[Security Solution] Mac and Linux env variables advanced option and default values (#150253)

## Summary

Adds a new advanced option for Mac env variables and sets default values
for new policies. Since we'll set the defaults in Kibana, Endpoint
doesn't have to maintain any defaults. This will make it easier for the
user to clear out values.

In addition, this sets new policy defaults for the existing Linux environment-variable option.

New option with defaults:

Mac:
<img width="1728" alt="image"
src="https://user-images.githubusercontent.com/56395104/216658460-01084fff-af67-4435-a76f-f8f85d622188.png">

<img width="1727" alt="image"
src="https://user-images.githubusercontent.com/56395104/216658628-f4d1ab2f-76bd-437a-a8f7-b00e18991bef.png">

Linux:
<img width="1728" alt="image"
src="https://user-images.githubusercontent.com/56395104/216703543-518e9161-5a9b-4410-b63e-a1823a43136d.png">

<img width="1728" alt="image"
src="https://user-images.githubusercontent.com/56395104/216703708-d6fff0ae-2d5d-4850-b91e-ca108c5cf419.png">

If we delete the options in Kibana, then we'll no longer send the
options down:
<img width="1728" alt="image"
src="https://user-images.githubusercontent.com/56395104/216658861-0189f9e4-5022-4e27-aefc-8f81a5d9fea2.png">

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Kevin Logan 2023-02-06 09:01:43 -05:00 committed by GitHub
parent 6f4b5fd5de
commit 8dc6da53cf
4 changed files with 30 additions and 0 deletions


@ -105,6 +105,9 @@ export const policyFactory = (): PolicyConfig => {
logging: {
file: 'info',
},
advanced: {
capture_env_vars: 'DYLD_INSERT_LIBRARIES,DYLD_FRAMEWORK_PATH,DYLD_LIBRARY_PATH,LD_PRELOAD',
},
},
linux: {
events: {
@ -143,6 +146,9 @@ export const policyFactory = (): PolicyConfig => {
logging: {
file: 'info',
},
advanced: {
capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH',
},
},
};
};
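Review bot: The two new `capture_env_vars` defaults are string literals that this commit repeats verbatim in `eventsOnlyPolicy` and again in the policy-details test fixture, so the two policy builders can drift apart silently; hoisting them into exported constants, `export const DEFAULT_MAC_CAPTURE_ENV_VARS = 'DYLD_INSERT_LIBRARIES,DYLD_FRAMEWORK_PATH,DYLD_LIBRARY_PATH,LD_PRELOAD';` and `export const DEFAULT_LINUX_CAPTURE_ENV_VARS = 'LD_PRELOAD,LD_LIBRARY_PATH';`, and referencing them from both builders keeps them in sync. The names appear to be the dynamic-loader injection variables, which is the security rationale a maintainer will want spelled out above the mac `advanced:` block: `// Loader-injection variables (DYLD_*/LD_*) are captured by default so env-based library injection shows up in process events; clearing the value in Kibana stops the key being sent at all.` The mac list also carries `LD_PRELOAD`, which as far as I know macOS's dyld does not honour; if it is kept deliberately, a one-line comment saying so will stop it being removed as a typo later. policyFactory's body begins before this hunk.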


@ -155,6 +155,9 @@ export const eventsOnlyPolicy: PolicyConfig = {
memory_protection: { message: '', enabled: false },
},
logging: { file: 'info' },
advanced: {
capture_env_vars: 'DYLD_INSERT_LIBRARIES,DYLD_FRAMEWORK_PATH,DYLD_LIBRARY_PATH,LD_PRELOAD',
},
},
linux: {
events: {
@ -173,5 +176,8 @@ export const eventsOnlyPolicy: PolicyConfig = {
memory_protection: { message: '', enabled: false },
},
logging: { file: 'info' },
advanced: {
capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH',
},
},
};
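Review bot: The Linux default on the new `capture_env_vars` line covers `LD_PRELOAD` and `LD_LIBRARY_PATH` but not `LD_AUDIT`, which is the other glibc loader variable that loads arbitrary shared objects into a process and is a common preload-detection blind spot; since the schema text allows up to five entries there is room for it, so consider `capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH,LD_AUDIT',` if the Endpoint side accepts it (a product decision, but worth a conscious one). Whatever set is chosen, the value here must match the one in `policyFactory`, and nothing in this object ties the two together; a shared constant would make the parity explicit. eventsOnlyPolicy starts before this hunk.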


@ -1059,4 +1059,15 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
}
),
},
{
key: 'mac.advanced.capture_env_vars',
first_supported_version: '8.7',
documentation: i18n.translate(
'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.capture_env_vars',
{
defaultMessage:
'The list of environment variables to capture (up to five), separated by commas.',
}
),
},
];
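Review bot: The new schema entry documents a limit of "up to five" variables but attaches no validation, so, as far as this hunk shows, an operator can save six or more names and only find out from the Endpoint's behaviour rather than from Kibana; if the cap is enforced downstream, either add a validator on the entry (if `AdvancedPolicySchemaType` supports one — not visible here) or say what happens when it is exceeded. It would also help users deciding whether to clear the field to state the default in the message, e.g. `'The list of environment variables to capture (up to five), separated by commas. Defaults to DYLD_INSERT_LIBRARIES,DYLD_FRAMEWORK_PATH,DYLD_LIBRARY_PATH,LD_PRELOAD.'`, since the PR description says clearing it stops the option being sent at all. The AdvancedPolicySchema array begins before this hunk.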


@ -332,6 +332,10 @@ describe('policy details: ', () => {
},
},
logging: { file: 'info' },
advanced: {
capture_env_vars:
'DYLD_INSERT_LIBRARIES,DYLD_FRAMEWORK_PATH,DYLD_LIBRARY_PATH,LD_PRELOAD',
},
},
linux: {
events: {
@ -359,6 +363,9 @@ describe('policy details: ', () => {
message: '',
},
},
advanced: {
capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH',
},
},
},
},
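Review bot: This fixture only pins the new defaults; nothing in this hunk exercises the behaviour the PR description relies on, namely that clearing `capture_env_vars` in the UI results in the `advanced` key being omitted from the policy sent to the Endpoint rather than an empty string, and that is the path most likely to regress silently. A test that clears the value and asserts `expect(policy.mac.advanced).toBeUndefined()` (or whatever the serializer produces) would cover it, unless such a test exists elsewhere in this describe block, which starts before this hunk.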