Merge e8d11da into e1cf8e7

BUILD

@@ -48,6 +48,7 @@ run_command(
     cmd = """
 sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null
 sudo launchctl unload /Library/LaunchDaemons/com.google.santa.bundleservice.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.metricservice.plist 2>/dev/null
 sudo kextunload -b com.google.santa-driver 2>/dev/null
 launchctl unload /Library/LaunchAgents/com.google.santa.plist 2>/dev/null
 """,
@@ -58,6 +59,7 @@ run_command(
     cmd = """
 sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
 sudo launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
 launchctl load /Library/LaunchAgents/com.google.santa.plist
 """,
 )
@@ -94,6 +96,7 @@ genrule(
         "Conf/install.sh",
         "Conf/uninstall.sh",
         "Conf/com.google.santa.bundleservice.plist",
+        "Conf/com.google.santa.metricservice.plist",
         "Conf/com.google.santad.plist",
         "Conf/com.google.santa.plist",
         "Conf/com.google.santa.asl.conf",
@@ -142,6 +145,10 @@ genrule(
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabundleservice.dSYM
             ;;
+          *santametricservice.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santametricservice.dSYM
+            ;;
           *Santa.app.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
@@ -225,15 +232,18 @@ test_suite(
     name = "unit_tests",
     tests = [
         "//Source/common:SNTFileInfoTest",
+        "//Source/common:SNTMetricSetTest",
         "//Source/common:SNTPrefixTreeTest",
         "//Source/common:SantaCacheTest",
         "//Source/santactl:SNTCommandFileInfoTest",
         "//Source/santactl:SNTCommandSyncTest",
+        "//Source/santad:SNTApplicationCoreMetricsTest",
         "//Source/santad:SNTApplicationTest",
         "//Source/santad:SNTEndpointSecurityManagerTest",
         "//Source/santad:SNTEventTableTest",
         "//Source/santad:SNTExecutionControllerTest",
         "//Source/santad:SNTRuleTableTest",
+        "//Source/santametricservice:unit_tests",
     ],
 )
 

Conf/Package/package_and_sign.sh

@@ -48,6 +48,7 @@ readonly INPUT_KEXT="${RELEASE_ROOT}/binaries/santa-driver.kext"
 readonly INPUT_SYSX="${INPUT_APP}/Contents/Library/SystemExtensions/com.google.santa.daemon.systemextension"
 readonly INPUT_SANTACTL="${INPUT_APP}/Contents/MacOS/santactl"
 readonly INPUT_SANTABS="${INPUT_APP}/Contents/MacOS/santabundleservice"
+readonly INPUT_SANTAMS="${INPUT_APP}/Contents/MacOS/santametricservice"
 
 readonly RELEASE_NAME="santa-$(/usr/bin/defaults read "${INPUT_APP}/Contents/Info.plist" CFBundleVersion)"
 
@@ -65,7 +66,7 @@ readonly DMG_PATH="${ARTIFACTS_DIR}/${RELEASE_NAME}.dmg"
 readonly TAR_PATH="${ARTIFACTS_DIR}/${RELEASE_NAME}.tar.gz"
 
 # Sign all of binaries/bundles. Maintain inside-out ordering where necessary
-for ARTIFACT in "${INPUT_SANTACTL}" "${INPUT_SANTABS}" "${INPUT_SYSX}" "${INPUT_APP}" "${INPUT_KEXT}"; do
+for ARTIFACT in "${INPUT_SANTACTL}" "${INPUT_SANTABS}" "${INPUT_SANTAMS}" "${INPUT_SYSX}" "${INPUT_APP}" "${INPUT_KEXT}"; do
   BN=$(/usr/bin/basename "${ARTIFACT}")
   EN="${ENTITLEMENTS}/${BN}.entitlements"
 
@@ -130,6 +131,7 @@ echo "creating app pkg"
 /bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santad.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
 /bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.plist" "${APP_PKG_ROOT}/Library/LaunchAgents/"
 /bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.bundleservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
+/bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.metricservice.plist" "${APP_PKG_ROOT}/Library/LaunchDaemons/"
 /bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.asl.conf" "${APP_PKG_ROOT}/private/etc/asl/"
 /bin/cp -vX "${RELEASE_ROOT}/conf/com.google.santa.newsyslog.conf" "${APP_PKG_ROOT}/private/etc/newsyslog.d/"
 /bin/cp -vXL "${SCRIPT_PATH}/preinstall" "${APP_PKG_SCRIPTS}/"

Conf/Package/postinstall

@@ -24,6 +24,9 @@ mkdir -p /usr/local/bin
 # Load com.google.santa.bundleservice
 /bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
+# Load com.google.santa.metricservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
 GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -z "${GUI_USER}" ]] && exit 0
 

Conf/Package/preinstall

@@ -8,6 +8,7 @@
 
 /bin/launchctl remove com.google.santad || true
 /bin/launchctl remove com.google.santa.bundleservice || true
+/bin/launchctl remove com.google.santa.metricservice || true
 
 /bin/sleep 1
 

Conf/com.google.santa.metricservice.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.metricservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santametricservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.metricservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+</dict>
+</plist>

