Extend management to sync meta and posture checks with peer (#1727)

* Add method to retrieve peer's applied posture checks * Add posture checks in server response and update proto messages * Refactor * Extends peer metadata synchronization through SyncRequest and propagate posture changes on syncResponse * Remove account lock * Pass system info on sync * Fix tests * Refactor * resolve merge * Evaluate process check on client (#1749) * implement server and client sync peer meta alongside mocks * wip: add check file and process * Add files to peer metadata for process check * wip: update peer meta on first sync * Add files to peer's metadata * Evaluate process check using files from peer metadata * Fix panic and append windows path to files * Fix check network address and files equality * Evaluate active process on darwin * Evaluate active process on linux * Skip processing processes if no paths are set * Return network map on peer meta-sync and update account peer's * Update client network map on meta sync * Get system info with applied checks * Add windows package * Remove a network map from sync meta-response * Update checks proto message * Keep client checks state and sync meta on checks change * Evaluate a running process * skip build for android and ios * skip check file and process for android and ios * bump gopsutil version * fix tests * move process check to separate os file * refactor * evaluate info with checks on receiving management events * skip meta-update for an old client with no meta-sync support * Check if peer meta is empty without reflection
2026-04-18 08:16:39 +00:00 · 2024-04-15 16:00:57 +03:00
parent 36582d13aa
commit c6ab215d9d
26 changed files with 1400 additions and 601 deletions
--- a/management/client/client.go
+++ b/management/client/client.go
@@ -3,19 +3,21 @@ package client
 import (
 	"io"

+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/management/proto"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

 type Client interface {
 	io.Closer
-	Sync(msgHandler func(msg *proto.SyncResponse) error) error
+	Sync(sysInfo *system.Info, msgHandler func(msg *proto.SyncResponse) error) error
 	GetServerPublicKey() (*wgtypes.Key, error)
 	Register(serverKey wgtypes.Key, setupKey string, jwtToken string, sysInfo *system.Info, sshKey []byte) (*proto.LoginResponse, error)
 	Login(serverKey wgtypes.Key, sysInfo *system.Info, sshKey []byte) (*proto.LoginResponse, error)
 	GetDeviceAuthorizationFlow(serverKey wgtypes.Key) (*proto.DeviceAuthorizationFlow, error)
 	GetPKCEAuthorizationFlow(serverKey wgtypes.Key) (*proto.PKCEAuthorizationFlow, error)
-	GetNetworkMap() (*proto.NetworkMap, error)
+	GetNetworkMap(sysInfo *system.Info) (*proto.NetworkMap, error)
 	IsHealthy() bool
+	SyncMeta(sysInfo *system.Info) error
 }
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -255,7 +255,7 @@ func TestClient_Sync(t *testing.T) {
 	ch := make(chan *mgmtProto.SyncResponse, 1)

 	go func() {
-		err = client.Sync(func(msg *mgmtProto.SyncResponse) error {
+		err = client.Sync(info, func(msg *mgmtProto.SyncResponse) error {
 			ch <- msg
 			return nil
 		})
--- a/management/client/grpc.go
+++ b/management/client/grpc.go
@@ -113,7 +113,7 @@ func (c *GrpcClient) ready() bool {

 // Sync wraps the real client's Sync endpoint call and takes care of retries and encryption/decryption of messages
 // Blocking request. The result will be sent via msgHandler callback function
-func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
+func (c *GrpcClient) Sync(sysInfo *system.Info, msgHandler func(msg *proto.SyncResponse) error) error {
 	backOff := defaultBackoff(c.ctx)

 	operation := func() error {
@@ -135,7 +135,7 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error

 		ctx, cancelStream := context.WithCancel(c.ctx)
 		defer cancelStream()
-		stream, err := c.connectToStream(ctx, *serverPubKey)
+		stream, err := c.connectToStream(ctx, *serverPubKey, sysInfo)
 		if err != nil {
 			log.Debugf("failed to open Management Service stream: %s", err)
 			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
@@ -177,7 +177,7 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error
 }

 // GetNetworkMap return with the network map
-func (c *GrpcClient) GetNetworkMap() (*proto.NetworkMap, error) {
+func (c *GrpcClient) GetNetworkMap(sysInfo *system.Info) (*proto.NetworkMap, error) {
 	serverPubKey, err := c.GetServerPublicKey()
 	if err != nil {
 		log.Debugf("failed getting Management Service public key: %s", err)
@@ -186,7 +186,7 @@ func (c *GrpcClient) GetNetworkMap() (*proto.NetworkMap, error) {

 	ctx, cancelStream := context.WithCancel(c.ctx)
 	defer cancelStream()
-	stream, err := c.connectToStream(ctx, *serverPubKey)
+	stream, err := c.connectToStream(ctx, *serverPubKey, sysInfo)
 	if err != nil {
 		log.Debugf("failed to open Management Service stream: %s", err)
 		return nil, err
@@ -219,8 +219,8 @@ func (c *GrpcClient) GetNetworkMap() (*proto.NetworkMap, error) {
 	return decryptedResp.GetNetworkMap(), nil
 }

-func (c *GrpcClient) connectToStream(ctx context.Context, serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
-	req := &proto.SyncRequest{}
+func (c *GrpcClient) connectToStream(ctx context.Context, serverPubKey wgtypes.Key, sysInfo *system.Info) (proto.ManagementService_SyncClient, error) {
+	req := &proto.SyncRequest{Meta: infoToMetaData(sysInfo)}

 	myPrivateKey := c.key
 	myPublicKey := myPrivateKey.PublicKey()
@@ -430,6 +430,35 @@ func (c *GrpcClient) GetPKCEAuthorizationFlow(serverKey wgtypes.Key) (*proto.PKC
 	return flowInfoResp, nil
 }

