Skip to content

Commit

Permalink
[EDR Workflows] Add possibility to disable malware filescan on write (#…
Browse files Browse the repository at this point in the history
…179176)

## Summary

- adds new field to Package Policy: `on_write_scan` for `malware`
protections for every OS
- adds new switch to Malware card to enable/disable this feature, but
this is hidden behind FF called `malwareOnWriteScanOptionAvailable`
- adds hint in order to indicate to the user, that disabling on-write
scan is only effective on Agent versions 8.13 and older
- adds new migration to backfill this property with default `true`
values, as it has been always enabled on previous agents. note: after
migration, policies are not re-deployed, so Endpoint must assume that
on-write scan is enabled when property is missing

<img width="400" alt="image"
src="https://github.com/elastic/kibana/assets/39014407/0616f48b-4eed-4acb-bff4-ef358250ab88">

<img width="400" alt="image"
src="https://github.com/elastic/kibana/assets/39014407/659fa72e-3245-4d2f-97e9-46563b8c0427">

<img width="400" alt="image"
src="https://github.com/elastic/kibana/assets/39014407/f32463ab-a30c-4537-8abd-675db408542f">

<img width="400" alt="image"
src="https://github.com/elastic/kibana/assets/39014407/277a35f6-489c-4b02-8311-6f2a45ec51b6">

<img width="400" alt="image"
src="https://github.com/elastic/kibana/assets/39014407/9df007ac-2889-4d84-8d4b-e10fc9b63acd">

<img width="400" alt="image"
src="https://github.com/elastic/kibana/assets/39014407/3857850f-6f34-4d58-b13d-5652776f8e0f">


### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [x] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [x] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))

---------

Co-authored-by: kibanamachine <[email protected]>
  • Loading branch information
gergoabraham and kibanamachine authored Apr 2, 2024
1 parent 961df45 commit 6ecbe53
Show file tree
Hide file tree
Showing 16 changed files with 429 additions and 108 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
"ingest-agent-policies": "7633e578f60c074f8267bc50ec4763845e431437",
"ingest-download-sources": "279a68147e62e4d8858c09ad1cf03bd5551ce58d",
"ingest-outputs": "daafff49255ab700e07491376fe89f04fc998b91",
"ingest-package-policies": "f4c2767e852b700a8b82678925b86bac08958b43",
"ingest-package-policies": "8a99e165aab00c6c365540427a3abeb7bea03f31",
"ingest_manager_settings": "91445219e7115ff0c45d1dabd5d614a80b421797",
"inventory-view": "b8683c8e352a286b4aca1ab21003115a4800af83",
"kql-telemetry": "93c1d16c1a0dfca9c8842062cf5ef8f62ae401ad",
Expand Down
9 changes: 9 additions & 0 deletions x-pack/plugins/fleet/server/saved_objects/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ import {
} from './migrations/to_v8_6_0';
import {
migratePackagePolicyToV8100,
migratePackagePolicyToV8140,
migratePackagePolicyToV870,
} from './migrations/security_solution';
import { migratePackagePolicyToV880 } from './migrations/to_v8_8_0';
Expand Down Expand Up @@ -473,6 +474,14 @@ export const getSavedObjectTypes = (): { [key: string]: SavedObjectsType } => ({
},
],
},
'6': {
changes: [
{
type: 'data_backfill',
backfillFn: migratePackagePolicyToV8140,
},
],
},
},
migrations: {
'7.10.0': migratePackagePolicyToV7100,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ export { migratePackagePolicyToV860 } from './to_v8_6_0';
export { migratePackagePolicyToV870 } from './to_v8_7_0';
export { migratePackagePolicyToV880 } from './to_v8_8_0';
export { migratePackagePolicyToV8100 } from './to_v8_10_0';
export { migratePackagePolicyToV8140 } from './to_v8_14_0';
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import {
createModelVersionTestMigrator,
type ModelVersionTestMigrator,
} from '@kbn/core-test-helpers-model-versions';

import { cloneDeep } from 'lodash';

import type { SavedObject } from '@kbn/core-saved-objects-server';

