Merge 48ec036 into 3702af0

BUILD

@@ -48,6 +48,7 @@ run_command(
     cmd = """
 sudo launchctl unload /Library/LaunchDaemons/com.google.santad.plist 2>/dev/null
 sudo launchctl unload /Library/LaunchDaemons/com.google.santa.bundleservice.plist 2>/dev/null
+sudo launchctl unload /Library/LaunchDaemons/com.google.santa.metricservice.plist 2>/dev/null
 sudo kextunload -b com.google.santa-driver 2>/dev/null
 launchctl unload /Library/LaunchAgents/com.google.santa.plist 2>/dev/null
 """,
@@ -58,6 +59,7 @@ run_command(
     cmd = """
 sudo launchctl load /Library/LaunchDaemons/com.google.santad.plist
 sudo launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+sudo launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
 launchctl load /Library/LaunchAgents/com.google.santa.plist
 """,
 )
@@ -94,6 +96,7 @@ genrule(
         "Conf/install.sh",
         "Conf/uninstall.sh",
         "Conf/com.google.santa.bundleservice.plist",
+        "Conf/com.google.santa.metricservice.plist",
         "Conf/com.google.santad.plist",
         "Conf/com.google.santa.plist",
         "Conf/com.google.santa.asl.conf",
@@ -142,6 +145,10 @@ genrule(
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santabundleservice.dSYM
             ;;
+          *santametricservice.dSYM*Info.plist)
+            mkdir -p $(@D)/dsym
+            cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/santametricservice.dSYM
+            ;;
           *Santa.app.dSYM*Info.plist)
             mkdir -p $(@D)/dsym
             cp -LR $$(dirname $$(dirname $${SRC})) $(@D)/dsym/Santa.app.dSYM
@@ -225,6 +232,7 @@ test_suite(
     name = "unit_tests",
     tests = [
         "//Source/common:SNTFileInfoTest",
+        "//Source/common:SNTMetricSetTest",
         "//Source/common:SNTPrefixTreeTest",
         "//Source/common:SantaCacheTest",
         "//Source/santactl:SNTCommandFileInfoTest",
@@ -234,6 +242,7 @@ test_suite(
         "//Source/santad:SNTEventTableTest",
         "//Source/santad:SNTExecutionControllerTest",
         "//Source/santad:SNTRuleTableTest",
+        "//Source/santametricservice:unit_tests",
     ],
 )
 

Conf/Package/postinstall

@@ -24,6 +24,9 @@ mkdir -p /usr/local/bin
 # Load com.google.santa.bundleservice
 /bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
+# Load com.google.santa.metricservice
+/bin/launchctl load -w /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
 GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 [[ -z "${GUI_USER}" ]] && exit 0
 

Conf/Package/preinstall

@@ -8,6 +8,7 @@
 
 /bin/launchctl remove com.google.santad || true
 /bin/launchctl remove com.google.santa.bundleservice || true
+/bin/launchctl remove com.google.santa.metricservice || true
 
 /bin/sleep 1
 

Conf/com.google.santa.metricservice.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.google.santa.metricservice</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Applications/Santa.app/Contents/MacOS/santametricservice</string>
+		<string>--syslog</string>
+	</array>
+	<key>MachServices</key>
+	<dict>
+		<key>com.google.santa.metricservice</key>
+		<true/>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+</dict>
+</plist>

Conf/install.sh

@@ -24,6 +24,9 @@ fi
 # Unload bundle service
 /bin/launchctl remove com.google.santa.bundleservice >/dev/null 2>&1
 
+# Unload metric service
+/bin/launchctl remove com.google.santa.metricservice >/dev/null 2>&1
+
 # Unload kext.
 /sbin/kextunload -b com.google.santa-driver >/dev/null 2>&1
 
@@ -58,6 +61,7 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 
 /bin/cp ${CONF}/com.google.santa.plist /Library/LaunchAgents
 /bin/cp ${CONF}/com.google.santa.bundleservice.plist /Library/LaunchDaemons
+/bin/cp ${CONF}/com.google.santa.metricservice.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santad.plist /Library/LaunchDaemons
 /bin/cp ${CONF}/com.google.santa.asl.conf /etc/asl/
 /bin/cp ${CONF}/com.google.santa.newsyslog.conf /etc/newsyslog.d/
@@ -71,6 +75,9 @@ GUI_USER=$(/usr/bin/stat -f '%u' /dev/console)
 # Load com.google.santa.bundleservice
 /bin/launchctl load /Library/LaunchDaemons/com.google.santa.bundleservice.plist
 
+# Load com.google.santa.metricservice
+/bin/launchctl load /Library/LaunchDaemons/com.google.santa.metricservice.plist
+
 # Load GUI agent if someone is logged in.
 [[ -z "${GUI_USER}" ]] && exit 0
 

