-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[EDR Workflows] Add possibility to disable malware filescan on write (#…
…179176) ## Summary - adds new field to Package Policy: `on_write_scan` for `malware` protections for every OS - adds new switch to Malware card to enable/disable this feature, but this is hidden behind FF called `malwareOnWriteScanOptionAvailable` - adds hint in order to indicate to the user, that disabling on-write scan is only effective on Agent versions 8.13 and older - adds new migration to backfill this property with default `true` values, as it has been always enabled on previous agents. note: after migration, policies are not re-deployed, so Endpoint must assume that on-write scan is enabled when property is missing <img width="400" alt="image" src="https://github.com/elastic/kibana/assets/39014407/0616f48b-4eed-4acb-bff4-ef358250ab88"> <img width="400" alt="image" src="https://github.com/elastic/kibana/assets/39014407/659fa72e-3245-4d2f-97e9-46563b8c0427"> <img width="400" alt="image" src="https://github.com/elastic/kibana/assets/39014407/f32463ab-a30c-4537-8abd-675db408542f"> <img width="400" alt="image" src="https://github.com/elastic/kibana/assets/39014407/277a35f6-489c-4b02-8311-6f2a45ec51b6"> <img width="400" alt="image" src="https://github.com/elastic/kibana/assets/39014407/9df007ac-2889-4d84-8d4b-e10fc9b63acd"> <img width="400" alt="image" src="https://github.com/elastic/kibana/assets/39014407/3857850f-6f34-4d58-b13d-5652776f8e0f"> ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [x] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [x] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) --------- Co-authored-by: kibanamachine <[email protected]>
- Loading branch information
1 parent
961df45
commit 6ecbe53
Showing
16 changed files
with
429 additions
and
108 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
137 changes: 137 additions & 0 deletions
137
x-pack/plugins/fleet/server/saved_objects/migrations/security_solution/to_v8_14_0.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { | ||
createModelVersionTestMigrator, | ||
type ModelVersionTestMigrator, | ||
} from '@kbn/core-test-helpers-model-versions'; | ||
|
||
import { cloneDeep } from 'lodash'; | ||
|
||
import type { SavedObject } from '@kbn/core-saved-objects-server'; | ||
|
||
import type { PackagePolicy } from '../../../../common'; | ||
import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../common'; | ||
import { getSavedObjectTypes } from '../..'; | ||
|
||
const policyDoc: SavedObject<PackagePolicy> = { | ||
id: 'mock-saved-object-id', | ||
attributes: { | ||
name: 'Some Policy Name', | ||
package: { | ||
name: 'endpoint', | ||
title: '', | ||
version: '', | ||
}, | ||
id: 'endpoint', | ||
policy_id: '', | ||
enabled: true, | ||
namespace: '', | ||
revision: 0, | ||
updated_at: '', | ||
updated_by: '', | ||
created_at: '', | ||
created_by: '', | ||
inputs: [ | ||
{ | ||
type: 'endpoint', | ||
enabled: true, | ||
streams: [], | ||
config: { | ||
policy: { | ||
value: { | ||
windows: { | ||
malware: { | ||
mode: 'detect', | ||
blocklist: true, | ||
}, | ||
}, | ||
mac: { | ||
malware: { | ||
mode: 'detect', | ||
blocklist: true, | ||
}, | ||
}, | ||
linux: { | ||
malware: { | ||
mode: 'detect', | ||
blocklist: true, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
], | ||
}, | ||
type: PACKAGE_POLICY_SAVED_OBJECT_TYPE, | ||
references: [], | ||
}; | ||
|
||
describe('8.14.0 Endpoint Package Policy migration', () => { | ||
let migrator: ModelVersionTestMigrator; | ||
|
||
beforeEach(() => { | ||
migrator = createModelVersionTestMigrator({ | ||
type: getSavedObjectTypes()[PACKAGE_POLICY_SAVED_OBJECT_TYPE], | ||
}); | ||
}); | ||
|
||
it('should backfill `on_write_scan` field to malware protections on Kibana update', () => { | ||
const originalPolicyConfigSO = cloneDeep(policyDoc); | ||
|
||
