Merge 5c5687b into be87b3e
mlw authored Mar 31, 2023
2 parents be87b3e + 5c5687b commit c9204e5
Showing 2 changed files with 32 additions and 37 deletions.
21 changes: 11 additions & 10 deletions Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm
Expand Up @@ -153,14 +153,14 @@ static inline void AppendProcess(std::string &str, const es_process_t *es_proc)
static inline void AppendUserGroup(std::string &str, const audit_token_t &tok,
const std::optional<std::shared_ptr<std::string>> &user,
const std::optional<std::shared_ptr<std::string>> &group) {
str.append("|uid=");
str.append(std::to_string(RealUser(tok)));
str.append("|user=");
str.append(user.has_value() ? user->get()->c_str() : "(null)");
str.append("|gid=");
str.append(std::to_string(RealGroup(tok)));
str.append("|uid=");
str.append(std::to_string(RealUser(tok)));
str.append("|group=");
str.append(group.has_value() ? group->get()->c_str() : "(null)");
str.append("|gid=");
str.append(std::to_string(RealGroup(tok)));
}

static char *FormattedDateString(char *buf, size_t len) {
Expand Down Expand Up @@ -287,9 +287,6 @@ static inline void AppendUserGroup(std::string &str, const audit_token_t &tok,
str.append("|ppid=");
str.append(std::to_string(esm.event.exec.target->original_ppid));

AppendUserGroup(str, esm.event.exec.target->audit_token, msg.instigator().real_user(),
msg.instigator().real_group());

str.append("|mode=");
str.append(GetModeString([configurator clientMode]));
str.append("|path=");
Expand All @@ -313,6 +310,10 @@ static inline void AppendUserGroup(std::string &str, const audit_token_t &tok,
}
}

// N.B. Appending user/group field last to optimize for internal workflow
AppendUserGroup(str, esm.event.exec.target->audit_token, msg.instigator().real_user(),
msg.instigator().real_group());

return FinalizeString(str);
}

Expand Down Expand Up @@ -456,9 +457,7 @@ static inline void AppendUserGroup(std::string &str, const audit_token_t &tok,
std::vector<uint8_t> BasicString::SerializeBundleHashingEvent(SNTStoredEvent *event) {
std::string str = CreateDefaultString();

str.append("action=BUNDLE|sha256=");
str.append([NonNull(event.fileSHA256) UTF8String]);
str.append("|bundlehash=");
str.append("action=BUNDLE|bundlehash=");
str.append([NonNull(event.fileBundleHash) UTF8String]);
str.append("|bundlename=");
str.append([NonNull(event.fileBundleName) UTF8String]);
Expand All @@ -468,6 +467,8 @@ static inline void AppendUserGroup(std::string &str, const audit_token_t &tok,
str.append([NonNull(event.fileBundlePath) UTF8String]);
str.append("|path=");
str.append([NonNull(event.filePath) UTF8String]);
str.append("|sha256=");
str.append([NonNull(event.fileSHA256) UTF8String]);

return FinalizeString(str);
}
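Review bot: AppendUserGroup still dereferences the shared_ptr without a null check — `user->get()->c_str()` and `group->get()->c_str()` in the first hunk only guard that the optional is engaged, so an engaged optional carrying an empty shared_ptr would dereference null while building the log line. If an empty pointer can ever reach this function (I cannot tell from this hunk whether the enricher that produces real_user()/real_group() rules it out), `user.has_value() && *user ? (*user)->c_str() : "(null)"` and the matching expression for group keep the "(null)" fallback without the risk, and since the commit already rewrites every line of this function it is a cheap place to make the check robust. Separately, the `N.B.` comment added in the exec hunk says only "to optimize for internal workflow"; stating that the key order is part of the emitted log format consumers see would make the constraint explicit for the next person who reorders fields. The exec serializer that contains that hunk starts and ends outside the shown lines.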
48 changes: 21 additions & 27 deletions Source/santad/Logs/EndpointSecurity/Serializers/BasicStringTest.mm
Expand Up @@ -116,9 +116,8 @@ - (void)testSerializeMessageClose {
esMsg.event.close.target = &file;

std::string got = BasicStringSerializeMessage(&esMsg);
std::string want = "action=WRITE|path=close_file"
"|pid=12|ppid=56|process=foo|processpath=foo"
"|uid=-2|user=nobody|gid=-1|group=nogroup|machineid=my_id\n";
std::string want = "action=WRITE|path=close_file|pid=12|ppid=56|process=foo|processpath=foo|user="
"nobody|uid=-2|group=nogroup|gid=-1|machineid=my_id\n";

XCTAssertCppStringEqual(got, want);
}
Expand All @@ -138,9 +137,8 @@ - (void)testSerializeMessageExchange {
OCMStub([self.mockConfigurator enableMachineIDDecoration]).andReturn(NO);

std::string got = BasicStringSerializeMessage(&esMsg);
std::string want = "action=EXCHANGE|path=exchange_1|newpath=exchange_2"
"|pid=12|ppid=56|process=foo|processpath=foo"
"|uid=-2|user=nobody|gid=-1|group=nogroup\n";
std::string want = "action=EXCHANGE|path=exchange_1|newpath=exchange_2|pid=12|ppid=56|process="
"foo|processpath=foo|user=nobody|uid=-2|group=nogroup|gid=-1\n";

XCTAssertCppStringEqual(got, want);
}
Expand All @@ -164,11 +162,10 @@ - (void)testSerializeMessageExec {
.WillOnce(testing::Return(es_string_token_t{8, "-v\r--foo"}));

std::string got = BasicStringSerializeMessage(mockESApi, &esMsg);
std::string want =
"action=EXEC|decision=ALLOW|reason=BINARY|explain=extra!|sha256=1234_hash|"
"cert_sha256=5678_hash|cert_cn=|quarantine_url=google.com|pid=12|pidversion="
"89|ppid=56|uid=-2|user=nobody|gid=-1|group=nogroup|mode=L|path=execpath<pipe>|"
"args=exec<pipe>path -l\\n-t -v\\r--foo|machineid=my_id\n";
std::string want = "action=EXEC|decision=ALLOW|reason=BINARY|explain=extra!|sha256=1234_hash|"
"cert_sha256=5678_hash|cert_cn=|quarantine_url=google.com|pid=12|pidversion="
"89|ppid=56|mode=L|path=execpath<pipe>|args=exec<pipe>path -l\\n-t "
"-v\\r--foo|user=nobody|uid=-2|group=nogroup|gid=-1|machineid=my_id\n";

XCTAssertCppStringEqual(got, want);
}
Expand Down Expand Up @@ -210,9 +207,9 @@ - (void)testSerializeMessageLink {
esMsg.event.link.target_filename = MakeESStringToken("link_name");

std::string got = BasicStringSerializeMessage(&esMsg);
std::string want = "action=LINK|path=link_src|newpath=link_dst/link_name"
"|pid=12|ppid=56|process=foo|processpath=foo"
"|uid=-2|user=nobody|gid=-1|group=nogroup|machineid=my_id\n";
std::string want = "action=LINK|path=link_src|newpath=link_dst/"
"link_name|pid=12|ppid=56|process=foo|processpath=foo|user=nobody|uid=-2|"
"group=nogroup|gid=-1|machineid=my_id\n";

XCTAssertCppStringEqual(got, want);
}
Expand All @@ -228,9 +225,8 @@ - (void)testSerializeMessageRename {
esMsg.event.rename.destination.existing_file = &dstFile;

std::string got = BasicStringSerializeMessage(&esMsg);
std::string want = "action=RENAME|path=rename_src|newpath=rename_dst"
"|pid=12|ppid=56|process=foo|processpath=foo"
"|uid=-2|user=nobody|gid=-1|group=nogroup|machineid=my_id\n";
std::string want = "action=RENAME|path=rename_src|newpath=rename_dst|pid=12|ppid=56|process=foo|"
"processpath=foo|user=nobody|uid=-2|group=nogroup|gid=-1|machineid=my_id\n";

XCTAssertCppStringEqual(got, want);
}
Expand All @@ -243,9 +239,8 @@ - (void)testSerializeMessageUnlink {
esMsg.event.unlink.target = &targetFile;

std::string got = BasicStringSerializeMessage(&esMsg);
std::string want = "action=DELETE|path=deleted_file"
"|pid=12|ppid=56|process=foo|processpath=foo"
"|uid=-2|user=nobody|gid=-1|group=nogroup|machineid=my_id\n";
std::string want = "action=DELETE|path=deleted_file|pid=12|ppid=56|process=foo|processpath=foo|"
"user=nobody|uid=-2|group=nogroup|gid=-1|machineid=my_id\n";

XCTAssertCppStringEqual(got, want);
}
Expand Down Expand Up @@ -294,10 +289,9 @@ - (void)testSerializeFileAccess {
Enricher().Enrich(*esMsg.process), "file_target",
FileAccessPolicyDecision::kAllowedAuditOnly);
std::string got(ret.begin(), ret.end());
std::string want =
"action=FILE_ACCESS|policy_version=v1.0|policy_name=pol_name|path=file_target|access_type=OPEN|"
"decision=AUDIT_ONLY|pid=12|ppid=56|"
"process=foo|processpath=foo|uid=-2|user=nobody|gid=-1|group=nogroup|machineid=my_id\n";
std::string want = "action=FILE_ACCESS|policy_version=v1.0|policy_name=pol_name|path=file_target|"
"access_type=OPEN|decision=AUDIT_ONLY|pid=12|ppid=56|process=foo|processpath="
"foo|user=nobody|uid=-2|group=nogroup|gid=-1|machineid=my_id\n";
XCTAssertCppStringEqual(got, want);
}

Expand Down Expand Up @@ -336,9 +330,9 @@ - (void)testSerializeBundleHashingEvent {
std::vector<uint8_t> ret = BasicString::Create(nullptr, false)->SerializeBundleHashingEvent(se);
std::string got(ret.begin(), ret.end());

std::string want = "action=BUNDLE|sha256=file_hash"
"|bundlehash=file_bundle_hash|bundlename=file_bundle_Name|bundleid="
"|bundlepath=file_bundle_path|path=file_path|machineid=my_id\n";
std::string want =
"action=BUNDLE|bundlehash=file_bundle_hash|bundlename=file_bundle_Name|bundleid=|bundlepath="
"file_bundle_path|path=file_path|sha256=file_hash|machineid=my_id\n";

XCTAssertCppStringEqual(got, want);
}
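Review bot: Every updated `want` literal in this file re-spells the same `|user=nobody|uid=-2|group=nogroup|gid=-1` tail (testSerializeMessageClose through testSerializeFileAccess), which is exactly the fragment this commit had to edit by hand in seven places. A file-level constant such as `static const std::string kUserGroupSuffix = "|user=nobody|uid=-2|group=nogroup|gid=-1";` used as `std::string want = "action=WRITE|path=close_file|pid=12|ppid=56|process=foo|processpath=foo" + kUserGroupSuffix + "|machineid=my_id\n";` would make the next change to the serializer's field order a one-line edit in the tests. This is a point of style only; the expectations themselves match the reordered output of AppendUserGroup and the moved sha256 field in the bundle test.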