Conf/uninstall.sh

@@ -24,6 +24,7 @@ user=$(/usr/bin/stat -f '%u' /dev/console)
 /bin/rm -f /Library/LaunchAgents/com.google.santa.plist
 /bin/rm -f /Library/LaunchDaemons/com.google.santad.plist
 /bin/rm -f /Library/LaunchDaemons/com.google.santa.bundleservice.plist
+/bin/rm -f /Library/LaunchDaemons/com.google.santa.metricservice.plist
 /bin/rm -f /private/etc/asl/com.google.santa.asl.conf
 /bin/rm -f /private/etc/newsyslog.d/com.google.santa.newsyslog.conf
 /bin/rm -f /usr/local/bin/santactl # just a symlink

Source/common/SNTMetricSet.h

@@ -100,6 +100,15 @@ typedef NS_ENUM(NSInteger, SNTMetricType) {
                            fieldNames:(NSArray<NSString *> *)fieldNames
                              helpText:(NSString *)text;
 
+/**
+ * Returns a shared global instance with default root labels and metrics registerd.
+ */
++ (instancetype)sharedInstance;
+
+
+/**
+ *  Add a root label to the MetricSet.
+ */
 - (void)addRootLabel:(NSString *)label value:(NSString *)value;
 
 /**

Source/common/SNTMetricSet.m

@@ -432,6 +432,17 @@ @implementation SNTMetricSet {
   NSMutableArray<void (^)(void)> *_callbacks;
 }
 
++ (instancetype)sharedInstance {
+  static SNTMetricSet *sharedMetrics;
+  static dispatch_once_t onceToken;
+
+  dispatch_once(&onceToken, ^{
+    sharedMetrics = [[SNTMetricSet alloc] init];
+  });
+
+  return sharedMetrics;
+}
+
 - (instancetype)init {
   self = [super init];
   if (self) {

Source/common/SNTMetricSetTest.m

@@ -60,6 +60,7 @@ - (void)testExportNSDictionary {
 
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
+    @"description" : @"Count of exec events broken out by rule type.",
     @"fields" : @{
       @"rule_type" : @[ @{
         @"value" : @"certificate",
@@ -96,6 +97,7 @@ - (void)testExportNSDictionary {
   [b set:true forFieldValues:@[]];
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeBool],
+    @"description" : @"Is the daemon connected.",
     @"fields" : @{
       @"" : @[ @{
         @"value" : @"",
@@ -150,6 +152,7 @@ - (void)testExportNSDictionary {
 
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
+    @"description" : @"Count of rules broken out by rule type.",
     @"fields" : @{
       @"rule_type" : @[ @{
         @"value" : @"binary",
@@ -201,6 +204,7 @@ - (void)testExportNSDictionary {
 
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeDouble],
+    @"description" : @"CPU time consumed by this process.",
     @"fields" : @{
       @"mode" : @[
         @{
@@ -244,6 +248,7 @@ - (void)testExportNSDictionary {
 
   NSDictionary *expected = @{
     @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeString],
+    @"description" : @"String description of the mode.",
     @"fields" : @{
       @"" : @[ @{
         @"value" : @"",
@@ -313,6 +318,7 @@ - (void)testAddConstantBool {
 
   NSDictionary *expected = @{
     @"/tautology" : @{
+      @"description" : @"The first rule of tautology club is the first rule",
       @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
       @"fields" : @{
         @"" : @[ @{
@@ -337,6 +343,7 @@ - (void)testAddConstantString {
 
   NSDictionary *expected = @{
     @"/build/label" : @{
+      @"description" : @"Build label for the binary",
       @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
       @"fields" : @{
         @"" : @[ @{
@@ -360,6 +367,7 @@ - (void)testAddConstantInt {
 
   NSDictionary *expected = @{
     @"/deep/thought/answer" : @{
+      @"description" : @"Life, the universe, and everything",
       @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
       @"fields" : @{
         @"" : @[ @{
@@ -386,10 +394,10 @@ - (void)testExportNSDictionary {
   [metricSet addConstantBooleanWithName:@"/santa/using_endpoint_security_framework"
                                helpText:@"Is santad using the endpoint security framework."
                                   value:TRUE];
-  [metricSet addConstantIntegerWithName:@"/proc/birth_timestamp"
-                               helpText:@"Start time of this LogDumper instance, in microseconds "
-                                        @"since epoch"
-                                  value:(long long)(0x12345668910)];
+  [metricSet
+    addConstantIntegerWithName:@"/proc/birth_timestamp"
+                      helpText:@"Start time of this santad instance, in microseconds  since epoch"
+                         value:(long long)(0x12345668910)];
   // Add Metrics
   SNTMetricCounter *c = [metricSet counterWithName:@"/santa/events"
                                         fieldNames:@[ @"rule_type" ]
@@ -414,7 +422,7 @@ - (void)testExportNSDictionary {
   SNTMetricInt64Gauge *residentMemoryGauge =
     [metricSet int64GaugeWithName:@"/proc/memory/resident_size"
                        fieldNames:@[]
-                         helpText:@"The resident set siz of this process."];
+                         helpText:@"The resident set size of this process."];
 
