Documentation ¶
Overview ¶
Package santa defines types for a Santa sync server.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ClientMode ¶
type ClientMode int
ClientMode specifies which mode the Santa client will evaluate rules in.
const ( Monitor ClientMode = iota Lockdown )
func (ClientMode) MarshalText ¶
func (c ClientMode) MarshalText() ([]byte, error)
func (*ClientMode) UnmarshalText ¶
func (c *ClientMode) UnmarshalText(text []byte) error
type Config ¶
type Config struct { MachineID string `toml:"machine_id,omitempty"` Preflight Rules []Rule `toml:"rules"` }
Config represents the combination of the Preflight configuration and Rules for a given MachineID.
type EventPayload ¶
type EventPayload struct { FileSHA string `json:"file_sha256"` UnixTime float64 `json:"execution_time"` EventInfo EventUploadEvent }
EventPayload represents derived metadata for events uploaded with the UploadEvent endpoint.
type EventUploadEvent ¶
type EventUploadEvent struct { CurrentSessions []string `json:"current_sessions"` Decision string `json:"decision"` ExecutingUser string `json:"executing_user"` ExecutionTime float64 `json:"execution_time"` FileBundleBinaryCount int64 `json:"file_bundle_binary_count"` FileBundleExecutableRelPath string `json:"file_bundle_executable_rel_path"` FileBundleHash string `json:"file_bundle_hash"` FileBundleHashMilliseconds float64 `json:"file_bundle_hash_millis"` FileBundleID string `json:"file_bundle_id"` FileBundleName string `json:"file_bundle_name"` FileBundlePath string `json:"file_bundle_path"` FileBundleShortVersionString string `json:"file_bundle_version_string"` FileBundleVersion string `json:"file_bundle_version"` FileName string `json:"file_name"` FilePath string `json:"file_path"` FileSHA256 string `json:"file_sha256"` LoggedInUsers []string `json:"logged_in_users"` ParentName string `json:"parent_name"` ParentProcessID int `json:"ppid"` ProcessID int `json:"pid"` QuarantineAgentBundleID string `json:"quarantine_agent_bundle_id"` QuarantineDataUrl string `json:"quarantine_data_url"` QuarantineRefererUrl string `json:"quarantine_referer_url"` QuarantineTimestamp float64 `json:"quarantine_timestamp"` SigningChain []SigningEntry `json:"signing_chain"` SigningID string `json:"signing_id"` TeamID string `json:"team_id"` }
EventUploadEvent is a single event entry
type EventUploadRequest ¶
type EventUploadRequest struct {
Events []EventUploadEvent `json:"events"`
}
EventUploadRequest encapsulation of an /eventupload POST body sent by a Santa client
type Policy ¶
type Policy int
Policy represents the Santa Rule Policy.
func (Policy) MarshalText ¶
func (*Policy) UnmarshalText ¶
type Preflight ¶
type Preflight struct { ClientMode ClientMode `json:"client_mode" toml:"client_mode"` BlockedPathRegex string `json:"blocked_path_regex" toml:"blocked_path_regex"` AllowedPathRegex string `json:"allowed_path_regex" toml:"allowed_path_regex"` BatchSize int `json:"batch_size" toml:"batch_size"` EnableAllEventUpload bool `json:"enable_all_event_upload" toml:"enable_all_event_upload"` EnableBundles bool `json:"enable_bundles" toml:"enable_bundles"` EnableTransitiveRules bool `json:"enable_transitive_rules" toml:"enable_transitive_rules"` CleanSync bool `json:"clean_sync" toml:"clean_sync"` FullSyncInterval int `json:"full_sync_interval" toml:"full_sync_interval"` }
Preflight represents sync response sent to a Santa client by the sync server.
type PreflightPayload ¶
type PreflightPayload struct { SerialNumber string `json:"serial_num"` Hostname string `json:"hostname"` OSVersion string `json:"os_version"` OSBuild string `json:"os_build"` ModelIdentifier string `json:"model_identifier"` SantaVersion string `json:"santa_version"` PrimaryUser string `json:"primary_user"` BinaryRuleCount int `json:"binary_rule_count"` CertificateRuleCount int `json:"certificate_rule_count"` CompilerRuleCount int `json:"compiler_rule_count"` TransitiveRuleCount int `json:"transitive_rule_count"` TeamIDRuleCount int `json:"teamid_rule_count"` ClientMode ClientMode `json:"client_mode"` RequestCleanSync bool `json:"request_clean_sync"` }
A PreflightPayload represents the request sent by a santa client to the sync server.
type Rule ¶
type Rule struct { RuleType RuleType `json:"rule_type" toml:"rule_type"` Policy Policy `json:"policy" toml:"policy"` Identifier string `json:"identifier" toml:"identifier"` CustomMessage string `json:"custom_msg,omitempty" toml:"custom_msg,omitempty"` }
Rule is a Santa rule. Full documentation: https://github.com/google/santa/blob/01df4623c7c534568ca3d310129455ff71cc3eef/Docs/details/rules.md
type RuleType ¶
type RuleType int
RuleType represents a Santa rule type.
const ( // Binary rules use the SHA-256 hash of the entire binary as an identifier. Binary RuleType = iota // Certificate rules are formed from the SHA-256 fingerprint of an X.509 leaf signing certificate. // This is a powerful rule type that has a much broader reach than an individual binary rule . // A signing certificate can sign any number of binaries. Certificate // TeamID rules are the 10-character identifier issued by Apple and tied to developer accounts/organizations. // This is an even more powerful rule with broader reach than individual certificate rules. // ie. EQHXZ8M8AV for Google TeamID // Signing IDs are arbitrary identifiers under developer control that are given to a binary at signing time. // Because the signing IDs are arbitrary, the Santa rule identifier must be prefixed with the Team ID associated // with the Apple developer certificate used to sign the application. // ie. EQHXZ8M8AV:com.google.Chrome SigningID )
func (RuleType) MarshalText ¶
func (*RuleType) UnmarshalText ¶
type SigningEntry ¶
type SigningEntry struct { CertificateName string `json:"cn"` Organization string `json:"org"` OrganizationalUnit string `json:"ou"` SHA256 string `json:"sha256"` ValidFrom int `json:"valid_from"` ValidUntil int `json:"valid_until"` }
SigningEntry is optionally present when an event includes a binary that is signed