Skip to content

Commit

Permalink
[8.x] [EDR Workflows] Add Signer option to Mac trusted apps (#197821) (
Browse files Browse the repository at this point in the history
…#200566)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] Add Signer option to Mac trusted apps
(#197821)](#197821)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-18T13:20:54Z","message":"[EDR
Workflows] Add Signer option to Mac trusted apps (#197821)\n\nThis PR
adds a Signer condition for trusted apps on macOS. Previously,\r\nusers
could only build conditions using hash, path, and signer options\r\non
Windows. With these changes, macOS also supports the Signer
option,\r\nleaving only Linux limited to Path and Hash
options.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ea8fb734-7884-451d-8873-e3a29861876b","sha":"55134abbedaf64dba41455b8f8fb6f97f162a0d6","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["v9.0.0","Team:Defend
Workflows","release_note:feature","ci:cloud-deploy","ci:cloud-redeploy","backport:version","v8.17.0"],"title":"[EDR
Workflows] Add Signer option to Mac trusted
apps","number":197821,"url":"https://github.com/elastic/kibana/pull/197821","mergeCommit":{"message":"[EDR
Workflows] Add Signer option to Mac trusted apps (#197821)\n\nThis PR
adds a Signer condition for trusted apps on macOS. Previously,\r\nusers
could only build conditions using hash, path, and signer options\r\non
Windows. With these changes, macOS also supports the Signer
option,\r\nleaving only Linux limited to Path and Hash
options.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ea8fb734-7884-451d-8873-e3a29861876b","sha":"55134abbedaf64dba41455b8f8fb6f97f162a0d6"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197821","number":197821,"mergeCommit":{"message":"[EDR
Workflows] Add Signer option to Mac trusted apps (#197821)\n\nThis PR
adds a Signer condition for trusted apps on macOS. Previously,\r\nusers
could only build conditions using hash, path, and signer options\r\non
Windows. With these changes, macOS also supports the Signer
option,\r\nleaving only Linux limited to Path and Hash
options.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ea8fb734-7884-451d-8873-e3a29861876b","sha":"55134abbedaf64dba41455b8f8fb6f97f162a0d6"}},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Konrad Szwarc <[email protected]>
  • Loading branch information
kibanamachine and szwarckonrad authored Nov 18, 2024
1 parent a813573 commit 3cb4e1e
Show file tree
Hide file tree
Showing 14 changed files with 586 additions and 105 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -21,19 +21,22 @@ export enum ConditionEntryField {
HASH = 'process.hash.*',
PATH = 'process.executable.caseless',
SIGNER = 'process.Ext.code_signature',
SIGNER_MAC = 'process.code_signature',
}

export enum EntryFieldType {
HASH = '.hash.',
EXECUTABLE = '.executable.caseless',
PATH = '.path',
SIGNER = '.Ext.code_signature',
SIGNER = '.code_signature',
}

export type TrustedAppConditionEntryField =
| 'process.hash.*'
| 'process.executable.caseless'
| 'process.Ext.code_signature';
| 'process.Ext.code_signature'
| 'process.code_signature';

export type BlocklistConditionEntryField =
| 'file.hash.*'
| 'file.path'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,9 @@ import type {
ExceptionListItemSchema,
CreateExceptionListItemSchema,
UpdateExceptionListItemSchema,
EntriesArray,
} from '@kbn/securitysolution-io-ts-list-types';
import {
ENDPOINT_EVENT_FILTERS_LIST_ID,
ENDPOINT_TRUSTED_APPS_LIST_ID,
ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID,
ENDPOINT_BLOCKLISTS_LIST_ID,
} from '@kbn/securitysolution-list-constants';
import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
import { ConditionEntryField } from '@kbn/securitysolution-utils';
import { BaseDataGenerator } from './base_data_generator';
import { BY_POLICY_ARTIFACT_TAG_PREFIX, GLOBAL_ARTIFACT_TAG } from '../service/artifacts/constants';
Expand Down Expand Up @@ -150,7 +146,7 @@ export class ExceptionsListItemGenerator extends BaseDataGenerator<ExceptionList
generateTrustedApp(overrides: Partial<ExceptionListItemSchema> = {}): ExceptionListItemSchema {
return this.generate({
name: `Trusted app (${this.randomString(5)})`,
list_id: ENDPOINT_TRUSTED_APPS_LIST_ID,
list_id: ENDPOINT_ARTIFACT_LISTS.trustedApps.id,
...overrides,
});
}
Expand All @@ -173,10 +169,33 @@ export class ExceptionsListItemGenerator extends BaseDataGenerator<ExceptionList
};
}

generateTrustedAppSignerEntry(os = 'windows'): EntriesArray {
return [
{
field: os === 'windows' ? 'process.Ext.code_signature' : 'process.code_signature',
entries: [
{
field: 'trusted',
value: 'true',
type: 'match',
operator: 'included',
},
{
field: 'subject_name',
value: 'foo',
type: 'match',
operator: 'included',
},
],
type: 'nested',
},
];
}

