Log pidversion along with pid.

google · Dec 8, 2020 · 01e35c5 · 01e35c5
1 parent eff2872
commit 01e35c5
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 10 deletions.
diff --git a/Source/common/SNTKernelCommon.h b/Source/common/SNTKernelCommon.h
@@ -119,6 +119,7 @@ typedef struct {
   uid_t uid;
   gid_t gid;
   pid_t pid;
+  int pidversion;
   pid_t ppid;
   char path[MAXPATHLEN];
   char newpath[MAXPATHLEN];

diff --git a/Source/santad/EventProviders/SNTEndpointSecurityManager.mm b/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
@@ -78,6 +78,7 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
     es_client_t *client = NULL;
     es_new_client_result_t ret = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
       pid_t pid = audit_token_to_pid(m->process->audit_token);
+      int pidversion = audit_token_to_pidversion(m->process->audit_token);
 
       // If enabled, skip any action generated from another endpoint security client.
       if (m->process->is_es_client && config.ignoreOtherEndpointSecurityClients) {
@@ -119,6 +120,7 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
             }
             sm.action = ACTION_NOTIFY_WHITELIST;
             sm.pid = pid;
+            sm.pidversion = pidversion;
             LOGI(@"CLOSE: creating a transitive rule: path=%s pid=%d", sm.path, sm.pid);
             self.decisionCallback(sm);
           }
@@ -140,6 +142,7 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
             }
             sm.action = ACTION_NOTIFY_WHITELIST;
             sm.pid = pid;
+            sm.pidversion = pidversion;
             LOGI(@"RENAME: creating a transitive rule: path=%s pid=%d", sm.path, sm.pid);
             self.decisionCallback(sm);
           }
@@ -156,6 +159,7 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
           santa_message_t sm = {};
           sm.action = ACTION_NOTIFY_EXIT;
           sm.pid = pid;
+          sm.pidversion = pidversion;
           sm.ppid = m->process->original_ppid;
           audit_token_t at = m->process->audit_token;
           sm.uid = audit_token_to_ruid(at);
@@ -173,6 +177,7 @@ - (void)establishClient API_AVAILABLE(macos(10.15)) {
           sm.ppid = m->event.fork.child->original_ppid;
           audit_token_t at = m->event.fork.child->audit_token;
           sm.pid = audit_token_to_pid(at);
+          sm.pidversion = audit_token_to_pidversion(at);
           sm.uid = audit_token_to_ruid(at);
           sm.gid = audit_token_to_rgid(at);
           dispatch_async(self.esNotifyQueue, ^{
@@ -387,6 +392,7 @@ - (void)messageHandler:(es_message_t *)m API_AVAILABLE(macos(10.15)) {
   sm.uid = audit_token_to_ruid(targetProcess->audit_token);
   sm.gid = audit_token_to_rgid(targetProcess->audit_token);
   sm.pid = audit_token_to_pid(targetProcess->audit_token);
+  sm.pidversion = audit_token_to_pidversion(targetProcess->audit_token);
   sm.ppid = targetProcess->original_ppid;
   proc_name((m->event_type == ES_EVENT_TYPE_AUTH_EXEC) ? sm.ppid : sm.pid, sm.pname, 1024);
   callback(sm);

diff --git a/Source/santad/Logs/SNTSyslogEventLog.m b/Source/santad/Logs/SNTSyslogEventLog.m
@@ -65,8 +65,8 @@ - (void)logFileModification:(santa_message_t)message {
   char ppath[PATH_MAX] = "(null)";
   proc_pidpath(message.pid, ppath, PATH_MAX);
 
-  [outStr appendFormat:@"|pid=%d|ppid=%d|process=%s|processpath=%s|uid=%d|user=%@|gid=%d|group=%@",
-      message.pid, message.ppid, message.pname, ppath,
+  [outStr appendFormat:@"|pid=%d|pidversion=%d|ppid=%d|process=%s|processpath=%s|uid=%d|user=%@|gid=%d|group=%@",
+      message.pid, message.pidversion, message.ppid, message.pname, ppath,
       message.uid, [self nameForUID:message.uid],
       message.gid, [self nameForGID:message.gid]];
 
@@ -169,8 +169,8 @@ - (void)logExecution:(santa_message_t)message withDecision:(SNTCachedDecision *)
       mode = @"U"; break;
   }
 
-  [outLog appendFormat:@"|pid=%d|ppid=%d|uid=%d|user=%@|gid=%d|group=%@|mode=%@|path=%@",
-      message.pid, message.ppid,
+  [outLog appendFormat:@"|pid=%d|pidversion=%d|ppid=%d|uid=%d|user=%@|gid=%d|group=%@|mode=%@|path=%@",
+      message.pid, message.pidversion, message.ppid,
       message.uid, [self nameForUID:message.uid],
       message.gid, [self nameForGID:message.gid],
       mode, [self sanitizeString:@(message.path)]];
@@ -269,15 +269,15 @@ - (void)logBundleHashingEvents:(NSArray<SNTStoredEvent *> *)events {
 }
 
 - (void)logFork:(santa_message_t)message {
-  NSString *s = [NSString stringWithFormat:@"action=FORK|pid=%d|ppid=%d|uid=%d|gid=%d",
-                    message.pid, message.ppid, message.uid, message.gid];
+  NSString *s = [NSString stringWithFormat:@"action=FORK|pid=%d|pidversion=%d|ppid=%d|uid=%d|gid=%d",
+                    message.pid, message.pidversion, message.ppid, message.uid, message.gid];
   [self writeLog:s];
 
 }
 
 - (void)logExit:(santa_message_t)message {
-  NSString *s = [NSString stringWithFormat:@"action=EXIT|pid=%d|ppid=%d|uid=%d|gid=%d",
-                    message.pid, message.ppid, message.uid, message.gid];
+  NSString *s = [NSString stringWithFormat:@"action=EXIT|pid=%d|pidversion=%d|ppid=%d|uid=%d|gid=%d",
+                    message.pid, message.pidversion, message.ppid, message.uid, message.gid];
   [self writeLog:s];
 }
 

diff --git a/Source/santad/SNTCompilerController.m b/Source/santad/SNTCompilerController.m
@@ -85,8 +85,8 @@ - (void)createTransitiveRule:(santa_message_t)message {
         LOGE(@"unable to add new transitive rule to database: %@", err.localizedDescription);
       } else {
         [self.eventLog
-            writeLog:[NSString stringWithFormat:@"action=ALLOWLIST|pid=%d|path=%s|sha256=%@",
-                                                message.pid, target, fi.SHA256]];
+            writeLog:[NSString stringWithFormat:@"action=ALLOWLIST|pid=%d|pidversion=%d|path=%s|sha256=%@",
+                                                message.pid, message.pidversion, target, fi.SHA256]];
       }
     }
   }