Conf/install.sh

@@ -24,6 +24,9 @@ fi
 # Unload bundle service
 /bin/launchctl remove com.google.santa.bundleservice >/dev/null 2>&1
 
+# Unload metric service
+/bin/launchctl remove com.google.santa.metricservice >/dev/null 2>&1
+
 # Unload kext.
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 
@@ -58,6 +61,7 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 
 /bin/cp ${CONF}/com.google.santa.plist /Library/LaunchAgents
 /bin/cp ${CONF}/com.google.santa.bundleservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santa.metricservice.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santa.asl.conf /etc/asl/
 /bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
@@ -71,6 +75,9 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 # Load com.google.santa.bundleservice
 /bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
+# Load com.google.santa.metricservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
 # Load GUI agent if someone is logged in.
 [[ -z "${GUI_USER}" ]] && exit 0
 

Conf/uninstall.sh

@@ -24,6 +24,7 @@ user=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/rm -f /Library/LaunchAgents/com.google.santa.plist
 /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
 /bin/rm -f /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.metricservice.plist
 /bin/rm -f /private/etc/asl/com.google.santa.asl.conf
 /bin/rm -f /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
 /bin/rm -f /usr/local/bin/santactl # just a symlink

Source/common/SNTConfigurator.h

@@ -386,6 +386,10 @@
 ///
 @property(readonly, nonatomic) NSURL *metricURL;
 
+///
+/// Duration in seconds of how often the metrics should be exported.
+///
+@property(readonly, nonatomic) NSUInteger metricExportInterval;
 
 ///
 ///  Retrieve an initialized singleton configurator object using the default file path.

Source/common/SNTConfigurator.m

@@ -104,6 +104,7 @@ @implementation SNTConfigurator
 // TODO(markowsky): move these to sync server only.
 static NSString *const kMetricFormat = @"MetricFormat";
 static NSString *const kMetricURL = @"MetricURL";
+static NSString *const kMetricExportInterval = @"MetricExportInterval";
 
 // The keys managed by a sync server.
 static NSString *const kFullSyncLastSuccess = @"FullSyncLastSuccess";
@@ -177,6 +178,7 @@ - (instancetype)init {
       kFCMAPIKey : string,
       kMetricFormat : string,
       kMetricURL : string,
+      kMetricExportInterval: number,
     };
     _defaults = [NSUserDefaults standardUserDefaults];
     [_defaults addSuiteNamed:@"com.google.santa"];
@@ -687,6 +689,16 @@ - (NSURL *)metricURL {
   return [NSURL URLWithString:self.configState[kMetricURL]];
 }
 
+// Returns a default value of 30 (for 30 seconds).
+- (NSUInteger)metricExportInterval {
+    NSNumber *configuredInterval = self.configState[kMetricExportInterval];
+
+    if (configuredInterval == nil) {
+        return 30;
+    }
+    return [configuredInterval unsignedIntegerValue];
+}
+
 #pragma mark Private
 
 ///

Source/common/SNTMetricSet.h

@@ -100,6 +100,15 @@ typedef NS_ENUM(NSInteger, SNTMetricType) {
                            fieldNames:(NSArray<NSString *> *)fieldNames
                              helpText:(NSString *)text;
 
+/**
+ * Returns a shared global instance with default root labels and metrics registered.
+ */
++ (instancetype)sharedInstance;
+
+
+/**
+ *  Add a root label to the MetricSet.
+ */
 - (void)addRootLabel:(NSString *)label value:(NSString *)value;
 
 /**

Source/common/SNTMetricSet.m

@@ -432,6 +432,17 @@ @implementation SNTMetricSet {
   NSMutableArray<void (^)(void)> *_callbacks;
 }
 
++ (instancetype)sharedInstance {
+  static SNTMetricSet *sharedMetrics;
+  static dispatch_once_t onceToken;
+
+  dispatch_once(&onceToken, ^{
+    sharedMetrics = [[SNTMetricSet alloc] init];
+  });
+
+  return sharedMetrics;
+}
+
 - (instancetype)init {
   self = [super init];
   if (self) {

Source/common/SNTMetricSetTest.m

@@ -60,6 +60,7 @@ - (void)testExportNSDictionary {
 
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+    @"description" : @"Count of exec events broken out by rule type.",
     @"fields" : @{
       @"rule_type" : @[ @{
         @"value" : @"certificate",
@@ -96,6 +97,7 @@ - (void)testExportNSDictionary {
   [b set:true forFieldValues:@[]];
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeBool],
+    @"description" : @"Is the daemon connected.",
     @"fields" : @{
       @"" : @[ @{
         @"value" : @"",
@@ -150,6 +152,7 @@ - (void)testExportNSDictionary {
 
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+    @"description" : @"Count of rules broken out by rule type.",
     @"fields" : @{
       @"rule_type" : @[ @{
         @"value" : @"binary",
@@ -201,6 +204,7 @@ - (void)testExportNSDictionary {
 
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeDouble],
+    @"description" : @"CPU time consumed by this process.",
     @"fields" : @{
       @"mode" : @[
         @{
@@ -244,6 +248,7 @@ - (void)testExportNSDictionary {
 
