* Emit a log warning when overrides were applied
* Overrides now disabled in tests unless explicitly enabled
* Remove log message. Check for xctest instead of bazel env vars.
* Typo
* process annotations: thread the tree through santa
* Update enricher to read annotations from the ProcessTree
* rebase changes
* add configuration for annotations, disabling the tree entirely if none are enabled
* lingering build dep
* use tree factory constructor
* fix configurator
* build fixes
* rebase fixes
* fix tests
* review comments
* lint
* english hard
* record metrics even when event only used for process tree
* Responses to events about to exceed deadline should respect FailClosed
* Only respect FailClosed when in Lockdown mode. Update docs.
* FailClosed in Configurator now wraps checking client mode
* PR feedback
* Fix execution controller tests with new FailClosed logic
* WIP Clean syncs now leave non-transitive rules by default
* WIP Get existing tests compiling and passing
* Remove clean all sync server key. Basic tests.
* Add SNTConfiguratorTest, test deprecated key migration
* Revert changes to santactl status output
* Add new preflight response sync type key, lots of tests
* Rework configurator flow a bit so calls cannot be made out of order
* Comment clean sync states. Test all permutations.
* Update docs for new sync keys
* Doc updates as requested in PR
* Add missing config keys
* Use more consistent wording
* More consistent whitespace
* Reorder constants to appropriate section groups
* Update docs/deployment/configuration.md
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
---------
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
* WIP add config support to filter logged entitlements
* Add EntitlementInfo proto message to store if entitlements were filtered
* Log cleanup
* Address PR feedback
* Address PR feedback
Add support for logging when codesigning has become invalidated for a process.
This adds support to the Recorder to log when codesigning is invalidated as reported by the Endpoint Security Framework's
ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED event.
* Allow per-policy and per-rule FAA URL and button text
* Add format string support to the custom URL. Added SNTBlockMessageTest.
* Add event URL to TTY message.
* Allow rule specific policy to "clear" global to remove buttons for the rule
* Remove extra beta label for FAA
* Support new config (and sync config) option to override file access action.
* Adopt override action config in file access client
* Add sync service and file access client tests
* Require override action to be specific values. Add new sync setting to docs.
* WIP: UI: open cert modal, hookup silence checkbox. Add cert helper funcs.
* Popup dialog on file access violation. Support config-based and custom messages.
* Send message to TTY on file access rule violation
* TTYWriter Write now takes an es_process_t. Fix async data lifespan issue.
* Dedupe TTY message printing per process per rule
* Some minor swift beautification
* Remove main app from dock when showing file access dialog
* Update header docs
* Remove define guards for ObjC header file
* Update Source/common/CertificateHelpers.h
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Fix comment typo
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Use #import for ObjC headers
* Use #import for ObjC header
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* lint
* Comment use of escape sequences
---------
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Add hot cache for file reads
* Clear cache on policy change
* Prevent unbounded cache growth
* Move cache impl to its own class
* Add some additional tests
* Cleanup
* Comment cleanup
* Switch to absl containers
* Use default absl::Hash instead of custom hasher
* Removing another reference to PairHash
* Remove unused imports
This allows a sync server to send a `custom_url` field along with a rule blocking execution and this will be used as the URL for the "open" button in place of the normally generated URL.
* Bump DB version. Ensure proper casing for rule identifiers on insert.
* Minor comment fixes, more test cases
* Handle SigningIDs using the delimiter character
* lint
* PR feedback
* Basic working prototype to display a UI on blocked file access
* Force watch items policies to be silent for now
* Remove unused view
* Refactor to not use newer SwiftUI features
* Address PR feedback
* WIP: Signing ID rules
* WIP: More work supporting signing ID rules
* Expanded exec controller tests for signing ID and team ID
* wip all current tests now pass
* Added integration tests
* Branch cleanup
* Update protobuf tests for signing id reason types
* Remove old commented out code
---------
Co-authored-by: Russell Hancox <russell@hancox.us>
Make the sync client content encoding a tunable.
This makes the sync client's content encoding a tunable so that it can be
compatible with more sync servers.
Removed the "backwards compatibility" config option.
---------
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
This change allows a sync server to change the header that Santa will use to send XSRF tokens on subsequent requests by putting the header name in the header.