const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({ | ||
document: originalPolicyConfigSO, | ||
fromVersion: 5, | ||
toVersion: 6, | ||
}); | ||
|
||
const migratedPolicyConfig = migratedPolicyConfigSO.attributes.inputs[0].config?.policy.value; | ||
expect(migratedPolicyConfig.windows.malware.on_write_scan).toBe(true); | ||
expect(migratedPolicyConfig.mac.malware.on_write_scan).toBe(true); | ||
expect(migratedPolicyConfig.linux.malware.on_write_scan).toBe(true); | ||
}); | ||
|
||
it('should not backfill `on_write_scan` field if already present due to user edit before migration is performed on serverless', () => { | ||
const originalPolicyConfigSO = cloneDeep(policyDoc); | ||
const originalPolicyConfig = originalPolicyConfigSO.attributes.inputs[0].config?.policy.value; | ||
originalPolicyConfig.windows.malware.on_write_scan = false; | ||
originalPolicyConfig.mac.malware.on_write_scan = true; | ||
originalPolicyConfig.linux.malware.on_write_scan = false; | ||
|
||
const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({ | ||
document: originalPolicyConfigSO, | ||
fromVersion: 5, | ||
toVersion: 6, | ||
}); | ||
|
||
const migratedPolicyConfig = migratedPolicyConfigSO.attributes.inputs[0].config?.policy.value; | ||
expect(migratedPolicyConfig.windows.malware.on_write_scan).toBe(false); | ||
expect(migratedPolicyConfig.mac.malware.on_write_scan).toBe(true); | ||
expect(migratedPolicyConfig.linux.malware.on_write_scan).toBe(false); | ||
}); | ||
|
||
// no reason for removing `on_write_scan` for a lower version Kibana - the field will just sit silently in the package config | ||
it('should not strip `on_write_scan` in regards of forward compatibility', () => { | ||
const originalPolicyConfigSO = cloneDeep(policyDoc); | ||
const originalPolicyConfig = originalPolicyConfigSO.attributes.inputs[0].config?.policy.value; | ||
originalPolicyConfig.windows.malware.on_write_scan = false; | ||
originalPolicyConfig.mac.malware.on_write_scan = true; | ||
originalPolicyConfig.linux.malware.on_write_scan = false; | ||
|
||
const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({ | ||
document: originalPolicyConfigSO, | ||
fromVersion: 6, | ||
toVersion: 5, | ||
}); | ||
|
||
const migratedPolicyConfig = migratedPolicyConfigSO.attributes.inputs[0].config?.policy.value; | ||
expect(migratedPolicyConfig.windows.malware.on_write_scan).toBe(false); | ||
expect(migratedPolicyConfig.mac.malware.on_write_scan).toBe(true); | ||
expect(migratedPolicyConfig.linux.malware.on_write_scan).toBe(false); | ||
}); | ||
}); |
37 changes: 37 additions & 0 deletions
37
x-pack/plugins/fleet/server/saved_objects/migrations/security_solution/to_v8_14_0.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { SavedObjectUnsanitizedDoc } from '@kbn/core/server'; | ||
|
||
import type { SavedObjectModelDataBackfillFn } from '@kbn/core-saved-objects-server'; | ||
|
||
import type { PackagePolicy } from '../../../../common'; | ||
|
||
const ON_WRITE_SCAN_DEFAULT_VALUE = true; | ||
|
||
export const migratePackagePolicyToV8140: SavedObjectModelDataBackfillFn< | ||
PackagePolicy, | ||
PackagePolicy | ||
> = (packagePolicyDoc) => { | ||
if (packagePolicyDoc.attributes.package?.name !== 'endpoint') { | ||
return { attributes: packagePolicyDoc.attributes }; | ||
} | ||
|
||
const updatedPackagePolicyDoc: SavedObjectUnsanitizedDoc<PackagePolicy> = packagePolicyDoc; | ||
|
||
const input = updatedPackagePolicyDoc.attributes.inputs[0]; | ||
|
||
if (input && input.config) { | ||
const policy = input.config.policy.value; | ||
|
||
policy.windows.malware.on_write_scan ??= ON_WRITE_SCAN_DEFAULT_VALUE; | ||
policy.mac.malware.on_write_scan ??= ON_WRITE_SCAN_DEFAULT_VALUE; | ||
policy.linux.malware.on_write_scan ??= ON_WRITE_SCAN_DEFAULT_VALUE; | ||
} | ||
|
||
return { attributes: updatedPackagePolicyDoc.attributes }; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.