[Security Solution] Add advanced options for linux filesystem monitoring and migrations (#136287)

This commit is contained in:
Kevin Logan 2022-07-19 10:20:02 -04:00 committed by GitHub
parent 022fe6180c
commit 407c105fa2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 240 additions and 1 deletions


@ -40,7 +40,11 @@ import { migrateInstallationToV7160, migratePackagePolicyToV7160 } from './migra
import { migrateInstallationToV800, migrateOutputToV800 } from './migrations/to_v8_0_0';
import { migratePackagePolicyToV820 } from './migrations/to_v8_2_0';
import { migrateInstallationToV830, migratePackagePolicyToV830 } from './migrations/to_v8_3_0';
import { migrateInstallationToV840, migrateAgentPolicyToV840 } from './migrations/to_v8_4_0';
import {
migrateInstallationToV840,
migrateAgentPolicyToV840,
migratePackagePolicyToV840,
} from './migrations/to_v8_4_0';
/*
* Saved object types and mappings
@ -216,6 +220,7 @@ const getSavedObjectTypes = (
'7.16.0': migratePackagePolicyToV7160,
'8.2.0': migratePackagePolicyToV820,
'8.3.0': migratePackagePolicyToV830,
'8.4.0': migratePackagePolicyToV840,
},
},
[PACKAGES_SAVED_OBJECT_TYPE]: {


@ -13,3 +13,4 @@ export { migratePackagePolicyToV7150 } from './to_v7_15_0';
export { migratePackagePolicyToV7160 } from './to_v7_16_0';
export { migratePackagePolicyToV820 } from './to_v8_2_0';
export { migratePackagePolicyToV830 } from './to_v8_3_0';
export { migratePackagePolicyToV840 } from './to_v8_4_0';


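--- /dev/null
+++ b/server/saved_objects/migrations/security_solution/to_v8_4_0.test.ts
@@ -0,0 +1,147 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+import type { SavedObjectMigrationContext, SavedObjectUnsanitizedDoc } from '@kbn/core/server';
+import type { PackagePolicy } from '../../../../common';
+import { migratePackagePolicyToV840 as migration } from './to_v8_4_0';
+describe('8.4.0 Endpoint Package Policy migration', () => {
+const policyDoc = ({ linuxAdvanced = {} }) => {
+return {
+id: 'mock-saved-object-id',
+attributes: {
+name: 'Some Policy Name',
+package: {
+name: 'endpoint',
+title: '',
+version: '',
+},
+id: 'endpoint',
+policy_id: '',
+enabled: true,
+namespace: '',
+output_id: '',
+revision: 0,
+updated_at: '',
+updated_by: '',
+created_at: '',
+created_by: '',
+inputs: [
+{
+type: 'endpoint',
+enabled: true,
+streams: [],
+config: {
+policy: {
+value: {
+windows: {},
+mac: {},
+linux: {
+...linuxAdvanced,
+},
+},
+},
+},
+},
+],
+},
+type: ' nested',
+};
+};
+it('adds advanced file monitoring defaulted to false', () => {
+const initialDoc = policyDoc({});
+const migratedDoc = policyDoc({
+linuxAdvanced: { advanced: { fanotify: { ignore_unknown_filesystems: false } } },
+});
+expect(migration(initialDoc, {} as SavedObjectMigrationContext)).toEqual(migratedDoc);
+});
+it('adds advanced file monitoring defaulted to false and preserves existing advanced fields', () => {
+const initialDoc = policyDoc({
+linuxAdvanced: { advanced: { existingAdvanced: true } },
+});
+const migratedDoc = policyDoc({
+linuxAdvanced: {
+advanced: { fanotify: { ignore_unknown_filesystems: false }, existingAdvanced: true },
+},
+});
+expect(migration(initialDoc, {} as SavedObjectMigrationContext)).toEqual(migratedDoc);
+});
+it('does not modify non-endpoint package policies', () => {
+const doc: SavedObjectUnsanitizedDoc<PackagePolicy> = {
+id: 'mock-saved-object-id',
+attributes: {
+name: 'Some Policy Name',
+package: {
+name: 'notEndpoint',
+title: '',
+version: '',
+},
+id: 'notEndpoint',
+policy_id: '',
+enabled: true,
+namespace: '',
+output_id: '',
+revision: 0,
+updated_at: '',
+updated_by: '',
+created_at: '',
+created_by: '',
+inputs: [
+{
+type: 'notEndpoint',
+enabled: true,
+streams: [],
+config: {},
+},
+],
+},
+type: ' nested',
+};
+expect(
+migration(doc, {} as SavedObjectMigrationContext) as SavedObjectUnsanitizedDoc<PackagePolicy>
+).toEqual({
+attributes: {
+name: 'Some Policy Name',
+package: {
+name: 'notEndpoint',
+title: '',
+version: '',
+},
+id: 'notEndpoint',
+policy_id: '',
+enabled: true,
+namespace: '',
+output_id: '',
+revision: 0,
+updated_at: '',
+updated_by: '',
+created_at: '',
+created_by: '',
+inputs: [
+{
+type: 'notEndpoint',
+enabled: true,
+streams: [],
+config: {},
+},
+],
+},
+type: ' nested',
+id: 'mock-saved-object-id',
+});
+});
+});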
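Review bot: The suite never exercises an endpoint policy that already carries a `linux.advanced.fanotify` object, nor one whose first input has no `config.policy.value.linux`, and those are exactly the two inputs on which the migration under test misbehaves (the spread order in to_v8_4_0.ts lets the default overwrite an existing `fanotify` block, and the unguarded `input.config.policy.value` / `policy.linux` dereferences throw on a doc without that shape). A thrown error inside a saved-object migration aborts the Kibana upgrade, so the second case is worth pinning explicitly. I would add one case asserting that pre-existing fanotify settings survive and one asserting that a doc with `config: {}` is returned unchanged; the first is sketched below and relies on the `policyDoc` helper defined at the top of this describe block.
```typescript
it('does not overwrite fanotify settings that are already present', () => {
  const existing = {
    advanced: { fanotify: { ignore_unknown_filesystems: true, monitored_filesystems: 'ufs' } },
  };
  const initialDoc = policyDoc({ linuxAdvanced: existing });
  expect(migration(initialDoc, {} as SavedObjectMigrationContext)).toEqual(
    policyDoc({ linuxAdvanced: existing })
  );
});
```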


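--- /dev/null
+++ b/server/saved_objects/migrations/security_solution/to_v8_4_0.ts
@@ -0,0 +1,36 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+import type { SavedObjectMigrationFn, SavedObjectUnsanitizedDoc } from '@kbn/core/server';
+import { cloneDeep } from 'lodash';
+import type { PackagePolicy } from '../../../../common';
+export const migratePackagePolicyToV840: SavedObjectMigrationFn<PackagePolicy, PackagePolicy> = (
+packagePolicyDoc
+) => {
+if (packagePolicyDoc.attributes.package?.name !== 'endpoint') {
+return packagePolicyDoc;
+}
+const updatedPackagePolicyDoc: SavedObjectUnsanitizedDoc<PackagePolicy> =
+cloneDeep(packagePolicyDoc);
+const input = updatedPackagePolicyDoc.attributes.inputs[0];
+if (input && input.config) {
+const policy = input.config.policy.value;
+const migratedPolicy = { fanotify: { ignore_unknown_filesystems: false } };
+policy.linux.advanced = policy.linux.advanced
+? { ...policy.linux.advanced, ...migratedPolicy }
+: { ...migratedPolicy };
+}
+return updatedPackagePolicyDoc;
+};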
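Review bot: The merge `{ ...policy.linux.advanced, ...migratedPolicy }` puts the default last, so any endpoint policy that already has a `linux.advanced.fanotify` object (for example one edited before the upgrade completes, or a doc that is migrated twice) has its whole `fanotify` block replaced and loses `monitored_filesystems`, `ignored_filesystems` and any `ignore_unknown_filesystems: true` the operator set — silently widening or narrowing what fanotify marks. Separately, the check `input && input.config` does not cover `input.config.policy`, `.value` or `.linux`; an endpoint policy saved without that shape throws here, and an exception in a saved-object migration aborts the whole Kibana upgrade rather than skipping one document. I would only fill in the default when it is absent and guard the full path with optional chaining, as sketched below; the shape of `PackagePolicy.inputs[].config` is not visible in this diff, so confirm the types accept the optional chain.
```typescript
  const input = updatedPackagePolicyDoc.attributes.inputs[0];
  const policy = input?.config?.policy?.value;
  // A doc without the expected policy shape is left untouched rather than
  // throwing, which would abort the entire saved-object migration run.
  if (policy?.linux) {
    const existingAdvanced = policy.linux.advanced ?? {};
    policy.linux.advanced = {
      ...existingAdvanced,
      // Supply the default only; keep any fanotify settings already present.
      fanotify: { ignore_unknown_filesystems: false, ...existingAdvanced.fanotify },
    };
  }
  return updatedPackagePolicyDoc;
```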


@ -7,10 +7,13 @@
import type { SavedObjectMigrationFn } from '@kbn/core/server';
import type { PackagePolicy } from '../../../common';
import type { Installation } from '../../../common';
import type { AgentPolicy } from '../../types';
import { migratePackagePolicyToV840 as SecSolMigratePackagePolicyToV840 } from './security_solution';
export const migrateInstallationToV840: SavedObjectMigrationFn<Installation, Installation> = (
installationDoc
) => {
@ -31,3 +34,17 @@ export const migrateAgentPolicyToV840: SavedObjectMigrationFn<
return agentPolicyDoc;
};
export const migratePackagePolicyToV840: SavedObjectMigrationFn<PackagePolicy, PackagePolicy> = (
packagePolicyDoc,
migrationContext
) => {
let updatedPackagePolicyDoc = packagePolicyDoc;
// Endpoint specific migrations
if (packagePolicyDoc.attributes.package?.name === 'endpoint') {
updatedPackagePolicyDoc = SecSolMigratePackagePolicyToV840(packagePolicyDoc, migrationContext);
}
return updatedPackagePolicyDoc;
};
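Review bot: The `package?.name === 'endpoint'` guard on line 232 repeats the first statement of `SecSolMigratePackagePolicyToV840`, which already returns non-endpoint docs unchanged, and the `let` plus conditional reassignment is a roundabout way of writing a single expression. If the outer guard is meant as a belt-and-braces check so the fleet-level migration never hands a non-endpoint doc to security-solution code, say so, e.g. `// Guard here too: the security_solution migration must only ever see endpoint package policies.`; otherwise the body collapses to `return SecSolMigratePackagePolicyToV840(packagePolicyDoc, migrationContext);`. Either way the exported function deserves a TSDoc line such as `/** 8.4.0 package-policy migration; currently delegates endpoint-package docs to the security_solution migration and leaves all others untouched. */`, since this is the entry point future per-package migrations will be chained into.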


@ -948,4 +948,37 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
),
license: 'platinum',
},
{
key: 'linux.advanced.fanotify.ignore_unknown_filesystems',
first_supported_version: '8.4',
documentation: i18n.translate(
'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.fanotify.ignore_unknown_filesystems',
{
defaultMessage:
'Whether fanotify should ignore unknown filesystems. When true, only CI tested filesystems will be marked by default; additional filesystems can be added or removed with "monitored_filesystems" and "ignored_filesystems", respectively. When false, only an internally curated list of filesystems will be ignored, all others will be marked; additional filesystems can be ignored via "ignored_filesystems". "monitored_filesystems" is ignored when "ignore_unknown_filesystems" is false. Default: true',
}
),
},
{
key: 'linux.advanced.fanotify.monitored_filesystems',
first_supported_version: '8.4',
documentation: i18n.translate(
'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.fanotify.monitored_filesystems',
{
defaultMessage:
'Additional filesystems for fanotify to monitor. The format is a comma separated list of filesystem names as they appear in "/proc/filesystems", e.g. "jfs,ufs,ramfs". It is recommended to avoid network-backed filesystems. When "ignore_unknown_filesystems" is false, this option is ignored. When "ignore_unknown_filesystems" is true, parsed entries of this option are monitored by fanotify unless overridden by entries in "ignored_filesystems" or internally known bad filesystems.',
}
),
},
{
key: 'linux.advanced.fanotify.ignored_filesystems',
first_supported_version: '8.4',
documentation: i18n.translate(
'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.fanotify.ignored_filesystems',
{
defaultMessage:
'Additional filesystems for fanotify to ignore. The format is a comma separated list of filesystem names as they appear in "/proc/filesystems", e.g. "ext4,tmpfs". When "ignore_unknown_filesystems" is false, parsed entries of this option supplement internally known bad filesystems to be ignored. When "ignore_unknown_filesystems" is true, parsed entries of this option override entries in "monitored_filesystems" and internally CI tested filesystems.',
}
),
},
];
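Review bot: The help text for `linux.advanced.fanotify.ignore_unknown_filesystems` on line 251 ends with "Default: true", but the 8.4.0 package-policy migration in this same commit writes `ignore_unknown_filesystems: false` into every existing endpoint policy, so an operator reading this text after upgrading will assume unknown filesystems are being ignored when they are in fact all being marked — the opposite monitoring footprint from what the text promises. Since the setting decides which filesystems fanotify monitors, a mismatch between documented and actual defaults is a coverage question, not a cosmetic one. Either align the migration value with the documented default or make the text explicit, e.g. replace "Default: true" with "Default: true for policies created on 8.4 or later; policies migrated from earlier versions are set to false so their pre-upgrade monitoring coverage is unchanged" — the rationale is my inference from the migration and should be confirmed with the endpoint team before it is published in a help string.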