# [DRAFT] ES/Logging Components Redesign

This is a work-in-progress, being released in draft form in order to solicit early feedback.
## Building / Running

Build using the following command:

```shell
bazel build --apple_generate_dsym -c opt --verbose_failures --sandbox_debug //Source/santad:com.google.santad.sysext
```

You can then run the binary directly via:

```shell
sudo /path/to/compiled/binary [--quick [timeout_seconds]]
```

Using the optional `--quick` flag will cause the program to exit after 5 seconds. An optional number of seconds can also be passed.

Currently, logged events are echoed to the console via the `LOGE` macro. (This is temporary during development and won't stay around.)
## Completed

- EndpointSecurity Interfaces/Classes/Wrappers
  - `Source/santad/EventProviders/EndpointSecurity`
    - `EndpointSecurityAPI` - Wraps the `EndpointSecurity` framework functions. Bridges between the wrapped types below and the ES types.
    - `Client` - This object wraps an `es_client_t`
    - `Message` - This object wraps an `es_message_t`
    - `EnrichedTypes` - Defines all the various per-event-type enriched variants for a `Message`
    - `Enricher` - Takes a `Message` and produces an appropriate `EnrichedMessage`
- EndpointSecurity Clients
  - `Source/santad/EventProviders`
    - `SNTEndpointSecurityClientBase` - Protocol declaring the base class interfaces available to ES clients
    - `SNTEndpointSecurityClient` - The base class for ES clients
    - `SNTEndpointSecurityAuthorizer` - `AUTH EXEC` control. Also does caching.
    - `SNTEndpointSecurityRecorder` - Subscribes to events that will get enriched and logged
    - `SNTEndpointSecurityDeviceManager` - `MOUNT`/`REMOUNT`/`UNMOUNT` actions
    - `SNTEndpointSecurityTamperResistance` - Provides functionality to help protect Santa and its resources
- Resources
  - `AuthResultCache` - Wrapper for the "root" and "nonroot" caches. Provided to the various clients that need to interact with the caches
  - `SNTDecisionCache` - Wrapper for what was previously in the `SNTEventLog`. It stores `SNTCachedDecision`s.
- Logging
  - `Source/santad/LogsEndpointSecurity`
    - `Logger` - Provides the primary logging interfaces. Composed of a serializer and a writer.
    - `Serializers/`
      - `Serializer` - Abstract base class for all serializers
      - `BasicString` - Functionality previously provided by `SNTSyslogEventLog`
    - `Writers/`
      - `Syslog` - Currently just dumps to ULS.
- Other
  - `SNTExecutionController` - Interfaces changed to have fewer dependencies.
  - `SNTCompilerController` - Now does all compiler process tracking instead of `SNTEndpointSecurityManager`
  - `SNTEventProvider` - Complete overhaul. Split into `SNTEventProvider` and `SNTCachingEventProvider`
  - `SNTCommon` - `santa_message_t` has been removed. Removed a bunch from `santa_action_t`.
## ~~ NOT COMPLETED ~~

Still a bunch left TODO. The following is very likely an incomplete list:

- `santad.mm` - Needs an overhaul. Right now just sort of a dumping ground as I add more features.
- Additional `Writers`
  - File-based writer
  - Simple Maildir-based writer
- Hook up `santactl`
- Hook up all the other agents/daemons (e.g. `syncservice`, `bundleservice`, `metricservice`, etc.)
- Hook up listening for configuration changes
- Split logging for santactl which needs the legacy macros and new logging which can go to ULS.
- gMock/gTest integration
- Protobuf support (??? may just leave this out since we want to overhaul that next)
- Remove a whole bunch of now-unused files
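An illustration of the Logging layout described above (a `Logger` composed of one `Serializer` and one `Writer`, with `BasicString` producing a key=value line). This is an added example, not Santa's code: the `EnrichedExecMessage` struct, the `MemoryWriter` sink and the exact line format are constructed stand-ins for the PR's `EnrichedMessage`, `Syslog` writer and `SNTSyslogEventLog`-style output. The escaping shows why the serializer, not the writer, must neutralise delimiter and newline bytes from attacker-controlled fields such as argv.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>
// Constructed stand-in for one EnrichedMessage variant (AUTH EXEC only).
struct EnrichedExecMessage {
  int pid;
  std::string path, decision, user;  // decision is "ALLOW"/"DENY"; user resolved by the Enricher
  std::vector<std::string> args;
};
// Abstract Serializer and Writer, mirroring the PR's Serializers/ and Writers/ directories.
struct Serializer {
  virtual ~Serializer() = default;
  virtual std::string Serialize(const EnrichedExecMessage& m) = 0;
};
struct Writer {
  virtual ~Writer() = default;
  virtual void Write(const std::string& line) = 0;
};
// Escape the '|' delimiter, '\' and newlines so a hostile argv cannot forge fields or split records.
static std::string Escape(const std::string& s) {
  std::string r;
  for (char c : s) {
    if (c == '\n') { r += "\\n"; continue; }
    if (c == '|' || c == '\\') r += '\\';
    r += c;
  }
  return r;
}
// key=value|key=value line format, in the spirit of the old SNTSyslogEventLog output (constructed).
struct BasicString : Serializer {
  std::string Serialize(const EnrichedExecMessage& m) override {
    std::string out = "action=EXEC|decision=" + m.decision + "|pid=" + std::to_string(m.pid) +
                      "|path=" + Escape(m.path) + "|args=";
    for (size_t i = 0; i < m.args.size(); ++i) out += (i ? " " : "") + Escape(m.args[i]);
    return out + "|user=" + Escape(m.user);
  }
};
struct MemoryWriter : Writer {  // in-memory sink so this runs anywhere; Santa's Syslog writer targets ULS
  std::vector<std::string> lines;
  void Write(const std::string& line) override { lines.push_back(line); }
};
class Logger {  // composes exactly one Serializer with one Writer, as the PR describes
 public:
  Logger(std::unique_ptr<Serializer> s, std::shared_ptr<Writer> w) : serializer_(std::move(s)), writer_(std::move(w)) {}
  void Log(const EnrichedExecMessage& m) { writer_->Write(serializer_->Serialize(m)); }
 private:
  std::unique_ptr<Serializer> serializer_;
  std::shared_ptr<Writer> writer_;
};
```

Swapping `BasicString` for another `Serializer` (e.g. a protobuf one) or `MemoryWriter` for a file or syslog `Writer` leaves `Logger` and the enrichment code untouched, which is the point of the split.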
Closing the draft PR. It's now quite outdated.