+// SyncMeta sends updated system metadata to the Management Service.
+// It should be used if there is changes on peer posture check after initial sync.
+func (c *GrpcClient) SyncMeta(sysInfo *system.Info) error {
+	if !c.ready() {
+		return fmt.Errorf("no connection to management")
+	}
+
+	serverPubKey, err := c.GetServerPublicKey()
+	if err != nil {
+		log.Debugf("failed getting Management Service public key: %s", err)
+		return err
+	}
+
+	syncMetaReq, err := encryption.EncryptMessage(*serverPubKey, c.key, &proto.SyncMetaRequest{Meta: infoToMetaData(sysInfo)})
+	if err != nil {
+		log.Errorf("failed to encrypt message: %s", err)
+		return err
+	}
+
+	mgmCtx, cancel := context.WithTimeout(c.ctx, ConnectTimeout)
+	defer cancel()
+
+	_, err = c.realClient.SyncMeta(mgmCtx, &proto.EncryptedMessage{
+		WgPubKey: c.key.PublicKey().String(),
+		Body:     syncMetaReq,
+	})
+	return err
+}
+
 func (c *GrpcClient) notifyDisconnected(err error) {
 	c.connStateCallbackLock.RLock()
 	defer c.connStateCallbackLock.RUnlock()
@@ -463,6 +492,15 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 		})
 	}

+	files := make([]*proto.File, 0, len(info.Files))
+	for _, file := range info.Files {
+		files = append(files, &proto.File{
+			Path:             file.Path,
+			Exist:            file.Exist,
+			ProcessIsRunning: file.ProcessIsRunning,
+		})
+	}
+
 	return &proto.PeerSystemMeta{
 		Hostname:           info.Hostname,
 		GoOS:               info.GoOS,
@@ -482,5 +520,6 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 			Cloud:    info.Environment.Cloud,
 			Platform: info.Environment.Platform,
 		},
+		Files: files,
 	}
 }
--- a/management/client/mock.go
+++ b/management/client/mock.go
@@ -9,12 +9,13 @@ import (

 type MockClient struct {
 	CloseFunc                      func() error
-	SyncFunc                       func(msgHandler func(msg *proto.SyncResponse) error) error
+	SyncFunc                       func(sysInfo *system.Info, msgHandler func(msg *proto.SyncResponse) error) error
 	GetServerPublicKeyFunc         func() (*wgtypes.Key, error)
 	RegisterFunc                   func(serverKey wgtypes.Key, setupKey string, jwtToken string, info *system.Info, sshKey []byte) (*proto.LoginResponse, error)
 	LoginFunc                      func(serverKey wgtypes.Key, info *system.Info, sshKey []byte) (*proto.LoginResponse, error)
 	GetDeviceAuthorizationFlowFunc func(serverKey wgtypes.Key) (*proto.DeviceAuthorizationFlow, error)
 	GetPKCEAuthorizationFlowFunc   func(serverKey wgtypes.Key) (*proto.PKCEAuthorizationFlow, error)
+	SyncMetaFunc                   func(sysInfo *system.Info) error
 }

 func (m *MockClient) IsHealthy() bool {
@@ -28,11 +29,11 @@ func (m *MockClient) Close() error {
 	return m.CloseFunc()
 }

-func (m *MockClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
+func (m *MockClient) Sync(sysInfo *system.Info, msgHandler func(msg *proto.SyncResponse) error) error {
 	if m.SyncFunc == nil {
 		return nil
 	}
-	return m.SyncFunc(msgHandler)
+	return m.SyncFunc(sysInfo, msgHandler)
 }

 func (m *MockClient) GetServerPublicKey() (*wgtypes.Key, error) {
@@ -71,6 +72,13 @@ func (m *MockClient) GetPKCEAuthorizationFlow(serverKey wgtypes.Key) (*proto.PKC
 }

 // GetNetworkMap mock implementation of GetNetworkMap from mgm.Client interface
-func (m *MockClient) GetNetworkMap() (*proto.NetworkMap, error) {
+func (m *MockClient) GetNetworkMap(_ *system.Info) (*proto.NetworkMap, error) {
 	return nil, nil
 }
+
+func (m *MockClient) SyncMeta(sysInfo *system.Info) error {
+	if m.SyncMetaFunc == nil {
+		return nil
+	}
+	return m.SyncMetaFunc(sysInfo)
+}
--- a/management/proto/management.pb.go
+++ b/management/proto/management.pb.go
--- a/management/proto/management.proto
+++ b/management/proto/management.proto
@@ -38,6 +38,12 @@ service ManagementService {
  // EncryptedMessage of the request has a body of PKCEAuthorizationFlowRequest.
  // EncryptedMessage of the response has a body of PKCEAuthorizationFlow.
  rpc GetPKCEAuthorizationFlow(EncryptedMessage) returns (EncryptedMessage) {}
+
+  // SyncMeta is used to sync metadata of the peer.
+  // After sync the peer if there is a change in peer posture check which  needs to be evaluated by the client,
+  // sync meta will evaluate the checks and update the peer meta with the result.
+  // EncryptedMessage of the request has a body of Empty.
+  rpc  SyncMeta(EncryptedMessage) returns (Empty) {}
 }

 message EncryptedMessage {
@@ -50,7 +56,10 @@ message EncryptedMessage {
  int32 version = 3;
 }

-message SyncRequest {}
+message SyncRequest {
+  // Meta data of the peer
+  PeerSystemMeta meta = 1;
+}

 // SyncResponse represents a state that should be applied to the local peer (e.g. Wiretrustee servers config as well as local peer and remote peers configs)
 message SyncResponse {
@@ -69,6 +78,14 @@ message SyncResponse {
  bool remotePeersIsEmpty = 4;

  NetworkMap NetworkMap = 5;
+
+  // Posture checks to be evaluated by client
+  repeated Checks Checks = 6;
+}
+
+message  SyncMetaRequest {
+  // Meta data of the peer
+  PeerSystemMeta meta = 1;
 }

 message LoginRequest {
@@ -82,6 +99,7 @@ message LoginRequest {
  PeerKeys peerKeys = 4;

