[Security Solution][Endpoint] Add API checks to Endpoint Policy create/update for checking endpointPolicyProtections is enabled
#163429
Conversation
…o policy creation logic
…pi extension (logic not yet implemented)
…d be disabled (logic in migration not done yet)
paul-tavares
added
release_note:skip
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
…ess-policy-protections
…ess-policy-protections
| export const setPolicyToEventCollectionOnly = (policy: PolicyConfig): PolicyConfig => { | ||
| const updatedPolicy = disableProtections(policy); | ||
|
|
||
| set(updatedPolicy, 'windows.antivirus_registration.enabled', false); | ||
|
|
||
| return updatedPolicy; | ||
| }; |
There was a problem hiding this comment.
I'm wondering, if disableProtections() should have disabled windows.antivirus_registration.enabled in the first place. Its original goal was to prepare a policy for 'data collection only', see https://github.com/paul-tavares/kibana/blob/eff88cf671eaa498d2d894784e71ab0c795627cc/x-pack/plugins/security_solution/server/fleet_integration/handlers/create_default_policy.ts#L134
I tested it, just created a 'Data collection only' policy, and it has antivirus registration disabled, so I think I accidentally left it out from disableProtections().
what do you think? if you agree, could you add it there? and then there is no need for this function.
otherwise, I suggest another name for this function, because it does not set a policy to event collection only as it doesn't enable any event collection, just disabled protections and antivirus registration
There was a problem hiding this comment.
yeah, I was not sure about that - thus why I created this one to set it explicitly. I am not familiar with what hte requirement might have been for your other PR, but I would check with Caitlyn and if in fact it should have been disabled in the first place, then we can just add it to disableProtections()
can we maybe follow up on this in a subsequent PR?
Re: name
Yeah you are right. The only reason I named it this way because the Antivirus entry is not a protection. I can change it to ensureOnlyEventCollectionIsAllowed()?? what do you think?
There was a problem hiding this comment.
thanks for the rename, sounds good!
I've created a follow-up issue for this: https://github.com/elastic/security-team/issues/7323, so we can discuss it during grooming
x-pack/plugins/security_solution/common/endpoint/models/policy_config_helpers.test.ts
Outdated
Show resolved
Hide resolved
| const isEnabled = currentValue !== disableValue; | ||
|
|
||
| if (isEnabled) { | ||
| message = `property [${fullKeyPathForOs}] is set to [${currentValue}]`; |
There was a problem hiding this comment.
q: do we want to maybe return all protections that are enabled, instead of the first one?
There was a problem hiding this comment.
We could, but I was trying to just exit the function as soon as possible rather than to loop through all of them.
| }); | ||
|
|
||
| total = totalPolicies; | ||
| hasMoreData = items.length > 0; |
There was a problem hiding this comment.
this causes one additional call for packagePolicy.list() returning zero items. to avoid this, total could be used
update: I see you even have mocks prepared in the tests for the additional call. is it maybe intended?
There was a problem hiding this comment.
Its just another way to ensure all policies are covered case policies are added as this function is running. I think I might have picked up this approach from code I saw in fleet.
There was a problem hiding this comment.
sorry for nitpicking, but a small optimisation for keeping the startup time a bit lower is still an optimisation. I still don't think the extra fetch is needed, because if a new policy added at this point, it will go through the checks that ensure that no protections are enabled.
(what I don't know: is it even possible for policies to be added during Plugin.start()?)
in case it is possible and the checks are not in place when adding: I think the extra fetch still wouldn't help, only maybe for every N-thousand-and-first-some policies, while still possibly skipping the previous N-thousand minus-some policies (e.g. if the 3992...4016th policies were added after fetching the 4th page, 3992...4000th policies are skipped)
///
independently of the extra fetch, sortOrder: 'asc' and sortField: 'createdAt' should be added to the options for packagePolicy.list() as the default is descending by updated_at.
There was a problem hiding this comment.
Good point. I'll make the change to ensure we don't make the additional API call
👍
x-pack/plugins/security_solution/server/fleet_integration/handlers/create_default_policy.ts
Outdated
Show resolved
Hide resolved
from Gergo
…-for-serverless-policy-protections' into task/olm-7232-api-policy-watcher-for-serverless-policy-protections
…olicy-watcher-for-serverless-policy-protections
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Unknown metric groupsESLint disabled in files
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
paul-tavares
deleted the
task/olm-7232-api-policy-watcher-for-serverless-policy-protections
branch
* main: (64 commits) [ML] Transforms: Fix privileges check. (elastic#163687) [Log Explorer] Add test suite for Dataset Selector (elastic#163079) [Security Solution][Endpoint] Add API checks to Endpoint Policy create/update for checking `endpointPolicyProtections` is enabled (elastic#163429) [Security Solution] Fix flaky test: x-pack/test/detection_engine_api_integration/security_and_spaces/update_prebuilt_rules_package/update_prebuilt_rules_package·ts - update_prebuilt_rules_package should allow user to install prebuilt rules from scratch, then install new rules and upgrade existing rules from the new package (elastic#163241) [Security Solution] expandable flyout - replace feature flag with advanced settings toggle (elastic#161614) [DOCS] Adds the release notes for the 8.9.1 release. (elastic#163578) [FTR] Implement browser network condition utils (elastic#163633) [Security Solution] Unskip rules table auto-refresh Cypress tests (elastic#163451) [Security Solution] Re-enable fixed rule snoozing Cypress test (elastic#160037) [Flaky Test elastic#111821] Mock `moment` to avoid midnight TZ issues (elastic#163157) Document interactive setup (elastic#163619) [Lens] Align decoration color with text color for layer actions (elastic#163630) [Lens] Relax counter field checks for saved visualizations with unsupported operations (elastic#163515) [Security Solution][Endpoint] Removes pMap and uses a for loop instead (elastic#163509) [Enterprise Search] Update Workplace Search connectors doclink (elastic#163676) Update APM (main) (elastic#163623) [Serverless] Partially fix lens/maps/visualize breadcrumbs missing title (elastic#163476) [Flaky elastic#118272] Unskip tests (elastic#163319) [APM] Make service group saved objects exportable (elastic#163569) [Observability AI Assistant] Action menu item (elastic#163463) ...
Summary
endpointPolicyProtectionsappFeature is disabledstart()that will check ifendpointPolicyProtectionsis disabled and updates all existing policies (if necessary) to disable protections.Checklist