celv2: expose AUDIT return value, trigger event upload with flag set (#956)

russellhancox · web-flow · commit 5b059d74ab18 · 2026-05-16T14:05:59.000-04:00
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -18,7 +18,7 @@ bazel_dep(name = "boringssl", version = "0.20260211.0")
 bazel_dep(name = "protos", version = "1.0.1", repo_name = "northpolesec_protos")
 git_override(
     module_name = "protos",
-    commit = "ae9f6e1cfca5cdbac04240cac6be46b58c4b1161",
+    commit = "df6b5ea22bdfeb185b5a22d7090553ec80ce081f",
     remote = "https://github.com/northpolesec/protos",
 )
 
diff --git a/Source/common/SNTCachedDecision.h b/Source/common/SNTCachedDecision.h
@@ -75,4 +75,11 @@
 @property BOOL silentTouchID;
 @property NSNumber* touchIDCooldownMinutes;  // nil = no caching (prompt every time)
 
+/// YES if the matching CEL rule returned AUDIT. The execution itself is
+/// allowed (the decision is set to the underlying allow event state, e.g.
+/// SNTEventStateAllowBinary or SNTEventStateAllowCELFallback) but the event
+/// is logged and uploaded with this flag set so audit-only matches can be
+/// distinguished from regular allow decisions on the server.
+@property BOOL auditReturn;
+
 @end
diff --git a/Source/common/SNTCachedDecision.mm b/Source/common/SNTCachedDecision.mm
@@ -87,6 +87,7 @@ - (id)copyWithZone:(NSZone*)zone {
   copy.holdAndAsk = _holdAndAsk;
   copy.silentTouchID = _silentTouchID;
   copy.touchIDCooldownMinutes = _touchIDCooldownMinutes;
+  copy.auditReturn = _auditReturn;
   return copy;
 }
 
diff --git a/Source/common/SNTStoredExecutionEvent.h b/Source/common/SNTStoredExecutionEvent.h
@@ -89,6 +89,11 @@
 /// The decision santad returned.
 @property SNTEventState decision;
 
+/// YES if the matching CEL rule returned AUDIT. The decision itself is an
+/// allow decision; this flag indicates the rule was audit-only and the event
+/// is uploaded so audit matches can be distinguished on the sync server.
+@property BOOL auditReturn;
+
 /// The decision depends on the user approving execution.
 @property BOOL holdAndAsk;
 
diff --git a/Source/common/SNTStoredExecutionEvent.mm b/Source/common/SNTStoredExecutionEvent.mm
@@ -80,6 +80,7 @@ - (void)encodeWithCoder:(NSCoder*)coder {
 
   ENCODE(coder, executingUser);
   ENCODE_BOXABLE(coder, decision);
+  ENCODE_BOXABLE(coder, auditReturn);
   ENCODE_BOXABLE(coder, holdAndAsk);
   ENCODE_BOXABLE(coder, silentTouchID);
   ENCODE_BOXABLE(coder, seatbeltRequired);
@@ -128,6 +129,7 @@ - (instancetype)initWithCoder:(NSCoder*)decoder {
 
     DECODE(decoder, executingUser, NSString);
     DECODE_SELECTOR(decoder, decision, NSNumber, unsignedLongLongValue);
+    DECODE_SELECTOR(decoder, auditReturn, NSNumber, boolValue);
     DECODE_SELECTOR(decoder, holdAndAsk, NSNumber, boolValue);
     DECODE_SELECTOR(decoder, silentTouchID, NSNumber, boolValue);
     DECODE_SELECTOR(decoder, seatbeltRequired, NSNumber, boolValue);
diff --git a/Source/common/cel/CELProtoTraits.h b/Source/common/cel/CELProtoTraits.h
@@ -78,6 +78,7 @@ struct CELProtoTraits<true> {
   static constexpr ReturnValue REQUIRE_TOUCHID_ONLY =
       ::santa::cel::v2::REQUIRE_TOUCHID_ONLY;
   static constexpr ReturnValue SEATBELT = ::santa::cel::v2::SEATBELT;
+  static constexpr ReturnValue AUDIT = ::santa::cel::v2::AUDIT;
 