import type { PackagePolicy } from '../../../../common';
import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../common';
import { getSavedObjectTypes } from '../..';

const policyDoc: SavedObject<PackagePolicy> = {
id: 'mock-saved-object-id',
attributes: {
name: 'Some Policy Name',
package: {
name: 'endpoint',
title: '',
version: '',
},
id: 'endpoint',
policy_id: '',
enabled: true,
namespace: '',
revision: 0,
updated_at: '',
updated_by: '',
created_at: '',
created_by: '',
inputs: [
{
type: 'endpoint',
enabled: true,
streams: [],
config: {
policy: {
value: {
windows: {
malware: {
mode: 'detect',
blocklist: true,
},
},
mac: {
malware: {
mode: 'detect',
blocklist: true,
},
},
linux: {
malware: {
mode: 'detect',
blocklist: true,
},
},
},
},
},
},
],
},
type: PACKAGE_POLICY_SAVED_OBJECT_TYPE,
references: [],
};

describe('8.14.0 Endpoint Package Policy migration', () => {
let migrator: ModelVersionTestMigrator;

beforeEach(() => {
migrator = createModelVersionTestMigrator({
type: getSavedObjectTypes()[PACKAGE_POLICY_SAVED_OBJECT_TYPE],
});
});

it('should backfill `on_write_scan` field to malware protections on Kibana update', () => {
const originalPolicyConfigSO = cloneDeep(policyDoc);

const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
document: originalPolicyConfigSO,
fromVersion: 5,
toVersion: 6,
});

const migratedPolicyConfig = migratedPolicyConfigSO.attributes.inputs[0].config?.policy.value;
expect(migratedPolicyConfig.windows.malware.on_write_scan).toBe(true);
expect(migratedPolicyConfig.mac.malware.on_write_scan).toBe(true);
expect(migratedPolicyConfig.linux.malware.on_write_scan).toBe(true);
});

it('should not backfill `on_write_scan` field if already present due to user edit before migration is performed on serverless', () => {
const originalPolicyConfigSO = cloneDeep(policyDoc);
const originalPolicyConfig = originalPolicyConfigSO.attributes.inputs[0].config?.policy.value;
originalPolicyConfig.windows.malware.on_write_scan = false;
originalPolicyConfig.mac.malware.on_write_scan = true;
originalPolicyConfig.linux.malware.on_write_scan = false;

const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
document: originalPolicyConfigSO,
fromVersion: 5,
toVersion: 6,
});

const migratedPolicyConfig = migratedPolicyConfigSO.attributes.inputs[0].config?.policy.value;
expect(migratedPolicyConfig.windows.malware.on_write_scan).toBe(false);
expect(migratedPolicyConfig.mac.malware.on_write_scan).toBe(true);
expect(migratedPolicyConfig.linux.malware.on_write_scan).toBe(false);
});

// no reason for removing `on_write_scan` for a lower version Kibana - the field will just sit silently in the package config
it('should not strip `on_write_scan` in regards of forward compatibility', () => {
const originalPolicyConfigSO = cloneDeep(policyDoc);
const originalPolicyConfig = originalPolicyConfigSO.attributes.inputs[0].config?.policy.value;
originalPolicyConfig.windows.malware.on_write_scan = false;
originalPolicyConfig.mac.malware.on_write_scan = true;
originalPolicyConfig.linux.malware.on_write_scan = false;

const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
document: originalPolicyConfigSO,
fromVersion: 6,
toVersion: 5,
});

const migratedPolicyConfig = migratedPolicyConfigSO.attributes.inputs[0].config?.policy.value;
expect(migratedPolicyConfig.windows.malware.on_write_scan).toBe(false);
expect(migratedPolicyConfig.mac.malware.on_write_scan).toBe(true);
expect(migratedPolicyConfig.linux.malware.on_write_scan).toBe(false);
});
});
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import type { SavedObjectUnsanitizedDoc } from '@kbn/core/server';

import type { SavedObjectModelDataBackfillFn } from '@kbn/core-saved-objects-server';

import type { PackagePolicy } from '../../../../common';

