-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Adds a version and OS check for Host Isolation #103026
[Security Solution] Adds a version and OS check for Host Isolation #103026
Conversation
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
@elasticmachine merge upstream |
…restrict-os-and-version-for-host-isolation
632a5f3
to
bf5d968
Compare
@@ -102,7 +102,7 @@ export class BaseDataGenerator<GeneratedDoc extends {} = {}> { | |||
} | |||
|
|||
protected randomVersion(): string { | |||
return [6, ...this.randomNGenerator(10, 2)].map((x) => x.toString()).join('.'); | |||
return [7, ...this.randomNGenerator(20, 2)].map((x) => x.toString()).join('.'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make the version generator possible to be 7.14.0+ to ensure fake docs will pass the version check.
@@ -51,7 +51,7 @@ export const ANCESTRY_LIMIT: number = 2; | |||
|
|||
const Windows: OSFields[] = [ | |||
{ | |||
name: 'windows 10.0', | |||
name: 'Windows', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update the name
field for OS in the generator to reflect reality from the Endpoint: https://github.com/elastic/endpoint-dev/blob/d233f42dde60a05fbfbd194695236c0c09341aa7/Elastic/Libraries/ECS/Lib/Constants.cpp#L192-L201
@elasticmachine merge upstream |
@@ -62,7 +67,7 @@ export const useEndpointActionItems = ( | |||
|
|||
const isolationActions = []; | |||
|
|||
if (isIsolated) { | |||
if (isIsolated && isolationSupported) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What are the (rather odd) chances that someone "isolated" an unsupported host via other means and now they can't release it through the UI?
Is this check necessary? if a host can't be isolated, certainly they should never reach the first part of the condition
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this case, if Isolation isn't supported, the Endpoint would never be able to actually isolate, even if we sent it an action. The Endpoint would ignore it because it doesn't recognize the action request. This will be true for old Endpoints and for Linux Endpoints in 7.14
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking that regardless if it is supported or not, if we know the host is isolated, then we should allow unisolate
. Hopefully this will never happen, but to be safe, I would revert this change here
<EuiSpacer size="l" /> | ||
</EuiFlyoutFooter> | ||
)} | ||
{isIsolationAllowed && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a concern about hiding the TakeActionDropdown in its entirety. Are we planning to use this dropdown to add more actions later other than isolate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@academo we will add new actions in the future, but currently there is just the one. We would revisit this check when the time comes
|
||
import { isVersionSupported, isOsSupported, isIsolationSupported } from './utils'; | ||
|
||
describe('Host Isolation utils isVersionSupported', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not necessary to take action:
Jest support table tests which makes these kind of repetitive tests easier to read and write.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Example:
test.each`
a | b | expected
${'8.14.9'} | ${'7.13.0'} | ${true}
${'8.14.9'} | ${'9.14.0'} | ${false}
`('should validate that version $a is equal($expected) to $b', ({ a, b, expected }) => {
expect(
isVersionSupported({
currentVersion: a,
minVersionRequired: b,
})
).toEqual(expected);
});
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the tip, I didn't know that! I've refactored my tests to reflect it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left some comments. Let me know if you have any questions
minVersionRequired: string; | ||
}) => { | ||
const parsedCurrentVersion = currentVersion.includes('-SNAPSHOT') | ||
? currentVersion.substring(0, currentVersion.length - 9) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe ok for now, but semver can actually have other suffixes like -beta
, -alpha
, -build
, etc. (reference).
My suggestion here is to instead take everything before the dash:
? currentVersion.substring(0, currentVersion.length - 9) | |
? currentVersion.substring(0, currentVersion.indexOf('-')) |
Another alternative - use the semver
package that is already available in kibana's node_modules
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@@ -62,7 +67,7 @@ export const useEndpointActionItems = ( | |||
|
|||
const isolationActions = []; | |||
|
|||
if (isIsolated) { | |||
if (isIsolated && isolationSupported) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking that regardless if it is supported or not, if we know the host is isolated, then we should allow unisolate
. Hopefully this will never happen, but to be safe, I would revert this change here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚢
👍
…restrict-os-and-version-for-host-isolation
💚 Build SucceededMetrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: |
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
Summary
This PR restricts Host Isolation access in the UI based on Agent version and OS.
We need to drop Linux support for the first release. In addition, we should disallow Host Isolation actions if the Agent/Endpoint is under
7.14.0
.I have the functions set up so that we should also be able to restrict based on this via the API
7.14.0 Endpoint with Windows:
Under 7.14.0 Endpoint:
Checklist
Delete any items that are not applicable to this PR.