 }
+
 // PeerKeys is additional peer info like SSH pub key and WireGuard public key.
 // This message is sent on Login or register requests, or when a key rotation has to happen.
 message PeerKeys {
@@ -100,6 +118,16 @@ message Environment {
  string platform = 2;
 }

+// File represents a file on the system.
+message File {
+  // path is the path to the file.
+  string path = 1;
+  // exist indicate whether the file exists.
+  bool exist = 2;
+  // processIsRunning indicates whether the file is a running process or not.
+  bool processIsRunning = 3;
+}
+
 // PeerSystemMeta is machine meta data like OS and version.
 message PeerSystemMeta {
  string hostname = 1;
@@ -117,6 +145,7 @@ message PeerSystemMeta {
  string sysProductName = 13;
  string sysManufacturer = 14;
  Environment environment = 15;
+  repeated File files = 16;
 }

 message LoginResponse {
@@ -124,6 +153,8 @@ message LoginResponse {
  WiretrusteeConfig wiretrusteeConfig = 1;
  // Peer local config
  PeerConfig peerConfig = 2;
+  // Posture checks to be evaluated by client
+  repeated Checks Checks = 3;
 }

 message ServerKeyResponse {
@@ -371,3 +402,7 @@ message NetworkAddress {
  string netIP = 1;
  string mac = 2;
 }
+
+message Checks {
+  repeated string Files= 1;
+}
--- a/management/proto/management_grpc.pb.go
+++ b/management/proto/management_grpc.pb.go
@@ -43,6 +43,11 @@ type ManagementServiceClient interface {
 	// EncryptedMessage of the request has a body of PKCEAuthorizationFlowRequest.
 	// EncryptedMessage of the response has a body of PKCEAuthorizationFlow.
 	GetPKCEAuthorizationFlow(ctx context.Context, in *EncryptedMessage, opts ...grpc.CallOption) (*EncryptedMessage, error)
+	// SyncMeta is used to sync metadata of the peer.
+	// After sync the peer if there is a change in peer posture check which  needs to be evaluated by the client,
+	// sync meta will evaluate the checks and update the peer meta with the result.
+	// EncryptedMessage of the request has a body of Empty.
+	SyncMeta(ctx context.Context, in *EncryptedMessage, opts ...grpc.CallOption) (*Empty, error)
 }

 type managementServiceClient struct {
@@ -130,6 +135,15 @@ func (c *managementServiceClient) GetPKCEAuthorizationFlow(ctx context.Context,
 	return out, nil
 }

+func (c *managementServiceClient) SyncMeta(ctx context.Context, in *EncryptedMessage, opts ...grpc.CallOption) (*Empty, error) {
+	out := new(Empty)
+	err := c.cc.Invoke(ctx, "/management.ManagementService/SyncMeta", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // ManagementServiceServer is the server API for ManagementService service.
 // All implementations must embed UnimplementedManagementServiceServer
 // for forward compatibility
@@ -159,6 +173,11 @@ type ManagementServiceServer interface {
 	// EncryptedMessage of the request has a body of PKCEAuthorizationFlowRequest.
 	// EncryptedMessage of the response has a body of PKCEAuthorizationFlow.
 	GetPKCEAuthorizationFlow(context.Context, *EncryptedMessage) (*EncryptedMessage, error)
+	// SyncMeta is used to sync metadata of the peer.
+	// After sync the peer if there is a change in peer posture check which  needs to be evaluated by the client,
+	// sync meta will evaluate the checks and update the peer meta with the result.
+	// EncryptedMessage of the request has a body of Empty.
+	SyncMeta(context.Context, *EncryptedMessage) (*Empty, error)
 	mustEmbedUnimplementedManagementServiceServer()
 }

@@ -184,6 +203,9 @@ func (UnimplementedManagementServiceServer) GetDeviceAuthorizationFlow(context.C
 func (UnimplementedManagementServiceServer) GetPKCEAuthorizationFlow(context.Context, *EncryptedMessage) (*EncryptedMessage, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetPKCEAuthorizationFlow not implemented")
 }
+func (UnimplementedManagementServiceServer) SyncMeta(context.Context, *EncryptedMessage) (*Empty, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SyncMeta not implemented")
+}
 func (UnimplementedManagementServiceServer) mustEmbedUnimplementedManagementServiceServer() {}

 // UnsafeManagementServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -308,6 +330,24 @@ func _ManagementService_GetPKCEAuthorizationFlow_Handler(srv interface{}, ctx co
 	return interceptor(ctx, in, info, handler)
 }

+func _ManagementService_SyncMeta_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(EncryptedMessage)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ManagementServiceServer).SyncMeta(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ManagementService/SyncMeta",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ManagementServiceServer).SyncMeta(ctx, req.(*EncryptedMessage))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // ManagementService_ServiceDesc is the grpc.ServiceDesc for ManagementService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -335,6 +375,10 @@ var ManagementService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetPKCEAuthorizationFlow",
 			Handler:    _ManagementService_GetPKCEAuthorizationFlow_Handler,
 		},
+		{
+			MethodName: "SyncMeta",
+			Handler:    _ManagementService_SyncMeta_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -114,6 +114,7 @@ type AccountManager interface {
 	GetDNSSettings(accountID string, userID string) (*DNSSettings, error)
 	SaveDNSSettings(accountID string, userID string, dnsSettingsToSave *DNSSettings) error
 	GetPeer(accountID, peerID, userID string) (*nbpeer.Peer, error)
+	GetPeerAppliedPostureChecks(peerKey string) ([]posture.Checks, error)
 	UpdateAccountSettings(accountID, userID string, newSettings *Settings) (*Account, error)
 	LoginPeer(login PeerLogin) (*nbpeer.Peer, *NetworkMap, error) // used by peer gRPC API
 	SyncPeer(sync PeerSync) (*nbpeer.Peer, *NetworkMap, error)    // used by peer gRPC API
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -134,7 +134,14 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 		return err
 	}

