[SECURITY_SOLUTION] 145: Advanced Policy UI#80390
[SECURITY_SOLUTION] 145: Advanced Policy UI#80390jmiller263 merged 54 commits intoelastic:masterfrom
Conversation
…ps://github.com/paul-tavares/kibana into task/145_advanced_policy_poc
...ck/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
Show resolved
Hide resolved
| */ | ||
| export interface PolicyConfig { | ||
| windows: { | ||
| advanced?: AdvancedFields; // will be introduced in 7.11+ |
There was a problem hiding this comment.
For the type failure - you can actually keep this, but have it accept any object since the advanced section can dynamically accept a set of integrations.
Something like this should work:
...
windows {
advanced?: {};
...
}
...@paul-tavares @parkiino let me know your thoughts
There was a problem hiding this comment.
yeah that makes sense to me
| }; | ||
| } | ||
|
|
||
| export interface AdvancedFields { |
| /** | ||
| * Windows-specific policy configuration that is supported via the UI | ||
| */ | ||
| windows: Pick<PolicyConfig['windows'], 'events' | 'malware' | 'popup' | 'advanced'>; |
There was a problem hiding this comment.
and then add these sections back in
|
@jmiller263 - apologies, I miscommunicated on deleting the See my comments here: 8bd1ef6 |
There was a problem hiding this comment.
@jmiller263 awsome job on this. I provided some feedback through the code and have the following additional comments:
- For the Advanced section items - will the "description" be shown once we know what that is? if so, where? (I assume you will use the "helpText" from the
FormRow, just checking) - For the layout design I wonder if using the "Described Form Groups" would work best - it would display the option label + description to the left and the input field on the right. ref: https://elastic.github.io/eui/#/forms/form-layouts#described-form-groups
- I think this one might be the more critical one - once I add an advanced option value and save it, the actual
advancedsection and associated leafKey will never be removed from the policy, even when the user comes later and remove the value from the input field. I guess the question really is: what does the endpoint do in this case?
My quick test was:- pull up a policy for edit - ensure that the advanced section does not exist in the API data.
- in the policy UI, add value to one of the fields and save. This created the advanced section in the policy API data and sets the value (all good)
- bring up the policy again for edit, and remove the value from the option (no other option had values) and save. This does set the value to an empty string, but the advanced section along with the leafKey remains there.
Also,
Can we write up some tests for the work done on this PR? (can be a separate issue for tracking)
...ck/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/policy/models/policy_details_config.ts
Show resolved
Hide resolved
| if (policyDetailsConfig) { | ||
| const newPayload = cloneDeep(policyDetailsConfig); | ||
| setValue( | ||
| (newPayload as unknown) as Record<string, unknown>, |
There was a problem hiding this comment.
We should open a tech debt issue to see if we can remove all of these type castings, as they essentially turn off the benefits of the type system
| newPolicyConfig[path[path.length - 1]] = value; | ||
| } | ||
|
|
||
| function getValue(obj: Record<string, unknown>, path: string[]) { |
There was a problem hiding this comment.
you shoudl add a return type to this function (string right?)
There was a problem hiding this comment.
yes for the return in L37 it'll be a string. is it still ok to return undefined in L34 if the return type is string?
There was a problem hiding this comment.
you can add both types to the function's return signature:
| function getValue(obj: Record<string, unknown>, path: string[]) { | |
| function getValue(obj: Record<string, unknown>, path: string[]): string | undefined { |
There was a problem hiding this comment.
actually since currentPolicyConfig is type Record<string, unknown>, L37 is returning type unknown; should i be casting to a string? how does the return type help here?
| </EuiText> | ||
| } | ||
| > | ||
| <EuiFieldText fullWidth value={value as string} onChange={onChange} /> |
There was a problem hiding this comment.
I think this casting can be avoiced if you change value above to:
const value = policyDetailsConfig ? getValue((policyDetailsConfig as unknown) as Record<string, unknown>, configPath) : '';
x-pack/plugins/security_solution/public/management/pages/policy/view/policy_details.tsx
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/policy/view/policy_advanced.tsx
Show resolved
Hide resolved
paul-tavares
left a comment
There was a problem hiding this comment.
Awesome job 🤩
👍 🚢 🚀
| newPolicyConfig[path[path.length - 1]] = value; | ||
| } | ||
|
|
||
| function getValue(obj: Record<string, unknown>, path: string[]) { |
There was a problem hiding this comment.
you can add both types to the function's return signature:
| function getValue(obj: Record<string, unknown>, path: string[]) { | |
| function getValue(obj: Record<string, unknown>, path: string[]): string | undefined { |
💚 Build SucceededMetrics [docs]@kbn/optimizer bundle module count
async chunks size
History
To update your PR or re-run it, just comment with: |
ferullo
left a comment
There was a problem hiding this comment.
Options LGTM. Endpoint will have to full audit them again and add/remove things before this ships, as we'll always have to do.
| key: 'mac.advanced.kernel.harden', | ||
| first_supported_version: '7.11', | ||
| documentation: '', | ||
| }, |
There was a problem hiding this comment.
