[Security Solution] Endpoint lacks permissions on cloud to write to .logs-endpoint.action.responses-* on cloud instances #116715
Comments
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)
I can reproduce this as well. I get a similar notice when looking into logs. Formatted log message:

```
Client.cpp: 537 Failed to create in index (.logs-endpoint.action.responses-default) json ({
  "@timestamp": "2021-10-29T12:53:01.0Z",
  "EndpointActions": {
    "action_id": "acd97fa0-d06c-4920-84e2-e604b45a1891",
    "completed_at": "2021-10-29T12:53:01.0Z",
    "data": {
      "command": "isolate",
      "comment": "Action completed with errors"
    },
    "input_type": "endpoint",
    "started_at": "2021-10-29T12:52:59.0Z"
  },
  "agent": {
    "id": "1f3be6ea-c680-4231-ba15-c861248c9184"
  },
  "data_stream": {
    "dataset": "endpoint.action.responses",
    "namespace": "default",
    "type": ".logs"
  },
  "error": {
    "message": "Failed to apply action; check Endpoint logs for details"
  }
}) reason (
action [indices:admin/auto_create] is unauthorized for API key id [segGzHwBhUBC71UIhf2y] of user [elastic/fleet-server] on indices [.logs-endpoint.action.responses-default],
this action is granted by the index privileges [auto_configure,create_index,manage,all])
status (403)
```
Let me start with some definitions to make sure we talk about the same thing:
In general, there should be no difference between the two. The permissions are policy specific. Is it correct that the data stream you get an error writing to is listed in the policy under the permissions but you still get an error? This makes me wonder if the API permissions were refreshed. Were both installations fresh setups of the cluster and Elastic Agent, or was one of these migrated from previous versions? In the above the conversation is about an index? I assume we are talking about data streams with backing indices?
Thanks, @ruflin, for listing out the setup accurately. Indeed the indices are listed under policy permissions and have identical privileges.

Cloud agent policy:

```yaml
id: 31b5f290-38b0-11ec-b319-8989c71efd64
revision: 2
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'https://b36be9ee308d44a988d80412efb26dce.us-central1.gcp.foundit.no:443'
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
    _elastic_agent_checks:
      cluster:
        - monitor
    7.16-test-integration:
      indices:
        - names:
            - .logs-endpoint.action.responses-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - .logs-endpoint.actions-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.alerts-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - .logs-endpoint.diagnostic.collection-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.file-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.library-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-endpoint.metadata-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-endpoint.metrics-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.network-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-endpoint.policy-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.process-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.registry-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.security-default
          privileges:
            - auto_configure
            - create_doc
agent:
  monitoring:
    enabled: true
    use_output: default
    namespace: default
    logs: true
    metrics: true
inputs:
  - id: 277c5dc0-1569-4c4a-afdb-cbfa4723cd7e
    name: 7.16-test-integration
    revision: 1
    type: endpoint
    use_output: default
    meta:
      package:
        name: endpoint
        version: 1.2.1
    data_stream:
      namespace: default
    artifact_manifest:
      manifest_version: 1.0.0
      schema_version: v1
      artifacts:
        endpoint-exceptionlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-exceptionlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-exceptionlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
    policy:
      windows:
        events:
          dll_and_driver_load: true
          dns: true
          file: true
          network: true
          process: true
          registry: true
          security: true
        malware:
          mode: prevent
        ransomware:
          mode: prevent
          supported: true
        memory_protection:
          mode: prevent
          supported: true
        behavior_protection:
          mode: prevent
          supported: true
        popup:
          malware:
            enabled: true
            message: ''
          ransomware:
            enabled: true
            message: ''
          memory_protection:
            enabled: true
            message: ''
          behavior_protection:
            enabled: true
            message: ''
        logging:
          file: info
        antivirus_registration:
          enabled: false
      mac:
        events:
          process: true
          file: true
          network: true
        malware:
          mode: prevent
        behavior_protection:
          mode: prevent
          supported: true
        memory_protection:
          mode: prevent
          supported: true
        popup:
          malware:
            enabled: true
            message: ''
          behavior_protection:
            enabled: true
            message: ''
          memory_protection:
            enabled: true
            message: ''
        logging:
          file: info
      linux:
        events:
          process: true
          file: true
          network: true
        malware:
          mode: prevent
        behavior_protection:
          mode: prevent
          supported: true
        memory_protection:
          mode: prevent
          supported: true
        popup:
          malware:
            enabled: true
            message: ''
          behavior_protection:
            enabled: true
            message: ''
          memory_protection:
            enabled: true
            message: ''
        logging:
          file: info
fleet:
  hosts:
    - >-
      https://22090f8741f7411680822760938113f8.fleet.us-central1.gcp.foundit.no:443
```

Standalone agent policy:

```yaml
id: 1b521a70-3b2f-11ec-9cca-1f2753288199
revision: 2
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'http://localhost:9200'
output_permissions:
  default:
    _elastic_agent_monitoring:
      indices:
        - names:
            - logs-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.apm_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.auditbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.elastic_agent-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.endpoint_security-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.filebeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.fleet_server-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.heartbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.metricbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.osquerybeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-elastic_agent.packetbeat-default
          privileges:
            - auto_configure
            - create_doc
    _elastic_agent_checks:
      cluster:
        - monitor
    7.16-test-integration:
      indices:
        - names:
            - .logs-endpoint.action.responses-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - .logs-endpoint.actions-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.alerts-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - .logs-endpoint.diagnostic.collection-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.file-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.library-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-endpoint.metadata-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-endpoint.metrics-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.network-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - metrics-endpoint.policy-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.process-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.registry-default
          privileges:
            - auto_configure
            - create_doc
        - names:
            - logs-endpoint.events.security-default
          privileges:
            - auto_configure
            - create_doc
agent:
  monitoring:
    enabled: true
    use_output: default
    namespace: default
    logs: true
    metrics: true
inputs:
  - id: 1da68b16-f9e4-443e-8569-2bb352d48fad
    name: 7.16-test-integration
    revision: 1
    type: endpoint
    use_output: default
    meta:
      package:
        name: endpoint
        version: 1.2.1
    data_stream:
      namespace: default
    artifact_manifest:
      manifest_version: 1.0.0
      schema_version: v1
      artifacts:
        endpoint-exceptionlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-exceptionlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-exceptionlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-trustlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-eventfilterlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-macos-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-windows-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
        endpoint-hostisolationexceptionlist-linux-v1:
          encryption_algorithm: none
          decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          decoded_size: 14
          encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda
          encoded_size: 22
          relative_url: >-
            /api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
          compression_algorithm: zlib
    policy:
      windows:
        events:
          dll_and_driver_load: true
          dns: true
          file: true
          network: true
          process: true
          registry: true
          security: true
        malware:
          mode: prevent
        ransomware:
          mode: prevent
          supported: true
        memory_protection:
          mode: prevent
          supported: true
        behavior_protection:
          mode: prevent
          supported: true
        popup:
          malware:
            enabled: true
            message: ''
          ransomware:
            enabled: true
            message: ''
          memory_protection:
            enabled: true
            message: ''
          behavior_protection:
            enabled: true
            message: ''
        logging:
          file: info
        antivirus_registration:
          enabled: false
      mac:
        events:
          process: true
          file: true
          network: true
        malware:
          mode: prevent
        behavior_protection:
          mode: prevent
          supported: true
        memory_protection:
          mode: prevent
          supported: true
        popup:
          malware:
            enabled: true
            message: ''
          behavior_protection:
            enabled: true
            message: ''
          memory_protection:
            enabled: true
            message: ''
        logging:
          file: info
      linux:
        events:
          process: true
          file: true
          network: true
        malware:
          mode: prevent
        behavior_protection:
          mode: prevent
          supported: true
        memory_protection:
          mode: prevent
          supported: true
        popup:
          malware:
            enabled: true
            message: ''
          behavior_protection:
            enabled: true
            message: ''
          memory_protection:
            enabled: true
            message: ''
        logging:
          file: info
```

You assume right about data streams with backing indices. How do we verify that API permissions were not refreshed? Also here's another ticket that involves the same indices #116396 but about upgrading from ES v1.1.1 to ES v1.2.0.
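The check the thread is doing by hand (is the data stream in `output_permissions`, and do the granted privileges include one of those the 403 names as granting the action?) can be scripted. This is an added example, not code from the issue or from Fleet; the 403 reason is the one quoted in the thread, the policy fragment mirrors the YAML above, and the two fleet-server role descriptors are constructed to illustrate the before/after state the fix describes, since an API key can never carry more privilege than the user that created it.

```python
import fnmatch
import re

# Constructed sample: the 403 reason quoted from the Endpoint log in this issue.
ENDPOINT_403 = (
    "action [indices:admin/auto_create] is unauthorized for API key id "
    "[segGzHwBhUBC71UIhf2y] of user [elastic/fleet-server] on indices "
    "[.logs-endpoint.action.responses-default], this action is granted by the "
    "index privileges [auto_configure,create_index,manage,all]"
)

# Constructed excerpt of the agent policy's output_permissions, in the shape
# Fleet renders for the Endpoint package policy (see the YAML in the thread).
POLICY_OUTPUT_PERMISSIONS = {
    "_elastic_agent_checks": {"cluster": ["monitor"]},
    "7.16-test-integration": {
        "indices": [
            {"names": [".logs-endpoint.action.responses-default"],
             "privileges": ["auto_configure", "create_doc"]},
            {"names": [".logs-endpoint.actions-default"],
             "privileges": ["auto_configure", "create_doc"]},
            {"names": ["logs-endpoint.alerts-default"],
             "privileges": ["auto_configure", "create_doc"]},
        ]
    },
}

# Hypothetical index privileges of the fleet-server user, before and after the
# fix. Constructed for this example; only the shape mirrors a role descriptor.
FLEET_SERVER_ROLE_BEFORE = [
    {"names": ["logs-*", "metrics-*", ".logs-endpoint.diagnostic.collection-*"],
     "privileges": ["auto_configure", "create_doc"]},
]
FLEET_SERVER_ROLE_AFTER = FLEET_SERVER_ROLE_BEFORE + [
    {"names": [".logs-endpoint.action.responses-*"],
     "privileges": ["auto_configure", "create_doc"]},
]

REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for API key id "
    r"\[(?P<key>[^\]]+)\] of user \[(?P<user>[^\]]+)\] on indices "
    r"\[(?P<indices>[^\]]+)\], this action is granted by the index privileges "
    r"\[(?P<privs>[^\]]+)\]"
)


def parse_403_reason(reason):
    """Pull the action, principal, target indices and granting privileges out
    of an Elasticsearch index authorization failure message."""
    m = REASON_RE.search(reason)
    if m is None:
        raise ValueError("not an Elasticsearch index authorization failure")
    return {
        "action": m.group("action"),
        "api_key_id": m.group("key"),
        "user": m.group("user"),
        "indices": [i.strip() for i in m.group("indices").split(",")],
        "granting_privileges": {p.strip() for p in m.group("privs").split(",")},
    }


def granted_privileges(index_grants, index_name):
    """Union of privileges from every grant whose name pattern matches.
    Elasticsearch patterns only use '*'; fnmatch is a close enough stand-in."""
    granted = set()
    for grant in index_grants:
        if any(fnmatch.fnmatchcase(index_name, pat) for pat in grant["names"]):
            granted.update(grant["privileges"])
    return granted


def diagnose(reason, policy_output_permissions, fleet_server_grants):
    """For each index in the failure, separate 'the policy asked for it' from
    'the fleet-server user could actually hand it out'. An API key never
    carries more than its creator's privileges, so the effective set is the
    intersection of the two."""
    failure = parse_403_reason(reason)
    needed = failure["granting_privileges"]
    policy_grants = [g for section in policy_output_permissions.values()
                     for g in section.get("indices", [])]
    report = {}
    for index_name in failure["indices"]:
        from_policy = granted_privileges(policy_grants, index_name)
        from_fleet = granted_privileges(fleet_server_grants, index_name)
        report[index_name] = {
            "policy_covers_action": bool(from_policy & needed),
            "fleet_server_covers_action": bool(from_fleet & needed),
            "key_can_perform_action": bool(from_policy & from_fleet & needed),
        }
    return report


if __name__ == "__main__":
    for label, role in (("before fix", FLEET_SERVER_ROLE_BEFORE),
                        ("after fix", FLEET_SERVER_ROLE_AFTER)):
        print(label, diagnose(ENDPOINT_403, POLICY_OUTPUT_PERMISSIONS, role))
```

With the "before" role the policy covers the action but the key cannot perform it, which is exactly the shape of the cloud failure; a fleet-server run as superuser would pass both checks and hide the gap.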
@ruflin @ashokaditya thanks for the context. Some observations: Remove permission for
@kevinlog I took a look at your PR on Kibana but I do not think it will solve the problem with the default permission. Actually I think Fleet server is not able to give the permission to the agent as it does not have any permissions related to
@nchaulet thanks for taking a look! I wasn't aware that there were additional permissions required in ES. Any idea why running locally using
@kevinlog Are you running your fleet server locally with
…nt response index (#80238) This PR adds the proper permissions for fleet server to create and write documents to the .logs-endpoint.action.responses-* index. The Security Endpoint, run by the Agent, streams action responses to this index which is used by the Security app to determine if actions are complete, etc. This was initially missed during testing because of using locally running fleet servers that were given superuser permissions, hence bypassing the fleet server user. This PR adds the index to fleet server so that the Endpoint gets the key that it needs to write to the index properly. For more information, see this ticket: elastic/kibana#116715
…nt response index (elastic#80238) This PR adds the proper permissions for fleet server to create and write documents to the .logs-endpoint.action.responses-* index. The Security Endpoint, run by the Agent, streams action responses to this index which is used by the Security app to determine if actions are complete, etc. This was initially missed during testing because of using locally running fleet servers that were given superuser permissions, hence bypassing the fleet server user. This PR adds the index to fleet server so that the Endpoint gets the key that it needs to write to the index properly. For more information, see this ticket: elastic/kibana#116715
…nt response index (#80238) (#80241) This PR adds the proper permissions for fleet server to create and write documents to the .logs-endpoint.action.responses-* index. The Security Endpoint, run by the Agent, streams action responses to this index which is used by the Security app to determine if actions are complete, etc. This was initially missed during testing because of using locally running fleet servers that were given superuser permissions, hence bypassing the fleet server user. This PR adds the index to fleet server so that the Endpoint gets the key that it needs to write to the index properly. For more information, see this ticket: elastic/kibana#116715 Co-authored-by: Kevin Logan <[email protected]>
…nt response index (#80238) (#80242) This PR adds the proper permissions for fleet server to create and write documents to the .logs-endpoint.action.responses-* index. The Security Endpoint, run by the Agent, streams action responses to this index which is used by the Security app to determine if actions are complete, etc. This was initially missed during testing because of using locally running fleet servers that were given superuser permissions, hence bypassing the fleet server user. This PR adds the index to fleet server so that the Endpoint gets the key that it needs to write to the index properly. For more information, see this ticket: elastic/kibana#116715 Co-authored-by: Kevin Logan <[email protected]>
As @nchaulet pointed out, it is relevant if the Elastic Agent with fleet-server is run with superuser permissions or the fleet-server service token. That could explain the difference. I'm wondering if we should expand the permissions for the fleet-server user account to also include
+1 on the change from my side. Could you open an issue with Elasticsearch about this to discuss it further? @joshdover This might also impact kibana_system permissions, but not sure. @jlind23 For Elastic Agent, we should deprecate / discourage the usage of the direct Elasticsearch permissions. That is the second issue we have seen related to it in the recent days. In theory it could also be removed but that might break some older deployments.
Sure I can open the issue. Generally, the security team has been more comfortable granting broad access to dot-prefixed indices since these are well communicated as being managed by the system. For instance, kibana_system has access to
It does, we had to do a similar thing here for kibana_system: elastic/elasticsearch#80140. I'll mention both problems in the issue.
@ruflin shall we create an issue to add a warning message accordingly?
@jlind23 Let's open an issue to discuss the details further. I see more than one option.
…ng actions logic (#117219) * use a feature flag to use the new pending actions logic refs /issues/116715 * switch off pending actions for endpoints when feature flag is disabled review suggestions * update/add tests to use FF * correctly override the FF `parseExperimentalConfigValue` method sets feature flag key values to `true` if passed as arg Co-authored-by: Kibana Machine <[email protected]>
…ng actions logic (elastic#117219) * use a feature flag to use the new pending actions logic refs elastic/issues/116715 * switch off pending actions for endpoints when feature flag is disabled review suggestions * update/add tests to use FF * correctly override the FF `parseExperimentalConfigValue` method sets feature flag key values to `true` if passed as arg Co-authored-by: Kibana Machine <[email protected]>
…ng actions logic (#117219) (#117497) * use a feature flag to use the new pending actions logic refs /issues/116715 * switch off pending actions for endpoints when feature flag is disabled review suggestions * update/add tests to use FF * correctly override the FF `parseExperimentalConfigValue` method sets feature flag key values to `true` if passed as arg Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Ashokaditya <[email protected]>
…ng actions logic (#117219) (#117498) * use a feature flag to use the new pending actions logic refs /issues/116715 * switch off pending actions for endpoints when feature flag is disabled review suggestions * update/add tests to use FF * correctly override the FF `parseExperimentalConfigValue` method sets feature flag key values to `true` if passed as arg Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Ashokaditya <[email protected]>
Confirmed fixed in the latest BC for 7.16
@joshdover Not that I'm aware of. Can you take care of it?
@ruflin @joshdover I'll do it now - elastic/beats#28973
@jlind23 @joshdover @ruflin - thanks for the followup, I'm also tracking the above ticket on our board.
Kibana version: 7.16, BC2
Elasticsearch version: 7.16, BC2
Describe the bug:
When the Endpoint tries to write to the new `.logs-endpoint.action.responses-*` data stream, it doesn't have proper index permissions to create the data stream. This is seen in the Endpoint logs (see below). The Endpoint tries to write to this data stream when it completes a response action such as Host Isolation.
I have reproduced this in Cloud instances only. Locally, everything seems to work correctly and the Endpoint has permissions to create and write to the appropriate indices.
Steps to reproduce:
Expected behavior:
The Endpoint should exit the "Isolating" state and be able to write and create the correct indices. This means that the Endpoint should be able to create and write to the `.logs-endpoint.action.responses-*` index.
Screenshots (if relevant):
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Relevant logs from Endpoint:
Any additional context:
I noticed that the data streams are mentioned in the Agent policy that contains the Endpoint package policy.
Here is a snippet from the Agent Policy:
I also noticed that these privileges differ from what's in the Endpoint log message seen above.
A snippet of the permissions mentioned in the log message: `auto_configure,create_index,manage,all`
The permissions look like they're set in this section of the code: https://github.com/elastic/kibana/blob/master/x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.ts#L62
Do we need to set specific permissions for this index in the Endpoint package or otherwise?