-	peer, netMap, err := s.accountManager.SyncPeer(PeerSync{WireGuardPubKey: peerKey.String()})
+	if syncReq.GetMeta() == nil {
+		log.Tracef("peer system meta has to be provided on sync. Peer %s, remote addr %s", peerKey.String(), realIP)
+	}
+
+	peer, netMap, err := s.accountManager.SyncPeer(PeerSync{
+		WireGuardPubKey: peerKey.String(),
+		Meta:            extractPeerMeta(syncReq.GetMeta()),
+	})
 	if err != nil {
 		return mapError(err)
 	}
@@ -255,14 +262,18 @@ func mapError(err error) error {
 	return status.Errorf(codes.Internal, "failed handling request")
 }

-func extractPeerMeta(loginReq *proto.LoginRequest) nbpeer.PeerSystemMeta {
-	osVersion := loginReq.GetMeta().GetOSVersion()
-	if osVersion == "" {
-		osVersion = loginReq.GetMeta().GetCore()
+func extractPeerMeta(meta *proto.PeerSystemMeta) nbpeer.PeerSystemMeta {
+	if meta == nil {
+		return nbpeer.PeerSystemMeta{}
 	}

-	networkAddresses := make([]nbpeer.NetworkAddress, 0, len(loginReq.GetMeta().GetNetworkAddresses()))
-	for _, addr := range loginReq.GetMeta().GetNetworkAddresses() {
+	osVersion := meta.GetOSVersion()
+	if osVersion == "" {
+		osVersion = meta.GetCore()
+	}
+
+	networkAddresses := make([]nbpeer.NetworkAddress, 0, len(meta.GetNetworkAddresses()))
+	for _, addr := range meta.GetNetworkAddresses() {
 		netAddr, err := netip.ParsePrefix(addr.GetNetIP())
 		if err != nil {
 			log.Warnf("failed to parse netip address, %s: %v", addr.GetNetIP(), err)
@@ -274,24 +285,34 @@ func extractPeerMeta(loginReq *proto.LoginRequest) nbpeer.PeerSystemMeta {
 		})
 	}

+	files := make([]nbpeer.File, 0, len(meta.GetFiles()))
+	for _, file := range meta.GetFiles() {
+		files = append(files, nbpeer.File{
+			Path:             file.GetPath(),
+			Exist:            file.GetExist(),
+			ProcessIsRunning: file.GetProcessIsRunning(),
+		})
+	}
+
 	return nbpeer.PeerSystemMeta{
-		Hostname:           loginReq.GetMeta().GetHostname(),
-		GoOS:               loginReq.GetMeta().GetGoOS(),
-		Kernel:             loginReq.GetMeta().GetKernel(),
-		Platform:           loginReq.GetMeta().GetPlatform(),
-		OS:                 loginReq.GetMeta().GetOS(),
+		Hostname:           meta.GetHostname(),
+		GoOS:               meta.GetGoOS(),
+		Kernel:             meta.GetKernel(),
+		Platform:           meta.GetPlatform(),
+		OS:                 meta.GetOS(),
 		OSVersion:          osVersion,
-		WtVersion:          loginReq.GetMeta().GetWiretrusteeVersion(),
-		UIVersion:          loginReq.GetMeta().GetUiVersion(),
-		KernelVersion:      loginReq.GetMeta().GetKernelVersion(),
+		WtVersion:          meta.GetWiretrusteeVersion(),
+		UIVersion:          meta.GetUiVersion(),
+		KernelVersion:      meta.GetKernelVersion(),
 		NetworkAddresses:   networkAddresses,
-		SystemSerialNumber: loginReq.GetMeta().GetSysSerialNumber(),
-		SystemProductName:  loginReq.GetMeta().GetSysProductName(),
-		SystemManufacturer: loginReq.GetMeta().GetSysManufacturer(),
+		SystemSerialNumber: meta.GetSysSerialNumber(),
+		SystemProductName:  meta.GetSysProductName(),
+		SystemManufacturer: meta.GetSysManufacturer(),
 		Environment: nbpeer.Environment{
-			Cloud:    loginReq.GetMeta().GetEnvironment().GetCloud(),
-			Platform: loginReq.GetMeta().GetEnvironment().GetPlatform(),
+			Cloud:    meta.GetEnvironment().GetCloud(),
+			Platform: meta.GetEnvironment().GetPlatform(),
 		},
+		Files: files,
 	}
 }

@@ -366,7 +387,7 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 	peer, netMap, err := s.accountManager.LoginPeer(PeerLogin{
 		WireGuardPubKey: peerKey.String(),
 		SSHKey:          string(sshKey),
-		Meta:            extractPeerMeta(loginReq),
+		Meta:            extractPeerMeta(loginReq.GetMeta()),
 		UserID:          userID,
 		SetupKey:        loginReq.GetSetupKey(),
 		ConnectionIP:    realIP,
@@ -386,6 +407,7 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 	loginResp := &proto.LoginResponse{
 		WiretrusteeConfig: toWiretrusteeConfig(s.config, nil),
 		PeerConfig:        toPeerConfig(peer, netMap.Network, s.accountManager.GetDNSDomain()),
+		Checks:            toPeerChecks(s.accountManager, peerKey.String()),
 	}
 	encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, loginResp)
 	if err != nil {
@@ -482,7 +504,7 @@ func toRemotePeerConfig(peers []*nbpeer.Peer, dnsName string) []*proto.RemotePee
 	return remotePeers
 }

