Add process posture check

management/server/http/api/openapi.yml

@@ -864,6 +864,8 @@ components:
           $ref: '#/components/schemas/GeoLocationCheck'
         peer_network_range_check:
           $ref: '#/components/schemas/PeerNetworkRangeCheck'
+        process_check:
+          $ref: '#/components/schemas/ProcessCheck'
     NBVersionCheck:
       description: Posture check for the version of NetBird
       type: object
@@ -952,6 +954,31 @@ components:
       required:
         - ranges
         - action
+    ProcessCheck:
+      description: Posture Check for binaries exist and are running in the peer’s system
+      type: object
+      properties:
+        processes:
+          type: array
+          items:
+            $ref: '#/components/schemas/Process'
+      required:
+        - processes
+    Process:
+      description: Describe the operational activity within peer's system.
+      type: object
+      properties:
+        path:
+          description: Path to the process executable file in a Unix-like operating system
+          type: string
+          example: "/usr/local/bin/netbird"
+        windows_path:
+          description: Path to the process executable file in a Windows operating system
+          type: string
+          example: "C:\ProgramData\NetBird\netbird.exe"
+      required:
+        - path
+        - windows_path
     Location:
       description: Describe geographical location information
       type: object

management/server/http/posture_checks_handler.go

@@ -221,6 +221,10 @@ func (p *PostureChecksHandler) savePostureChecks(
 		}
 	}
 
+	if processCheck := req.Checks.ProcessCheck; processCheck != nil {
+		postureChecks.Checks.ProcessCheck = toProcessCheck(processCheck)
+	}
+
 	if err := p.accountManager.SavePostureChecks(account.Id, user.Id, &postureChecks); err != nil {
 		util.WriteError(err, w)
 		return
@@ -235,7 +239,7 @@ func validatePostureChecksUpdate(req api.PostureCheckUpdate) error {
 	}
 
 	if req.Checks == nil || (req.Checks.NbVersionCheck == nil && req.Checks.OsVersionCheck == nil &&
-		req.Checks.GeoLocationCheck == nil && req.Checks.PeerNetworkRangeCheck == nil) {
+		req.Checks.GeoLocationCheck == nil && req.Checks.PeerNetworkRangeCheck == nil && req.Checks.ProcessCheck == nil) {
 		return status.Errorf(status.InvalidArgument, "posture checks shouldn't be empty")
 	}
 
@@ -292,6 +296,21 @@ func validatePostureChecksUpdate(req api.PostureCheckUpdate) error {
 		}
 	}
 
+	if processCheck := req.Checks.ProcessCheck; processCheck != nil {
+		if len(processCheck.Processes) == 0 {
+			return status.Errorf(status.InvalidArgument, "processes for process check shouldn't be empty")
+		}
+
+		for _, process := range processCheck.Processes {
+			if process.WindowsPath == "" {
+				return status.Errorf(status.InvalidArgument, "windows path for process check shouldn't be empty")
+			}
+			if process.Path == "" {
+				return status.Errorf(status.InvalidArgument, "path for process check shouldn't be empty")
+			}
+		}
+	}
+
 	return nil
 }
 
@@ -322,6 +341,10 @@ func toPostureChecksResponse(postureChecks *posture.Checks) *api.PostureCheck {
 		checks.PeerNetworkRangeCheck = toPeerNetworkRangeCheckResponse(postureChecks.Checks.PeerNetworkRangeCheck)
 	}
 