generateEventFilter(overrides: Partial<ExceptionListItemSchema> = {}): ExceptionListItemSchema {
return this.generate({
name: `Event filter (${this.randomString(5)})`,
list_id: ENDPOINT_EVENT_FILTERS_LIST_ID,
list_id: ENDPOINT_ARTIFACT_LISTS.eventFilters.id,
entries: [
{
field: 'process.pe.company',
Expand Down Expand Up @@ -224,7 +243,7 @@ export class ExceptionsListItemGenerator extends BaseDataGenerator<ExceptionList
): ExceptionListItemSchema {
return this.generate({
name: `Host Isolation (${this.randomString(5)})`,
list_id: ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID,
list_id: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id,
os_types: ['macos', 'linux', 'windows'],
entries: [
{
Expand Down Expand Up @@ -308,7 +327,7 @@ export class ExceptionsListItemGenerator extends BaseDataGenerator<ExceptionList

return this.generate({
name: `Blocklist ${this.randomString(5)}`,
list_id: ENDPOINT_BLOCKLISTS_LIST_ID,
list_id: ENDPOINT_ARTIFACT_LISTS.blocklists.id,
item_id: `generator_endpoint_blocklist_${this.seededUUIDv4()}`,
tags: [this.randomChoice([BY_POLICY_ARTIFACT_TAG_PREFIX, GLOBAL_ARTIFACT_TAG])],
os_types: [os],
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,8 @@ import {
import { ConditionEntryField, OperatingSystem } from '@kbn/securitysolution-utils';
import type {
TrustedAppConditionEntry,
NewTrustedApp,
PutTrustedAppsRequestParams,
NewTrustedApp,
} from '../types';

describe('When invoking Trusted Apps Schema', () => {
Expand Down Expand Up @@ -105,14 +105,15 @@ describe('When invoking Trusted Apps Schema', () => {
value: 'c:/programs files/Anti-Virus',
...(data || {}),
});
const createNewTrustedApp = <T>(data?: T): NewTrustedApp => ({
name: 'Some Anti-Virus App',
description: 'this one is ok',
os: OperatingSystem.WINDOWS,
effectScope: { type: 'global' },
entries: [createConditionEntry()],
...(data || {}),
});
const createNewTrustedApp = <T>(data?: T): NewTrustedApp =>
({
name: 'Some Anti-Virus App',
description: 'this one is ok',
os: OperatingSystem.WINDOWS,
effectScope: { type: 'global' },
entries: [createConditionEntry()],
...(data || {}),
} as NewTrustedApp);
const body = PostTrustedAppCreateRequestSchema.body;

it('should not error on a valid message', () => {
Expand Down Expand Up @@ -389,14 +390,15 @@ describe('When invoking Trusted Apps Schema', () => {
value: 'c:/programs files/Anti-Virus',
...(data || {}),
});
const createNewTrustedApp = <T>(data?: T): NewTrustedApp => ({
name: 'Some Anti-Virus App',
description: 'this one is ok',
os: OperatingSystem.WINDOWS,
effectScope: { type: 'global' },
entries: [createConditionEntry()],
...(data || {}),
});
const createNewTrustedApp = <T>(data?: T): NewTrustedApp =>
({
name: 'Some Anti-Virus App',
description: 'this one is ok',
os: OperatingSystem.WINDOWS,
effectScope: { type: 'global' },
entries: [createConditionEntry()],
...(data || {}),
} as NewTrustedApp);

const updateParams = <T>(data?: T): PutTrustedAppsRequestParams => ({
id: 'validId',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,15 @@ const LinuxEntrySchema = schema.object({

const MacEntrySchema = schema.object({
...CommonEntrySchema,
field: schema.oneOf([
schema.literal(ConditionEntryField.HASH),
schema.literal(ConditionEntryField.PATH),
schema.literal(ConditionEntryField.SIGNER_MAC),
]),
value: schema.string({
validate: (field: string) =>
field.length > 0 ? undefined : `invalidField.${ConditionEntryField.SIGNER_MAC}`,
}),
});

const entriesSchemaOptions = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,23 +36,32 @@ export interface TrustedAppConditionEntry<T extends ConditionEntryField = Condit
value: string;
}

export type MacosLinuxConditionEntry = TrustedAppConditionEntry<
export type LinuxConditionEntry = TrustedAppConditionEntry<
ConditionEntryField.HASH | ConditionEntryField.PATH
>;
export type WindowsConditionEntry = TrustedAppConditionEntry<
ConditionEntryField.HASH | ConditionEntryField.PATH | ConditionEntryField.SIGNER
>;

export interface MacosLinuxConditionEntries {
os: OperatingSystem.LINUX | OperatingSystem.MAC;
entries: MacosLinuxConditionEntry[];
export type MacosConditionEntry = TrustedAppConditionEntry<
ConditionEntryField.HASH | ConditionEntryField.PATH | ConditionEntryField.SIGNER_MAC
>;

interface LinuxConditionEntries {
os: OperatingSystem.LINUX;
entries: LinuxConditionEntry[];
}

export interface WindowsConditionEntries {
interface WindowsConditionEntries {
os: OperatingSystem.WINDOWS;
entries: WindowsConditionEntry[];
}

interface MacosConditionEntries {
os: OperatingSystem.MAC;
entries: MacosConditionEntry[];
}

export interface GlobalEffectScope {
type: 'global';
}
Expand All @@ -70,7 +79,7 @@ export type NewTrustedApp = {
name: string;
description?: string;
effectScope: EffectScope;
} & (MacosLinuxConditionEntries | WindowsConditionEntries);
} & (LinuxConditionEntries | WindowsConditionEntries | MacosConditionEntries);

/** A trusted app entry */
export type TrustedApp = NewTrustedApp & {
Expand Down
Loading

0 comments on commit 3cb4e1e

Please sign in to comment.