Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) #1281

Merged
merged 15 commits into from
Mar 14, 2024
Merged

ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) #1281

merged 15 commits into from
Mar 14, 2024

Conversation

kallsyms
Copy link
Contributor

@kallsyms kallsyms commented Feb 5, 2024

This PR:

  • Instantiates a process tree in SantaDeps, and threads it through to the enricher and proto serializer.
  • Adds a new SNTEndpointSecurityTreeAwareClient which clients subclass from to automatically have the tree updated before they run.
  • Adds a ProcessToken to the core Message type passed through Santa, which causes the tree to automatically "hold on" to process information, even after the process' exit event is received. This means the clients can get process information out of the tree at any point, even in (delayed) async processing.
  • Adds the basic configuration knobs to change which annotations are enabled (and if none are, disables the tree entirely).

N.B. Due to the last bullet above, while this code does technically begin to interact with event processing, the tree remains entirely disabled unless the config key is set.

@kallsyms kallsyms marked this pull request as ready for review February 20, 2024 20:12
@kallsyms kallsyms requested a review from a team as a code owner February 20, 2024 20:12
mlw
mlw suggested changes Mar 6, 2024
View reviewed changes
Source/common/SNTConfigurator.h Show resolved Hide resolved
Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h Outdated Show resolved Hide resolved
Source/santad/EventProviders/EndpointSecurity/Enricher.mm Outdated Show resolved Hide resolved
Source/santad/EventProviders/EndpointSecurity/Enricher.h Outdated Show resolved Hide resolved
Source/santad/EventProviders/EndpointSecurity/Message.h Outdated Show resolved Hide resolved
Source/santad/EventProviders/SNTEndpointSecurityTreeAwareClient.h Outdated Show resolved Hide resolved
Source/santad/EventProviders/SNTEndpointSecurityTreeAwareClient.mm Outdated Show resolved Hide resolved
Source/santad/SantadDeps.mm Outdated Show resolved Hide resolved
Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm Outdated Show resolved Hide resolved
Source/santad/EventProviders/SNTEndpointSecurityTreeAwareClient.mm Show resolved Hide resolved
@kallsyms kallsyms merged commit 77d191a into google:main Mar 14, 2024
9 checks passed
@kallsyms kallsyms deleted the pt-3 branch March 14, 2024 15:32
@mlw mlw added this to the 2024.3 milestone Mar 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mlw mlw mlw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2024.3
Development

Successfully merging this pull request may close these issues.
2 participants
@kallsyms @mlw