-func toSyncResponse(config *Config, peer *nbpeer.Peer, turnCredentials *TURNCredentials, networkMap *NetworkMap, dnsName string) *proto.SyncResponse {
+func toSyncResponse(accountManager AccountManager, config *Config, peer *nbpeer.Peer, turnCredentials *TURNCredentials, networkMap *NetworkMap, dnsName string) *proto.SyncResponse {
 	wtConfig := toWiretrusteeConfig(config, turnCredentials)

 	pConfig := toPeerConfig(peer, networkMap.Network, dnsName)
@@ -513,6 +535,7 @@ func toSyncResponse(config *Config, peer *nbpeer.Peer, turnCredentials *TURNCred
 			FirewallRules:        firewallRules,
 			FirewallRulesIsEmpty: len(firewallRules) == 0,
 		},
+		Checks: toPeerChecks(accountManager, peer.Key),
 	}
 }

@@ -531,7 +554,7 @@ func (s *GRPCServer) sendInitialSync(peerKey wgtypes.Key, peer *nbpeer.Peer, net
 	} else {
 		turnCredentials = nil
 	}
-	plainResp := toSyncResponse(s.config, peer, turnCredentials, networkMap, s.accountManager.GetDNSDomain())
+	plainResp := toSyncResponse(s.accountManager, s.config, peer, turnCredentials, networkMap, s.accountManager.GetDNSDomain())

 	encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp)
 	if err != nil {
@@ -648,3 +671,62 @@ func (s *GRPCServer) GetPKCEAuthorizationFlow(_ context.Context, req *proto.Encr
 		Body:     encryptedResp,
 	}, nil
 }
+
+// SyncMeta endpoint is used to synchronize peer's system metadata and notifies the connected,
+// peer's under the same account of any updates.
+func (s *GRPCServer) SyncMeta(ctx context.Context, req *proto.EncryptedMessage) (*proto.Empty, error) {
+	realIP := getRealIP(ctx)
+	log.Debugf("Sync meta request from peer [%s] [%s]", req.WgPubKey, realIP.String())
+
+	syncMetaReq := &proto.SyncMetaRequest{}
+	peerKey, err := s.parseRequest(req, syncMetaReq)
+	if err != nil {
+		return nil, err
+	}
+
+	if syncMetaReq.GetMeta() == nil {
+		msg := status.Errorf(codes.FailedPrecondition,
+			"peer system meta has to be provided on sync. Peer %s, remote addr %s", peerKey.String(), realIP)
+		log.Warn(msg)
+		return nil, msg
+	}
+
+	_, _, err = s.accountManager.SyncPeer(PeerSync{
+		WireGuardPubKey:    peerKey.String(),
+		Meta:               extractPeerMeta(syncMetaReq.GetMeta()),
+		UpdateAccountPeers: true,
+	})
+	if err != nil {
+		return nil, mapError(err)
+	}
+
+	return &proto.Empty{}, nil
+}
+
+// toPeerChecks returns posture checks for the peer that needs to be evaluated on the client side.
+func toPeerChecks(accountManager AccountManager, peerKey string) []*proto.Checks {
+	postureChecks, err := accountManager.GetPeerAppliedPostureChecks(peerKey)
+	if err != nil {
+		log.Errorf("failed getting peer's: %s posture checks: %v", peerKey, err)
+		return nil
+	}
+
+	protoChecks := make([]*proto.Checks, 0)
+	for _, postureCheck := range postureChecks {
+		protoCheck := &proto.Checks{}
+
+		if check := postureCheck.Checks.ProcessCheck; check != nil {
+			for _, process := range check.Processes {
+				if process.Path != "" {
+					protoCheck.Files = append(protoCheck.Files, process.Path)
+				}
+				if process.WindowsPath != "" {
+					protoCheck.Files = append(protoCheck.Files, process.WindowsPath)
+				}
+			}
+		}
+		protoChecks = append(protoChecks, protoCheck)
+	}
+
+	return protoChecks
+}
--- a/management/server/management_proto_test.go
+++ b/management/server/management_proto_test.go
@@ -134,7 +134,8 @@ func Test_SyncProtocol(t *testing.T) {
 	// take the first registered peer as a base for the test. Total four.
 	key := *peers[0]

-	message, err := encryption.EncryptMessage(*serverKey, key, &mgmtProto.SyncRequest{})
+	syncReq := &mgmtProto.SyncRequest{Meta: &mgmtProto.PeerSystemMeta{}}
+	message, err := encryption.EncryptMessage(*serverKey, key, syncReq)
 	if err != nil {
 		t.Fatal(err)
 		return
--- a/management/server/management_test.go
+++ b/management/server/management_test.go
@@ -93,7 +93,8 @@ var _ = Describe("Management service", func() {
 				key, _ := wgtypes.GenerateKey()
 				loginPeerWithValidSetupKey(serverPubKey, key, client)

-				encryptedBytes, err := encryption.EncryptMessage(serverPubKey, key, &mgmtProto.SyncRequest{})
+				syncReq := &mgmtProto.SyncRequest{Meta: &mgmtProto.PeerSystemMeta{}}
+				encryptedBytes, err := encryption.EncryptMessage(serverPubKey, key, syncReq)
 				Expect(err).NotTo(HaveOccurred())

 				sync, err := client.Sync(context.TODO(), &mgmtProto.EncryptedMessage{
@@ -143,7 +144,7 @@ var _ = Describe("Management service", func() {
 				loginPeerWithValidSetupKey(serverPubKey, key1, client)
 				loginPeerWithValidSetupKey(serverPubKey, key2, client)

-				messageBytes, err := pb.Marshal(&mgmtProto.SyncRequest{})
+				messageBytes, err := pb.Marshal(&mgmtProto.SyncRequest{Meta: &mgmtProto.PeerSystemMeta{}})
 				Expect(err).NotTo(HaveOccurred())
 				encryptedBytes, err := encryption.Encrypt(messageBytes, serverPubKey, key)
 				Expect(err).NotTo(HaveOccurred())
@@ -176,7 +177,7 @@ var _ = Describe("Management service", func() {
 				key, _ := wgtypes.GenerateKey()
 				loginPeerWithValidSetupKey(serverPubKey, key, client)

