[Security Solution] Adds a version and OS check for Host Isolation #103026
Conversation
kevinlog
added
v7.14.0
v8.0.0
release_note:feature
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
|
@elasticmachine merge upstream |
…restrict-os-and-version-for-host-isolation
kevinlog
force-pushed
the
task/restrict-os-and-version-for-host-isolation
branch
from
632a5f3
to
bf5d968
Compare
| @@ -102,7 +102,7 @@ export class BaseDataGenerator<GeneratedDoc extends {} = {}> { | |||
| } | |||
|
|
|||
| protected randomVersion(): string { | |||
| return [6, ...this.randomNGenerator(10, 2)].map((x) => x.toString()).join('.'); | |||
| return [7, ...this.randomNGenerator(20, 2)].map((x) => x.toString()).join('.'); | |||
There was a problem hiding this comment.
Make the version generator possible to be 7.14.0+ to ensure fake docs will pass the version check.
| @@ -51,7 +51,7 @@ export const ANCESTRY_LIMIT: number = 2; | |||
|
|
|||
| const Windows: OSFields[] = [ | |||
| { | |||
| name: 'windows 10.0', | |||
| name: 'Windows', | |||
There was a problem hiding this comment.
Update the name field for OS in the generator to reflect reality from the Endpoint: https://github.com/elastic/endpoint-dev/blob/d233f42dde60a05fbfbd194695236c0c09341aa7/Elastic/Libraries/ECS/Lib/Constants.cpp#L192-L201
|
@elasticmachine merge upstream |
| @@ -62,7 +67,7 @@ export const useEndpointActionItems = ( | |||
|
|
|||
| const isolationActions = []; | |||
|
|
|||
| if (isIsolated) { | |||
| if (isIsolated && isolationSupported) { | |||
There was a problem hiding this comment.
What are the (rather odd) chances that someone "isolated" an unsupported host via other means and now they can't release it through the UI?
Is this check necessary? if a host can't be isolated, certainly they should never reach the first part of the condition
There was a problem hiding this comment.
In this case, if Isolation isn't supported, the Endpoint would never be able to actually isolate, even if we sent it an action. The Endpoint would ignore it because it doesn't recognize the action request. This will be true for old Endpoints and for Linux Endpoints in 7.14.
There was a problem hiding this comment.
I'm thinking that regardless if it is supported or not, if we know the host is isolated, then we should allow unisolate. Hopefully this will never happen, but to be safe, I would revert this change here
| <EuiSpacer size="l" /> | ||
| </EuiFlyoutFooter> | ||
| )} | ||
| {isIsolationAllowed && |
There was a problem hiding this comment.
I have a concern about hiding the TakeActionDropdown in its entirety. Are we planning to use this dropdown to add more actions later other than isolate?
There was a problem hiding this comment.
@academo we will add new actions in the future, but currently there is just the one. We would revisit this check when the time comes
|
|
||
| import { isVersionSupported, isOsSupported, isIsolationSupported } from './utils'; | ||
|
|
||
| describe('Host Isolation utils isVersionSupported', () => { |
There was a problem hiding this comment.
not necessary to take action:
Jest support table tests which makes these kind of repetitive tests easier to read and write.
There was a problem hiding this comment.
Example:
test.each`
a | b | expected
${'8.14.9'} | ${'7.13.0'} | ${true}
${'8.14.9'} | ${'9.14.0'} | ${false}
`('should validate that version $a is equal($expected) to $b', ({ a, b, expected }) => {
expect(
isVersionSupported({
currentVersion: a,
minVersionRequired: b,
})
).toEqual(expected);
});
There was a problem hiding this comment.
thanks for the tip, I didn't know that! I've refactored my tests to reflect it.
| minVersionRequired: string; | ||
| }) => { | ||
| const parsedCurrentVersion = currentVersion.includes('-SNAPSHOT') | ||
| ? currentVersion.substring(0, currentVersion.length - 9) |
There was a problem hiding this comment.
Maybe ok for now, but semver can actually have other suffixes like -beta, -alpha, -build, etc. (reference).
My suggestion here is to instead take everything before the dash:
| ? currentVersion.substring(0, currentVersion.length - 9) | |
| ? currentVersion.substring(0, currentVersion.indexOf('-')) |
Another alternative - use the semver package that is already available in kibana's node_modules
| @@ -62,7 +67,7 @@ export const useEndpointActionItems = ( | |||
|
|
|||
| const isolationActions = []; | |||
|
|
|||
| if (isIsolated) { | |||
| if (isIsolated && isolationSupported) { | |||
There was a problem hiding this comment.
I'm thinking that regardless if it is supported or not, if we know the host is isolated, then we should allow unisolate. Hopefully this will never happen, but to be safe, I would revert this change here
…restrict-os-and-version-for-host-isolation
💚 Build SucceededMetrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: |
kevinlog
added
the
auto-backport
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
Summary
This PR restricts Host Isolation access in the UI based on Agent version and OS.
We need to drop Linux support for the first release. In addition, we should disallow Host Isolation actions if the Agent/Endpoint is under
7.14.0.I have the functions set up so that we should also be able to restrict based on this via the API
7.14.0 Endpoint with Windows:
Under 7.14.0 Endpoint:
Checklist
Delete any items that are not applicable to this PR.