Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution][Endpoint] Add API checks to Endpoint Policy create/update for checking endpointPolicyProtections is enabled #163429

Merged
merged 27 commits into from
Aug 11, 2023
Merged

[Security Solution][Endpoint] Add API checks to Endpoint Policy create/update for checking endpointPolicyProtections is enabled #163429

Show file tree
Hide file tree
Changes from 23 commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
eb66569
changes for default policy
paul-tavares Aug 3, 2023
6b199d2
add `appFeatures` to endpoint server side services and pass it down t…
paul-tavares Aug 3, 2023
cb8b985
add `disableAllPolicyProtections()` and use it in policy create
paul-tavares Aug 3, 2023
de9151c
refactor: use existing helpers to turn off protections
paul-tavares Aug 3, 2023
b397446
add test for `setPolicyToEventCollectionOnly()`
paul-tavares Aug 3, 2023
ae96184
fix test
paul-tavares Aug 3, 2023
b6f6e62
add call to `setPolicyToEventCollectionOnly()` to the policy update a…
paul-tavares Aug 3, 2023
d1e50cb
implementation of `isPolicySetToEventCollectionOnly()` + tests (not p…
paul-tavares Aug 4, 2023
96996b6
Fix logic for `isPolicySetToEventCollectionOnly()` + add tests
paul-tavares Aug 4, 2023
aeeaa16
use `AppFeatureSecurityKey` enum
paul-tavares Aug 4, 2023
3eabe35
utility to create internal SO client
paul-tavares Aug 4, 2023
f0cbc1c
Add migration step to the Plugin that will check if protections shoul…
paul-tavares Aug 4, 2023
5867b74
Logic to update policies that have protections enabled
paul-tavares Aug 7, 2023
26700a1
Fix endpoint context mock + tests for fleet integrations
paul-tavares Aug 7, 2023
e11b7ef
Centralized mock for AppFeatures
paul-tavares Aug 7, 2023
117bc6b
Tests for `createDefaultPolicy()` and use of appFeatures to adjust po…
paul-tavares Aug 7, 2023
784764d
Tests for Update integration policy fleet api extension
paul-tavares Aug 7, 2023
213d13e
Added utility type: `PromiseResolvedValue<>`
paul-tavares Aug 8, 2023
9c7b859
initial test for `turnOffPolicyProtections()`
paul-tavares Aug 8, 2023
d263339
tests for `turnOffPolicyProtections()`
paul-tavares Aug 8, 2023
ba7a4c8
fix AppFeatures mock
paul-tavares Aug 8, 2023
717054b
Merge branch 'main' into task/olm-7232-api-policy-watcher-for-serverl…
paul-tavares Aug 10, 2023
eff88cf
Merge branch 'main' into task/olm-7232-api-policy-watcher-for-serverl…
paul-tavares Aug 10, 2023
8fa8ec4
code review updates
paul-tavares Aug 10, 2023
8658745
Merge remote-tracking branch 'origin/task/olm-7232-api-policy-watcher…
paul-tavares Aug 10, 2023
f08dbb6
Adjust looping logic for adjust policies
paul-tavares Aug 11, 2023
abc633e
Merge remote-tracking branch 'upstream/main' into task/olm-7232-api-p…
paul-tavares Aug 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
242 changes: 229 additions & 13 deletions x-pack/plugins/security_solution/common/endpoint/models/policy_config_helpers.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,19 @@
*/

import type { PolicyConfig } from '../types';
import { ProtectionModes } from '../types';
import { PolicyOperatingSystem, ProtectionModes } from '../types';
import { policyFactory } from './policy_config';
import { disableProtections } from './policy_config_helpers';
import {
disableProtections,
isPolicySetToEventCollectionOnly,
setPolicyToEventCollectionOnly,
} from './policy_config_helpers';
import { set } from 'lodash';

describe('Policy Config helpers', () => {
describe('disableProtections', () => {
it('disables all the protections in the default policy', () => {
expect(disableProtections(policyFactory())).toEqual<PolicyConfig>(eventsOnlyPolicy);
expect(disableProtections(policyFactory())).toEqual<PolicyConfig>(eventsOnlyPolicy());
});

it('does not enable supported fields', () => {
Expand Down Expand Up @@ -51,20 +56,20 @@ describe('Policy Config helpers', () => {
};

const expectedPolicyWithoutSupportedProtections: PolicyConfig = {
...eventsOnlyPolicy,
...eventsOnlyPolicy(),
windows: {
...eventsOnlyPolicy.windows,
...eventsOnlyPolicy().windows,
memory_protection: notSupported,
behavior_protection: notSupportedBehaviorProtection,
ransomware: notSupported,
},
mac: {
...eventsOnlyPolicy.mac,
...eventsOnlyPolicy().mac,
memory_protection: notSupported,
behavior_protection: notSupportedBehaviorProtection,
},
linux: {
...eventsOnlyPolicy.linux,
...eventsOnlyPolicy().linux,
memory_protection: notSupported,
behavior_protection: notSupportedBehaviorProtection,
},
Expand Down Expand Up @@ -104,10 +109,10 @@ describe('Policy Config helpers', () => {
};