   // Descriptor accessors
   static const google::protobuf::EnumDescriptor* ReturnValue_descriptor() {
diff --git a/Source/common/cel/Test.mm b/Source/common/cel/Test.mm
@@ -270,6 +270,66 @@ - (void)testBasic {
   }
 }
 
+- (void)testAuditReturnValue {
+  using ReturnValue = santa::cel::CELProtoTraits<true>::ReturnValue;
+  using ExecutableFileT = santa::cel::CELProtoTraits<true>::ExecutableFileT;
+  using AncestorT = santa::cel::CELProtoTraits<true>::AncestorT;
+  using FileDescriptorT = santa::cel::CELProtoTraits<true>::FileDescriptorT;
+
+  XCTAssertEqual(santa::cel::CELProtoTraits<true>::AUDIT, ::santa::cel::v2::AUDIT);
+
+  auto f = std::make_unique<ExecutableFileT>();
+  f->set_team_id("EQHXZ8M8AV");
+  santa::cel::Activation<true> activation(
+      std::move(f),
+      ^std::vector<std::string>() {
+        return {"hello", "world"};
+      },
+      ^std::map<std::string, std::string>() {
+        return {};
+      },
+      ^uid_t() {
+        return 0;
+      },
+      ^std::string() {
+        return "/";
+      },
+      ^std::string() {
+        return "/usr/bin/test";
+      },
+      ^std::vector<AncestorT>() {
+        return {};
+      },
+      ^std::vector<FileDescriptorT>() {
+        return {};
+      });
+
+  auto sut = santa::cel::Evaluator<true>::Create();
+  XCTAssertTrue(sut.ok());
+
+  {
+    // Static - AUDIT returned when team_id matches
+    auto result = sut.value()->CompileAndEvaluate(
+        "target.team_id == 'EQHXZ8M8AV' ? AUDIT : ALLOWLIST", activation);
+    if (!result.ok()) {
+      XCTFail("Failed to evaluate: %s", result.status().message().data());
+    } else {
+      XCTAssertEqual(result.value().value, ReturnValue::AUDIT);
+      XCTAssertEqual(result.value().cacheable, true);
+    }
+  }
+  {
+    // Dynamic - AUDIT returned when args non-empty
+    auto result = sut.value()->CompileAndEvaluate("size(args) > 0 ? AUDIT : ALLOWLIST", activation);
+    if (!result.ok()) {
+      XCTFail("Failed to evaluate: %s", result.status().message().data());
+    } else {
+      XCTAssertEqual(result.value().value, ReturnValue::AUDIT);
+      XCTAssertEqual(result.value().cacheable, false);
+    }
+  }
+}
+
 - (void)testV2Only {
   auto argsFn = ^std::vector<std::string>() {
     return {"hello", "world"};
diff --git a/Source/common/santa.proto b/Source/common/santa.proto
@@ -350,6 +350,13 @@ message Execution {
 
   // The server-assigned rule ID that was used to make the decision
   optional int64 rule_id = 18;
+
+  // True if the matching rule returned AUDIT from a CEL expression. The
+  // execution was allowed (as if the rule had returned ALLOWLIST), but the
+  // event is logged with this flag set so audit matches can be distinguished
+  // from regular allow decisions. The `decision` and `reason` fields still
+  // report the underlying allow decision (e.g. DECISION_ALLOW / REASON_BINARY).
+  optional bool audit_return = 19;
 }
 
 // Information about a fork event
diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm b/Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm
@@ -337,6 +337,10 @@ static inline void AppendSocketAddress(std::string& str, es_address_type_t type,
   str.append("|reason=");
   str.append(GetReasonString(cd.decision));
 
+  if (cd.auditReturn) {
+    str.append("|audit=true");
+  }
+
   if (cd.decisionExtra) {
     str.append("|explain=");
     str.append([cd.decisionExtra UTF8String]);
diff --git a/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm b/Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm
@@ -604,6 +604,10 @@ void EncodeEntitlements(::pbv1::Execution* pb_exec, SNTCachedDecision* cd) {
     pb_exec->set_rule_id(cd.ruleId);
   }
 