const ON_WRITE_SCAN_DEFAULT_VALUE = true;

export const migratePackagePolicyToV8140: SavedObjectModelDataBackfillFn<
PackagePolicy,
PackagePolicy
> = (packagePolicyDoc) => {
if (packagePolicyDoc.attributes.package?.name !== 'endpoint') {
return { attributes: packagePolicyDoc.attributes };
}

const updatedPackagePolicyDoc: SavedObjectUnsanitizedDoc<PackagePolicy> = packagePolicyDoc;

const input = updatedPackagePolicyDoc.attributes.inputs[0];

if (input && input.config) {
const policy = input.config.policy.value;

policy.windows.malware.on_write_scan ??= ON_WRITE_SCAN_DEFAULT_VALUE;
policy.mac.malware.on_write_scan ??= ON_WRITE_SCAN_DEFAULT_VALUE;
policy.linux.malware.on_write_scan ??= ON_WRITE_SCAN_DEFAULT_VALUE;
}

return { attributes: updatedPackagePolicyDoc.attributes };
};
1 change: 1 addition & 0 deletions x-pack/plugins/fleet/tsconfig.json
Original file line number Diff line number Diff line change
Expand Up @@ -104,5 +104,6 @@
"@kbn/config",
"@kbn/core-http-server-mocks",
"@kbn/code-editor",
"@kbn/core-test-helpers-model-versions",
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ export const policyFactory = (
malware: {
mode: ProtectionModes.prevent,
blocklist: true,
on_write_scan: true,
},
ransomware: {
mode: ProtectionModes.prevent,
Expand Down Expand Up @@ -96,6 +97,7 @@ export const policyFactory = (
malware: {
mode: ProtectionModes.prevent,
blocklist: true,
on_write_scan: true,
},
behavior_protection: {
mode: ProtectionModes.prevent,
Expand Down Expand Up @@ -138,6 +140,7 @@ export const policyFactory = (
malware: {
mode: ProtectionModes.prevent,
blocklist: true,
on_write_scan: true,
},
behavior_protection: {
mode: ProtectionModes.prevent,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -212,7 +212,7 @@ export const eventsOnlyPolicy = (): PolicyConfig => ({
registry: true,
security: true,
},
malware: { mode: ProtectionModes.off, blocklist: false },
malware: { mode: ProtectionModes.off, blocklist: false, on_write_scan: false },
ransomware: { mode: ProtectionModes.off, supported: true },
memory_protection: { mode: ProtectionModes.off, supported: true },
behavior_protection: { mode: ProtectionModes.off, supported: true, reputation_service: false },
Expand All @@ -228,7 +228,7 @@ export const eventsOnlyPolicy = (): PolicyConfig => ({
},
mac: {
events: { process: true, file: true, network: true },
malware: { mode: ProtectionModes.off, blocklist: false },
malware: { mode: ProtectionModes.off, blocklist: false, on_write_scan: false },
behavior_protection: { mode: ProtectionModes.off, supported: true, reputation_service: false },
memory_protection: { mode: ProtectionModes.off, supported: true },
popup: {
Expand All @@ -249,7 +249,7 @@ export const eventsOnlyPolicy = (): PolicyConfig => ({
session_data: false,
tty_io: false,
},
malware: { mode: ProtectionModes.off, blocklist: false },
malware: { mode: ProtectionModes.off, blocklist: false, on_write_scan: false },
behavior_protection: { mode: ProtectionModes.off, supported: true, reputation_service: false },
memory_protection: { mode: ProtectionModes.off, supported: true },
popup: {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,10 @@ const disableCommonProtections = (policy: PolicyConfig) => {
}, policy);
};