-				messageBytes, err := pb.Marshal(&mgmtProto.SyncRequest{})
+				messageBytes, err := pb.Marshal(&mgmtProto.SyncRequest{Meta: &mgmtProto.PeerSystemMeta{}})
 				Expect(err).NotTo(HaveOccurred())
 				encryptedBytes, err := encryption.Encrypt(messageBytes, serverPubKey, key)
 				Expect(err).NotTo(HaveOccurred())
@@ -329,7 +330,7 @@ var _ = Describe("Management service", func() {

 				var clients []mgmtProto.ManagementService_SyncClient
 				for _, peer := range peers {
-					messageBytes, err := pb.Marshal(&mgmtProto.SyncRequest{})
+					messageBytes, err := pb.Marshal(&mgmtProto.SyncRequest{Meta: &mgmtProto.PeerSystemMeta{}})
 					Expect(err).NotTo(HaveOccurred())
 					encryptedBytes, err := encryption.Encrypt(messageBytes, serverPubKey, peer)
 					Expect(err).NotTo(HaveOccurred())
@@ -394,7 +395,8 @@ var _ = Describe("Management service", func() {
 					defer GinkgoRecover()
 					key, _ := wgtypes.GenerateKey()
 					loginPeerWithValidSetupKey(serverPubKey, key, client)
-					encryptedBytes, err := encryption.EncryptMessage(serverPubKey, key, &mgmtProto.SyncRequest{})
+					syncReq := &mgmtProto.SyncRequest{Meta: &mgmtProto.PeerSystemMeta{}}
+					encryptedBytes, err := encryption.EncryptMessage(serverPubKey, key, syncReq)
 					Expect(err).NotTo(HaveOccurred())

 					// open stream
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -80,6 +80,7 @@ type MockAccountManager struct {
 	GetDNSSettingsFunc              func(accountID, userID string) (*server.DNSSettings, error)
 	SaveDNSSettingsFunc             func(accountID, userID string, dnsSettingsToSave *server.DNSSettings) error
 	GetPeerFunc                     func(accountID, peerID, userID string) (*nbpeer.Peer, error)
+	GetPeerAppliedPostureChecksFunc func(peerKey string) ([]posture.Checks, error)
 	UpdateAccountSettingsFunc       func(accountID, userID string, newSettings *server.Settings) (*server.Account, error)
 	LoginPeerFunc                   func(login server.PeerLogin) (*nbpeer.Peer, *server.NetworkMap, error)
 	SyncPeerFunc                    func(sync server.PeerSync) (*nbpeer.Peer, *server.NetworkMap, error)
@@ -609,6 +610,14 @@ func (am *MockAccountManager) GetPeer(accountID, peerID, userID string) (*nbpeer
 	return nil, status.Errorf(codes.Unimplemented, "method GetPeer is not implemented")
 }

+// GetPeerAppliedPostureChecks mocks GetPeerAppliedPostureChecks of the AccountManager interface
+func (am *MockAccountManager) GetPeerAppliedPostureChecks(peerKey string) ([]posture.Checks, error) {
+	if am.GetPeerAppliedPostureChecksFunc != nil {
+		return am.GetPeerAppliedPostureChecksFunc(peerKey)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method GetPeerAppliedPostureChecks is not implemented")
+}
+
 // UpdateAccountSettings mocks UpdateAccountSettings of the AccountManager interface
 func (am *MockAccountManager) UpdateAccountSettings(accountID, userID string, newSettings *server.Settings) (*server.Account, error) {
 	if am.UpdateAccountSettingsFunc != nil {
--- a/management/server/mock_server/management_server_mock.go
+++ b/management/server/mock_server/management_server_mock.go
@@ -3,9 +3,10 @@ package mock_server
 import (
 	"context"

-	"github.com/netbirdio/netbird/management/proto"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/management/proto"
 )

 type ManagementServiceServerMock struct {
@@ -17,6 +18,7 @@ type ManagementServiceServerMock struct {
 	IsHealthyFunc                  func(context.Context, *proto.Empty) (*proto.Empty, error)
 	GetDeviceAuthorizationFlowFunc func(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
 	GetPKCEAuthorizationFlowFunc   func(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
+	SyncMetaFunc                   func(ctx context.Context, req *proto.EncryptedMessage) (*proto.Empty, error)
 }

 func (m ManagementServiceServerMock) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
@@ -60,3 +62,10 @@ func (m ManagementServiceServerMock) GetPKCEAuthorizationFlow(ctx context.Contex
 	}
 	return nil, status.Errorf(codes.Unimplemented, "method GetPKCEAuthorizationFlow not implemented")
 }
+
+func (m ManagementServiceServerMock) SyncMeta(ctx context.Context, req *proto.EncryptedMessage) (*proto.Empty, error) {
+	if m.SyncMetaFunc != nil {
+		return m.SyncMetaFunc(ctx, req)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method SyncMeta not implemented")
+}
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -3,6 +3,7 @@ package server
 import (
 	"fmt"
 	"net"
+	"slices"
 	"strings"
 	"time"

@@ -12,6 +13,7 @@ import (
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/status"
 )

@@ -19,6 +21,11 @@ import (
 type PeerSync struct {
 	// WireGuardPubKey is a peers WireGuard public key
 	WireGuardPubKey string
+	// Meta is the system information passed by peer, must be always present
+	Meta nbpeer.PeerSystemMeta
+	// UpdateAccountPeers indicate updating account peers,
+	// which occurs when the peer's metadata is updated
+	UpdateAccountPeers bool
 }

 // PeerLogin used as a data object between the gRPC API and AccountManager on Login request.
@@ -551,6 +558,18 @@ func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*nbpeer.Peer, *Network
 		return nil, nil, status.Errorf(status.PermissionDenied, "peer login has expired, please log in once more")
 	}

