[Security Solution][Endpoint] Add API checks to Endpoint Policy create/update for checking endpointPolicyProtections is enabled #163429

Merged
27 commits
eb66569
changes for default policy
paul-tavares Aug 3, 2023
6b199d2
add `appFeatures` to endpoint server side services and pass it down t…
paul-tavares Aug 3, 2023
cb8b985
add `disableAllPolicyProtections()` and use it in policy create
paul-tavares Aug 3, 2023
de9151c
refactor: use existing helpers to turn off protections
paul-tavares Aug 3, 2023
b397446
add test for `setPolicyToEventCollectionOnly()`
paul-tavares Aug 3, 2023
ae96184
fix test
paul-tavares Aug 3, 2023
b6f6e62
add call to `setPolicyToEventCollectionOnly()` to the policy update a…
paul-tavares Aug 3, 2023
d1e50cb
implementation of `isPolicySetToEventCollectionOnly()` + tests (not p…
paul-tavares Aug 4, 2023
96996b6
Fix logic for `isPolicySetToEventCollectionOnly()` + add tests
paul-tavares Aug 4, 2023
aeeaa16
use `AppFeatureSecurityKey` enum
paul-tavares Aug 4, 2023
3eabe35
utility to create internal SO client
paul-tavares Aug 4, 2023
f0cbc1c
Add migration step to the Plugin that will check if protections shoul…
paul-tavares Aug 4, 2023
5867b74
Logic to update policies that have protections enabled
paul-tavares Aug 7, 2023
26700a1
Fix endpoint context mock + tests for fleet integrations
paul-tavares Aug 7, 2023
e11b7ef
Centralized mock for AppFeatures
paul-tavares Aug 7, 2023
117bc6b
Tests for `createDefaultPolicy()` and use of appFeatures to adjust po…
paul-tavares Aug 7, 2023
784764d
Tests for Update integration policy fleet api extension
paul-tavares Aug 7, 2023
213d13e
Added utility type: `PromiseResolvedValue<>`
paul-tavares Aug 8, 2023
9c7b859
initial test for `turnOffPolicyProtections()`
paul-tavares Aug 8, 2023
d263339
tests for `turnOffPolicyProtections()`
paul-tavares Aug 8, 2023
ba7a4c8
fix AppFeatures mock
paul-tavares Aug 8, 2023
717054b
Merge branch 'main' into task/olm-7232-api-policy-watcher-for-serverl…
paul-tavares Aug 10, 2023
eff88cf
Merge branch 'main' into task/olm-7232-api-policy-watcher-for-serverl…
paul-tavares Aug 10, 2023
8fa8ec4
code review updates
paul-tavares Aug 10, 2023
8658745
Merge remote-tracking branch 'origin/task/olm-7232-api-policy-watcher…
paul-tavares Aug 10, 2023
f08dbb6
Adjust looping logic for adjust policies
paul-tavares Aug 11, 2023
abc633e
Merge remote-tracking branch 'upstream/main' into task/olm-7232-api-p…
paul-tavares Aug 11, 2023
Expand Up @@ -6,14 +6,19 @@
*/

import type { PolicyConfig } from '../types';
import { ProtectionModes } from '../types';
import { PolicyOperatingSystem, ProtectionModes } from '../types';
import { policyFactory } from './policy_config';
import { disableProtections } from './policy_config_helpers';
import {
disableProtections,
isPolicySetToEventCollectionOnly,
ensureOnlyEventCollectionIsAllowed,
} from './policy_config_helpers';
import { set } from 'lodash';

describe('Policy Config helpers', () => {
describe('disableProtections', () => {
it('disables all the protections in the default policy', () => {
expect(disableProtections(policyFactory())).toEqual<PolicyConfig>(eventsOnlyPolicy);
expect(disableProtections(policyFactory())).toEqual<PolicyConfig>(eventsOnlyPolicy());
});

it('does not enable supported fields', () => {
Expand Down Expand Up @@ -51,20 +56,20 @@ describe('Policy Config helpers', () => {
};

const expectedPolicyWithoutSupportedProtections: PolicyConfig = {
...eventsOnlyPolicy,
...eventsOnlyPolicy(),
windows: {
...eventsOnlyPolicy.windows,
...eventsOnlyPolicy().windows,
memory_protection: notSupported,
behavior_protection: notSupportedBehaviorProtection,
ransomware: notSupported,
},
mac: {
...eventsOnlyPolicy.mac,
...eventsOnlyPolicy().mac,
memory_protection: notSupported,
behavior_protection: notSupportedBehaviorProtection,
},
linux: {
...eventsOnlyPolicy.linux,
...eventsOnlyPolicy().linux,
memory_protection: notSupported,
behavior_protection: notSupportedBehaviorProtection,
},
Expand Down Expand Up @@ -104,10 +109,10 @@ describe('Policy Config helpers', () => {
};

const expectedPolicy: PolicyConfig = {
...eventsOnlyPolicy,
windows: { ...eventsOnlyPolicy.windows, events: { ...windowsEvents } },
mac: { ...eventsOnlyPolicy.mac, events: { ...macEvents } },
linux: { ...eventsOnlyPolicy.linux, events: { ...linuxEvents } },
...eventsOnlyPolicy(),
windows: { ...eventsOnlyPolicy().windows, events: { ...windowsEvents } },
mac: { ...eventsOnlyPolicy().mac, events: { ...macEvents } },
linux: { ...eventsOnlyPolicy().linux, events: { ...linuxEvents } },
};

const inputPolicy = {
Expand All @@ -120,11 +125,73 @@ describe('Policy Config helpers', () => {
expect(disableProtections(inputPolicy)).toEqual<PolicyConfig>(expectedPolicy);
});
});

describe('setPolicyToEventCollectionOnly()', () => {
it('should set the policy to event collection only', () => {
expect(ensureOnlyEventCollectionIsAllowed(policyFactory())).toEqual(eventsOnlyPolicy());
});
});

describe('isPolicySetToEventCollectionOnly', () => {
let policy: PolicyConfig;

beforeEach(() => {
policy = ensureOnlyEventCollectionIsAllowed(policyFactory());
});

it.each([
{
keyPath: `${PolicyOperatingSystem.windows}.malware.mode`,
keyValue: ProtectionModes.prevent,
expectedResult: false,
},
{
keyPath: `${PolicyOperatingSystem.mac}.malware.mode`,
keyValue: ProtectionModes.off,
expectedResult: true,
},
{
keyPath: `${PolicyOperatingSystem.windows}.ransomware.mode`,
keyValue: ProtectionModes.prevent,
expectedResult: false,
},
{
keyPath: `${PolicyOperatingSystem.linux}.memory_protection.mode`,
keyValue: ProtectionModes.off,
expectedResult: true,
},
{
keyPath: `${PolicyOperatingSystem.mac}.behavior_protection.mode`,
keyValue: ProtectionModes.detect,
expectedResult: false,
},
{
keyPath: `${PolicyOperatingSystem.windows}.attack_surface_reduction.credential_hardening.enabled`,
keyValue: true,
expectedResult: false,
},
{
keyPath: `${PolicyOperatingSystem.windows}.antivirus_registration.enabled`,
keyValue: true,
expectedResult: false,
},
])(
'should return `$expectedResult` if `$keyPath` is set to `$keyValue`',
({ keyPath, keyValue, expectedResult }) => {
set(policy, keyPath, keyValue);

expect(isPolicySetToEventCollectionOnly(policy)).toEqual({
isOnlyCollectingEvents: expectedResult,
message: expectedResult ? undefined : `property [${keyPath}] is set to [${keyValue}]`,
});
}
);
});
});

// This constant makes sure that if the type `PolicyConfig` is ever modified,
// the logic for disabling protections is also modified due to type check.
export const eventsOnlyPolicy: PolicyConfig = {
export const eventsOnlyPolicy = (): PolicyConfig => ({
meta: { license: '', cloud: false, license_uid: '', cluster_name: '', cluster_uuid: '' },
windows: {
events: {
Expand Down Expand Up @@ -187,4 +254,4 @@ export const eventsOnlyPolicy: PolicyConfig = {
capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH',
},
},
};
});
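Review bot: The describe block wrapping the `ensureOnlyEventCollectionIsAllowed` test is still titled `setPolicyToEventCollectionOnly()`, so a failure would be reported under a function name that no longer exists in the helpers module; rename it to `describe('ensureOnlyEventCollectionIsAllowed()', () => {`. The `it.each` table flips exactly one property per row, and the only rows expecting `true` set a value that is already the disabled value, so the baseline "fresh event-collection-only policy passes the check" is covered only by accident; a dedicated `it` asserting `isPolicySetToEventCollectionOnly(ensureOnlyEventCollectionIsAllowed(policyFactory()))` equals `{ isOnlyCollectingEvents: true, message: undefined }` would make that contract explicit. Converting `eventsOnlyPolicy` to a factory is the right fix for the shared-fixture mutation the `set()` calls would otherwise cause.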
Expand Up @@ -5,8 +5,63 @@
* 2.0.
*/

import { get, set } from 'lodash';
import type { PolicyConfig } from '../types';
import { ProtectionModes } from '../types';
import { PolicyOperatingSystem, ProtectionModes } from '../types';

interface PolicyProtectionReference {
keyPath: string;
osList: PolicyOperatingSystem[];
enableValue: unknown;
disableValue: unknown;
}

const getPolicyProtectionsReference = (): PolicyProtectionReference[] => {
const allOsValues = [
PolicyOperatingSystem.mac,
PolicyOperatingSystem.linux,
PolicyOperatingSystem.windows,
];

return [
{
keyPath: 'malware.mode',
osList: [...allOsValues],
disableValue: ProtectionModes.off,
enableValue: ProtectionModes.prevent,
},
{
keyPath: 'ransomware.mode',
osList: [PolicyOperatingSystem.windows],
disableValue: ProtectionModes.off,
enableValue: ProtectionModes.prevent,
},
{
keyPath: 'memory_protection.mode',
osList: [...allOsValues],
disableValue: ProtectionModes.off,
enableValue: ProtectionModes.prevent,
},
{
keyPath: 'behavior_protection.mode',
osList: [...allOsValues],
disableValue: ProtectionModes.off,
enableValue: ProtectionModes.prevent,
},
{
keyPath: 'attack_surface_reduction.credential_hardening.enabled',
osList: [PolicyOperatingSystem.windows],
disableValue: false,
enableValue: true,
},
{
keyPath: 'antivirus_registration.enabled',
osList: [PolicyOperatingSystem.windows],
disableValue: false,
enableValue: true,
},
];
};

/**
* Returns a copy of the passed `PolicyConfig` with all protections set to disabled.
Expand Down Expand Up @@ -106,3 +161,46 @@ const getDisabledWindowsSpecificPopups = (policy: PolicyConfig) => ({
enabled: false,
},
});

/**
* Returns the provided with only event collection turned enabled
* @param policy
*/
export const ensureOnlyEventCollectionIsAllowed = (policy: PolicyConfig): PolicyConfig => {
const updatedPolicy = disableProtections(policy);

set(updatedPolicy, 'windows.antivirus_registration.enabled', false);

return updatedPolicy;
};

/**
* Checks to see if the provided policy is set to Event Collection only
*/
export const isPolicySetToEventCollectionOnly = (
policy: PolicyConfig
): { isOnlyCollectingEvents: boolean; message?: string } => {
const protectionsRef = getPolicyProtectionsReference();
let message: string | undefined;

const hasEnabledProtection = protectionsRef.some(({ keyPath, osList, disableValue }) => {
const hasOsPropertyEnabled = osList.some((osValue) => {
const fullKeyPathForOs = `${osValue}.${keyPath}`;
const currentValue = get(policy, fullKeyPathForOs);
const isEnabled = currentValue !== disableValue;

if (isEnabled) {
message = `property [${fullKeyPathForOs}] is set to [${currentValue}]`;
Contributor


q: do we want to maybe return all protections that are enabled, instead of the first one?

Contributor Author


We could, but I was trying to just exit the function as soon as possible rather than to loop through all of them.

}

return isEnabled;
});

return hasOsPropertyEnabled;
});

return {
isOnlyCollectingEvents: !hasEnabledProtection,
message,
};
};
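Review bot: In `isPolicySetToEventCollectionOnly`, `get(policy, fullKeyPathForOs)` yields `undefined` when the key is absent, and `currentValue !== disableValue` then reports that protection as enabled with the message `property [...] is set to [undefined]`. Failing closed on a missing key is the right behaviour for a check that gates whether protections may stay on, but the message should say what actually happened: `message = currentValue === undefined ? \`property [${fullKeyPathForOs}] is missing\` : \`property [${fullKeyPathForOs}] is set to [${currentValue}]\`;`. The TSDoc on `ensureOnlyEventCollectionIsAllowed` reads `Returns the provided with only event collection turned enabled`; rewrite it as `Returns a copy of the provided policy with every protection disabled so that only event collection remains enabled`, and drop the empty `@param policy` tag or give it a description. `enableValue` on `PolicyProtectionReference` is populated for every entry but not read anywhere in this section; if nothing else in the file consumes it, remove it, otherwise a one-line comment on the interface naming its consumer would stop the next reader from asking the same question.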
@@ -0,0 +1,12 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

/* eslint-disable @typescript-eslint/no-explicit-any */

export type PromiseResolvedValue<T extends Promise<any>> = T extends Promise<infer Value>
? Value
: never;
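Review bot: `PromiseResolvedValue<T>` re-implements the built-in `Awaited<T>` utility type, which also unwraps nested thenables; if the project's TypeScript version provides `Awaited`, prefer `export type PromiseResolvedValue<T extends Promise<unknown>> = Awaited<T>;` or use `Awaited` directly at the call sites. Independently of that, the constraint can be `Promise<unknown>` rather than `Promise<any>`, which makes the file-wide `eslint-disable @typescript-eslint/no-explicit-any` unnecessary. A short TSDoc stating the intended use (the type of the value a given promise resolves to) would also help, since the name alone does not say whether nested promises are unwrapped.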
Expand Up @@ -17,6 +17,7 @@ import type {
import type { PluginStartContract as AlertsPluginStartContract } from '@kbn/alerting-plugin/server';
import type { CloudSetup } from '@kbn/cloud-plugin/server';
import type { FleetActionsClientInterface } from '@kbn/fleet-plugin/server/services/actions/types';
import type { AppFeatures } from '../lib/app_features';
import {
getPackagePolicyCreateCallback,
getPackagePolicyUpdateCallback,
Expand Down Expand Up @@ -69,6 +70,7 @@ export interface EndpointAppContextServiceStartContract {
actionCreateService: ActionCreateService | undefined;
cloud: CloudSetup;
esClient: ElasticsearchClient;
appFeatures: AppFeatures;
}

/**
Expand Down Expand Up @@ -106,6 +108,7 @@ export class EndpointAppContextService {
featureUsageService,
endpointMetadataService,
esClient,
appFeatures,
} = dependencies;

registerIngestCallback(
Expand All @@ -117,7 +120,8 @@ export class EndpointAppContextService {
alerting,
licenseService,
exceptionListsClient,
cloud
cloud,
appFeatures
)
);

Expand All @@ -134,7 +138,8 @@ export class EndpointAppContextService {
featureUsageService,
endpointMetadataService,
cloud,
esClient
esClient,
appFeatures
)
);
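Review bot: `appFeatures` is threaded into `getPackagePolicyCreateCallback` and `getPackagePolicyUpdateCallback` as one more trailing positional argument, so these call sites are now a growing list of project-typed services with no names at the point of call; a single options object (`{ ..., cloud, appFeatures }`) would make the calls self-describing and stop the next service addition from touching every caller. Both callback signatures are outside this section, so this is a follow-up suggestion rather than a blocker for this commit. The new required `appFeatures` field on `EndpointAppContextServiceStartContract` deserves a one-line TSDoc; presumably it is what the policy create/update callbacks consult to decide whether protections must be disabled, but the contract itself does not say so.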
