From 13e4fa292651b1195c22db377de45925295c3937 Mon Sep 17 00:00:00 2001 From: Matt W <436037+mlw@users.noreply.github.com> Date: Mon, 11 Nov 2024 15:36:58 -0500 Subject: [PATCH] Subscribe to authentication event types and handle enrichment (#107) This PR starts adding in support for new authentication event types. Protobuf/string serialization will come in future PRs. The main goal is to define the new enriched types and handle them in the enricher. --- Source/santad/BUILD | 2 + .../EndpointSecurity/EnrichedTypes.h | 177 ++++++++++++++++-- .../EndpointSecurity/Enricher.h | 3 + .../EndpointSecurity/Enricher.mm | 48 ++++- .../SNTEndpointSecurityRecorder.mm | 19 +- .../SNTEndpointSecurityRecorderTest.mm | 21 ++- .../Serializers/BasicString.h | 17 +- .../Serializers/BasicString.mm | 75 ++++---- .../Logs/EndpointSecurity/Serializers/Empty.h | 17 +- .../EndpointSecurity/Serializers/Empty.mm | 51 +++-- .../EndpointSecurity/Serializers/Protobuf.h | 5 + .../EndpointSecurity/Serializers/Protobuf.mm | 52 ++--- .../EndpointSecurity/Serializers/Serializer.h | 18 +- Source/santad/Metrics.mm | 15 +- Source/santad/MetricsTest.mm | 27 ++- 15 files changed, 384 insertions(+), 163 deletions(-) diff --git a/Source/santad/BUILD b/Source/santad/BUILD index e820399b..1dde3930 100644 --- a/Source/santad/BUILD +++ b/Source/santad/BUILD @@ -503,6 +503,7 @@ objc_library( hdrs = ["EventProviders/EndpointSecurity/EnrichedTypes.h"], deps = [ ":EndpointSecurityMessage", + "//Source/common:Platform", "//Source/santad/ProcessTree:process_tree_cc_proto", ], ) @@ -1223,6 +1224,7 @@ santa_unit_test( ":EndpointSecurityMessage", ":Metrics", ":MockEndpointSecurityAPI", + "//Source/common:Platform", "//Source/common:SNTCommonEnums", "//Source/common:SNTMetricSet", "//Source/common:TestUtils", diff --git a/Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h b/Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h index 160f6a9c..4f2c9560 100644 --- a/Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h +++ b/Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. /// This file groups all of the enriched message types - that is the /// objects that are constructed to hold all enriched event data prior @@ -25,6 +26,7 @@ #include #include +#include "Source/common/Platform.h" #include "Source/santad/EventProviders/EndpointSecurity/Message.h" #include "Source/santad/ProcessTree/process_tree.pb.h" @@ -159,8 +161,10 @@ class EnrichedEventType { return enrichment_time_; } - private: + protected: Message es_msg_; + + private: EnrichedProcess instigator_; struct timespec enrichment_time_; }; @@ -435,14 +439,157 @@ class EnrichedLoginLogout : public EnrichedEventType { EnrichedLoginLogout(EnrichedLoginLogout &&) = default; }; -using EnrichedType = std::variant< - EnrichedClose, EnrichedExchange, EnrichedExec, EnrichedExit, EnrichedFork, - EnrichedLink, EnrichedRename, EnrichedUnlink, EnrichedCSInvalidated, - EnrichedLoginWindowSessionLogin, EnrichedLoginWindowSessionLogout, - EnrichedLoginWindowSessionLock, EnrichedLoginWindowSessionUnlock, - EnrichedScreenSharingAttach, EnrichedScreenSharingDetach, - EnrichedOpenSSHLogin, EnrichedOpenSSHLogout, EnrichedLoginLogin, - EnrichedLoginLogout>; +// Base class for authentication event types that contain instigator +// information. Note that beginning in macOS 15 instigator information +// is optional. If complete process info is missing, the audit token +// of the instigator is still made available. +class EnrichedAuthenticationWithInstigator : public EnrichedEventType { + public: + EnrichedAuthenticationWithInstigator( + Message &&es_msg, EnrichedProcess instigator, + std::optional enriched_auth_instigator) + : EnrichedEventType(std::move(es_msg), std::move(instigator)), + enriched_auth_instigator_(std::move(enriched_auth_instigator)) {} + + virtual ~EnrichedAuthenticationWithInstigator() = default; + + EnrichedAuthenticationWithInstigator( + EnrichedAuthenticationWithInstigator &&) = default; + + virtual const es_process_t *AuthInstigator() const = 0; + virtual std::optional AuthInstigatorToken() const = 0; + + const std::optional &EnrichedAuthInstigator() const { + return enriched_auth_instigator_; + } + + private: + std::optional enriched_auth_instigator_; +}; + +class EnrichedAuthenticationOD : public EnrichedAuthenticationWithInstigator { + public: + using EnrichedAuthenticationWithInstigator:: + EnrichedAuthenticationWithInstigator; + + EnrichedAuthenticationOD(EnrichedAuthenticationOD &&) = default; + + const es_process_t *AuthInstigator() const override { +#if HAVE_MACOS_13 + return es_msg_->event.authentication->data.od->instigator; +#else + return nullptr; +#endif + } + + std::optional AuthInstigatorToken() const override { +#if HAVE_MACOS_15 + return es_msg_->version >= 8 + ? std::make_optional( + es_msg_->event.authentication->data.od->instigator_token) + : std::nullopt; +#else + return std::nullopt; +#endif + } +}; + +class EnrichedAuthenticationTouchID + : public EnrichedAuthenticationWithInstigator { + public: + EnrichedAuthenticationTouchID( + Message &&es_msg, EnrichedProcess instigator, + std::optional auth_instigator, + std::optional> username) + : EnrichedAuthenticationWithInstigator(std::move(es_msg), + std::move(instigator), + std::move(auth_instigator)), + username_(std::move(username)) {} + + EnrichedAuthenticationTouchID(EnrichedAuthenticationTouchID &&) = default; + + const es_process_t *AuthInstigator() const override { +#if HAVE_MACOS_13 + return es_msg_->event.authentication->data.touchid->instigator; +#else + return nullptr; +#endif + } + + std::optional AuthInstigatorToken() const override { +#if HAVE_MACOS_15 + return es_msg_->version >= 8 ? std::make_optional( + es_msg_->event.authentication->data + .touchid->instigator_token) + : std::nullopt; +#else + return std::nullopt; +#endif + } + + const std::optional> &Username() const { + return username_; + } + + private: + std::optional> username_; +}; + +class EnrichedAuthenticationToken + : public EnrichedAuthenticationWithInstigator { + public: + using EnrichedAuthenticationWithInstigator:: + EnrichedAuthenticationWithInstigator; + + EnrichedAuthenticationToken(EnrichedAuthenticationToken &&) = default; + + const es_process_t *AuthInstigator() const override { +#if HAVE_MACOS_13 + return es_msg_->event.authentication->data.token->instigator; +#else + return nullptr; +#endif + } + + std::optional AuthInstigatorToken() const override { +#if HAVE_MACOS_15 + return es_msg_->version >= 8 ? std::make_optional( + es_msg_->event.authentication->data + .token->instigator_token) + : std::nullopt; +#else + return std::nullopt; +#endif + } +}; + +class EnrichedAuthenticationAutoUnlock : public EnrichedEventType { + public: + EnrichedAuthenticationAutoUnlock(Message &&es_msg, EnrichedProcess instigator, + std::optional uid) + : EnrichedEventType(std::move(es_msg), std::move(instigator)), + uid_(std::move(uid)) {} + + EnrichedAuthenticationAutoUnlock(EnrichedAuthenticationAutoUnlock &&) = + default; + + inline std::optional UID() const { return uid_; } + + private: + std::optional uid_; +}; + +using EnrichedType = + std::variant; class EnrichedMessage { public: diff --git a/Source/santad/EventProviders/EndpointSecurity/Enricher.h b/Source/santad/EventProviders/EndpointSecurity/Enricher.h index 5f4713c0..08362a55 100644 --- a/Source/santad/EventProviders/EndpointSecurity/Enricher.h +++ b/Source/santad/EventProviders/EndpointSecurity/Enricher.h @@ -41,6 +41,9 @@ class Enricher { virtual EnrichedProcess Enrich( const es_process_t &es_proc, EnrichOptions options = EnrichOptions::kDefault); + virtual std::optional Enrich( + const es_process_t *es_proc, + EnrichOptions options = EnrichOptions::kDefault); virtual EnrichedFile Enrich(const es_file_t &es_file, EnrichOptions options = EnrichOptions::kDefault); diff --git