* Add metrics for stat change detection
* Fix test related issues due to partially constructed messages
* lint
* Convert errno to enum class StatResult
* Cleanup from PR feedback
Bumping from BACKGROUND to DEFAULT had the desired impact of processing events faster and reducing memory usage but had a larger-than-expected increase in CPU usage. UTILITY is in the middle of these two and better fits the desired priority.
The use of the background queue is a historical artifact from when Santa had its own kernel extension with separate in-kernel queues for processing AUTH & NOTIFY type events. With the move to ES and the larger number of event types that we now notify on, running at the background QoS carries a small risk that the thread processing these events is not given a chance to run often enough, so that the queue grows and increases memory usage.
* Update SNTPolicyProcessor to use a map instead of a giant switch statement
Update SNTPolicyProcessor to use a map instead of a giant switch statement.
Add unit tests for the method that sets SNTCachedDecision values.
* Remove unnecessary OCMock dep in BUILD file.
* Fix typo in method signature.
* Incorporate review feedback.
* Upper case UpdateCachedDecisionSigningInfo
* Update SNTPolicyProcessor.h
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Update SNTPolicyProcessor.mm
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Fix typo
* Fix linter issues.
* Fixed up more linter issues.
---------
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
This includes updating to rules_apple 3.5.1 and protobuf 26.1, as well as updating several tests to no longer use the data attribute to pass in testdata.
* Emit a log warning when overrides were applied
* Overrides now disabled in tests unless explicitly enabled
* Remove log message. Check for xctest instead of bazel env vars.
* Typo
* Change the behavior of addedRulesShouldFlushDecisionCache to flush when 1000 non-allowlist rules are added, a remove rule is encountered, or any new non-allowlist rules are added
* Add tests for cache flushing behavior.
* process annotations: thread the tree through santa
* Update enricher to read annotations from the ProcessTree
* rebase changes
* add configuration for annotations, disabling the tree entirely if none are enabled
* lingering build dep
* use tree factory constructor
* fix configurator
* build fixes
* rebase fixes
* fix tests
* review comments
* lint
* English hard
* record metrics even when event only used for process tree
* ProcessTree: add macos-specific loader and event adapter
* lingering darwin->macos
* lint
* remove defunct client id
* struct rename
* and one last header update
* use EndpointSecurityAPI in adapter
* expose esapi in message