* Emit a log warning when overrides were applied
* Overrides now disabled in tests unless explicitly enabled
* Remove log message. Check for xctest instead of bazel env vars.
* Typo
* Change the behavior of addedRulesShouldFlushDecisionCache to flush when 1000 non-allowlist rules are added or a remove rule is encountered or any new non-allowlist rules are added
* Add tests for cache flushing behavior.
* process annotations: thread the tree through santa
* Update enricher to read annotations from the ProcessTree
* rebase changes
* add configuration for annotations, disabling the tree entirely if none are enabled
* lingering build dep
* use tree factory constructor
* fix configurator
* build fixes
* rebase fixes
* fix tests
* review comments
* lint
* english hard
* record metrics even when event only used for process tree
* ProcessTree: add macos-specific loader and event adapter
* lingering darwin->macos
* lint
* remove defunct client id
* struct rename
* and one last header update
* use EndpointSecurityAPI in adapter
* expose esapi in message
* Responses to events about to exceed deadline should respect FailClosed
* Only respect FailClosed when in Lockdown mode. Update docs.
* FailClosed in Configurator now wraps checking client mode
* PR feedback
* Fix execution controller tests with new FailClosed logic
* ProcessTree: add core process tree logic
* make Step implicitly called by Handle* methods
* lint
* naming convention
* widen pidversion to be generic
* move os specific backfill to os specific impl
* simplify ts checking
* retain/release a whole vec of pids
* document processtoken
* lint
* namespace
* add process tree to project-wide unit test target
* case change annotations
* case change annotations
* remove stray comment
* default initialize seen_timestamps
* fix missing initialization of refcnt and tombstoned
* reshuffle pb namespace
* pr review
* move annotation registration to tree construction
* use factory function for tree construction
* WIP Clean syncs now leave non-transitive rules by default
* WIP Get existing tests compiling and passing
* Remove clean all sync server key. Basic tests.
* Add SNTConfiguratorTest, test deprecated key migration
* Revert changes to santactl status output
* Add new preflight response sync type key, lots of tests
* Rework configurator flow a bit so calls cannot be made out of order
* Comment clean sync states. Test all permutations.
* Update docs for new sync keys
* Doc updates as requested in PR
* Make santactl status always print out transitive rule status even when not using a sync service.
* Fix typo in SNTCommandRule.m.
* Updated JSON values to put transitive_rules in the daemon section.
* Add missing config keys
* Use more consistent wording
* More consistent whitespace
* Reorder constants to appropriate section groups
* Update docs/deployment/configuration.md
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
---------
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
* Ignore TID/SID rules for dev signed code
* Handle code paths from santactl
* Don't bother evaluating isProdSignedCallback if not necessary
* PR feedback. Link to docs.
* WIP add config support to filter logged entitlements
* Add EntitlementInfo proto message to store if entitlements were filtered
* Log cleanup
* Address PR feedback
* Address PR feedback
GoogleTest when built with GTEST_HAS_ABSL fails to convert these strings
to a `std::string_view`. Let's instead explicitly convert them to a
`std::string_view`.