a/Source/santad/EventProviders/EndpointSecurity/Enricher.mm b/Source/santad/EventProviders/EndpointSecurity/Enricher.mm index 2ddf751d..9e69945e 100644 --- a/Source/santad/EventProviders/EndpointSecurity/Enricher.mm +++ b/Source/santad/EventProviders/EndpointSecurity/Enricher.mm @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #include "Source/santad/EventProviders/EndpointSecurity/Enricher.h" @@ -86,6 +87,36 @@ return std::make_unique( EnrichedCSInvalidated(std::move(es_msg), Enrich(*es_msg->process))); #if HAVE_MACOS_13 + case ES_EVENT_TYPE_NOTIFY_AUTHENTICATION: + switch (es_msg->event.authentication->type) { + case ES_AUTHENTICATION_TYPE_OD: + return std::make_unique( + EnrichedAuthenticationOD(std::move(es_msg), Enrich(*es_msg->process), + Enrich(es_msg->event.authentication->data.od->instigator))); + case ES_AUTHENTICATION_TYPE_TOUCHID: + return std::make_unique(EnrichedAuthenticationTouchID( + std::move(es_msg), Enrich(*es_msg->process), + Enrich(es_msg->event.authentication->data.touchid->instigator), + es_msg->event.authentication->data.touchid->has_uid + ? UsernameForUID(es_msg->event.authentication->data.touchid->uid.uid) + : std::nullopt)); + case ES_AUTHENTICATION_TYPE_TOKEN: + return std::make_unique(EnrichedAuthenticationToken( + std::move(es_msg), Enrich(*es_msg->process), + Enrich(es_msg->event.authentication->data.token->instigator))); + case ES_AUTHENTICATION_TYPE_AUTO_UNLOCK: + return std::make_unique(EnrichedAuthenticationAutoUnlock( + std::move(es_msg), Enrich(*es_msg->process), + UIDForUsername( + StringTokenToStringView(es_msg->event.authentication->data.auto_unlock->username)))); + + // Note: There is a case here where future OS versions could add new authentication types + // that did not exist in the SDK used to build the current running version of Santa. Return + // nullptr here to signal to the caller that event processing should not continue. Santa + // would have to be updated and rebuilt with the new SDK in order to properly handle the new + // types. + default: return nullptr; + } case ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN: return std::make_unique(EnrichedLoginWindowSessionLogin( std::move(es_msg), Enrich(*es_msg->process), @@ -128,6 +159,11 @@ } } +std::optional Enricher::Enrich(const es_process_t *es_proc, + EnrichOptions options) { + return es_proc ? std::make_optional(Enrich(*es_proc, options)) : std::nullopt; +} + EnrichedProcess Enricher::Enrich(const es_process_t &es_proc, EnrichOptions options) { return EnrichedProcess(UsernameForUID(audit_token_to_euid(es_proc.audit_token), options), UsernameForGID(audit_token_to_egid(es_proc.audit_token), options), diff --git a/Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm b/Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm index 3ee16531..239cef11 100644 --- a/Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm +++ b/Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #import "Source/santad/EventProviders/SNTEndpointSecurityRecorder.h" #include @@ -178,6 +179,11 @@ - (void)handleMessage:(Message &&)esMsg // data as close to the source event as possible. std::unique_ptr enrichedMessage = _enricher->Enrich(std::move(esMsg)); + if (!enrichedMessage) { + recordEventMetrics(EventDisposition::kDropped); + return; + } + // Asynchronously log the message [self processEnrichedMessage:std::move(enrichedMessage) handler:^(std::unique_ptr msg) { @@ -203,6 +209,7 @@ - (void)enable { #if HAVE_MACOS_13 if (@available(macOS 13.0, *)) { events.insert({ + ES_EVENT_TYPE_NOTIFY_AUTHENTICATION, ES_EVENT_TYPE_NOTIFY_LOGIN_LOGIN, ES_EVENT_TYPE_NOTIFY_LOGIN_LOGOUT, ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN, diff --git a/Source/santad/EventProviders/SNTEndpointSecurityRecorderTest.mm b/Source/santad/EventProviders/SNTEndpointSecurityRecorderTest.mm index 79f14d7e..e0a0b11b 100644 --- a/Source/santad/EventProviders/SNTEndpointSecurityRecorderTest.mm +++ b/Source/santad/EventProviders/SNTEndpointSecurityRecorderTest.mm @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #include #import @@ -97,6 +98,7 @@ - (void)testEnable { #if HAVE_MACOS_13 if (@available(macOS 13.0, *)) { expectedEventSubs.insert({ + ES_EVENT_TYPE_NOTIFY_AUTHENTICATION, ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN, ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGOUT, ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOCK, @@ -148,7 +150,12 @@ - (void)handleMessageShouldLog:(BOOL)shouldLog mockESApi->SetExpectationsESNewClient(); mockESApi->SetExpectationsRetainReleaseMessage(); - std::unique_ptr enrichedMsg = std::unique_ptr(nullptr); + // Create a fake enriched message. It isn't used other than to inject a valid + // returned object from a mocked Enrich method. The purpose is to ensure the + // check in the recorder that a message is enriched always succeeds. + es_message_t fakeEnrichedMsg = MakeESMessage(ES_EVENT_TYPE_NOTIFY_EXIT, NULL); + std::unique_ptr enrichedMsg = std::make_unique(EnrichedMessage( + santa::EnrichedExit(Message(mockESApi, &fakeEnrichedMsg), santa::EnrichedProcess()))); auto mockEnricher = std::make_shared(); diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.h b/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.h index 88875b3a..0a0cc848 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.h +++ b/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.h @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #ifndef SANTA__SANTAD__LOGS_ENDPOINTSECURITY_SERIALIZERS_BASICSTRING_H #define SANTA__SANTAD__LOGS_ENDPOINTSECURITY_SERIALIZERS_BASICSTRING_H @@ -58,6 +59,10 @@ class BasicString : public Serializer { std::vector SerializeMessage(const santa::EnrichedOpenSSHLogout &) override; std::vector SerializeMessage(const santa::EnrichedLoginLogin &) override; std::vector SerializeMessage(const santa::EnrichedLoginLogout &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationOD &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationTouchID &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationToken &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationAutoUnlock &) override; #endif std::vector SerializeFileAccess(const std::string &policy_version, diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm b/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm index c265e37e..b7b13ae8 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm +++ b/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #include "Source/santad/Logs/EndpointSecurity/Serializers/BasicString.h" @@ -35,36 +36,6 @@ #include "Source/santad/Logs/EndpointSecurity/Serializers/Utilities.h" #import "Source/santad/SNTDecisionCache.h" -using santa::EndpointSecurityAPI; -using santa::EnrichedClose; -using santa::EnrichedCSInvalidated; -using santa::EnrichedEventType; -using santa::EnrichedExchange; -using santa::EnrichedExec; -using santa::EnrichedExit; -using santa::EnrichedFork; -using santa::EnrichedLink; -using santa::EnrichedLoginLogin; -using santa::EnrichedLoginLogout; -using santa::EnrichedLoginWindowSessionLock; -using santa::EnrichedLoginWindowSessionLogin; -using santa::EnrichedLoginWindowSessionLogout; -using santa::EnrichedLoginWindowSessionUnlock; -using santa::EnrichedOpenSSHLogin; -using santa::EnrichedOpenSSHLogout; -using santa::EnrichedProcess; -using santa::EnrichedRename; -using santa::EnrichedScreenSharingAttach; -using santa::EnrichedScreenSharingDetach; -using santa::EnrichedUnlink; -using santa::Message; -using santa::MountFromName; -using santa::NonNull; -using santa::Pid; -using santa::Pidversion; -using santa::RealGroup; -using santa::RealUser; - namespace santa { static inline SanitizableString FilePath(const es_file_t *file) { @@ -648,6 +619,38 @@ static inline void AppendSocketAddress(std::string &str, es_address_type_t type, return FinalizeString(str); } +std::vector