
@bfreezy bfreezy (Collaborator) commented Dec 20, 2023

Summary

Adds new types:

  • EventUploadRequest - encapsulation of an /eventupload POST body sent by a Santa client. It's an array of santa events (see next type)
  • EventUploadEvent - a single event entry. This contains all the data the santa client collected around the block event.

Updates:

  • Bumps go version to 1.20
  • Changes the EventPayload.Content field to EventPayload.EventInfo. The former was a raw json type, it's replaced with a more specific type
  • Changes logging to show the execution events out in the log so the admin can see what was blocked. This is nice, because any logging backend can parse out the structured event fields easily.
  • Prior to this, Moroz was only logging the count of events and then writing them as a json file to /tmp/santa_events. That's nice and all, but it is not helpful in environments that use ephemeral containers.

For more info on the santa client upload fields, see https://santa.dev/development/sync-protocol.html#eventupload

Test plan

Ensure enable_all_event_upload = true is present in my toml config

Started server locally and tried to run a blocked application on my machine. The events are immediately sent to moroz from my santa client:

❯ ./build/darwin/moroz -configs ./configs/global.toml -http-addr=:3000 -use-tls=false -debug

{"addr":":3000","caller":"main.go:109","msg":"serve http","severity":"debug","tls":false,"ts":"2023-12-20T17:14:50.999877Z"}

{"caller":"svc_preflight.go:75","err":null,"machine_id":"brandonfriess","method":"Preflight","severity":"info","took":"443.792µs","ts":"2023-12-20T17:15:05.55886Z"}

{"caller":"svc_upload_event.go:106","err":null,"event":{"current_sessions":["brandonfriess@console","brandonfriess@ttys001","brandonfriess@ttys000","brandonfriess@ttys002","brandonfriess@ttys003","brandonfriess@ttys004","brandonfriess@ttys005"],"decision":"ALLOW_CERTIFICATE","executing_user":"root","execution_time":1703092487.530034,"file_bundle_binary_count":0,"file_bundle_executable_rel_path":"","file_bundle_hash":"","file_bundle_hash_millis":0,"file_bundle_id":"","file_bundle_name":"","file_bundle_path":"","file_bundle_version_string":"","file_bundle_version":"","file_name":"arch","file_path":"/usr/bin","file_sha256":"7cdb2cad3686c0d659d3ef39fefa567964437f3dfd5f134fb399e031b92294c1","logged_in_users":["brandonfriess"],"parent_name":"Python","ppid":31416,"pid":31422,"quarantine_agent_bundle_id":"","quarantine_data_url":"","quarantine_referer_url":"","quarantine_timestamp":0,"signing_chain":[{"cn":"Software Signing","org":"Apple Inc.","ou":"Apple Software","sha256":"d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57","valid_from":1603996358,"valid_until":1792863581},{"cn":"Apple Code Signing Certification Authority","org":"Apple Inc.","ou":"Apple Certification Authority","sha256":"5bdab1288fc16892fef50c658db54f1e2e19cf8f71cc55f77de2b95e051e2562","valid_from":1319477981,"valid_until":1792863581},{"cn":"Apple Root CA","org":"Apple Inc.","ou":"Apple Certification Authority","sha256":"b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024","valid_from":1146001236,"valid_until":2054670036}],"signing_id":"platform:com.apple.arch","team_id":""},"machine_id":"brandonfriess","method":"UploadEvent","severity":"info","took":"18.417375ms","ts":"2023-12-20T17:15:05.63825Z"}

{"caller":"svc_upload_event.go:106","err":null,"event":{"current_sessions":["brandonfriess@console","brandonfriess@ttys001","brandonfriess@ttys000","brandonfriess@ttys002","brandonfriess@ttys003","brandonfriess@ttys004","brandonfriess@ttys005"],"decision":"ALLOW_SCOPE","executing_user":"brandonfriess","execution_time":1703092414.421201,"file_bundle_binary_count":0,"file_bundle_executable_rel_path":"","file_bundle_hash":"","file_bundle_hash_millis":0,"file_bundle_id":"","file_bundle_name":"","file_bundle_path":"","file_bundle_version_string":"","file_bundle_version":"","file_name":"asm","file_path":"/opt/homebrew/Cellar/go/1.20.7/libexec/pkg/tool/darwin_arm64","file_sha256":"98cfa707deb8c0fcd785b3dde7292d6a9ba8eb7651b5e48d15a61cb959d1859c","logged_in_users":["brandonfriess"],"parent_name":"go","ppid":30143,"pid":30155,"quarantine_agent_bundle_id":"","quarantine_data_url":"","quarantine_referer_url":"","quarantine_timestamp":0,"signing_chain":[],"signing_id":"","team_id":""},"machine_id":"brandonfriess","method":"UploadEvent","severity":"info","took":"18.527542ms","ts":"2023-12-20T17:15:05.638347Z"}

JSON file still exists on disk as well:

❯ bat /tmp/santa_events/01d2871fe74f82a3a436d0eb4952f5a31e73de1d5aebcca520c728085d03fddd/brandonfriess/1703092298.278724.json

File: /tmp/santa_events/01d2871fe74f82a3a436d0eb4952f5a31e73de1d5aebcca520c728085d03fddd/brandonfriess/1703092298.278724.json (Size: 1.5 KB)

{"current_sessions":["brandonfriess@console","brandonfriess@ttys001","brandonfriess@ttys000","brandonfriess@ttys002","brandonfriess@ttys003","brandonfriess@ttys004","brandonfriess@ttys005"],"decision":"ALLOW_CERTIFICATE","executing_user":"root","execution_time":1703092298.278724,"file_bundle_binary_count":0,"file_bundle_executable_rel_path":"","file_bundle_hash":"","file_bundle_hash_millis":0,"file_bundle_id":"","file_bundle_name":"","file_bundle_path":"","file_bundle_version_string":"","file_bundle_version":"","file_name":"defaults","file_path":"/usr/bin","file_sha256":"01d2871fe74f82a3a436d0eb4952f5a31e73de1d5aebcca520c728085d03fddd","logged_in_users":["brandonfriess"],"parent_name":"jamf","ppid":28173,"pid":28179,"quarantine_agent_bundle_id":"","quarantine_data_url":"","quarantine_referer_url":"","quarantine_timestamp":0,"signing_chain":[{"cn":"Software Signing","org":"Apple Inc.","ou":"Apple Software","sha256":"d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57","valid_from":1603996358,"valid_until":1792863581},{"cn":"Apple Code Signing Certification Authority","org":"Apple Inc.","ou":"Apple Certification Authority","sha256":"5bdab1288fc16892fef50c658db54f1e2e19cf8f71cc55f77de2b95e051e2562","valid_from":1319477981,"valid_until":1792863581},{"cn":"Apple Root CA","org":"Apple Inc.","ou":"Apple Certification Authority","sha256":"b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024","valid_from":1146001236,"valid_until":2054670036}],"signing_id":"platform:com.apple.defaults","team_id":""}

@bfreezy bfreezy requested a review from weswhet December 20, 2023 17:34
@bfreezy bfreezy merged commit cdf7c51 into groob:master Dec 20, 2023
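The PR above decodes the Santa `/eventupload` body into typed Go structs and logs each event as structured JSON. The following is an added example, not moroz's own code or the structs from this PR: it defines illustrative `EventUploadRequest` / `EventUploadEvent` types using the field names from the Santa sync protocol (a subset of the fields visible in the log output above), decodes a constructed upload body, filters out the `BLOCK_*` decisions (with `enable_all_event_upload = true` the client also sends `ALLOW_*` events, which are noise for alerting), and renders a log line in the same shape as the PR's output. The `SampleBody`, the `dropper` event, its hash and PIDs are constructed for this example; the first event copies values from the PR's log.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// EventUploadRequest is the /eventupload POST body: {"events": [ ... ]}.
// Illustrative definition for this example; field names follow the Santa
// sync protocol, not necessarily the PR's struct layout.
type EventUploadRequest struct {
	Events []EventUploadEvent `json:"events"`
}

// SigningChainEntry is one certificate in an event's signing chain (leaf first).
// Only the fields used below are declared; encoding/json ignores the rest.
type SigningChainEntry struct {
	CN     string `json:"cn"`
	SHA256 string `json:"sha256"`
}

// EventUploadEvent carries the subset of per-event fields this example uses.
type EventUploadEvent struct {
	Decision      string              `json:"decision"`
	ExecutingUser string              `json:"executing_user"`
	ExecutionTime float64             `json:"execution_time"`
	FileName      string              `json:"file_name"`
	FilePath      string              `json:"file_path"`
	FileSHA256    string              `json:"file_sha256"`
	ParentName    string              `json:"parent_name"`
	PID           int                 `json:"pid"`
	PPID          int                 `json:"ppid"`
	SigningChain  []SigningChainEntry `json:"signing_chain"`
	SigningID     string              `json:"signing_id"`
	TeamID        string              `json:"team_id"`
}

// SampleBody is a constructed upload with one allowed and one blocked execution.
// The first event copies values from the PR's log output; the second is made up.
const SampleBody = `{"events":[
 {"decision":"ALLOW_CERTIFICATE","executing_user":"root","execution_time":1703092487.530034,
  "file_name":"arch","file_path":"/usr/bin",
  "file_sha256":"7cdb2cad3686c0d659d3ef39fefa567964437f3dfd5f134fb399e031b92294c1",
  "parent_name":"Python","ppid":31416,"pid":31422,"logged_in_users":["brandonfriess"],
  "signing_chain":[{"cn":"Software Signing","org":"Apple Inc.","ou":"Apple Software",
   "sha256":"d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57"}],
  "signing_id":"platform:com.apple.arch","team_id":""},
 {"decision":"BLOCK_UNKNOWN","executing_user":"brandonfriess","execution_time":1703092500.0,
  "file_name":"dropper","file_path":"/Users/brandonfriess/Downloads",
  "file_sha256":"0000000000000000000000000000000000000000000000000000000000000000",
  "parent_name":"bash","ppid":400,"pid":401,"logged_in_users":["brandonfriess"],
  "signing_chain":[],"signing_id":"","team_id":""}
]}`

// DecodeEventUpload parses a raw /eventupload body into the request type.
func DecodeEventUpload(body []byte) (*EventUploadRequest, error) {
	var req EventUploadRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("decode eventupload: %w", err)
	}
	return &req, nil
}

// BlockedEvents keeps only executions Santa denied (decision BLOCK_*).
func BlockedEvents(req *EventUploadRequest) []EventUploadEvent {
	var out []EventUploadEvent
	for _, ev := range req.Events {
		if strings.HasPrefix(ev.Decision, "BLOCK_") {
			out = append(out, ev)
		}
	}
	return out
}

// LeafCN returns the CN of the leaf signing certificate, or "" for an unsigned binary.
func LeafCN(ev EventUploadEvent) string {
	if len(ev.SigningChain) == 0 {
		return ""
	}
	return ev.SigningChain[0].CN
}

// ExecutedAt converts Santa's fractional Unix timestamp to a UTC time.Time.
func ExecutedAt(ev EventUploadEvent) time.Time {
	return time.Unix(0, int64(ev.ExecutionTime*1e9)).UTC()
}

// LogLine renders one structured entry per event, in the shape of the PR's log output.
func LogLine(machineID string, ev EventUploadEvent) (string, error) {
	b, err := json.Marshal(map[string]interface{}{
		"machine_id": machineID, "method": "UploadEvent", "event": ev,
	})
	return string(b), err
}

func main() {
	req, err := DecodeEventUpload([]byte(SampleBody))
	if err != nil {
		panic(err)
	}
	for _, ev := range BlockedEvents(req) {
		line, _ := LogLine("brandonfriess", ev)
		fmt.Println(line)
	}
}
```

Emitting one log entry per event, as the PR does, is what lets a log backend index `decision`, `file_sha256` and `signing_id` directly; the `LeafCN` and `BlockedEvents` helpers show the two fields an alerting rule would normally key on, with an empty signing chain marking an unsigned binary.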