@bjmcnic @willyu-elastic do we want this (mac.advanced.kernel.harden) to remain the advanced option or should we make it something like mac.advanced.harden.enabled so we can add other options nested under harden and it's not conceptually nested under "kernel"?
There was a problem hiding this comment.
I would prefer to move it to mac.advanced.harden.enabled
| documentation: '', | ||
| }, | ||
| { | ||
| key: 'windows.advanced.kernel.harden', |
There was a problem hiding this comment.
I agree this should move out of kernel given the direction we're going. My concern with something like windows.advanced.harden.enabled would be that what that really refers to is a a parallel technique for protecting our process that will remain useful on Windows 7 and 8.0 if we wish to use it, and while in some ways redundant, would still function even while PPL'd. Perhaps windows.advanced.harden.selfprotectprocess would resolve the ambiguity of simply enabled? @gabriellandau @ferullo @willyu-elastic
There was a problem hiding this comment.
that really refers to is a a parallel technique for protecting our process that will remain useful on Windows 7 and 8.0 if we wish to use it
I don't want to support this. I would, however, like a way to opt out of PPL for debugging/troubleshooting purposes. Is that feasible?
There was a problem hiding this comment.
I mean, while anything is possible in software, it'd be significant change to have our install/uninstall logic parse and respect the config. Additionally, dynamic reconfigs that toggled PPL would force service restarts. As such, I don't believe having PPL as opt-in/out in the config makes sense. However, it wouldn't be difficult to allow our executable to install without PPL, or to modify an existing PPL install to un-PPL it and restart it.
In regards to this issue though, are you suggesting we remove the current harden option then? And we could add new options (password protected uninstall, etc.) in a later release?
There was a problem hiding this comment.
This is carried forward from Endgame. If we had crashes or hangs before whitelists were applied, we would crash and WER wouldn't be able to dump us. We couldn't attach a debugger. Trusted Apps are applied as part of whitelists, so they're ineffective until whitelists are installed. This feature gave us a kill switch for such situations, though it was cumbersome to enable (modifying files on the SMP and generating new deployment profiles).
bDisableHardening is a parameter we have to pass when handshaking with the driver. When I added it for Elastic, hardening was enabled by default. Rather than hard-coding it to false, I exposed it as an opt-out advanced config option like we did for Endgame. We disabled legacy hardening on Elastic almost immediately thereafter (before that release was made), so it's an unused feature.
are you suggesting we remove the current harden option then
Yes, unless we clearly and conspicuously indicate that it is an untested and unsupported feature. I worry some users will turn it on anyway and contact us when something doesn't work as expected.
I mean, while anything is possible in software, it'd be significant change to have our install/uninstall logic parse and respect the config
Understood. You've put more thought into this than me. I'm just wondering if there's a way to force the Win7 install behavior on Win8.1+ as a troubleshooting mechanism. It doesn't have to be through policy, and doesn't have to be toggle-able. If, for example, we crash on Win8.1 and earlier builds of Win10/Server, WER will encrypt our dumps, making them useless to us. This doesn't have to be in the initial push.
There was a problem hiding this comment.
I shouldn't have pinged on this topic here. Let's move this to an endpoint-dev issue discussion so we don't co-opt Jane's PR. This PR is just mirroring the Endpoint's advanced configuration. We'll revisit what is in this document before it is released to make sure it is in sync with the options Endpoint actually supports.
There was a problem hiding this comment.
thanks all for the feedback. merging this, and we can open a follow-on PR to make sure the schema is exactly right.
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
|
@kevinlog should i backport this? |
* Create Policies for each generated host * Refactor Ingest setup to also setup Fleet * Rename prop name * Add generic response type to KbnClient.request + support for headers * first attempt at adding fleet agent registration * a little closer with fleet integration * SUCCESS. Able to enroll agent and set it to online * update names to be policy * policy generator has advanced types in endpoint confit * linting * flesh out callback * add submit button for verify_peer * add verify hostname field * 145 generalize cb * 145 fix setAgain and getValue * 145 merge conflict * 145 add verify_hostname back, start loop for form * 145 remove OS trick * 145 make AdvancedPolicyForms its own component * 145 grid partially working * 145 back to basics * 145 back to basics * 145 rolled back grid * 145 flex table working * 145 undo accidental change * 145 remove extra schema file * 145 remove unused variable * 145 kevin's PR feedback * 145 fix type check and jest * 145 EuiFlexGroups * 145 use simple EuiFormRow and add show/hide buttons * 145 move all advanced policy code to advanced file; remove unnec test code * 145 fix IDs * 145 take out unnecessary stuff * 145 removed a couple more lines * 145 add some fields back in * 145 add spacer Co-authored-by: Paul Tavares <paul.tavares@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: kevinlog <kevin.logan@elastic.co> Co-authored-by: Candace Park <candace.park@elastic.co> Co-authored-by: Paul Tavares <paul.tavares@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: kevinlog <kevin.logan@elastic.co> Co-authored-by: Candace Park <candace.park@elastic.co>
Summary
This PR adds a UI for Advanced Policy:
Checklist
Delete any items that are not applicable to this PR.
For maintainers