BasicString::SerializeMessage(const EnrichedAuthenticationOD &msg) { + std::string str = CreateDefaultString(); + + str.append("action=AUTHENTICATION_OD"); + + return FinalizeString(str); +} + +std::vector BasicString::SerializeMessage(const EnrichedAuthenticationTouchID &msg) { + std::string str = CreateDefaultString(); + + str.append("action=AUTHENTICATION_TOUCHID"); + + return FinalizeString(str); +} + +std::vector BasicString::SerializeMessage(const EnrichedAuthenticationToken &msg) { + std::string str = CreateDefaultString(); + + str.append("action=AUTHENTICATION_TOKEN"); + + return FinalizeString(str); +} + +std::vector BasicString::SerializeMessage(const EnrichedAuthenticationAutoUnlock &msg) { + std::string str = CreateDefaultString(); + + str.append("action=AUTHENTICATION_AUTO_UNLOCK"); + + return FinalizeString(str); +} + #endif // HAVE_MACOS_13 std::vector BasicString::SerializeFileAccess(const std::string &policy_version, diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/Empty.h b/Source/santad/Logs/EndpointSecurity/Serializers/Empty.h index 06d9afff..8e659a08 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/Empty.h +++ b/Source/santad/Logs/EndpointSecurity/Serializers/Empty.h @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #ifndef SANTA__SANTAD__LOGS_ENDPOINTSECURITY_SERIALIZERS_EMPTY_H #define SANTA__SANTAD__LOGS_ENDPOINTSECURITY_SERIALIZERS_EMPTY_H @@ -49,6 +50,10 @@ class Empty : public Serializer { std::vector SerializeMessage(const santa::EnrichedOpenSSHLogout &) override; std::vector SerializeMessage(const santa::EnrichedLoginLogin &) override; std::vector SerializeMessage(const santa::EnrichedLoginLogout &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationOD &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationTouchID &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationToken &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationAutoUnlock &) override; std::vector SerializeFileAccess(const std::string &policy_version, const std::string &policy_name, diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/Empty.mm b/Source/santad/Logs/EndpointSecurity/Serializers/Empty.mm index ae598984..0f425480 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/Empty.mm +++ b/Source/santad/Logs/EndpointSecurity/Serializers/Empty.mm @@ -1,41 +1,20 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #include "Source/santad/Logs/EndpointSecurity/Serializers/Empty.h" -using santa::EnrichedClose; -using santa::EnrichedCSInvalidated; -using santa::EnrichedExchange; -using santa::EnrichedExec; -using santa::EnrichedExit; -using santa::EnrichedFork; -using santa::EnrichedLink; -using santa::EnrichedLoginLogin; -using santa::EnrichedLoginLogout; -using santa::EnrichedLoginWindowSessionLock; -using santa::EnrichedLoginWindowSessionLogin; -using santa::EnrichedLoginWindowSessionLogout; -using santa::EnrichedLoginWindowSessionUnlock; -using santa::EnrichedOpenSSHLogin; -using santa::EnrichedOpenSSHLogout; -using santa::EnrichedProcess; -using santa::EnrichedRename; -using santa::EnrichedScreenSharingAttach; -using santa::EnrichedScreenSharingDetach; -using santa::EnrichedUnlink; -using santa::Message; - namespace santa { std::shared_ptr Empty::Create() { @@ -120,6 +99,22 @@ return {}; } +std::vector Empty::SerializeMessage(const EnrichedAuthenticationOD &) { + return {}; +} + +std::vector Empty::SerializeMessage(const EnrichedAuthenticationTouchID &) { + return {}; +} + +std::vector Empty::SerializeMessage(const EnrichedAuthenticationToken &) { + return {}; +} + +std::vector Empty::SerializeMessage(const EnrichedAuthenticationAutoUnlock &) { + return {}; +} + std::vector Empty::SerializeFileAccess(const std::string &policy_version, const std::string &policy_name, const Message &msg, const EnrichedProcess &enriched_process, diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.h