* WIP add config support to filter logged entitlements
* Add EntitlementInfo proto message to store if entitlements were filtered
* Log cleanup
* Address PR feedback
* Address PR feedback
Add support for logging when codesigning has become invalidated for a process.
This adds support to the Recorder to log when codesigning is invalidated as reported by the Endpoint Security Framework's ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED event.
* Bump DB version. Ensure proper casing for rule identifiers on insert.
* Minor comment fixes, more test cases
* Handle SigningIDs using the delimiter character
* lint
* PR feedback
* WIP: Signing ID rules
* WIP: More work supporting signing ID rules
* Expanded exec controller tests for signing ID and team ID
* wip all current tests now pass
* Added integration tests
* Branch cleanup
* Update protobuf tests for signing id reason types
* Remove old commented out code
---------
Co-authored-by: Russell Hancox <russell@hancox.us>
* Apply clang-format to cc files
* Modify binaryproto namespace
* Add more required includes
* Add proto includes
* Assert message parsing succeeds in test
* Add optional keyword to proto fields to track presence. TESTS BROKEN.
* Update golden test data
* Initial proto serializer with close event
* Define move ctors for enriched types, delete copy ctors
* More event proto serialization. Commonized proto test code.
* Started work serializing exec event. Added serializer utilities.
* More progress serializing exec event
* Add more test data. Test restructure to permit fine-grained mocking.
* Env/FD ES types now wrapped in EndpointSecurityAPI. Added calls to proto serializer.
* Add fd type names to proto
* Version compat. Script and Working Dir encoding.
* Add process start time
* Serialize Link event
* Add null check, mainly to fix tests
* Handle versioned expectations
* Each test now builds msg in callbacks to set better expectations
* Serialize rename event and tests
* Serialize unlink event and tests
* Serialize allowlist and bundle events. Add utilities tests.
* Formatting
* Disk event proto serialization and tests
* Fix test only issues
* Rename santa_new.proto to santa.proto
* Change fd type int and string to an enum
* Proto namespace now versioned
* Added comments to proto schema
* Add proto support to indicate if fd list truncated
* Refactor the SNTApplicationTest unit tests to function correctly.
The tests were originally written in a table style and were impacted by the lack of mocking for the configurator. This caused static rules to impact the unit tests.
Additionally added improved logging messages for critical binaries and a todo for macOS 13 unit tests.
Added goodbinary and rules.db test files to allstar's ignored paths.
This adds a full functional test for starting up an SNTApplication (with as few mocks as possible) and executing it with a directly recorded & collected EndpointSecurity event.

This also fixes a potential race condition and segfault on Santa startup: due to es_subscribe being called first, it's possible for an es event to arrive before listenForDecisionRequests or listenForLogRequests are called, causing the SNTEndpointSecurityManager callbacks to call a nil pointer.