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeString],
+    @"description" : @"String description of the mode.",
     @"fields" : @{
       @"" : @[ @{
         @"value" : @"",
@@ -313,6 +318,7 @@ - (void)testAddConstantBool {
 
   NSDictionary *expected = @{
     @"/tautology" : @{
+      @"description" : @"The first rule of tautology club is the first rule",
       @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
       @"fields" : @{
         @"" : @[ @{
@@ -337,6 +343,7 @@ - (void)testAddConstantString {
 
   NSDictionary *expected = @{
     @"/build/label" : @{
+      @"description" : @"Build label for the binary",
       @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
       @"fields" : @{
         @"" : @[ @{
@@ -360,6 +367,7 @@ - (void)testAddConstantInt {
 
   NSDictionary *expected = @{
     @"/deep/thought/answer" : @{
+      @"description" : @"Life, the universe, and everything",
       @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
       @"fields" : @{
         @"" : @[ @{
@@ -386,10 +394,10 @@ - (void)testExportNSDictionary {
   [metricSet addConstantBooleanWithName:@"/santa/using_endpoint_security_framework"
                                helpText:@"Is santad using the endpoint security framework."
                                   value:TRUE];
-  [metricSet addConstantIntegerWithName:@"/proc/birth_timestamp"
-                               helpText:@"Start time of this LogDumper instance, in microseconds "
-                                        @"since epoch"
-                                  value:(long long)(0x12345668910)];
+  [metricSet
+    addConstantIntegerWithName:@"/proc/birth_timestamp"
+                      helpText:@"Start time of this santad instance, in microseconds since epoch"
+                         value:(long long)(0x12345668910)];
   // Add Metrics
   SNTMetricCounter *c = [metricSet counterWithName:@"/santa/events"
                                         fieldNames:@[ @"rule_type" ]
@@ -414,7 +422,7 @@ - (void)testExportNSDictionary {
   SNTMetricInt64Gauge *residentMemoryGauge =
     [metricSet int64GaugeWithName:@"/proc/memory/resident_size"
                        fieldNames:@[]
-                         helpText:@"The resident set siz of this process."];
+                         helpText:@"The resident set size of this process."];
 
   [metricSet registerCallback:^(void) {
     [virtualMemoryGauge set:987654321 forFieldValues:@[]];
@@ -425,6 +433,7 @@ - (void)testExportNSDictionary {
     @"root_labels" : @{@"hostname" : @"testHost", @"username" : @"testUser"},
     @"metrics" : @{
       @"/build/label" : @{
+        @"description" : @"Software version running.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
         @"fields" : @{
           @"" : @[ @{
@@ -436,6 +445,7 @@ - (void)testExportNSDictionary {
         }
       },
       @"/santa/events" : @{
+        @"description" : @"Count of events on the host",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
         @"fields" : @{
           @"rule_type" : @[
@@ -455,6 +465,7 @@ - (void)testExportNSDictionary {
         },
       },
       @"/santa/rules" : @{
+        @"description" : @"Number of rules.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
         @"fields" : @{
           @"rule_type" : @[
@@ -474,6 +485,7 @@ - (void)testExportNSDictionary {
         },
       },
       @"/santa/using_endpoint_security_framework" : @{
+        @"description" : @"Is santad using the endpoint security framework.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
         @"fields" : @{
           @"" : @[ @{
@@ -485,6 +497,7 @@ - (void)testExportNSDictionary {
         }
       },
       @"/proc/birth_timestamp" : @{
+        @"description" : @"Start time of this santad instance, in microseconds since epoch",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
         @"fields" : @{
           @"" : @[ @{
@@ -496,6 +509,7 @@ - (void)testExportNSDictionary {
         },
       },
       @"/proc/memory/virtual_size" : @{
+        @"description" : @"The virtual memory size of this process.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
         @"fields" : @{
           @"" : @[ @{
@@ -507,6 +521,7 @@ - (void)testExportNSDictionary {
         }
       },
       @"/proc/memory/resident_size" : @{
+        @"description" : @"The resident set size of this process.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
         @"fields" : @{
           @"" : @[ @{

Source/common/SNTXPCMetricServiceInterface.m

@@ -19,7 +19,8 @@ @implementation SNTXPCMetricServiceInterface
 + (NSXPCInterface *)metricServiceInterface {
   NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTMetricServiceXPC)];
 
-  [r setClasses:[NSSet setWithObjects:[NSDictionary class], nil]
+  [r setClasses:[NSSet setWithObjects:[NSDictionary class], [NSArray class], [NSNumber class],
+                                      [NSString class], [NSDate class], nil]
       forSelector:@selector(exportForMonitoring:)
     argumentIndex:0
           ofReply:NO];

Source/santa/BUILD

@@ -48,6 +48,7 @@ macos_application(
     additional_contents = {
         "//Source/santactl": "MacOS",
         "//Source/santabundleservice": "MacOS",
+        "//Source/santametricservice": "MacOS",
         "//Source/santad:com.google.santa.daemon": "Library/SystemExtensions",
     },
     app_icons = glob(["Resources/Images.xcassets/**"]),