   [metricSet registerCallback:^(void) {
     [virtualMemoryGauge set:987654321 forFieldValues:@[]];
@@ -425,6 +433,7 @@ - (void)testExportNSDictionary {
     @"root_labels" : @{@"hostname" : @"testHost", @"username" : @"testUser"},
     @"metrics" : @{
       @"/build/label" : @{
+        @"description" : @"Software version running.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantString],
         @"fields" : @{
           @"" : @[ @{
@@ -436,6 +445,7 @@ - (void)testExportNSDictionary {
         }
       },
       @"/santa/events" : @{
+        @"description" : @"Count of events on the host",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeCounter],
         @"fields" : @{
           @"rule_type" : @[
@@ -455,6 +465,7 @@ - (void)testExportNSDictionary {
         },
       },
       @"/santa/rules" : @{
+        @"description" : @"Number of rules.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
         @"fields" : @{
           @"rule_type" : @[
@@ -474,6 +485,7 @@ - (void)testExportNSDictionary {
         },
       },
       @"/santa/using_endpoint_security_framework" : @{
+        @"description" : @"Is santad using the endpoint security framework.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantBool],
         @"fields" : @{
           @"" : @[ @{
@@ -485,6 +497,7 @@ - (void)testExportNSDictionary {
         }
       },
       @"/proc/birth_timestamp" : @{
+        @"description" : @"Start time of this santad instance, in microseconds  since epoch",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeConstantInt64],
         @"fields" : @{
           @"" : @[ @{
@@ -496,6 +509,7 @@ - (void)testExportNSDictionary {
         },
       },
       @"/proc/memory/virtual_size" : @{
+        @"description" : @"The virtual memory size of this process.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
         @"fields" : @{
           @"" : @[ @{
@@ -507,6 +521,7 @@ - (void)testExportNSDictionary {
         }
       },
       @"/proc/memory/resident_size" : @{
+        @"description" : @"The resident set size of this process.",
         @"type" : [NSNumber numberWithInt:(int)SNTMetricTypeGaugeInt64],
         @"fields" : @{
           @"" : @[ @{

Source/common/SNTXPCMetricServiceInterface.m

@@ -19,7 +19,8 @@ @implementation SNTXPCMetricServiceInterface
 + (NSXPCInterface *)metricServiceInterface {
   NSXPCInterface *r = [NSXPCInterface interfaceWithProtocol:@protocol(SNTMetricServiceXPC)];
 
-  [r setClasses:[NSSet setWithObjects:[NSDictionary class], nil]
+  [r setClasses:[NSSet setWithObjects:[NSDictionary class], [NSArray class], [NSNumber class],
+                                      [NSString class], [NSDate class], nil]
       forSelector:@selector(exportForMonitoring:)
     argumentIndex:0
           ofReply:NO];

Source/santa/BUILD

@@ -48,6 +48,7 @@ macos_application(
     additional_contents = {
         "//Source/santactl": "MacOS",
         "//Source/santabundleservice": "MacOS",
+        "//Source/santametricservice": "MacOS",
         "//Source/santad:com.google.santa.daemon": "Library/SystemExtensions",
     },
     app_icons = glob(["Resources/Images.xcassets/**"]),

Source/santad/BUILD

@@ -60,19 +60,33 @@ objc_library(
         "//Source/common:SNTFileInfo",
         "//Source/common:SNTKernelCommon",
         "//Source/common:SNTLogging",
+        "//Source/common:SNTMetricSet",
         "//Source/common:SNTPrefixTree",
         "//Source/common:SNTRule",
         "//Source/common:SNTStoredEvent",
         "//Source/common:SNTXPCControlInterface",
+        "//Source/common:SNTXPCMetricServiceInterface",
         "//Source/common:SNTXPCNotifierInterface",
         "//Source/common:SNTXPCSyncdInterface",
         "//Source/common:SantaCache",
+        "//Source/santad:SNTApplicationCoreMetrics",
         "@FMDB",
         "@MOLCodesignChecker",
         "@MOLXPCConnection",
     ],
 )
 
+objc_library(
+    name = "SNTApplicationCoreMetrics",
+    srcs = ["SNTApplicationCoreMetrics.m"],
+    hdrs = ["SNTApplicationCoreMetrics.h"],
+    deps = [
+        "//Source/common:SNTCommonEnums",
+        "//Source/common:SNTConfigurator",
+        "//Source/common:SNTMetricSet",
+    ],
+)
+
 objc_library(
     name = "EndpointSecurityTestLib",
     testonly = 1,
@@ -261,3 +275,18 @@ santa_unit_test(
         "@OCMock",
     ],
 )
+
+santa_unit_test(
+    name = "SNTApplicationCoreMetricsTest",
+    srcs = [
+        "SNTApplicationCoreMetricsTest.m",
+    ],
+    minimum_os_version = "10.15",
+    deps = [
+        ":SNTApplicationCoreMetrics",
+        "//Source/common:SNTCommonEnums",
+        "//Source/common:SNTMetricSet",
+        "//Source/santametricservice/Formats:SNTMetricFormatTestHelper",
+        "@OCMock",
+    ],
+)