const getDisabledCommonProtectionsForOS = (policy: PolicyConfig, os: PolicyOperatingSystem) => ({
const getDisabledCommonProtectionsForOS = (
policy: PolicyConfig,
os: PolicyOperatingSystem
): Partial<PolicyConfig['windows']> => ({
behavior_protection: {
...policy[os].behavior_protection,
mode: ProtectionModes.off,
Expand All @@ -115,6 +118,7 @@ const getDisabledCommonProtectionsForOS = (policy: PolicyConfig, os: PolicyOpera
malware: {
...policy[os].malware,
blocklist: false,
on_write_scan: false,
mode: ProtectionModes.off,
},
});
Expand Down
10 changes: 7 additions & 3 deletions x-pack/plugins/security_solution/common/endpoint/types/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -973,7 +973,7 @@ export interface PolicyConfig {
registry: boolean;
security: boolean;
};
malware: ProtectionFields & BlocklistFields;
malware: ProtectionFields & BlocklistFields & OnWriteScanFields;
memory_protection: ProtectionFields & SupportedFields;
behavior_protection: BehaviorProtectionFields & SupportedFields;
ransomware: ProtectionFields & SupportedFields;
Expand Down Expand Up @@ -1014,7 +1014,7 @@ export interface PolicyConfig {
process: boolean;
network: boolean;
};
malware: ProtectionFields & BlocklistFields;
malware: ProtectionFields & BlocklistFields & OnWriteScanFields;
behavior_protection: BehaviorProtectionFields & SupportedFields;
memory_protection: ProtectionFields & SupportedFields;
popup: {
Expand Down Expand Up @@ -1044,7 +1044,7 @@ export interface PolicyConfig {
session_data: boolean;
tty_io: boolean;
};
malware: ProtectionFields & BlocklistFields;
malware: ProtectionFields & BlocklistFields & OnWriteScanFields;
behavior_protection: BehaviorProtectionFields & SupportedFields;
memory_protection: ProtectionFields & SupportedFields;
popup: {
Expand Down Expand Up @@ -1120,6 +1120,10 @@ export interface BlocklistFields {
blocklist: boolean;
}

export interface OnWriteScanFields {
on_write_scan?: boolean;
}

/** Policy protection mode options */
export enum ProtectionModes {
detect = 'detect',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,11 @@ export const allowedExperimentalValues = Object.freeze({
* Expires: on Apr 23, 2024
*/
perFieldPrebuiltRulesDiffingEnabled: true,

/**
* Makes Elastic Defend integration's Malware On-Write Scan option available to edit.
*/
malwareOnWriteScanOptionAvailable: false,
});

type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import type { PolicyDetailsAction } from '.';
import { policyDetailsReducer, policyDetailsMiddlewareFactory } from '.';
import { policyConfig } from './selectors';
import { policyFactory } from '../../../../../../common/endpoint/models/policy_config';
import type { PolicyData } from '../../../../../../common/endpoint/types';
import type { PolicyConfig, PolicyData } from '../../../../../../common/endpoint/types';
import type { MiddlewareActionSpyHelper } from '../../../../../common/store/test_utils';
import { createSpyMiddleware } from '../../../../../common/store/test_utils';
import type { AppContextTestRender } from '../../../../../common/mock/endpoint';
Expand Down Expand Up @@ -289,7 +289,7 @@ describe('policy details: ', () => {
registry: true,
security: true,
},
malware: { mode: 'prevent', blocklist: true },
malware: { mode: 'prevent', blocklist: true, on_write_scan: true },
memory_protection: { mode: 'off', supported: false },
behavior_protection: {
mode: 'off',
Expand Down Expand Up @@ -327,7 +327,7 @@ describe('policy details: ', () => {
},
mac: {
events: { process: true, file: true, network: true },
malware: { mode: 'prevent', blocklist: true },
malware: { mode: 'prevent', blocklist: true, on_write_scan: true },
behavior_protection: {
mode: 'off',
supported: false,
Expand Down Expand Up @@ -363,7 +363,7 @@ describe('policy details: ', () => {
tty_io: false,
},
logging: { file: 'info' },
malware: { mode: 'prevent', blocklist: true },
malware: { mode: 'prevent', blocklist: true, on_write_scan: true },
behavior_protection: {
mode: 'off',
supported: false,
Expand All @@ -388,7 +388,7 @@ describe('policy details: ', () => {
capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH',
},
},
},
} as PolicyConfig,
},
},
},
Expand Down
Loading

0 comments on commit 6ecbe53

Please sign in to comment.