santa icon indicating copy to clipboard operation
santa copied to clipboard
verified publisher icon google

[DRAFT] ES/Logging Components Redesign

Open mlw opened this issue 3 years ago • 0 comments

This is a work-in-progress, being released in draft form in order to solicit early feedback.

Building / Running

Build using the following command:

bazel build --apple_generate_dsym -c opt --verbose_failures --sandbox_debug //Source/santad:com.google.santad.sysext

You can then run the binary directly via:

sudo /path/to/compiled/binary [--quick [timeout_seconds]]

Using the optional --quick flag will cause the program to exit after 5 seconds. An optional number of seconds can also be passed.

Currently, logged events are echoed to the console via the LOGE macro. (This is temporary for during development and won't stay around.)

Completed

EndpointSecurity Interfaces/Classes/Wrappers

  • Source/santad/EventProviders/EndpointSecurity
    • EndpointSecurityAPI - Wraps the EndpointSecurity framework functions. Bridges between the wrapped types below and the ES types.
    • Client - This object wraps an es_client_t
    • Message - This object wraps an es_message_t
    • EnrichedTypes - Defines all the various per-event-type enriched variants for a Message
    • Enricher - Takes a Message and produces an appropriate EnrichedMessage

EndpointSecurity Clients

  • Source/santad/EventProviders
    • SNTEndpointSecurityClientBase - Protocol declaring the base class interfaces available to ES clients
    • SNTEndpointSecurityClient - The base class for ES clients
    • SNTEndpointSecurityAuthorizer - AUTH EXEC control. Also does caching.
    • SNTEndpointSecurityRecorder - Subscribes to events that will get enriched and logged
    • SNTEndpointSecurityDeviceManager - MOUNT/REMOUNT/UNMOUNT actions
    • SNTEndpointSecurityTamperResistance - Provides functionality to help protect Santa and its resources

Resources

  • AuthResultCache - Wrapper for the "root" and "nonroot" caches. Provided to the various clients that need to interact with the caches
  • SNTDecisionCache - Wrapped for what was previously in the SNTEventLog. It stores SNTCachedDecisions.

Logging

  • Source/santad/LogsEndpointSecurity
    • Logger - Provides the primary logging interfaces. Composed of a serializer and a writer.
    • Serializers/
      • Serializer - Abstract base class for all serializers
      • BasicString - Functionality previously provided by SNTSyslogEventLog
    • Writers/
      • Syslog - Currently just dumps to ULS.

Other

  • SNTExecutionController - Interfaces changed to have fewer dependencies.
  • SNTCompilerController - Now does all compiler process tracking instead of SNTEndpointSecurityManager
  • SNTEventProvider - Complete overhaul. Split into SNTEventProvider and SNTCachingEventProvider
  • SNTCommon - santa_message_t has been removed. Removed a bunch from santa_action_t.

~~ NOT COMPLETED ~~

Still a bunch left TODO. The following is very likely an incomplete list:

  • santad.mm - Needs an overhaul. Right now just sort of a dumping ground as I add more features.
  • Additional Writers
    • File-based writer
    • SimpleMaildir-based writer
  • Hookup santactl
  • Hookup all the other agents/daemons (e.g. syncservice, bundleservice, metricservice, etc.)
  • Hookup listening for configuration changes
  • Split logging for santactl which needs the legacy macros and new logging which can go to ULS.
  • gMock/gTest integration
  • Protobuf support (??? may just leave this out since we want to overhaul that next)
  • Remove a whole bunch of now-unused files

mlw avatar Jul 08 '22 20:07 mlw

Closing the draft PR. It's now quite outdated.

mlw avatar Aug 29 '22 15:08 mlw