+	peer, updated := updatePeerMeta(peer, sync.Meta, account)
+	if updated {
+		err = am.Store.SaveAccount(account)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		if sync.UpdateAccountPeers {
+			am.updateAccountPeers(account)
+		}
+	}
+
 	requiresApproval, isStatusChanged := am.integratedPeerValidator.IsNotValidPeer(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
 	if requiresApproval {
 		emptyMap := &NetworkMap{
@@ -866,7 +885,65 @@ func (am *DefaultAccountManager) updateAccountPeers(account *Account) {
 	}
 	for _, peer := range peers {
 		remotePeerNetworkMap := account.GetPeerNetworkMap(peer.ID, am.dnsDomain, approvedPeersMap)
-		update := toSyncResponse(nil, peer, nil, remotePeerNetworkMap, am.GetDNSDomain())
+		update := toSyncResponse(am, nil, peer, nil, remotePeerNetworkMap, am.GetDNSDomain())
 		am.peersUpdateManager.SendUpdate(peer.ID, &UpdateMessage{Update: update})
 	}
 }
+
+// GetPeerAppliedPostureChecks returns posture checks that are applied to the peer.
+func (am *DefaultAccountManager) GetPeerAppliedPostureChecks(peerKey string) ([]posture.Checks, error) {
+	account, err := am.Store.GetAccountByPeerPubKey(peerKey)
+	if err != nil {
+		log.Errorf("failed while getting peer %s: %v", peerKey, err)
+		return nil, err
+	}
+
+	peer, err := account.FindPeerByPubKey(peerKey)
+	if err != nil {
+		return nil, status.Errorf(status.NotFound, "peer is not registered")
+	}
+	if peer == nil {
+		return nil, nil
+	}
+
+	peerPostureChecks := make(map[string]posture.Checks)
+	for _, policy := range account.Policies {
+		if !policy.Enabled {
+			continue
+		}
+
+	outerLoop:
+		for _, rule := range policy.Rules {
+			if !rule.Enabled {
+				continue
+			}
+
+			for _, sourceGroup := range rule.Sources {
+				group, ok := account.Groups[sourceGroup]
+				if !ok {
+					continue
+				}
+
+				// check if peer is in the rule source group
+				if slices.Contains(group.Peers, peer.ID) {
+					for _, sourcePostureCheckID := range policy.SourcePostureChecks {
+						for _, postureChecks := range account.PostureChecks {
+							if postureChecks.ID == sourcePostureCheckID {
+								peerPostureChecks[sourcePostureCheckID] = *postureChecks
+							}
+						}
+					}
+
+					break outerLoop
+				}
+			}
+		}
+	}
+
+	postureChecksList := make([]posture.Checks, 0, len(peerPostureChecks))
+	for _, check := range peerPostureChecks {
+		postureChecksList = append(postureChecksList, check)
+	}
+
+	return postureChecksList, nil
+}
--- a/management/server/peer/peer.go
+++ b/management/server/peer/peer.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"slices"
 	"time"
 )

@@ -79,9 +80,11 @@ type Environment struct {
 	Platform string
 }

-// Process represents an active process on the peer's system.
-type Process struct {
-	Path string
+// File is a file on the system.
+type File struct {
+	Path             string
+	Exist            bool
+	ProcessIsRunning bool
 }

 // PeerSystemMeta is a metadata of a Peer machine system
@@ -101,25 +104,22 @@ type PeerSystemMeta struct { //nolint:revive
 	SystemProductName  string
 	SystemManufacturer string
 	Environment        Environment `gorm:"serializer:json"`
-	Processes          []Process   `gorm:"-"`
+	Files              []File      `gorm:"serializer:json"`
 }

 func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
-	if len(p.NetworkAddresses) != len(other.NetworkAddresses) {
+	equalNetworkAddresses := slices.EqualFunc(p.NetworkAddresses, other.NetworkAddresses, func(addr NetworkAddress, oAddr NetworkAddress) bool {
+		return addr.Mac == oAddr.Mac && addr.NetIP == oAddr.NetIP
+	})
+	if !equalNetworkAddresses {
 		return false
 	}

-	for _, addr := range p.NetworkAddresses {
-		var found bool
-		for _, oAddr := range other.NetworkAddresses {
-			if addr.Mac == oAddr.Mac && addr.NetIP == oAddr.NetIP {
-				found = true
-				continue
-			}
-		}
-		if !found {
-			return false
-		}
+	equalFiles := slices.EqualFunc(p.Files, other.Files, func(file File, oFile File) bool {
+		return file.Path == oFile.Path && file.Exist == oFile.Exist && file.ProcessIsRunning == oFile.ProcessIsRunning
+	})
+	if !equalFiles {
+		return false
 	}

 	return p.Hostname == other.Hostname &&
@@ -139,6 +139,26 @@ func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
 		p.Environment.Platform == other.Environment.Platform
 }

+func (p PeerSystemMeta) isEmpty() bool {
+	return p.Hostname == "" &&
+		p.GoOS == "" &&
+		p.Kernel == "" &&
+		p.Core == "" &&
+		p.Platform == "" &&
+		p.OS == "" &&
+		p.OSVersion == "" &&
+		p.WtVersion == "" &&
+		p.UIVersion == "" &&
+		p.KernelVersion == "" &&
+		len(p.NetworkAddresses) == 0 &&
+		p.SystemSerialNumber == "" &&
+		p.SystemProductName == "" &&
+		p.SystemManufacturer == "" &&
+		p.Environment.Cloud == "" &&
+		p.Environment.Platform == "" &&
+		len(p.Files) == 0
+}
+
 // AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
 func (p *Peer) AddedWithSSOLogin() bool {
 	return p.UserID != ""
@@ -174,6 +194,10 @@ func (p *Peer) Copy() *Peer {
 // UpdateMetaIfNew updates peer's system metadata if new information is provided
 // returns true if meta was updated, false otherwise
 func (p *Peer) UpdateMetaIfNew(meta PeerSystemMeta) bool {
+	if meta.isEmpty() {
+		return false
+	}
+
 	// Avoid overwriting UIVersion if the update was triggered sole by the CLI client
 	if meta.UIVersion == "" {
 		meta.UIVersion = p.Meta.UIVersion
--- a/management/server/posture/process.go
+++ b/management/server/posture/process.go
@@ -19,9 +19,11 @@ type ProcessCheck struct {
 var _ Check = (*ProcessCheck)(nil)