const expectedPolicy: PolicyConfig = {
...eventsOnlyPolicy,
windows: { ...eventsOnlyPolicy.windows, events: { ...windowsEvents } },
mac: { ...eventsOnlyPolicy.mac, events: { ...macEvents } },
linux: { ...eventsOnlyPolicy.linux, events: { ...linuxEvents } },
...eventsOnlyPolicy(),
windows: { ...eventsOnlyPolicy().windows, events: { ...windowsEvents } },
mac: { ...eventsOnlyPolicy().mac, events: { ...macEvents } },
linux: { ...eventsOnlyPolicy().linux, events: { ...linuxEvents } },
};

const inputPolicy = {
Expand All @@ -120,11 +125,222 @@ describe('Policy Config helpers', () => {
expect(disableProtections(inputPolicy)).toEqual<PolicyConfig>(expectedPolicy);
});
});

describe('setPolicyToEventCollectionOnly()', () => {
it('should set the policy to event collection only', () => {
expect(setPolicyToEventCollectionOnly(policyFactory())).toEqual({
linux: {
advanced: {
capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH',
},
behavior_protection: {
mode: 'off',
reputation_service: false,
supported: true,
},
events: {
file: true,
network: true,
process: true,
session_data: false,
tty_io: false,
},
logging: {
file: 'info',
},
malware: {
blocklist: false,
mode: 'off',
},
memory_protection: {
mode: 'off',
supported: true,
},
popup: {
behavior_protection: {
enabled: false,
message: '',
},
malware: {
enabled: false,
message: '',
},
memory_protection: {
enabled: false,
message: '',
},
},
},
mac: {
advanced: {
capture_env_vars:
'DYLD_INSERT_LIBRARIES,DYLD_FRAMEWORK_PATH,DYLD_LIBRARY_PATH,LD_PRELOAD',
},
behavior_protection: {
mode: 'off',
reputation_service: false,
supported: true,
},
events: {
file: true,
network: true,
process: true,
},
logging: {
file: 'info',
},
malware: {
blocklist: false,
mode: 'off',
},
memory_protection: {
mode: 'off',
supported: true,
},
popup: {
behavior_protection: {
enabled: false,
message: '',
},
malware: {
enabled: false,
message: '',
},
memory_protection: {
enabled: false,
message: '',
},
},
},
meta: {
cloud: false,
cluster_name: '',
cluster_uuid: '',
license: '',
license_uid: '',
},
windows: {
antivirus_registration: {
enabled: false,
},
attack_surface_reduction: {
credential_hardening: {
enabled: false,
},
},
behavior_protection: {
mode: 'off',
reputation_service: false,
supported: true,
},
malware: {
blocklist: false,
mode: 'off',
},
memory_protection: {
mode: 'off',
supported: true,
},
ransomware: {
mode: 'off',
supported: true,
},
events: {
credential_access: true,
dll_and_driver_load: true,
dns: true,
file: true,
network: true,
process: true,
registry: true,
security: true,
},
logging: {
file: 'info',
},
popup: {
behavior_protection: {
enabled: false,
message: '',
},
malware: {
enabled: false,
message: '',
},
memory_protection: {
enabled: false,
message: '',
},
ransomware: {
enabled: false,
message: '',
},
},
},
gergoabraham marked this conversation as resolved.
Show resolved Hide resolved
});
});
});

describe('isPolicySetToEventCollectionOnly', () => {
let policy: PolicyConfig;

beforeEach(() => {
policy = setPolicyToEventCollectionOnly(policyFactory());
});

it.each([
{
keyPath: `${PolicyOperatingSystem.windows}.malware.mode`,
keyValue: ProtectionModes.prevent,
expectedResult: false,
},
{
keyPath: `${PolicyOperatingSystem.mac}.malware.mode`,
keyValue: ProtectionModes.off,
expectedResult: true,
},
{
keyPath: `${PolicyOperatingSystem.windows}.ransomware.mode`,
keyValue: ProtectionModes.prevent,
expectedResult: false,
},
{
keyPath: `${PolicyOperatingSystem.linux}.memory_protection.mode`,
keyValue: ProtectionModes.off,
expectedResult: true,
},
{
keyPath: `${PolicyOperatingSystem.mac}.behavior_protection.mode`,
keyValue: ProtectionModes.detect,
expectedResult: false,
},
{
keyPath: `${PolicyOperatingSystem.windows}.attack_surface_reduction.credential_hardening.enabled`,
keyValue: true,
expectedResult: false,
},
{
keyPath: `${PolicyOperatingSystem.windows}.antivirus_registration.enabled`,
keyValue: true,
expectedResult: false,
},
])(
'should return `$expectedResult` if `$keyPath` is set to `$keyValue`',
({ keyPath, keyValue, expectedResult }) => {
set(policy, keyPath, keyValue);

expect(isPolicySetToEventCollectionOnly(policy)).toEqual({
isOnlyCollectingEvents: expectedResult,
message: expectedResult ? undefined : `property [${keyPath}] is set to [${keyValue}]`,
});
}
);
});
});

// This constant makes sure that if the type `PolicyConfig` is ever modified,
// the logic for disabling protections is also modified due to type check.
export const eventsOnlyPolicy: PolicyConfig = {
export const eventsOnlyPolicy = (): PolicyConfig => ({
meta: { license: '', cloud: false, license_uid: '', cluster_name: '', cluster_uuid: '' },
windows: {
events: {
Expand Down Expand Up @@ -187,4 +403,4 @@ export const eventsOnlyPolicy: PolicyConfig = {
capture_env_vars: 'LD_PRELOAD,LD_LIBRARY_PATH',
},
},
};
});
Loading