Add OCMock patch to fix test issue on ARM Macs
* Changed patches directory name to external_patches
* Update WORKSPACE path
* Finished up Tamper Resistance tests
* Finished up Recorder tests.
* Move SNTExecutionControllerTest to ObjC++
* Initial work to port SNTExecutionControllerTest
* Finished porting SNTExecutionControllerTest.
* Added SNTExecutionControllerTest to list of unit tests
* Ported SNTEndpointSecurityDeviceManager.
* Test cleanup, use MockESAPI expectation helpers
* Verify SNTEndpointSecurityDeviceManager expectations differently
* Test cleanup, omit gTest param list where unused
* Log message cleanup
* Rename SNTApplicationTest to santad_test.mm
* Finished porting santad_test, formerly SNTApplicationTest
* Fix SNTEndpointSecurityDeviceManager issues
* Pulled in missed fixes. Updated tests.
* Renamed lowercase filenames to match rest of codebase
* Fix non-static dispatch_once_t, and noisy watching compiler log message
* WIP Started process of removing components no longer used
* WIP Continued process of removing components no longer used
* BUILD file cleanup. Proto warning. Removed unused global
* Rename SNTEventProvider to SNTEndpointSecurityEventHandler
* Rename SNTEndpointSecurityEventHandler protocol
* Remove EnableSysxCache option. Remove --quick flag used during dev.
* Ran testing/fix.sh
* Addmissing param to fix.sh that was omitting .mm files.
* clang-format
* Fix linter: find cmd missing .mm ext, git grep exclude patch files.
* Use MakeESProcess default params in tests
* Move variables to camelCase in objc classes
* More case changes
* Sanitize strings
* Change dispatch queue priorities and standardize daemon queue naming
* Exclude patch files in markdown check
* Ensure string log messages end with newline
* Fix BasicStringTest
* Disable clang-format in code producing different results in local/remote versions
* Moved to using date ranges in copyright notices as per current guidelines
* Update Source/common/SNTConfigurator.h
Suggestion adding whitespace in comment to fix clang-format mangling
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Removed santa_panic macro used in one place
* Updated comment about ES cachability
* Pin oneTBB to specific commit
* Address outstanding WORKSPACE 'canonical reproducible form' messages
* Use string append instead of ostringstream due to benchmark results
* Remove use of freind classes in EnrichedTypes.h
* Added SNTKVOManager, removed observers from SNTConfigurator.
* Fixed SNTEndpointSecurityRecorderTest class name
* Reduce usage of the auto keyword
* Each SNTKVOManager instance now adds its own observer
* Replaced more auto keywords with real types.
* Remove leftover code coverage debugging from ci.yml
* Updated comment
* Memoize SNTFileInfo sha256. Reduce some cache sizes.
* Fix issue checking for translocated paths
* Use more performant NSURL creation method
* Fix lint issue
* Address PR feedback
* Use an array literal for kvo objects
* Fix some clang tidy and import issues
* Replace third party LRU cache with SantaCache for now
* Fix clang tidy issues
* Address PR feedback
* Fix comment typo
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
* Added todo for when we adopt macOS 13
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
* Refactor the SNTApplicationTest unit tests to function correctly.
The tests were originally written in a table style and were impacted by the lack of mocking the configurator. This caused issues with static rules to impact the unit tests.
Additionally added improved logging messages for critical binaries and a todo for macOS 13 unit tests.
Added goodbinary and rules.db test files to allstar's ignored paths.
* Populate critical paths from the ES default mute set
* Attempt to fix build on older macos
* Link ES to build SNTRuleTableTest
* Workflow test
* Use preprocessor macros to support building on older SDKs
* Add API availability
This adds a full functional test for starting up an SNTApplication
(with as few mocks as possible) and executing it with a directly
recorded & collected EndpointSecurity event.
This also fixes a potential race condition and segfault on Santa startup: due
to es_subscribe being called first, it's possible for an es event to arrive
before listenForDecisionRequests or listenForLogRequests are called,
causing the SNTEndpointSecurityManager callbacks to call a nil pointer.