 func (p *ProcessCheck) Check(peer nbpeer.Peer) (bool, error) {
-	peerActiveProcesses := make([]string, 0, len(peer.Meta.Processes))
-	for _, process := range peer.Meta.Processes {
-		peerActiveProcesses = append(peerActiveProcesses, process.Path)
+	peerActiveProcesses := make([]string, 0, len(peer.Meta.Files))
+	for _, file := range peer.Meta.Files {
+		if file.ProcessIsRunning {
+			peerActiveProcesses = append(peerActiveProcesses, file.Path)
+		}
 	}

 	switch peer.Meta.GoOS {
--- a/management/server/posture/process_test.go
+++ b/management/server/posture/process_test.go
@@ -17,13 +17,14 @@ func TestProcessCheck_Check(t *testing.T) {
 		isValid bool
 	}{
 		{
-			name: "darwin with matching processes",
+			name: "darwin with matching running processes",
 			input: peer.Peer{
 				Meta: peer.PeerSystemMeta{
 					GoOS: "darwin",
-					Processes: []peer.Process{
-						{Path: "/Applications/process1.app"},
-						{Path: "/Applications/process2.app"}},
+					Files: []peer.File{
+						{Path: "/Applications/process1.app", ProcessIsRunning: true},
+						{Path: "/Applications/process2.app", ProcessIsRunning: true},
+					},
 				},
 			},
 			check: ProcessCheck{
@@ -40,9 +41,9 @@ func TestProcessCheck_Check(t *testing.T) {
 			input: peer.Peer{
 				Meta: peer.PeerSystemMeta{
 					GoOS: "darwin",
-					Processes: []peer.Process{
-						{Path: "/Applications/process1.app"},
-						{Path: "/Applications/process2.app"},
+					Files: []peer.File{
+						{Path: "/Applications/process1.app", ProcessIsRunning: true},
+						{Path: "/Applications/process2.app", ProcessIsRunning: true},
 					},
 				},
 			},
@@ -56,13 +57,13 @@ func TestProcessCheck_Check(t *testing.T) {
 			isValid: false,
 		},
 		{
-			name: "linux with matching processes",
+			name: "linux with matching running processes",
 			input: peer.Peer{
 				Meta: peer.PeerSystemMeta{
 					GoOS: "linux",
-					Processes: []peer.Process{
-						{Path: "/usr/bin/process1"},
-						{Path: "/usr/bin/process2"},
+					Files: []peer.File{
+						{Path: "/usr/bin/process1", ProcessIsRunning: true},
+						{Path: "/usr/bin/process2", ProcessIsRunning: true},
 					},
 				},
 			},
@@ -75,13 +76,33 @@ func TestProcessCheck_Check(t *testing.T) {
 			wantErr: false,
 			isValid: true,
 		},
+		{
+			name: "linux with matching no running processes",
+			input: peer.Peer{
+				Meta: peer.PeerSystemMeta{
+					GoOS: "linux",
+					Files: []peer.File{
+						{Path: "/usr/bin/process1", ProcessIsRunning: true},
+						{Path: "/usr/bin/process2", ProcessIsRunning: false},
+					},
+				},
+			},
+			check: ProcessCheck{
+				Processes: []Process{
+					{Path: "/usr/bin/process1"},
+					{Path: "/usr/bin/process2"},
+				},
+			},
+			wantErr: false,
+			isValid: false,
+		},
 		{
 			name: "linux with windows process paths",
 			input: peer.Peer{
 				Meta: peer.PeerSystemMeta{
 					GoOS: "linux",
-					Processes: []peer.Process{
-						{Path: "/usr/bin/process1"},
+					Files: []peer.File{
+						{Path: "/usr/bin/process1", ProcessIsRunning: true},
 						{Path: "/usr/bin/process2"},
 					},
 				},
@@ -100,7 +121,7 @@ func TestProcessCheck_Check(t *testing.T) {
 			input: peer.Peer{
 				Meta: peer.PeerSystemMeta{
 					GoOS: "linux",
-					Processes: []peer.Process{
+					Files: []peer.File{
 						{Path: "/usr/bin/process3"},
 						{Path: "/usr/bin/process4"},
 					},
@@ -116,13 +137,13 @@ func TestProcessCheck_Check(t *testing.T) {
 			isValid: false,
 		},
 		{
-			name: "windows with matching processes",
+			name: "windows with matching running processes",
 			input: peer.Peer{
 				Meta: peer.PeerSystemMeta{
 					GoOS: "windows",
-					Processes: []peer.Process{
-						{Path: "C:\\Program Files\\process1.exe"},
-						{Path: "C:\\Program Files\\process1.exe"},
+					Files: []peer.File{
+						{Path: "C:\\Program Files\\process1.exe", ProcessIsRunning: true},
+						{Path: "C:\\Program Files\\process1.exe", ProcessIsRunning: true},
 					},
 				},
 			},
@@ -140,7 +161,7 @@ func TestProcessCheck_Check(t *testing.T) {
 			input: peer.Peer{
 				Meta: peer.PeerSystemMeta{
 					GoOS: "windows",
-					Processes: []peer.Process{
+					Files: []peer.File{
 						{Path: "C:\\Program Files\\process1.exe"},
 						{Path: "C:\\Program Files\\process1.exe"},
 					},
@@ -160,7 +181,7 @@ func TestProcessCheck_Check(t *testing.T) {
 			input: peer.Peer{
 				Meta: peer.PeerSystemMeta{
 					GoOS: "windows",
-					Processes: []peer.Process{
+					Files: []peer.File{
 						{Path: "C:\\Program Files\\process3.exe"},
 						{Path: "C:\\Program Files\\process4.exe"},
 					},