b/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.h index ceb5643d..d3beb873 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.h +++ b/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.h @@ -1,4 +1,5 @@ /// Copyright 2022 Google LLC +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. @@ -58,6 +59,10 @@ class Protobuf : public Serializer { std::vector SerializeMessage(const santa::EnrichedOpenSSHLogout &) override; std::vector SerializeMessage(const santa::EnrichedLoginLogin &) override; std::vector SerializeMessage(const santa::EnrichedLoginLogout &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationOD &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationTouchID &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationToken &) override; + std::vector SerializeMessage(const santa::EnrichedAuthenticationAutoUnlock &) override; #endif std::vector SerializeFileAccess(const std::string &policy_version, diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm b/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm index 4f2d5fd1..9c70dc01 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm +++ b/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm @@ -1,4 +1,5 @@ /// Copyright 2022 Google LLC +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. @@ -43,41 +44,6 @@ using JsonPrintOptions = google::protobuf::json::PrintOptions; using google::protobuf::json::MessageToJsonString; -using santa::EffectiveGroup; -using santa::EffectiveUser; -using santa::EndpointSecurityAPI; -using santa::EnrichedClose; -using santa::EnrichedCSInvalidated; -using santa::EnrichedEventType; -using santa::EnrichedExchange; -using santa::EnrichedExec; -using santa::EnrichedExit; -using santa::EnrichedFile; -using santa::EnrichedFork; -using santa::EnrichedLink; -using santa::EnrichedLoginLogin; -using santa::EnrichedLoginLogout; -using santa::EnrichedLoginWindowSessionLock; -using santa::EnrichedLoginWindowSessionLogin; -using santa::EnrichedLoginWindowSessionLogout; -using santa::EnrichedLoginWindowSessionUnlock; -using santa::EnrichedOpenSSHLogin; -using santa::EnrichedOpenSSHLogout; -using santa::EnrichedProcess; -using santa::EnrichedRename; -using santa::EnrichedScreenSharingAttach; -using santa::EnrichedScreenSharingDetach; -using santa::EnrichedUnlink; -using santa::Message; -using santa::MountFromName; -using santa::NonNull; -using santa::NSStringToUTF8StringView; -using santa::Pid; -using santa::Pidversion; -using santa::RealGroup; -using santa::RealUser; -using santa::StringTokenToStringView; - namespace pbv1 = ::santa::pb::v1; namespace santa { @@ -980,6 +946,22 @@ static inline void EncodeUserInfo(std::function<::pbv1::UserInfo *()> lazy_f, return FinalizeProto(santa_msg); } +std::vector Protobuf::SerializeMessage(const EnrichedAuthenticationOD &msg) { + return {}; +} + +std::vector Protobuf::SerializeMessage(const EnrichedAuthenticationTouchID &msg) { + return {}; +} + +std::vector Protobuf::SerializeMessage(const EnrichedAuthenticationToken &msg) { + return {}; +} + +std::vector Protobuf::SerializeMessage(const EnrichedAuthenticationAutoUnlock &msg) { + return {}; +} + #endif // HAVE_MACOS_13 std::vector Protobuf::SerializeFileAccess(const std::string &policy_version, diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/Serializer.h b/Source/santad/Logs/EndpointSecurity/Serializers/Serializer.h index fb69a695..6834c2e7 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/Serializer.h +++ b/Source/santad/Logs/EndpointSecurity/Serializers/Serializer.h @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #ifndef SANTA__SANTAD__LOGS_ENDPOINTSECURITY_SERIALIZERS_SERIALIZER_H #define SANTA__SANTAD__LOGS_ENDPOINTSECURITY_SERIALIZERS_SERIALIZER_H @@ -65,6 +66,11 @@ class Serializer { virtual std::vector SerializeMessage(const santa::EnrichedOpenSSHLogout &) = 0; virtual std::vector SerializeMessage(const santa::EnrichedLoginLogin &) = 