[Cloud Posture] use benchmark id in rule config updates (#136270)

This commit is contained in:
Or Ouziel 2022-07-20 11:56:14 +03:00 committed by GitHub
parent 8c239088e0
commit 927770c157
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 58 additions and 22 deletions


@ -6,11 +6,13 @@
*/
import { schema as rt, TypeOf } from '@kbn/config-schema';
export const benchmarkIdSchema = rt.oneOf([rt.literal('cis_k8s'), rt.literal('cis_eks')]);
export const cspRuleMetadataSchema = rt.object({
audit: rt.string(),
benchmark: rt.object({
name: rt.string(),
id: rt.oneOf([rt.literal('cis_k8s'), rt.literal('cis_eks')]),
id: benchmarkIdSchema,
version: rt.string(),
}),
default_value: rt.maybe(rt.string()),


@ -5,13 +5,12 @@
* 2.0.
*/
import { schema as rt, TypeOf } from '@kbn/config-schema';
import { benchmarkIdSchema } from './csp_rule_metadata';
// cspRulesConfigSchema has to match the 'DataYaml' struct in https://github.com/elastic/cloudbeat/blob/main/config/config.go#L45-L51
export const cspRulesConfigSchema = rt.object({
data_yaml: rt.object({
activated_rules: rt.object({
cis_k8s: rt.arrayOf(rt.string()),
}),
activated_rules: rt.recordOf(benchmarkIdSchema, rt.arrayOf(rt.string())),
}),
});
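Review bot: `rt.recordOf(benchmarkIdSchema, …)` on the `activated_rules` line accepts any subset of benchmark ids, including an empty object, whereas the replaced `rt.object({ cis_k8s: … })` required the `cis_k8s` key to be present; if cloudbeat's `DataYaml` struct expects every benchmark field, that contract now rests on `createRulesConfig` always seeding both keys rather than on this schema. A one-line comment next to it would make that explicit, e.g. `// keys are optional at validation time; createRulesConfig always emits every BenchmarkId`. The comment above the schema points at `config.go#L45-L51`; since `cis_eks` is now emitted as well, it is worth confirming that struct carries a matching field, which I cannot verify from this diff.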


@ -6,6 +6,7 @@
*/
import type { PackagePolicy, GetAgentPoliciesResponseItem } from '@kbn/fleet-plugin/common';
import type { CspRuleMetadata } from './schemas/csp_rule_metadata';
export type Evaluation = 'passed' | 'failed' | 'NA';
/** number between 1-100 */
@ -95,3 +96,5 @@ export interface Benchmark {
agent_policy: Pick<GetAgentPoliciesResponseItem, 'id' | 'name' | 'agents'>;
rules: CspRulesStatus;
}
export type BenchmarkId = CspRuleMetadata['benchmark']['id'];
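Review bot: `BenchmarkId` on the last line is derived by indexing `CspRuleMetadata['benchmark']['id']` even though this commit introduces `benchmarkIdSchema` as the single definition of that union; deriving the type from the schema keeps the two from drifting if the metadata shape is ever restructured. `TypeOf` is already imported in csp_rule_metadata.ts, so `export type BenchmarkId = TypeOf<typeof benchmarkIdSchema>;` could sit beside the schema and be re-exported from here. A short TSDoc line on the export would also help now that the type is imported across files, e.g. `/** Identifier of a supported CIS benchmark; shared by rule metadata and the rules config. */`.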


@ -24,10 +24,10 @@ import {
CSP_RULE_SAVED_OBJECT_TYPE,
CSP_RULE_TEMPLATE_SAVED_OBJECT_TYPE,
} from '../../common/constants';
import type { CspRule, CspRuleMetadata, CspRuleTemplate } from '../../common/schemas';
import type { CspRule, CspRuleTemplate } from '../../common/schemas';
import type { BenchmarkId } from '../../common/types';
type CloudbeatInputType = keyof typeof CIS_INTEGRATION_INPUTS_MAP;
type BenchmarkId = CspRuleMetadata['benchmark']['id'];
const getBenchmarkTypeFilter = (type: BenchmarkId): string =>
`${CSP_RULE_TEMPLATE_SAVED_OBJECT_TYPE}.attributes.metadata.benchmark.id: "${type}"`;
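Review bot: `getBenchmarkTypeFilter` interpolates `type` into a quoted KQL filter string, and that is only safe because `BenchmarkId` is a closed literal union (`'cis_k8s' | 'cis_eks'`), so no caller can pass an arbitrary string that would break out of the quotes. That reasoning is invisible at the call site and would be lost the day someone widens the parameter to `string`, so I would record it on the function: `// Interpolation is safe only because BenchmarkId is a closed literal union; widening to string would require escaping`. The type is now imported from `../../common/types` rather than defined locally, which makes such a widening more likely to happen out of sight of this file.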


@ -82,9 +82,20 @@ describe('Cloud Security Posture Plugin', () => {
const findMock = mockRouteContext.core.savedObjects.client.find as jest.Mock;
findMock.mockReturnValue(
Promise.resolve({
saved_objects: [],
total: 0,
per_page: 0,
saved_objects: [
{
type: 'csp_rule',
attributes: {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_1',
benchmark: { id: 'cis_k8s' },
},
},
},
],
total: 1,
per_page: 10,
page: 1,
})
);
@ -295,6 +306,9 @@ describe('Cloud Security Posture Plugin', () => {
{
type: 'csp-rule-template',
id: 'csp_rule_template-41308bcdaaf665761478bb6f0d745a5c',
benchmark: {
id: 'cis_k8s',
},
},
],
})
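Review bot: The mocked `find` result on the `saved_objects` lines, and every fixture added in the 'Update rules configuration API' hunks (`rego_rule_id: 'cis_1_1_1'` through `'cis_1_1_3'`), use `benchmark: { id: 'cis_k8s' }` only, so the new per-benchmark grouping is never exercised with `cis_eks` or with a mixture of benchmarks. One enabled rule under each benchmark plus a disabled one under `cis_eks` would pin that rules land under the right key and that the `cis_eks` array is emitted even when empty. If an expected-config assertion exists outside these hunks, it should assert on the `cis_eks` key as well rather than only on `cis_k8s`.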


@ -139,6 +139,7 @@ describe('Update rules configuration API', () => {
enabled: true,
metadata: {
rego_rule_id: 'cis_1_1_1',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -148,6 +149,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_2',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -157,6 +159,7 @@ describe('Update rules configuration API', () => {
enabled: true,
metadata: {
rego_rule_id: 'cis_1_1_3',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -180,6 +183,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_1',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -189,6 +193,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_2',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -198,6 +203,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_3',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -252,6 +258,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_1',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -261,6 +268,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_2',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -270,6 +278,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_3',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -314,6 +323,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_1',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -323,6 +333,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_2',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -332,6 +343,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_3',
benchmark: { id: 'cis_k8s' },
},
},
},
@ -388,6 +400,7 @@ describe('Update rules configuration API', () => {
enabled: false,
metadata: {
rego_rule_id: 'cis_1_1_1',
benchmark: { id: 'cis_k8s' },
},
},
},


@ -65,21 +65,26 @@ export const getCspRules = (
});
};
const getEnabledRulesByBenchmark = (rules: SavedObjectsFindResponse<CspRule>['saved_objects']) =>
rules.reduce<CspRulesConfiguration['data_yaml']['activated_rules']>(
(benchmarks, rule) => {
const benchmark = benchmarks[rule.attributes.metadata.benchmark.id];
if (!rule.attributes.enabled || !benchmark) return benchmarks;
benchmark.push(rule.attributes.metadata.rego_rule_id);
return benchmarks;
},
{ cis_k8s: [], cis_eks: [] }
);
export const createRulesConfig = (
cspRules: SavedObjectsFindResponse<CspRule>
): CspRulesConfiguration => {
const activatedRules = cspRules.saved_objects.filter((cspRule) => cspRule.attributes.enabled);
const config = {
data_yaml: {
activated_rules: {
cis_k8s: activatedRules.map(
(activatedRule) => activatedRule.attributes.metadata.rego_rule_id
),
},
},
};
return config;
};
): CspRulesConfiguration => ({
data_yaml: {
activated_rules: getEnabledRulesByBenchmark(cspRules.saved_objects),
},
});
export const convertRulesConfigToYaml = (config: CspRulesConfiguration): string => {
return yaml.safeDump(config);
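Review bot: In `getEnabledRulesByBenchmark` the `!benchmark` branch silently discards an enabled rule whose `benchmark.id` is not one of the seeded keys; with saved-object metadata validated by `benchmarkIdSchema` that should be unreachable, but a stale saved object carrying an older id would vanish from the generated config with no trace, which is hard to diagnose in the field. I would at least document the intent, `// rule under an unknown benchmark id is left out of the config (metadata is schema-validated, so this means a stale saved object)`, and consider a warning log if a logger is reachable here (none is visible in the hunk). The seed `{ cis_k8s: [], cis_eks: [] }` is a literal inside the arrow, so fresh arrays are created per call and the in-place `push` on the accumulator is fine; a comment saying so would spare the next reader that check.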