+	if postureChecks.Checks.ProcessCheck != nil {
+		checks.ProcessCheck = toProcessCheckResponse(postureChecks.Checks.ProcessCheck)
+	}
+
 	return &api.PostureCheck{
 		Id:          postureChecks.ID,
 		Name:        postureChecks.Name,
@@ -396,3 +419,28 @@ func toPeerNetworkRangeCheck(check *api.PeerNetworkRangeCheck) (*posture.PeerNet
 		Action: string(check.Action),
 	}, nil
 }
+
+func toProcessCheckResponse(check *posture.ProcessCheck) *api.ProcessCheck {
+	processes := make([]api.Process, 0, len(check.Processes))
+	for _, process := range check.Processes {
+		processes = append(processes, (api.Process)(process))
+	}
+
+	return &api.ProcessCheck{
+		Processes: processes,
+	}
+}
+
+func toProcessCheck(check *api.ProcessCheck) *posture.ProcessCheck {
+	processes := make([]posture.Process, 0, len(check.Processes))
+	for _, process := range check.Processes {
+		processes = append(processes, posture.Process{
+			Path:        process.Path,
+			WindowsPath: process.WindowsPath,
+		})
+	}
+
+	return &posture.ProcessCheck{
+		Processes: processes,
+	}
+}

management/server/http/posture_checks_handler_test.go

@@ -433,6 +433,43 @@ func TestPostureCheckUpdate(t *testing.T) {
 				handler.geolocationManager = nil
 			},
 		},
+		{
+			name:        "Create Posture Checks Process Check",
+			requestType: http.MethodPost,
+			requestPath: "/api/posture-checks",
+			requestBody: bytes.NewBuffer(
+				[]byte(`{
+					"name": "default",
+					"description": "default",
+					"checks": {
+						"process_check": {
+							"processes": [
+								{ 
+									"path": "/usr/local/bin/netbird",
+									"windows_path": "C:\\ProgramData\\NetBird\\netbird.exe"
+								}
+							]
+						}
+					}
+					}`)),
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedPostureCheck: &api.PostureCheck{
+				Id:          "postureCheck",
+				Name:        "default",
+				Description: str("default"),
+				Checks: api.Checks{
+					ProcessCheck: &api.ProcessCheck{
+						Processes: []api.Process{
+							{
+								Path:        "/usr/local/bin/netbird",
+								WindowsPath: "C:\\ProgramData\\NetBird\\netbird.exe",
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name:        "Create Posture Checks Invalid Check",
 			requestType: http.MethodPost,
@@ -937,4 +974,45 @@ func TestPostureCheck_validatePostureChecksUpdate(t *testing.T) {
 		},
 	)
 	assert.Error(t, err)
+
+	// valid process check
+	processCheck := api.ProcessCheck{
+		Processes: []api.Process{
+			{
+				Path:        "/usr/local/bin/netbird",
+				WindowsPath: "C:\\ProgramData\\NetBird\\netbird.exe",
+			},
+		},
+	}
+	err = validatePostureChecksUpdate(api.PostureCheckUpdate{Name: "Default", Checks: &api.Checks{ProcessCheck: &processCheck}})
+	assert.NoError(t, err)
+
+	// invalid process check
+	processCheck = api.ProcessCheck{
+		Processes: make([]api.Process, 0),
+	}
+	err = validatePostureChecksUpdate(api.PostureCheckUpdate{Name: "Default", Checks: &api.Checks{ProcessCheck: &processCheck}})
+	assert.Error(t, err)
+
+	// invalid process check
+	processCheck = api.ProcessCheck{
+		Processes: []api.Process{
+			{
+				Path: "/usr/local/bin/netbird",
+			},
+		},
+	}
+	err = validatePostureChecksUpdate(api.PostureCheckUpdate{Name: "Default", Checks: &api.Checks{ProcessCheck: &processCheck}})
+	assert.Error(t, err)
+
+	// invalid process check
+	processCheck = api.ProcessCheck{
+		Processes: []api.Process{
+			{
+				WindowsPath: "C:\\ProgramData\\NetBird\\netbird.exe",
+			},
+		},
+	}
+	err = validatePostureChecksUpdate(api.PostureCheckUpdate{Name: "Default", Checks: &api.Checks{ProcessCheck: &processCheck}})
+	assert.Error(t, err)
 }

management/server/peer/peer.go

@@ -79,6 +79,11 @@ type Environment struct {
 	Platform string
 }
 
+// Process represents an active process on the peer's system.
+type Process struct {
+	Path string
+}
+
 // PeerSystemMeta is a metadata of a Peer machine system
 type PeerSystemMeta struct { //nolint:revive
 	Hostname           string
@@ -96,6 +101,7 @@ type PeerSystemMeta struct { //nolint:revive
 	SystemProductName  string
 	SystemManufacturer string
 	Environment        Environment `gorm:"serializer:json"`
+	Processes          []Process   `gorm:"-"`
 }
 
