Add support for logging when codesigning has become invalidated for a process.
This adds support to the Recorder to log when codesigning is invalidated as reported by the Endpoint Security Framework's
ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED event.
* e2e test usb mounting
* no poweroff
* no start
* drive usb via sync server since its up
sudo santactl status
sudo?
* revert nostart/nopoweroff
* bump VMCLI minimum os version
* e2e for macos 14
* no shutdown
* gh path
* dismiss santa popup after bad binary
* sleep for ui
* re-enable start vm
* re-enable poweroff
* tabs
* ratchet checkout actions in e2e
* Fix issue preventing rule import / export from working.
* Removed unused --json option from help string.
* Document that import and export as taking a path argument.
Update the syncing-overview.md document to note that FCM based push notifications are not currently available outside the internal Google deployment of Santa.
Update the configuration.md document to note that FCM based push notifications are not currently available outside the internal Google deployment of Santa
Previously the sync command required root in order to establish a connection to santad with enough privilege to use the XPC methods for adding rules. Now that santasyncservice exists this requirement is no longer necessary and there is no risk in allowing unprivileged users to initiate a sync.
We still ensure that privileges are dropped, just in case someone does execute as root.
Fields like pid, ppid, execution_time, current_sessions etc. are not supplied in Event uploads when the decision is BUNDLE_BINARY (ie. Events generated by the bundle scanning service, rather than actual executions) so I have marked these as not required in the API definition.
Few other small formatting tidy-ups while I was there.
* Allow per-policy and per-rule FAA URL and button text
* Add format string support to the custom URL. Added SNTBlockMessageTest.
* Add event URL to TTY message.
* Allow rule specific policy to "clear" global to remove buttons for the rule
* Remove extra beta label for FAA
* Support new config (and sync config) option to override file access action.
* Adopt override action config in file access client
* Add sync service and file access client tests
* Require override action to be specific values. Add new sync setting to docs.
* WIP: UI: open cert modal, hookup silence checkbox. Add cert helper funcs.
* Popup dialog on file access violation. Support config-based and custom messages.
* Send message to TTY on file access rule violation
* TTYWriter Write now takes an es_process_t. Fix async data lifespan issue.
* Dedupe TTY message printing per process per rule
* Some minor swift beautification
* Remove main app from dock when showing file access dialog
* Update header docs
* Remove define guards for ObjC header file
* Update Source/common/CertificateHelpers.h
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Fix comment typo
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Use #import for ObjC headers
* Use #import for ObjC header
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* lint
* Comment use of escape sequences
---------
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Bump bazel and build_bazel_rules_apple versions
* Minor change in Source dir to trigger github build actions
* Declare some archives higher up due to deps changes
The logupload stage was referred to in this document but was removed in #331.
FYI this document also refers to santactl performing syncs, which I believe is now handled by santasyncservice, but I am not familiar enough with it to document sorry.
Removes file_bundle_binary_count and file_bunde_hash from the Rule definition and examples
These were accidentally added to the Rule definition and examples, rather than to the Event section in #1130.
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
Added SigningID/TeamID to Event definition
Added SigningID and TeamID to the definition of Events in the EventUpload stage
Documented SigningID and TeamID in the definition of Events in the EventUpload stage