0; virtual std::vector SerializeMessage(const santa::EnrichedLoginLogout &) = 0; + virtual std::vector SerializeMessage(const santa::EnrichedAuthenticationOD &) = 0; + virtual std::vector SerializeMessage(const santa::EnrichedAuthenticationTouchID &) = 0; + virtual std::vector SerializeMessage(const santa::EnrichedAuthenticationToken &) = 0; + virtual std::vector SerializeMessage( + const santa::EnrichedAuthenticationAutoUnlock &) = 0; virtual std::vector SerializeFileAccess(const std::string &policy_version, const std::string &policy_name, diff --git a/Source/santad/Metrics.mm b/Source/santad/Metrics.mm index e6211f7c..777da5c5 100644 --- a/Source/santad/Metrics.mm +++ b/Source/santad/Metrics.mm @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #include "Source/santad/Metrics.h" @@ -55,6 +56,7 @@ static NSString *const kEventTypeNotifyUnmount = @"NotifyUnmount"; static NSString *const kPseudoEventTypeGlobal = @"Global"; #if HAVE_MACOS_13 +static NSString *const kEventTypeNotifyAuthentication = @"NotifyAuthentication"; static NSString *const kEventTypeNotifyLoginLogin = @"NotifyLoginLogin"; static NSString *const kEventTypeNotifyLoginLogout = @"NotifyLoginLogout"; static NSString *const kEventTypeNotifyLWSessionLogin = @"NotifyLWSessionLogin"; @@ -131,6 +133,7 @@ case ES_EVENT_TYPE_NOTIFY_UNLINK: return kEventTypeNotifyUnlink; case ES_EVENT_TYPE_NOTIFY_UNMOUNT: return kEventTypeNotifyUnmount; #if HAVE_MACOS_13 + case ES_EVENT_TYPE_NOTIFY_AUTHENTICATION: return kEventTypeNotifyAuthentication; case ES_EVENT_TYPE_NOTIFY_LOGIN_LOGIN: return kEventTypeNotifyLoginLogin; case ES_EVENT_TYPE_NOTIFY_LOGIN_LOGOUT: return kEventTypeNotifyLoginLogout; case ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN: return kEventTypeNotifyLWSessionLogin; diff --git a/Source/santad/MetricsTest.mm b/Source/santad/MetricsTest.mm index 30b96908..b89d06f7 100644 --- a/Source/santad/MetricsTest.mm +++ b/Source/santad/MetricsTest.mm @@ -1,16 +1,17 @@ /// Copyright 2022 Google Inc. All rights reserved. +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. /// You may obtain a copy of the License at /// -/// http://www.apache.org/licenses/LICENSE-2.0 +/// http://www.apache.org/licenses/LICENSE-2.0 /// -/// Unless required by applicable law or agreed to in writing, software -/// distributed under the License is distributed on an "AS IS" BASIS, -/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -/// See the License for the specific language governing permissions and -/// limitations under the License. +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. #include "Source/santad/Metrics.h" @@ -23,6 +24,7 @@ #include #include +#include "Source/common/Platform.h" #import "Source/common/SNTCommonEnums.h" #include "Source/common/SNTMetricSet.h" #include "Source/common/TestUtils.h" @@ -197,6 +199,19 @@ - (void)testEventTypeToString { {ES_EVENT_TYPE_NOTIFY_RENAME, @"NotifyRename"}, {ES_EVENT_TYPE_NOTIFY_UNLINK, @"NotifyUnlink"}, {ES_EVENT_TYPE_NOTIFY_UNMOUNT, @"NotifyUnmount"}, +#if HAVE_MACOS_13 + {ES_EVENT_TYPE_NOTIFY_AUTHENTICATION, @"NotifyAuthentication"}, + {ES_EVENT_TYPE_NOTIFY_LOGIN_LOGIN, @"NotifyLoginLogin"}, + {ES_EVENT_TYPE_NOTIFY_LOGIN_LOGOUT, @"NotifyLoginLogout"}, + {ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN, @"NotifyLWSessionLogin"}, + {ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGOUT, @"NotifyLWSessionLogout"}, + {ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOCK, @"NotifyLWSessionLock"}, + {ES_EVENT_TYPE_NOTIFY_LW_SESSION_UNLOCK, @"NotifyLWSessionUnlock"}, + {ES_EVENT_TYPE_NOTIFY_SCREENSHARING_ATTACH, @"NotifyScreensharingAttach"}, + {ES_EVENT_TYPE_NOTIFY_SCREENSHARING_DETACH, @"NotifyScreensharingDetach"}, + {ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGIN, @"NotifyOpenSSHLogin"}, + {ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGOUT, @"NotifyOpenSSHLogout"}, +#endif {ES_EVENT_TYPE_LAST, @"Global"}, };