[Security Solution] Policy config overlap (#136217)

* policy config overlap

* default advanced settings added to policy config

* add back original logic

* null check + remove unused func

* clean up/rename

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* add unit tests

* add unit tests

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* linting

* linting

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* fix linting

* fix linting

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This commit is contained in:
JD Kurma 2022-07-25 17:00:35 -04:00 committed by GitHub
parent 616f7be237
commit d3ae221bed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 730 additions and 3 deletions


@ -32,3 +32,226 @@ export const LIST_ENDPOINT_EVENT_FILTER = 'endpoint_event_filter';
export const LIST_TRUSTED_APPLICATION = 'trusted_application';
export const INSIGHTS_CHANNEL = 'security-insights-v1';
export const DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS = {
linux: {
advanced: {
agent: {
connection_delay: null,
},
alerts: {
require_user_artifacts: null,
},
artifacts: {
global: {
base_url: null,
manifest_relative_url: null,
public_key: null,
interval: null,
ca_cert: null,
},
user: {
public_key: null,
ca_cert: null,
base_url: null,
interval: null,
},
},
elasticsearch: {
delay: null,
tls: {
verify_peer: null,
verify_hostname: null,
ca_cert: null,
},
},
fanotify: {
ignore_unknown_filesystems: null,
monitored_filesystems: null,
ignored_filesystems: null,
},
logging: {
file: null,
stdout: null,
stderr: null,
syslog: null,
},
diagnostic: {
enabled: null,
},
malware: {
quarantine: null,
},
memory_protection: {
memory_scan_collect_sample: null,
memory_scan: null,
},
kernel: {
capture_mode: null,
},
event_filter: {
default: null,
},
utilization_limits: {
cpu: null,
},
logstash: {
delay: null,
},
},
},
mac: {
advanced: {
agent: {
connection_delay: null,
},
artifacts: {
global: {
base_url: null,
manifest_relative_url: null,
public_key: null,
interval: null,
ca_cert: null,
},
user: {
public_key: null,
ca_cert: null,
base_url: null,
interval: null,
},
},
elasticsearch: {
delay: null,
tls: {
verify_peer: null,
verify_hostname: null,
ca_cert: null,
},
},
logging: {
file: null,
stdout: null,
stderr: null,
syslog: null,
},
logstash: {
delay: null,
},
malware: {
quarantine: null,
threshold: null,
},
kernel: {
connect: null,
harden: null,
process: null,
filewrite: null,
network: null,
network_extension: {
enable_content_filtering: null,
enable_packet_filtering: null,
},
},
harden: {
self_protect: null,
},
diagnostic: {
enabled: null,
},
alerts: {
cloud_lookup: null,
cloud_lookup_url: null,
},
memory_protection: {
memory_scan_collect_sample: false,
memory_scan: null,
},
event_filter: {
default: null,
},
},
},
windows: {
advanced: {
agent: {
connection_delay: null,
},
artifacts: {
global: {
base_url: null,
manifest_relative_url: null,
public_key: null,
interval: null,
ca_cert: null,
},
user: {
public_key: null,
ca_cert: null,
base_url: null,
interval: null,
},
},
elasticsearch: {
delay: null,
tls: {
verify_peer: null,
verify_hostname: null,
ca_cert: null,
},
},
logging: {
file: null,
stdout: null,
stderr: null,
syslog: null,
},
malware: {
quarantine: null,
threshold: null,
},
kernel: {
connect: null,
harden: null,
process: null,
filewrite: null,
network: null,
fileopen: null,
asyncimageload: null,
syncimageload: null,
registry: null,
fileaccess: null,
registryaccess: null,
process_handle: null,
},
diagnostic: {
enabled: null,
rollback_telemetry_enabled: null,
},
alerts: {
cloud_lookup: null,
cloud_lookup_url: null,
require_user_artifacts: null,
},
ransomware: {
mbr: null,
canary: null,
},
memory_protection: {
context_manipulation_detection: null,
shellcode: null,
memory_scan: null,
shellcode_collect_sample: null,
memory_scan_collect_sample: null,
shellcode_enhanced_pe_parsing: null,
shellcode_trampoline_detection: null,
},
event_filter: {
default: null,
},
utilization_limits: {
cpu: null,
},
},
},
};
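Review bot: The mac `memory_protection.memory_scan_collect_sample` default is `false` while the same key under linux and windows, and every other leaf in this table, is `null`; if that is deliberate it needs a comment such as `// mac: sample collection is reported as off, not unset`, otherwise it looks like a typo that will make mac telemetry report a value the policy never set. Separately, this exported literal is a plain mutable object that the helper in `helpers.ts` passes as the destination of a lodash `merge`, so any mutation of it changes the defaults seen by every later caller; a deep `Object.freeze` (or at least a doc comment stating that callers must merge into a copy, never into this object) would keep such a mistake from leaking across policies.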


@ -20,9 +20,11 @@ import {
batchTelemetryRecords,
isPackagePolicyList,
templateExceptionList,
addDefaultAdvancedPolicyConfigSettings,
} from './helpers';
import type { ESClusterInfo, ESLicense, ExceptionListItem } from './types';
import type { PolicyData } from '../../../common/endpoint/types';
import type { PolicyConfig, PolicyData } from '../../../common/endpoint/types';
import { cloneDeep, set } from 'lodash';
describe('test diagnostic telemetry scheduled task timing helper', () => {
test('test -5 mins is returned when there is no previous task run', async () => {
@ -304,3 +306,494 @@ describe('test endpoint policy data config extraction', () => {
expect(endpointPolicyConfig).toBeNull();
});
});
describe('test advanced policy config overlap ', () => {
const defaultStubPolicyConfig = {
windows: {
events: {
dll_and_driver_load: true,
dns: true,
file: true,
network: true,
process: true,
registry: true,
security: true,
},
malware: {
mode: 'prevent',
blocklist: true,
},
ransomware: {
mode: 'prevent',
supported: true,
},
memory_protection: {
mode: 'prevent',
supported: true,
},
behavior_protection: {
mode: 'prevent',
supported: true,
},
popup: {
malware: {
message: '',
enabled: true,
},
ransomware: {
message: '',
enabled: true,
},
memory_protection: {
message: '',
enabled: true,
},
behavior_protection: {
message: '',
enabled: true,
},
},
logging: {
file: 'info',
},
antivirus_registration: {
enabled: false,
},
},
mac: {
events: {
process: true,
file: true,
network: true,
},
malware: {
mode: 'prevent',
blocklist: true,
},
behavior_protection: {
mode: 'prevent',
supported: true,
},
memory_protection: {
mode: 'prevent',
supported: true,
},
popup: {
malware: {
message: '',
enabled: true,
},
behavior_protection: {
message: '',
enabled: true,
},
memory_protection: {
message: '',
enabled: true,
},
},
logging: {
file: 'info',
},
},
linux: {
events: {
process: true,
file: true,
network: true,
session_data: false,
},
malware: {
mode: 'prevent',
blocklist: true,
},
behavior_protection: {
mode: 'prevent',
supported: true,
},
memory_protection: {
mode: 'prevent',
supported: true,
},
popup: {
malware: {
message: '',
enabled: true,
},
behavior_protection: {
message: '',
enabled: true,
},
memory_protection: {
message: '',
enabled: true,
},
},
logging: {
file: 'info',
},
},
} as unknown as PolicyConfig;
const defaultStubPolicyConfigResponse = {
linux: {
events: {
process: true,
file: true,
network: true,
session_data: false,
},
malware: {
mode: 'prevent',
blocklist: true,
},
behavior_protection: {
mode: 'prevent',
supported: true,
},
memory_protection: {
mode: 'prevent',
supported: true,
},
popup: {
malware: {
message: '',
enabled: true,
},
behavior_protection: {
message: '',
enabled: true,
},
memory_protection: {
message: '',
enabled: true,
},
},
logging: {
file: 'info',
},
advanced: {
agent: {
connection_delay: null,
},
alerts: {
require_user_artifacts: null,
},
artifacts: {
global: {
base_url: null,
manifest_relative_url: null,
public_key: null,
interval: null,
ca_cert: null,
},
user: {
public_key: null,
ca_cert: null,
base_url: null,
interval: null,
},
},
elasticsearch: {
delay: null,
tls: {
verify_peer: null,
verify_hostname: null,
ca_cert: null,
},
},
fanotify: {
ignore_unknown_filesystems: null,
monitored_filesystems: null,
ignored_filesystems: null,
},
logging: {
file: null,
stdout: null,
stderr: null,
syslog: null,
},
diagnostic: {
enabled: null,
},
malware: {
quarantine: null,
},
memory_protection: {
memory_scan_collect_sample: null,
memory_scan: null,
},
kernel: {
capture_mode: null,
},
event_filter: {
default: null,
},
utilization_limits: {
cpu: null,
},
logstash: {
delay: null,
},
},
},
mac: {
events: {
process: true,
file: true,
network: true,
},
malware: {
mode: 'prevent',
blocklist: true,
},
behavior_protection: {
mode: 'prevent',
supported: true,
},
memory_protection: {
mode: 'prevent',
supported: true,
},
popup: {
malware: {
message: '',
enabled: true,
},
behavior_protection: {
message: '',
enabled: true,
},
memory_protection: {
message: '',
enabled: true,
},
},
logging: {
file: 'info',
},
advanced: {
agent: {
connection_delay: null,
},
artifacts: {
global: {
base_url: null,
manifest_relative_url: null,
public_key: null,
interval: null,
ca_cert: null,
},
user: {
public_key: null,
ca_cert: null,
base_url: null,
interval: null,
},
},
elasticsearch: {
delay: null,
tls: {
verify_peer: null,
verify_hostname: null,
ca_cert: null,
},
},
logging: {
file: null,
stdout: null,
stderr: null,
syslog: null,
},
logstash: {
delay: null,
},
malware: {
quarantine: null,
threshold: null,
},
kernel: {
connect: null,
harden: null,
process: null,
filewrite: null,
network: null,
network_extension: {
enable_content_filtering: null,
enable_packet_filtering: null,
},
},
harden: {
self_protect: null,
},
diagnostic: {
enabled: null,
},
alerts: {
cloud_lookup: null,
cloud_lookup_url: null,
},
memory_protection: {
memory_scan_collect_sample: false,
memory_scan: null,
},
event_filter: {
default: null,
},
},
},
windows: {
events: {
dll_and_driver_load: true,
dns: true,
file: true,
network: true,
process: true,
registry: true,
security: true,
},
malware: {
mode: 'prevent',
blocklist: true,
},
ransomware: {
mode: 'prevent',
supported: true,
},
memory_protection: {
mode: 'prevent',
supported: true,
},
behavior_protection: {
mode: 'prevent',
supported: true,
},
popup: {
malware: {
message: '',
enabled: true,
},
ransomware: {
message: '',
enabled: true,
},
memory_protection: {
message: '',
enabled: true,
},
behavior_protection: {
message: '',
enabled: true,
},
},
logging: {
file: 'info',
},
antivirus_registration: {
enabled: false,
},
advanced: {
agent: {
connection_delay: null,
},
artifacts: {
global: {
base_url: null,
manifest_relative_url: null,
public_key: null,
interval: null,
ca_cert: null,
},
user: {
public_key: null,
ca_cert: null,
base_url: null,
interval: null,
},
},
elasticsearch: {
delay: null,
tls: {
verify_peer: null,
verify_hostname: null,
ca_cert: null,
},
},
logging: {
file: null,
stdout: null,
stderr: null,
syslog: null,
},
malware: {
quarantine: null,
threshold: null,
},
kernel: {
connect: null,
harden: null,
process: null,
filewrite: null,
network: null,
fileopen: null,
asyncimageload: null,
syncimageload: null,
registry: null,
fileaccess: null,
registryaccess: null,
process_handle: null,
},
diagnostic: {
enabled: null,
rollback_telemetry_enabled: null,
},
alerts: {
cloud_lookup: null,
cloud_lookup_url: null,
require_user_artifacts: null,
},
ransomware: {
mbr: null,
canary: null,
},
memory_protection: {
context_manipulation_detection: null,
shellcode: null,
memory_scan: null,
shellcode_collect_sample: null,
memory_scan_collect_sample: null,
shellcode_enhanced_pe_parsing: null,
shellcode_trampoline_detection: null,
},
event_filter: {
default: null,
},
utilization_limits: {
cpu: null,
},
},
},
};
test('can succeed when policy config does not have any advanced settings already set', async () => {
const endpointPolicyConfig = addDefaultAdvancedPolicyConfigSettings(
cloneDeep(defaultStubPolicyConfig)
);
expect(endpointPolicyConfig).toEqual(defaultStubPolicyConfigResponse);
});
test('can succeed and preserve existing advanced settings', async () => {
const stubPolicyConfigWithAdvancedSettings = cloneDeep(defaultStubPolicyConfig);
stubPolicyConfigWithAdvancedSettings.linux.advanced = {
agent: {
connection_delay: 20,
},
};
const stubPolicyConfigWithAdvancedSettingsResponse = cloneDeep(defaultStubPolicyConfigResponse);
set(stubPolicyConfigWithAdvancedSettingsResponse, 'linux.advanced.agent.connection_delay', 20);
const endpointPolicyConfig = addDefaultAdvancedPolicyConfigSettings(
stubPolicyConfigWithAdvancedSettings
);
expect(endpointPolicyConfig).toEqual(stubPolicyConfigWithAdvancedSettingsResponse);
});
});
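Review bot: Neither test checks that `DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS` is left untouched, and with the helper written as lodash `merge(DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS, policyConfig)` it is not — `merge` writes into its first argument, so after the first test the module constant already carries `events`, `popup` and the rest of the stub, and a second call with a different policy inherits the previous policy's advanced values. The suite passes only because both cases start from the same stub and the case that adds `connection_delay: 20` runs last; reverse the order and the first `toEqual` fails. I'd add `import { DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS } from './constants';` and, after the first call, `expect(DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS.linux).not.toHaveProperty('events');`, plus a case that calls the helper twice with different `linux.advanced.agent.connection_delay` values and asserts the second result does not see the first.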


@ -8,8 +8,9 @@
import moment from 'moment';
import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
import type { PackagePolicy } from '@kbn/fleet-plugin/common/types/models/package_policy';
import { merge } from 'lodash';
import { copyAllowlistedFields, exceptionListAllowlistFields } from './filterlists';
import type { PolicyData } from '../../../common/endpoint/types';
import type { PolicyConfig, PolicyData } from '../../../common/endpoint/types';
import type {
ExceptionListItem,
ESClusterInfo,
@ -22,6 +23,7 @@ import {
LIST_ENDPOINT_EXCEPTION,
LIST_ENDPOINT_EVENT_FILTER,
LIST_TRUSTED_APPLICATION,
DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS,
} from './constants';
import { tagsToEffectScope } from '../../../common/endpoint/service/trusted_apps/mapping';
@ -228,3 +230,7 @@ export const extractEndpointPolicyConfig = (policyData: PolicyData | null) => {
const epPolicyConfig = policyData?.inputs[0]?.config?.policy;
return epPolicyConfig ? epPolicyConfig : null;
};
export const addDefaultAdvancedPolicyConfigSettings = (policyConfig: PolicyConfig) => {
return merge(DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS, policyConfig);
};
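Review bot: `merge(DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS, policyConfig)` mutates and returns the module-level constant — lodash `merge` deep-assigns its sources into the first argument — so each call leaves the previous policy's values in the shared defaults, and the next policy that omits a field (say `artifacts.global.base_url` or `elasticsearch.tls.ca_cert`) is reported in telemetry with the earlier policy's value instead of `null`; every caller also receives the same object reference. Merge into a fresh object instead: `return merge({}, DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS, policyConfig);`, which leaves both the constant and `policyConfig` untouched. A TSDoc line on the export would pin the contract: `/** Returns a copy of policyConfig with every known per-OS advanced setting present (unset ones null); neither argument is mutated. */`.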


@ -20,6 +20,7 @@ import type {
import type { ITelemetryReceiver } from '../receiver';
import type { TaskExecutionPeriod } from '../task';
import {
addDefaultAdvancedPolicyConfigSettings,
batchTelemetryRecords,
createUsageCounterLabel,
extractEndpointPolicyConfig,
@ -271,7 +272,11 @@ export function createTelemetryEndpointTaskConfig(maxTelemetryBatch: number) {
event_filter: eventFilter,
} = endpoint.endpoint_metrics.Endpoint.metrics;
const endpointPolicyDetail = extractEndpointPolicyConfig(policyConfig);
if (endpointPolicyDetail) {
endpointPolicyDetail.value = addDefaultAdvancedPolicyConfigSettings(
endpointPolicyDetail.value
);
}
return {
'@timestamp': taskExecutionPeriod.current,
cluster_uuid: clusterInfo.cluster_uuid,
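Review bot: The assignment `endpointPolicyDetail.value = addDefaultAdvancedPolicyConfigSettings(endpointPolicyDetail.value)` writes back into the object that `extractEndpointPolicyConfig` pulls out of `policyData.inputs[0].config.policy`, i.e. into the package policy object itself (presumably fetched earlier in this task), and with the helper as written — lodash `merge` into the exported constant — `value` ends up aliasing the module-level `DEFAULT_ADVANCED_POLICY_CONFIG_SETTINGS`. If this runs once per endpoint inside a batch (the surrounding loop is outside the hunk), each record's policy config would be that same object, reflecting whichever policy was processed last. Keep the result in a local instead of mutating the extracted object, e.g. `const policyConfigWithDefaults = endpointPolicyDetail ? addDefaultAdvancedPolicyConfigSettings(endpointPolicyDetail.value) : null;`, and use that when building the record. `createTelemetryEndpointTaskConfig` starts and ends outside the hunk.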