Feature Request: Reusable process config for FAA

[ltk]

When configuring FAA, I often find that each Processes config ends up being a list of 1) the same handful of signing-ids for specific Apple binaries, 2) the same handful of signing-ids for some internal tool binaries, and 3) and one or more rules that are actually specific to the files being protected (e.g. Google's team ID for Chrome data). This makes managing a large number of watch items laborious and error-prone.

It'd be quite nice to be able to centralize the definition of 1 and 2 and allow their use in any watch item with config like:

[
  ProcessGroups: [
    [
      Name: "PlatformAllowlist",
      Processes: [
        [
          PlatformBinary: true,
          SigningID: "com.apple.apfsd",
        ],
        [
          PlatformBinary: true,
          SigningID: "com.apple.whatever",
        ],
      ]
    ],
    [
      Name: "InternalAllowlist",
      Processes: [
        [
          TeamID: "<our team id>",
          SigningID: "com.something.somewhere",
        ],
        [
          TeamID: "<our team id>",
          SigningID: "com.something.elsewhere",
        ],
      ]
    ]
  ],
  WatchItems: [
    [
      Path: "/Users/*/Library/Application Support/Google/*/*/Cookies",
      Processes: [
        [ProcessGroup: "PlatformAllowlist"],
        [ProcessGroup: "InternalAllowlist"],
        [TeamID: "<google's team id>"]
      ]
    ]
  ]
]

[pmarkowsky]

It's definitely an interesting idea.