+  if (cd.auditReturn) {
+    pb_exec->set_audit_return(true);
+  }
+
   return FinalizeProto(santa_msg);
 }
 
diff --git a/Source/santad/SNTExecutionController.mm b/Source/santad/SNTExecutionController.mm
@@ -388,12 +388,13 @@ - (void)validateExecEvent:(const Message&)esMsg
   // Log to database if necessary.
   if (config.enableAllEventUpload ||
       (cd.decision == SNTEventStateAllowUnknown && !config.disableUnknownEventUpload) ||
-      (cd.decision & SNTEventStateAllow) == 0) {
+      cd.auditReturn || (cd.decision & SNTEventStateAllow) == 0) {
     SNTStoredExecutionEvent* se = [[SNTStoredExecutionEvent alloc] init];
     se.occurrenceDate = [[NSDate alloc] init];
     se.fileSHA256 = cd.sha256;
     se.filePath = binInfo.path;
     se.decision = cd.decision;
+    se.auditReturn = cd.auditReturn;
     se.holdAndAsk = cd.holdAndAsk;
     se.silentTouchID = cd.silentTouchID;
     se.seatbeltRequired = cd.seatbeltRequired;
diff --git a/Source/santad/SNTPolicyProcessor.mm b/Source/santad/SNTPolicyProcessor.mm
@@ -291,6 +291,13 @@ - (BOOL)evaluateCELFallbackExpressions:(SNTCachedDecision*)cd
       case ReturnValue::ALLOWLIST_COMPILER: resultState = SNTRuleStateAllowCompiler; break;
       case ReturnValue::BLOCKLIST: resultState = SNTRuleStateBlock; break;
       case ReturnValue::SILENT_BLOCKLIST: resultState = SNTRuleStateSilentBlock; break;
+      case ReturnValue::AUDIT:
+        // AUDIT is identical to ALLOWLIST on the client; the only difference
+        // is that the resulting event is flagged so the sync server can
+        // distinguish audit-only matches.
+        cd.auditReturn = YES;
+        resultState = SNTRuleStateAllow;
+        break;
       case ReturnValue::REQUIRE_TOUCHID_ONLY:
         // REQUIRE_TOUCHID_ONLY is like REQUIRE_TOUCHID but it skips the Santa dialog
         cd.silentTouchID = YES;
diff --git a/Source/santasyncservice/SNTSyncEventUpload.mm b/Source/santasyncservice/SNTSyncEventUpload.mm
@@ -317,6 +317,9 @@ BOOL EventUpload(SNTSyncEventUpload* self, NSArray<SNTStoredEvent*>* events) {
     if (event.ruleId > 0) {
       e->set_rule_id(event.ruleId);
     }
+    if (event.auditReturn) {
+      e->set_audit_return(true);
+    }
   }
 
   return e;

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ bazel_dep(name = "boringssl", version = "0.20260211.0")`
`18`	`18`	`bazel_dep(name = "protos", version = "1.0.1", repo_name = "northpolesec_protos")`
`19`	`19`	`git_override(`
`20`	`20`	`module_name = "protos",`
`21`		`- commit = "ae9f6e1cfca5cdbac04240cac6be46b58c4b1161",`
	`21`	`+ commit = "df6b5ea22bdfeb185b5a22d7090553ec80ce081f",`
`22`	`22`	`remote = "https://github.com/northpolesec/protos",`
`23`	`23`	`)`
`24`	`24`
Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,7 @@ - (id)copyWithZone:(NSZone*)zone {`
`87`	`87`	`copy.holdAndAsk = _holdAndAsk;`
`88`	`88`	`copy.silentTouchID = _silentTouchID;`
`89`	`89`	`copy.touchIDCooldownMinutes = _touchIDCooldownMinutes;`
	`90`	`+ copy.auditReturn = _auditReturn;`
`90`	`91`	`return copy;`
`91`	`92`	`}`
`92`	`93`
Original file line number	Diff line number	Diff line change
`@@ -604,6 +604,10 @@ void EncodeEntitlements(::pbv1::Execution* pb_exec, SNTCachedDecision* cd) {`
`604`	`604`	`pb_exec->set_rule_id(cd.ruleId);`
`605`	`605`	`}`
`606`	`606`
	`607`	`+ if (cd.auditReturn) {`
	`608`	`+ pb_exec->set_audit_return(true);`
	`609`	`+ }`
	`610`	`+`
`607`	`611`	`return FinalizeProto(santa_msg);`
`608`	`612`	`}`
`609`	`613`