 func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {

management/server/posture/checks.go

@@ -14,6 +14,7 @@ const (
 	OSVersionCheckName        = "OSVersionCheck"
 	GeoLocationCheckName      = "GeoLocationCheck"
 	PeerNetworkRangeCheckName = "PeerNetworkRangeCheck"
+	ProcessCheckName          = "ProcessCheck"
 
 	CheckActionAllow string = "allow"
 	CheckActionDeny  string = "deny"
@@ -48,6 +49,7 @@ type ChecksDefinition struct {
 	OSVersionCheck        *OSVersionCheck        `json:",omitempty"`
 	GeoLocationCheck      *GeoLocationCheck      `json:",omitempty"`
 	PeerNetworkRangeCheck *PeerNetworkRangeCheck `json:",omitempty"`
+	ProcessCheck          *ProcessCheck          `json:",omitempty"`
 }
 
 // Copy returns a copy of a checks definition.
@@ -93,6 +95,13 @@ func (cd ChecksDefinition) Copy() ChecksDefinition {
 		}
 		copy(cdCopy.PeerNetworkRangeCheck.Ranges, peerNetRangeCheck.Ranges)
 	}
+	if cd.ProcessCheck != nil {
+		processCheck := cd.ProcessCheck
+		cdCopy.ProcessCheck = &ProcessCheck{
+			Processes: make([]Process, len(processCheck.Processes)),
+		}
+		copy(cdCopy.ProcessCheck.Processes, processCheck.Processes)
+	}
 	return cdCopy
 }
 
@@ -133,6 +142,9 @@ func (pc *Checks) GetChecks() []Check {
 	if pc.Checks.PeerNetworkRangeCheck != nil {
 		checks = append(checks, pc.Checks.PeerNetworkRangeCheck)
 	}
+	if pc.Checks.ProcessCheck != nil {
+		checks = append(checks, pc.Checks.ProcessCheck)
+	}
 	return checks
 }
 

management/server/posture/checks_test.go

@@ -261,6 +261,14 @@ func TestChecks_Copy(t *testing.T) {
 				},
 				Action: CheckActionDeny,
 			},
+			ProcessCheck: &ProcessCheck{
+				Processes: []Process{
+					{
+						Path:        "/Applications/NetBird.app/Contents/MacOS/netbird",
+						WindowsPath: "C:\\ProgramData\\NetBird\\netbird.exe",
+					},
+				},
+			},
 		},
 	}
 	checkCopy := check.Copy()

management/server/posture/process.go

@@ -0,0 +1,49 @@
+package posture
+
+import (
+	"fmt"
+	"slices"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+)
+
+type Process struct {
+	Path        string
+	WindowsPath string
+}
+
+type ProcessCheck struct {
+	Processes []Process
+}
+
+var _ Check = (*ProcessCheck)(nil)
+
+func (p *ProcessCheck) Check(peer nbpeer.Peer) (bool, error) {
+	peerActiveProcesses := make([]string, 0, len(peer.Meta.Processes))
+	for _, process := range peer.Meta.Processes {
+		peerActiveProcesses = append(peerActiveProcesses, process.Path)
+	}
+
+	switch peer.Meta.GoOS {
+	case "darwin", "linux":
+		for _, process := range p.Processes {
+			if !slices.Contains(peerActiveProcesses, process.Path) {
+				return false, nil
+			}
+		}
+		return true, nil
+	case "windows":
+		for _, process := range p.Processes {
+			if !slices.Contains(peerActiveProcesses, process.WindowsPath) {
+				return false, nil
+			}
+		}
+		return true, nil
+	default:
+		return false, fmt.Errorf("unsupported peer's operating system: %s", peer.Meta.GoOS)
+	}
+}
+
+func (p *ProcessCheck) Name() string {
+	return ProcessCheckName
+}