From 1cd43b731b706829774ae6b1fec52ab2ef448e70 Mon Sep 17 00:00:00 2001 
From: Matt W <436037+mlw@users.noreply.github.com> Date: Sat, 5 Oct 2024 20:07:44 +0200 Subject: [PATCH] Add codesigning information to the ProcessInfoLight message --- Source/common/santa.proto | 19 ++++++++++- .../EndpointSecurity/Serializers/Protobuf.mm | 32 ++++++++++++------- .../Serializers/ProtobufTest.mm | 8 +++++ .../testdata/protobuf/v1/allowlist.json | 5 +++ Source/santad/testdata/protobuf/v1/close.json | 5 +++ .../testdata/protobuf/v1/exchangedata.json | 5 +++ Source/santad/testdata/protobuf/v1/exec.json | 5 +++ Source/santad/testdata/protobuf/v1/exit.json | 5 +++ Source/santad/testdata/protobuf/v1/fork.json | 5 +++ Source/santad/testdata/protobuf/v1/link.json | 5 +++ .../santad/testdata/protobuf/v1/rename.json | 5 +++ .../santad/testdata/protobuf/v1/unlink.json | 5 +++ .../testdata/protobuf/v2/allowlist.json | 5 +++ Source/santad/testdata/protobuf/v2/close.json | 5 +++ .../testdata/protobuf/v2/exchangedata.json | 5 +++ Source/santad/testdata/protobuf/v2/exec.json | 5 +++ Source/santad/testdata/protobuf/v2/exit.json | 5 +++ Source/santad/testdata/protobuf/v2/fork.json | 5 +++ Source/santad/testdata/protobuf/v2/link.json | 5 +++ .../santad/testdata/protobuf/v2/rename.json | 5 +++ .../santad/testdata/protobuf/v2/unlink.json | 5 +++ .../testdata/protobuf/v4/allowlist.json | 5 +++ Source/santad/testdata/protobuf/v4/close.json | 5 +++ .../testdata/protobuf/v4/cs_invalidated.json | 5 +++ .../testdata/protobuf/v4/exchangedata.json | 5 +++ Source/santad/testdata/protobuf/v4/exec.json | 5 +++ Source/santad/testdata/protobuf/v4/exit.json | 5 +++ Source/santad/testdata/protobuf/v4/fork.json | 5 +++ Source/santad/testdata/protobuf/v4/link.json | 5 +++ .../santad/testdata/protobuf/v4/rename.json | 5 +++ .../santad/testdata/protobuf/v4/unlink.json | 5 +++ .../testdata/protobuf/v5/allowlist.json | 5 +++ Source/santad/testdata/protobuf/v5/close.json | 5 +++ .../testdata/protobuf/v5/cs_invalidated.json | 5 +++ .../testdata/protobuf/v5/exchangedata.json | 5 +++ 
Source/santad/testdata/protobuf/v5/exec.json | 5 +++ Source/santad/testdata/protobuf/v5/exit.json | 5 +++ Source/santad/testdata/protobuf/v5/fork.json | 5 +++ Source/santad/testdata/protobuf/v5/link.json | 5 +++ .../santad/testdata/protobuf/v5/rename.json | 5 +++ .../santad/testdata/protobuf/v5/unlink.json | 5 +++ .../testdata/protobuf/v6/allowlist.json | 5 +++ Source/santad/testdata/protobuf/v6/close.json | 5 +++ .../testdata/protobuf/v6/cs_invalidated.json | 5 +++ .../testdata/protobuf/v6/exchangedata.json | 5 +++ Source/santad/testdata/protobuf/v6/exec.json | 5 +++ Source/santad/testdata/protobuf/v6/exit.json | 5 +++ .../testdata/protobuf/v6/file_access.json | 7 +++- Source/santad/testdata/protobuf/v6/fork.json | 5 +++ Source/santad/testdata/protobuf/v6/link.json | 5 +++ .../testdata/protobuf/v6/login_login.json | 5 +++ .../v6/login_login_failed_attempt.json | 5 +++ .../testdata/protobuf/v6/lw_session_lock.json | 5 +++ .../protobuf/v6/lw_session_login.json | 5 +++ .../protobuf/v6/lw_session_logout.json | 5 +++ .../protobuf/v6/lw_session_unlock.json | 5 +++ .../testdata/protobuf/v6/openssh_login.json | 5 +++ .../v6/openssh_login_failed_attempt.json | 5 +++ .../testdata/protobuf/v6/openssh_logout.json | 5 +++ .../santad/testdata/protobuf/v6/rename.json | 5 +++ .../protobuf/v6/screensharing_attach.json | 5 +++ .../v6/screensharing_attach_unset_fields.json | 5 +++ .../protobuf/v6/screensharing_detach.json | 5 +++ .../santad/testdata/protobuf/v6/unlink.json | 5 +++ 64 files changed, 353 insertions(+), 13 deletions(-) diff --git a/Source/common/santa.proto b/Source/common/santa.proto index ba3cf328..1551ac18 100644 --- a/Source/common/santa.proto +++ b/Source/common/santa.proto 
@@ -1,4 +1,17 @@ -// Important: This schema is currently in BETA +/// Copyright 2024 Google LLC +/// Copyright 2024 North Pole Security, Inc. +/// +/// Licensed under the Apache License, Version 2.0 (the "License"); +/// you may not use this file except in compliance with the License. +/// You may obtain a copy of the License at +/// +/// https://www.apache.org/licenses/LICENSE-2.0 +/// +/// Unless required by applicable law or agreed to in writing, software +/// distributed under the License is distributed on an "AS IS" BASIS, +/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +/// See the License for the specific language governing permissions and +/// limitations under the License. syntax = "proto3"; @@ -206,7 +219,11 @@ message ProcessInfoLight { // File information for the executable backing this process optional FileInfoLight executable = 10; + // Tags added by configured annotators optional process_tree.Annotations annotations = 11; + + // Code signature information for the process + optional CodeSignature code_signature = 12; } // Certificate information diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm b/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm index 4f2d5fd1..8487f70b 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm +++ b/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm @@ -1,4 +1,5 @@ /// Copyright 2022 Google LLC +/// Copyright 2024 North Pole Security, Inc. /// /// Licensed under the Apache License, Version 2.0 (the "License"); /// you may not use this file except in compliance with the License. 
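Review bot: The comment on the new `code_signature = 12` field in `ProcessInfoLight` does not say when the field is set or what its presence means. The serializer in this patch fills it whenever `CS_SIGNED` is set in the process's code-signing flags, so presence means "carries a signature", not "signature is currently valid". As far as this hunk shows, the light message has no flags field beside it for a consumer to check, unlike `ProcessInfo`, which also carries `cs_flags`. I would extend the comment to something like `// Code signature information for the process. Set only when the process is signed; presence alone does not mean the signature is valid.` The message body starts outside the hunk, so confirm whether a flags field already exists there.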
@@ -214,6 +215,23 @@ static inline void EncodeAnnotations(std::function<::pbv1::process_tree::Annotat } } +static inline void EncodeCodeSignature(std::function<::pbv1::CodeSignature *()> lazy_f, const es_process_t *es_proc) { + if (es_proc->codesigning_flags & CS_SIGNED) { + ::pbv1::CodeSignature *pb_code_sig = lazy_f(); + + pb_code_sig->set_cdhash(es_proc->cdhash, sizeof(es_proc->cdhash)); + + if (es_proc->signing_id.length > 0) { + pb_code_sig->set_signing_id(es_proc->signing_id.data, es_proc->signing_id.length); + } + + if (es_proc->team_id.length > 0) { + pb_code_sig->set_team_id(es_proc->team_id.data, es_proc->team_id.length); + } + } +} + + static inline void EncodeProcessInfoLight(::pbv1::ProcessInfoLight *pb_proc_info, const es_process_t *es_proc, const EnrichedProcess &enriched_proc) { @@ -236,6 +254,8 @@ static inline void EncodeProcessInfoLight(::pbv1::ProcessInfoLight *pb_proc_info EncodeFileInfoLight(pb_proc_info->mutable_executable(), es_proc->executable); EncodeAnnotations([pb_proc_info] { return pb_proc_info->mutable_annotations(); }, enriched_proc); + + EncodeCodeSignature([pb_proc_info] { return pb_proc_info->mutable_code_signature(); }, es_proc); } static inline void EncodeProcessInfoLight(::pbv1::ProcessInfoLight *pb_proc_info, 
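Review bot: `EncodeCodeSignature` gates only on `CS_SIGNED`, so `cdhash`, `signing_id` and `team_id` are written for any process that carries a signature, including one where `CS_VALID` is not set. That was less of a concern in `EncodeProcessInfo`, which also writes `cs_flags`, but the new call in `EncodeProcessInfoLight` (next hunk) emits the identity fields with nothing, in the lines shown, that lets a log consumer tell a valid signature from an invalidated or ad hoc one. Either encode the flags for the light message as well, or state the contract above the helper, e.g. `// Emitted whenever CS_SIGNED is set; does not imply CS_VALID, so presence must not be read as trust.` Minor style point: the helper is followed by two blank lines where the surrounding code uses one.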
@@ -269,17 +289,7 @@ static inline void EncodeProcessInfo(::pbv1::ProcessInfo *pb_proc_info, uint32_t pb_proc_info->set_is_platform_binary(es_proc->is_platform_binary); pb_proc_info->set_is_es_client(es_proc->is_es_client); - if (es_proc->codesigning_flags & CS_SIGNED) { - ::pbv1::CodeSignature *pb_code_sig = pb_proc_info->mutable_code_signature(); - pb_code_sig->set_cdhash(es_proc->cdhash, sizeof(es_proc->cdhash)); - if (es_proc->signing_id.length > 0) { - pb_code_sig->set_signing_id(es_proc->signing_id.data, es_proc->signing_id.length); - } - - if (es_proc->team_id.length > 0) { - pb_code_sig->set_team_id(es_proc->team_id.data, es_proc->team_id.length); - } - } + EncodeCodeSignature([pb_proc_info]{ return pb_proc_info->mutable_code_signature(); }, es_proc); pb_proc_info->set_cs_flags(es_proc->codesigning_flags); diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm b/Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm index d029dd5f..d94f4849 100644 --- a/Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm +++ b/Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm @@ -248,6 +248,10 @@ void SerializeAndCheck(es_event_type_t eventType, es_process_t proc = MakeESProcess(&procFile, MakeAuditToken(12, 34), MakeAuditToken(56, 78)); es_message_t esMsg = MakeESMessage(eventType, &proc); esMsg.process->tty = &ttyFile; + esMsg.process->codesigning_flags = CS_SIGNED | CS_HARD | CS_KILL; + esMsg.process->signing_id = MakeESStringToken("my_signing_id"); + esMsg.process->team_id = MakeESStringToken("my_team_id"); + memset(esMsg.process->cdhash, 'A', sizeof(esMsg.process->cdhash)); esMsg.version = cur_version; mockESApi->SetExpectationsRetainReleaseMessage(); 
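Review bot: The lambda in the new `EncodeCodeSignature` call in `EncodeProcessInfo` is written `[pb_proc_info]{ return ... }`, while the two other lazy-getter lambdas in this patch use `[pb_proc_info] { return ... }`. Running clang-format over the line would make the three call sites match: `EncodeCodeSignature([pb_proc_info] { return pb_proc_info->mutable_code_signature(); }, es_proc);`. The function body starts and ends outside the hunk.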
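Review bot: Every fixture built in `SerializeAndCheck` now has `CS_SIGNED` set with non-empty `signing_id` and `team_id`, so the golden files only exercise the branch where `code_signature` is fully populated. Nothing visible here covers an unsigned process (the field must be absent) or a signed one with an empty team ID, which the `length > 0` checks in `EncodeCodeSignature` anticipate; a small direct test with `codesigning_flags = 0` would pin that. The chosen flags, `CS_SIGNED | CS_HARD | CS_KILL`, also leave `CS_VALID` clear, so the expected JSON pins emission of signature data for a process not marked valid; add a comment such as `// CS_VALID intentionally unset: signature data is logged regardless of validity` if that is intended. The same four lines are repeated in `SerializeAndCheckNonESEvents` (hunk at -334), and a shared test helper would keep the two in sync; both function bodies extend outside their hunks.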
@@ -334,6 +338,10 @@ void SerializeAndCheckNonESEvents( es_process_t proc = MakeESProcess(&procFile, MakeAuditToken(12, 34), MakeAuditToken(56, 78)); es_message_t esMsg = MakeESMessage(eventType, &proc); esMsg.process->tty = &ttyFile; + esMsg.process->codesigning_flags = CS_SIGNED | CS_HARD | CS_KILL; + esMsg.process->signing_id = MakeESStringToken("my_signing_id"); + esMsg.process->team_id = MakeESStringToken("my_team_id"); + memset(esMsg.process->cdhash, 'A', sizeof(esMsg.process->cdhash)); esMsg.version = cur_version; messageSetup(mockESApi, &esMsg); diff --git a/Source/santad/testdata/protobuf/v1/allowlist.json b/Source/santad/testdata/protobuf/v1/allowlist.json index cd82ec9d..bb709479 100644 --- a/Source/santad/testdata/protobuf/v1/allowlist.json +++ b/Source/santad/testdata/protobuf/v1/allowlist.json @@ -26,6 +26,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v1/close.json b/Source/santad/testdata/protobuf/v1/close.json index 75d6b6f6..6c0a61ec 100644 --- a/Source/santad/testdata/protobuf/v1/close.json +++ b/Source/santad/testdata/protobuf/v1/close.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v1/exchangedata.json b/Source/santad/testdata/protobuf/v1/exchangedata.json index 8da856f3..6158e1ba 100644 --- a/Source/santad/testdata/protobuf/v1/exchangedata.json +++ b/Source/santad/testdata/protobuf/v1/exchangedata.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "file1": { 
diff --git a/Source/santad/testdata/protobuf/v1/exec.json b/Source/santad/testdata/protobuf/v1/exec.json index 7ae9e156..3ef12534 100644 --- a/Source/santad/testdata/protobuf/v1/exec.json +++ b/Source/santad/testdata/protobuf/v1/exec.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v1/exit.json b/Source/santad/testdata/protobuf/v1/exit.json index 1915757c..6ee961c9 100644 --- a/Source/santad/testdata/protobuf/v1/exit.json +++ b/Source/santad/testdata/protobuf/v1/exit.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "exited": { diff --git a/Source/santad/testdata/protobuf/v1/fork.json b/Source/santad/testdata/protobuf/v1/fork.json index bc3a2f0e..230224e9 100644 --- a/Source/santad/testdata/protobuf/v1/fork.json +++ b/Source/santad/testdata/protobuf/v1/fork.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "child": { diff --git a/Source/santad/testdata/protobuf/v1/link.json b/Source/santad/testdata/protobuf/v1/link.json index a459c288..fb4f7a0e 100644 --- a/Source/santad/testdata/protobuf/v1/link.json +++ b/Source/santad/testdata/protobuf/v1/link.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v1/rename.json b/Source/santad/testdata/protobuf/v1/rename.json index 21beeb9d..b54def32 100644 
--- a/Source/santad/testdata/protobuf/v1/rename.json +++ b/Source/santad/testdata/protobuf/v1/rename.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v1/unlink.json b/Source/santad/testdata/protobuf/v1/unlink.json index f9d2425d..5b28a78b 100644 --- a/Source/santad/testdata/protobuf/v1/unlink.json +++ b/Source/santad/testdata/protobuf/v1/unlink.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v2/allowlist.json b/Source/santad/testdata/protobuf/v2/allowlist.json index cd82ec9d..bb709479 100644 --- a/Source/santad/testdata/protobuf/v2/allowlist.json +++ b/Source/santad/testdata/protobuf/v2/allowlist.json @@ -26,6 +26,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v2/close.json b/Source/santad/testdata/protobuf/v2/close.json index 75d6b6f6..6c0a61ec 100644 --- a/Source/santad/testdata/protobuf/v2/close.json +++ b/Source/santad/testdata/protobuf/v2/close.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v2/exchangedata.json b/Source/santad/testdata/protobuf/v2/exchangedata.json index 8da856f3..6158e1ba 100644 --- a/Source/santad/testdata/protobuf/v2/exchangedata.json +++ b/Source/santad/testdata/protobuf/v2/exchangedata.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "file1": { diff --git a/Source/santad/testdata/protobuf/v2/exec.json b/Source/santad/testdata/protobuf/v2/exec.json index 92b030da..4d67b2e6 100644 --- a/Source/santad/testdata/protobuf/v2/exec.json +++ b/Source/santad/testdata/protobuf/v2/exec.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v2/exit.json b/Source/santad/testdata/protobuf/v2/exit.json index 1915757c..6ee961c9 100644 --- a/Source/santad/testdata/protobuf/v2/exit.json +++ b/Source/santad/testdata/protobuf/v2/exit.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "exited": { diff --git a/Source/santad/testdata/protobuf/v2/fork.json b/Source/santad/testdata/protobuf/v2/fork.json index bc3a2f0e..230224e9 100644 --- a/Source/santad/testdata/protobuf/v2/fork.json +++ b/Source/santad/testdata/protobuf/v2/fork.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "child": { diff --git a/Source/santad/testdata/protobuf/v2/link.json b/Source/santad/testdata/protobuf/v2/link.json index a459c288..fb4f7a0e 100644 --- a/Source/santad/testdata/protobuf/v2/link.json +++ b/Source/santad/testdata/protobuf/v2/link.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v2/rename.json b/Source/santad/testdata/protobuf/v2/rename.json index 21beeb9d..b54def32 100644 --- a/Source/santad/testdata/protobuf/v2/rename.json +++ b/Source/santad/testdata/protobuf/v2/rename.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v2/unlink.json b/Source/santad/testdata/protobuf/v2/unlink.json index f9d2425d..5b28a78b 100644 --- a/Source/santad/testdata/protobuf/v2/unlink.json +++ b/Source/santad/testdata/protobuf/v2/unlink.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v4/allowlist.json b/Source/santad/testdata/protobuf/v4/allowlist.json index cd82ec9d..bb709479 100644 --- a/Source/santad/testdata/protobuf/v4/allowlist.json +++ b/Source/santad/testdata/protobuf/v4/allowlist.json @@ -26,6 +26,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v4/close.json b/Source/santad/testdata/protobuf/v4/close.json index 75d6b6f6..6c0a61ec 100644 --- a/Source/santad/testdata/protobuf/v4/close.json +++ b/Source/santad/testdata/protobuf/v4/close.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v4/cs_invalidated.json b/Source/santad/testdata/protobuf/v4/cs_invalidated.json index 888bec41..3c6b2d82 100644 --- a/Source/santad/testdata/protobuf/v4/cs_invalidated.json +++ b/Source/santad/testdata/protobuf/v4/cs_invalidated.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } } } diff --git a/Source/santad/testdata/protobuf/v4/exchangedata.json b/Source/santad/testdata/protobuf/v4/exchangedata.json index 8da856f3..6158e1ba 100644 --- a/Source/santad/testdata/protobuf/v4/exchangedata.json +++ b/Source/santad/testdata/protobuf/v4/exchangedata.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "file1": { diff --git a/Source/santad/testdata/protobuf/v4/exec.json b/Source/santad/testdata/protobuf/v4/exec.json index 684c4a86..5abd3bbb 100644 --- a/Source/santad/testdata/protobuf/v4/exec.json +++ b/Source/santad/testdata/protobuf/v4/exec.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v4/exit.json b/Source/santad/testdata/protobuf/v4/exit.json index 1915757c..6ee961c9 100644 --- a/Source/santad/testdata/protobuf/v4/exit.json +++ b/Source/santad/testdata/protobuf/v4/exit.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "exited": { diff --git a/Source/santad/testdata/protobuf/v4/fork.json b/Source/santad/testdata/protobuf/v4/fork.json index bc3a2f0e..230224e9 100644 --- a/Source/santad/testdata/protobuf/v4/fork.json +++ b/Source/santad/testdata/protobuf/v4/fork.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "child": { diff --git a/Source/santad/testdata/protobuf/v4/link.json b/Source/santad/testdata/protobuf/v4/link.json index a459c288..fb4f7a0e 100644 --- a/Source/santad/testdata/protobuf/v4/link.json +++ b/Source/santad/testdata/protobuf/v4/link.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v4/rename.json b/Source/santad/testdata/protobuf/v4/rename.json index 87b0b7e7..4dc1c8de 100644 --- a/Source/santad/testdata/protobuf/v4/rename.json +++ b/Source/santad/testdata/protobuf/v4/rename.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v4/unlink.json b/Source/santad/testdata/protobuf/v4/unlink.json index f9d2425d..5b28a78b 100644 --- a/Source/santad/testdata/protobuf/v4/unlink.json +++ b/Source/santad/testdata/protobuf/v4/unlink.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v5/allowlist.json b/Source/santad/testdata/protobuf/v5/allowlist.json index cd82ec9d..bb709479 100644 --- a/Source/santad/testdata/protobuf/v5/allowlist.json +++ b/Source/santad/testdata/protobuf/v5/allowlist.json @@ -26,6 +26,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v5/close.json b/Source/santad/testdata/protobuf/v5/close.json index 75d6b6f6..6c0a61ec 100644 --- a/Source/santad/testdata/protobuf/v5/close.json +++ b/Source/santad/testdata/protobuf/v5/close.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v5/cs_invalidated.json b/Source/santad/testdata/protobuf/v5/cs_invalidated.json index 888bec41..3c6b2d82 100644 --- a/Source/santad/testdata/protobuf/v5/cs_invalidated.json +++ b/Source/santad/testdata/protobuf/v5/cs_invalidated.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } } } diff --git a/Source/santad/testdata/protobuf/v5/exchangedata.json b/Source/santad/testdata/protobuf/v5/exchangedata.json index 8da856f3..6158e1ba 100644 --- a/Source/santad/testdata/protobuf/v5/exchangedata.json +++ b/Source/santad/testdata/protobuf/v5/exchangedata.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "file1": { diff --git a/Source/santad/testdata/protobuf/v5/exec.json b/Source/santad/testdata/protobuf/v5/exec.json index 814e6e36..e05e1e17 100644 --- a/Source/santad/testdata/protobuf/v5/exec.json +++ b/Source/santad/testdata/protobuf/v5/exec.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v5/exit.json b/Source/santad/testdata/protobuf/v5/exit.json index 1915757c..6ee961c9 100644 --- a/Source/santad/testdata/protobuf/v5/exit.json +++ b/Source/santad/testdata/protobuf/v5/exit.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "exited": { diff --git a/Source/santad/testdata/protobuf/v5/fork.json b/Source/santad/testdata/protobuf/v5/fork.json index bc3a2f0e..230224e9 100644 --- a/Source/santad/testdata/protobuf/v5/fork.json +++ b/Source/santad/testdata/protobuf/v5/fork.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "child": { diff --git a/Source/santad/testdata/protobuf/v5/link.json b/Source/santad/testdata/protobuf/v5/link.json index a459c288..fb4f7a0e 100644 --- a/Source/santad/testdata/protobuf/v5/link.json +++ b/Source/santad/testdata/protobuf/v5/link.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v5/rename.json b/Source/santad/testdata/protobuf/v5/rename.json index 21beeb9d..b54def32 100644 --- a/Source/santad/testdata/protobuf/v5/rename.json +++ b/Source/santad/testdata/protobuf/v5/rename.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v5/unlink.json b/Source/santad/testdata/protobuf/v5/unlink.json index f9d2425d..5b28a78b 100644 --- a/Source/santad/testdata/protobuf/v5/unlink.json +++ b/Source/santad/testdata/protobuf/v5/unlink.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v6/allowlist.json b/Source/santad/testdata/protobuf/v6/allowlist.json index cd82ec9d..bb709479 100644 --- a/Source/santad/testdata/protobuf/v6/allowlist.json +++ b/Source/santad/testdata/protobuf/v6/allowlist.json @@ -26,6 +26,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v6/close.json b/Source/santad/testdata/protobuf/v6/close.json index 75d6b6f6..6c0a61ec 100644 --- a/Source/santad/testdata/protobuf/v6/close.json +++ b/Source/santad/testdata/protobuf/v6/close.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v6/cs_invalidated.json b/Source/santad/testdata/protobuf/v6/cs_invalidated.json index 888bec41..3c6b2d82 100644 --- a/Source/santad/testdata/protobuf/v6/cs_invalidated.json +++ b/Source/santad/testdata/protobuf/v6/cs_invalidated.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } } } diff --git a/Source/santad/testdata/protobuf/v6/exchangedata.json b/Source/santad/testdata/protobuf/v6/exchangedata.json index 8da856f3..6158e1ba 100644 --- a/Source/santad/testdata/protobuf/v6/exchangedata.json +++ b/Source/santad/testdata/protobuf/v6/exchangedata.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "file1": { diff --git a/Source/santad/testdata/protobuf/v6/exec.json b/Source/santad/testdata/protobuf/v6/exec.json index 684c4a86..5abd3bbb 100644 --- a/Source/santad/testdata/protobuf/v6/exec.json +++ b/Source/santad/testdata/protobuf/v6/exec.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "target": { diff --git a/Source/santad/testdata/protobuf/v6/exit.json b/Source/santad/testdata/protobuf/v6/exit.json index 1915757c..6ee961c9 100644 --- a/Source/santad/testdata/protobuf/v6/exit.json +++ b/Source/santad/testdata/protobuf/v6/exit.json 
@@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "exited": { diff --git a/Source/santad/testdata/protobuf/v6/file_access.json b/Source/santad/testdata/protobuf/v6/file_access.json index 8e944101..fe748b90 100644 --- a/Source/santad/testdata/protobuf/v6/file_access.json +++ b/Source/santad/testdata/protobuf/v6/file_access.json @@ -33,7 +33,12 @@ }, "is_platform_binary": true, "is_es_client": true, - "cs_flags": 0, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" + }, + "cs_flags": 536871680, "executable": { "path": "foo", "truncated": false, diff --git a/Source/santad/testdata/protobuf/v6/fork.json b/Source/santad/testdata/protobuf/v6/fork.json index bc3a2f0e..230224e9 100644 --- a/Source/santad/testdata/protobuf/v6/fork.json +++ b/Source/santad/testdata/protobuf/v6/fork.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "child": { diff --git a/Source/santad/testdata/protobuf/v6/link.json b/Source/santad/testdata/protobuf/v6/link.json index a459c288..fb4f7a0e 100644 --- a/Source/santad/testdata/protobuf/v6/link.json +++ b/Source/santad/testdata/protobuf/v6/link.json @@ -30,6 +30,11 @@ "executable": { "path": "foo", "truncated": false + }, + "code_signature": { + "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=", + "signing_id": "my_signing_id", + "team_id": "my_team_id" } }, "source": { diff --git a/Source/santad/testdata/protobuf/v6/login_login.json b/Source/santad/testdata/protobuf/v6/login_login.json index 89e62c7f..55ee5e52 100644 --- a/Source/santad/testdata/protobuf/v6/login_login.json +++ b/Source/santad/testdata/protobuf/v6/login_login.json 
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "success": true,
diff --git a/Source/santad/testdata/protobuf/v6/login_login_failed_attempt.json b/Source/santad/testdata/protobuf/v6/login_login_failed_attempt.json
index 9d24c602..7290b631 100644
--- a/Source/santad/testdata/protobuf/v6/login_login_failed_attempt.json
+++ b/Source/santad/testdata/protobuf/v6/login_login_failed_attempt.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "success": false,
diff --git a/Source/santad/testdata/protobuf/v6/lw_session_lock.json b/Source/santad/testdata/protobuf/v6/lw_session_lock.json
index 07eb74f9..82ee488e 100644
--- a/Source/santad/testdata/protobuf/v6/lw_session_lock.json
+++ b/Source/santad/testdata/protobuf/v6/lw_session_lock.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "user": {
diff --git a/Source/santad/testdata/protobuf/v6/lw_session_login.json b/Source/santad/testdata/protobuf/v6/lw_session_login.json
index 0a5d8888..38756d95 100644
--- a/Source/santad/testdata/protobuf/v6/lw_session_login.json
+++ b/Source/santad/testdata/protobuf/v6/lw_session_login.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "user": {
diff --git a/Source/santad/testdata/protobuf/v6/lw_session_logout.json b/Source/santad/testdata/protobuf/v6/lw_session_logout.json
index 9dd8ac17..d38061b4 100644
--- a/Source/santad/testdata/protobuf/v6/lw_session_logout.json
+++ b/Source/santad/testdata/protobuf/v6/lw_session_logout.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "user": {
diff --git a/Source/santad/testdata/protobuf/v6/lw_session_unlock.json b/Source/santad/testdata/protobuf/v6/lw_session_unlock.json
index d1904033..f7573925 100644
--- a/Source/santad/testdata/protobuf/v6/lw_session_unlock.json
+++ b/Source/santad/testdata/protobuf/v6/lw_session_unlock.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "user": {
diff --git a/Source/santad/testdata/protobuf/v6/openssh_login.json b/Source/santad/testdata/protobuf/v6/openssh_login.json
index 5abbba0c..4b02b059 100644
--- a/Source/santad/testdata/protobuf/v6/openssh_login.json
+++ b/Source/santad/testdata/protobuf/v6/openssh_login.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "result": "RESULT_AUTH_SUCCESS",
diff --git a/Source/santad/testdata/protobuf/v6/openssh_login_failed_attempt.json b/Source/santad/testdata/protobuf/v6/openssh_login_failed_attempt.json
index fbedd711..69224ab3 100644
--- a/Source/santad/testdata/protobuf/v6/openssh_login_failed_attempt.json
+++ b/Source/santad/testdata/protobuf/v6/openssh_login_failed_attempt.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "result": "RESULT_AUTH_FAIL_HOSTBASED",
diff --git a/Source/santad/testdata/protobuf/v6/openssh_logout.json b/Source/santad/testdata/protobuf/v6/openssh_logout.json
index 8dec3b26..b8b4ea0a 100644
--- a/Source/santad/testdata/protobuf/v6/openssh_logout.json
+++ b/Source/santad/testdata/protobuf/v6/openssh_logout.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "source": {
diff --git a/Source/santad/testdata/protobuf/v6/rename.json b/Source/santad/testdata/protobuf/v6/rename.json
index 21beeb9d..b54def32 100644
--- a/Source/santad/testdata/protobuf/v6/rename.json
+++ b/Source/santad/testdata/protobuf/v6/rename.json
@@ -30,6 +30,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "source": {
diff --git a/Source/santad/testdata/protobuf/v6/screensharing_attach.json b/Source/santad/testdata/protobuf/v6/screensharing_attach.json
index 9d7df3c8..fab64857 100644
--- a/Source/santad/testdata/protobuf/v6/screensharing_attach.json
+++ b/Source/santad/testdata/protobuf/v6/screensharing_attach.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "success": true,
diff --git a/Source/santad/testdata/protobuf/v6/screensharing_attach_unset_fields.json b/Source/santad/testdata/protobuf/v6/screensharing_attach_unset_fields.json
index c6fc4dd5..f734b0ed 100644
--- a/Source/santad/testdata/protobuf/v6/screensharing_attach_unset_fields.json
+++ b/Source/santad/testdata/protobuf/v6/screensharing_attach_unset_fields.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "success": true,
diff --git a/Source/santad/testdata/protobuf/v6/screensharing_detach.json b/Source/santad/testdata/protobuf/v6/screensharing_detach.json
index e23ac511..a5f20644 100644
--- a/Source/santad/testdata/protobuf/v6/screensharing_detach.json
+++ b/Source/santad/testdata/protobuf/v6/screensharing_detach.json
@@ -31,6 +31,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "source": {
diff --git a/Source/santad/testdata/protobuf/v6/unlink.json b/Source/santad/testdata/protobuf/v6/unlink.json
index f9d2425d..5b28a78b 100644
--- a/Source/santad/testdata/protobuf/v6/unlink.json
+++ b/Source/santad/testdata/protobuf/v6/unlink.json
@@ -30,6 +30,11 @@
 "executable": {
 "path": "foo",
 "truncated": false
+ },
+ "code_signature": {
+ "cdhash": "QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
+ "signing_id": "my_signing_id",
+ "team_id": "my_team_id"
 }
 },
 "target": {