From f9a937a6e49044e7efec6c06a497e19aeb08c8b6 Mon Sep 17 00:00:00 2001
From: Matt W <436037+mlw@users.noreply.github.com>
Date: Thu, 2 Nov 2023 20:27:57 -0400
Subject: [PATCH] Record metrics for device manager startup operations (#1218)

* Record metrics for device manager startup operations
* Update help text
* Update help text
---
 Source/santad/BUILD | 1 +
 .../SNTEndpointSecurityDeviceManager.mm | 33 +++++++++++++++++++
 .../Serializers/BasicString.mm | 2 +-
 Source/santad/Metrics.mm | 2 +-
 4 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/Source/santad/BUILD b/Source/santad/BUILD
index 6ed04fcfd..d61b09b15 100644
--- a/Source/santad/BUILD
+++ b/Source/santad/BUILD
@@ -398,6 +398,7 @@ objc_library(
 "//Source/common:SNTCommonEnums",
 "//Source/common:SNTDeviceEvent",
 "//Source/common:SNTLogging",
+ "//Source/common:SNTMetricSet",
 ],
 )
diff --git a/Source/santad/EventProviders/SNTEndpointSecurityDeviceManager.mm b/Source/santad/EventProviders/SNTEndpointSecurityDeviceManager.mm
index 113195d15..3d0adc608 100644
--- a/Source/santad/EventProviders/SNTEndpointSecurityDeviceManager.mm
+++ b/Source/santad/EventProviders/SNTEndpointSecurityDeviceManager.mm
@@ -29,6 +29,7 @@
 #import "Source/common/SNTDeviceEvent.h"
 #import "Source/common/SNTLogging.h"
+#import "Source/common/SNTMetricSet.h"
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
 #include "Source/santad/Metrics.h"
@@ -40,11 +41,18 @@
 using santa::santad::event_providers::endpoint_security::Message;
 using santa::santad::logs::endpoint_security::Logger;
+static NSString *const kMetricStartupDiskOperationSkip = @"Skipped";
+static NSString *const kMetricStartupDiskOperationAllowed = @"Allowed";
+static NSString *const kMetricStartupDiskOperationUnmountFailed = @"UnmountFailed";
+static NSString *const kMetricStartupDiskOperationRemountFailed = @"RemountFailed";
+static NSString *const kMetricStartupDiskOperationSuccess = @"Success";
+
 @interface SNTEndpointSecurityDeviceManager ()
 - (void)logDiskAppeared:(NSDictionary *)props;
 - (void)logDiskDisappeared:(NSDictionary *)props;
+@property SNTMetricCounter *startupDiskMetrics;
 @property DASessionRef diskArbSession;
 @property(nonatomic, readonly) dispatch_queue_t diskQueue;
 @property dispatch_semaphore_t diskSema;
@@ -182,6 +190,20 @@ - (instancetype)initWithESAPI:(std::shared_ptr)esApi
 _diskArbSession = DASessionCreate(NULL);
 DASessionSetDispatchQueue(_diskArbSession, _diskQueue);
+ SNTMetricInt64Gauge *startupPrefsMetric = [[SNTMetricSet sharedInstance] int64GaugeWithName:@"/santa/device_manager/startup_preference" fieldNames:@[] helpText:@"The current startup preference value"];
+ [[SNTMetricSet sharedInstance] registerCallback:^{
+ [startupPrefsMetric set:startupPrefs forFieldValues:@[]];
+ }];
+
+ _startupDiskMetrics = [[SNTMetricSet sharedInstance] counterWithName:@"/santa/device_manager/startup_disk_operation" fieldNames:@[ @"operation" ] helpText:@"Count of the number of USB devices encountered per operation"];
+
 [self performStartupTasks:startupPrefs];
 [self establishClientOrDie];
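Review bot: `[SNTMetricSet sharedInstance]` is looked up three times in the new block of the initializer; hoisting it into a local, `SNTMetricSet *metricSet = [SNTMetricSet sharedInstance];`, placed above the gauge would match what this same commit does in Metrics.mm with `metric_set`. The counter's help text says it counts USB devices, yet its `Skipped` value is incremented for every disk that `-shouldOperateOnDisk:` rejects, which from the hunks alone need not be a USB device, so wording along the lines of `@"Count of disks examined at startup, by operation outcome"` would describe all five field values. The block passed to `registerCallback:` is attached to a process-wide singleton from an initializer and is never unregistered, so if a second device manager is ever created (in tests, for example) the callbacks would presumably accumulate on the shared set — worth confirming against SNTMetricSet. The enclosing initializer begins before this hunk.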
@@ -233,6 +255,10 @@ - (BOOL)remountUSBModeContainsFlags:(uint32_t)flags {
 return (flags & requiredFlags) == requiredFlags;
 }
+- (void)incrementStartupMetricsOperation:(NSString *)op {
+ [self.startupDiskMetrics incrementForFieldValues:@[ op ]];
+}
+
 // NB: Remount options are implemented as separate "unmount" and "mount"
 // operations instead of using the "update"/MNT_UPDATE flag. This is because
 // filesystems often don't support many transitions (e.g. RW to RO). Performing
@@ -268,12 +294,14 @@ - (void)performStartupTasks:(SNTDeviceManagerStartupPreferences)startupPrefs {
 CFAutorelease(disk);
 if (![self shouldOperateOnDisk:disk]) {
+ [self incrementStartupMetricsOperation:kMetricStartupDiskOperationSkip];
 continue;
 }
 if (self.remountArgs != nil && [self remountUSBModeContainsFlags:sfs->f_flags]) {
 LOGI(@"Allowing existing mount as flags contain RemountUSBMode. '%s' -> '%s'", sfs->f_mntfromname, sfs->f_mntonname);
+ [self incrementStartupMetricsOperation:kMetricStartupDiskOperationAllowed];
 continue;
 }
@@ -293,6 +321,7 @@ - (void)performStartupTasks:(SNTDeviceManagerStartupPreferences)startupPrefs {
 LOGW( @"Unmounting '%s' mounted on '%s' took longer than expected. Device may still be mounted.", sfs->f_mntfromname, sfs->f_mntonname);
+ [self incrementStartupMetricsOperation:kMetricStartupDiskOperationUnmountFailed];
 continue;
 }
@@ -307,8 +336,12 @@ - (void)performStartupTasks:(SNTDeviceManagerStartupPreferences)startupPrefs {
 if (dispatch_semaphore_wait(self.diskSema, dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC))) {
 LOGW(@"Failed to remount device after unmounting: %s", sfs->f_mntfromname);
+ [self incrementStartupMetricsOperation:kMetricStartupDiskOperationRemountFailed];
+ continue;
 }
 }
+
+ [self incrementStartupMetricsOperation:kMetricStartupDiskOperationSuccess];
 }
 }
diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm b/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm
index 4a6506bd4..3cda73241 100644
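Review bot: The new `-incrementStartupMetricsOperation:` has no comment, and its `op` parameter is only meaningful when it is one of the `kMetricStartupDiskOperation*` strings declared earlier in the file. A one-line header such as `/// Records one startup disk operation outcome; op must be one of the kMetricStartupDiskOperation* values.` would make that contract visible at the call sites in -performStartupTasks:.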
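Review bot: The value recorded on the added line, `UnmountFailed`, appears to be reached on a timeout rather than a confirmed failure: the LOGW just above it says the unmount "took longer than expected" and that the device "may still be mounted", so the metric asserts more than the code knows. Either a constant such as `static NSString *const kMetricStartupDiskOperationUnmountTimedOut = @"UnmountTimedOut";` used in place of UnmountFailed, or a sentence in the counter's help text stating that the *Failed values include operations that timed out, would keep dashboards from over-reading it; the same applies to `RemountFailed` in the next hunk, which is recorded on a `dispatch_semaphore_wait` timeout. performStartupTasks: begins before this hunk and continues past it.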
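Review bot: The `Success` increment added at the end of the loop body runs for every disk that reaches it, which includes disks for which the remount block just above was never entered; since the earlier hunk at -268 shows `self.remountArgs` can be nil, unmount-only and unmount-plus-remount outcomes appear to share one field value (the condition guarding the remount block sits outside this hunk, so confirm). If operators need to tell the two apart, a separate value such as `@"Unmounted"` for the unmount-only path would do it; otherwise the counter's help text should say that Success means the disk was unmounted and, when a remount was configured, remounted. The enclosing method begins before this hunk.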
--- a/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm
+++ b/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm
@@ -37,6 +37,7 @@
 using santa::santad::event_providers::endpoint_security::EndpointSecurityAPI;
 using santa::santad::event_providers::endpoint_security::EnrichedClose;
+using santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated;
 using santa::santad::event_providers::endpoint_security::EnrichedExchange;
 using santa::santad::event_providers::endpoint_security::EnrichedExec;
 using santa::santad::event_providers::endpoint_security::EnrichedExit;
@@ -45,7 +46,6 @@
 using santa::santad::event_providers::endpoint_security::EnrichedProcess;
 using santa::santad::event_providers::endpoint_security::EnrichedRename;
 using santa::santad::event_providers::endpoint_security::EnrichedUnlink;
-using santa::santad::event_providers::endpoint_security::EnrichedCSInvalidated;
 using santa::santad::event_providers::endpoint_security::Message;
 using santa::santad::logs::endpoint_security::serializers::Utilities::MountFromName;
 using santa::santad::logs::endpoint_security::serializers::Utilities::NonNull;
diff --git a/Source/santad/Metrics.mm b/Source/santad/Metrics.mm
index e2501fd10..60dbebd32 100644
--- a/Source/santad/Metrics.mm
+++ b/Source/santad/Metrics.mm
@@ -167,7 +167,7 @@
 fieldNames:@[ @"Processor" ]
 helpText:@"Events rate limited by each processor"];
- SNTMetricCounter *faa_event_counts = [[SNTMetricSet sharedInstance]
+ SNTMetricCounter *faa_event_counts = [metric_set
 counterWithName:@"/santa/file_access_authorizer/log/count"
 fieldNames:@[ @"config_version", @"access_type", @"rule_id", @"status", @"operation", @"decision"