[EDR Workflows][API] Gate Agent Tamper Protection setting on Agent Policy Settings

x-pack/packages/security-solution/features/src/app_features_keys.ts

@@ -44,6 +44,11 @@ export enum AppFeatureSecurityKey {
    */
   osqueryAutomatedResponseActions = 'osquery_automated_response_actions',
 
+  /**
+   * Enables Agent Tamper Protection
+   */
+  endpointAgentTamperProtection = 'endpoint_agent_tamper_protection',
+
   /**
    * Enables managing endpoint exceptions on rules and alerts
    */

x-pack/packages/security-solution/features/src/security/app_feature_config.ts

@@ -106,6 +106,6 @@ export const securityDefaultAppFeaturesConfig: DefaultSecurityAppFeaturesConfig
   },
 
   [AppFeatureSecurityKey.osqueryAutomatedResponseActions]: {},
-
+  [AppFeatureSecurityKey.endpointAgentTamperProtection]: {},
   [AppFeatureSecurityKey.externalRuleActions]: {},
 };

x-pack/plugins/cloud_defend/server/plugin.test.ts

@@ -25,11 +25,7 @@ import { CloudDefendPlugin } from './plugin';
 import { CloudDefendPluginStartDeps } from './types';
 import { createFleetAuthzMock } from '@kbn/fleet-plugin/common/mocks';
 import { PackagePolicy, UpdatePackagePolicy } from '@kbn/fleet-plugin/common';
-import {
-  ExternalCallback,
-  FleetStartContract,
-  PostPackagePolicyPostCreateCallback,
-} from '@kbn/fleet-plugin/server';
+import { FleetStartContract, PostPackagePolicyPostCreateCallback } from '@kbn/fleet-plugin/server';
 import { INTEGRATION_PACKAGE_NAME } from '../common/constants';
 import Chance from 'chance';
 import type { AwaitedProperties } from '@kbn/utility-types';
@@ -42,6 +38,7 @@ import {
 import { securityMock } from '@kbn/security-plugin/server/mocks';
 import { licensingMock } from '@kbn/licensing-plugin/server/mocks';
 import * as onPackagePolicyPostCreateCallback from './lib/fleet_util';
+import { ExternalCallbackType } from '@kbn/fleet-plugin/server/types';
 
 const chance = new Chance();
 
@@ -63,7 +60,7 @@ const createMockFleetStartContract = (): DeeplyMockedKeys<FleetStartContract> =>
     // @ts-expect-error 2322
     packageService: createMockPackageService(),
     agentPolicyService: createMockAgentPolicyService(),
-    registerExternalCallback: jest.fn((..._: ExternalCallback) => {}),
+    registerExternalCallback: jest.fn((..._: ExternalCallbackType) => {}),
     packagePolicyService: createPackagePolicyServiceMock(),
     createArtifactsClient: jest.fn().mockReturnValue(createArtifactsClientMock()),
   };

x-pack/plugins/cloud_security_posture/server/plugin.test.ts

@@ -32,7 +32,6 @@ import {
   UpdatePackagePolicy,
 } from '@kbn/fleet-plugin/common';
 import {
-  ExternalCallback,
   FleetStartContract,
   PostPackagePolicyPostDeleteCallback,
   PostPackagePolicyPostCreateCallback,
@@ -49,6 +48,7 @@ import {
 import { securityMock } from '@kbn/security-plugin/server/mocks';
 import { licensingMock } from '@kbn/licensing-plugin/server/mocks';
 import * as onPackagePolicyPostCreateCallback from './fleet_integration/fleet_integration';
+import { ExternalCallbackType } from '@kbn/fleet-plugin/server/types';
 
 const chance = new Chance();
 
@@ -70,7 +70,7 @@ const createMockFleetStartContract = (): DeeplyMockedKeys<FleetStartContract> =>
     // @ts-expect-error 2322
     packageService: createMockPackageService(),
     agentPolicyService: createMockAgentPolicyService(),
-    registerExternalCallback: jest.fn((..._: ExternalCallback) => {}),
+    registerExternalCallback: jest.fn((..._: ExternalCallbackType) => {}),
     packagePolicyService: createPackagePolicyServiceMock(),
     createArtifactsClient: jest.fn().mockReturnValue(createArtifactsClientMock()),
   };

x-pack/plugins/fleet/server/mocks/index.ts

@@ -157,6 +157,7 @@ export const createMockAgentPolicyService = (): jest.Mocked<AgentPolicyServiceIn
     list: jest.fn(),
     getFullAgentPolicy: jest.fn(),
     getByIds: jest.fn(),
+    bumpRevision: jest.fn(),
   };
 };
 

x-pack/plugins/fleet/server/plugin.ts

@@ -8,33 +8,32 @@
 import { backOff } from 'exponential-backoff';
 import type { Observable } from 'rxjs';
 import { BehaviorSubject } from 'rxjs';
-import { take, filter } from 'rxjs/operators';
+import { filter, take } from 'rxjs/operators';
 import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common';
 import { i18n } from '@kbn/i18n';
 import type {
   CoreSetup,
   CoreStart,
+  ElasticsearchClient,
   ElasticsearchServiceStart,
+  HttpServiceSetup,
+  KibanaRequest,
   Logger,
   Plugin,
   PluginInitializerContext,
+  SavedObjectsClientContract,
   SavedObjectsServiceStart,
-  HttpServiceSetup,
-  KibanaRequest,
   ServiceStatus,
-  ElasticsearchClient,
-  SavedObjectsClientContract,
 } from '@kbn/core/server';
+import { DEFAULT_APP_CATEGORIES, SavedObjectsClient, ServiceStatusLevels } from '@kbn/core/server';
 import type { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server';
 
 import type { TelemetryPluginSetup, TelemetryPluginStart } from '@kbn/telemetry-plugin/server';
-
-import { DEFAULT_APP_CATEGORIES, SavedObjectsClient, ServiceStatusLevels } from '@kbn/core/server';
 import type { PluginStart as DataPluginStart } from '@kbn/data-plugin/server';
 import type { LicensingPluginStart } from '@kbn/licensing-plugin/server';
 import type {
-  EncryptedSavedObjectsPluginStart,
   EncryptedSavedObjectsPluginSetup,
+  EncryptedSavedObjectsPluginStart,
 } from '@kbn/encrypted-saved-objects-plugin/server';
 import type {
   AuditLogger,
@@ -57,61 +56,64 @@ import { SECURITY_EXTENSION_ID } from '@kbn/core-saved-objects-server';
 
 import type { FleetConfigType } from '../common/types';
 import type { FleetAuthz } from '../common';
-import type { ExperimentalFeatures } from '../common/experimental_features';
-
 import {
-  MESSAGE_SIGNING_KEYS_SAVED_OBJECT_TYPE,
   INTEGRATIONS_PLUGIN_ID,
+  MESSAGE_SIGNING_KEYS_SAVED_OBJECT_TYPE,
   UNINSTALL_TOKENS_SAVED_OBJECT_TYPE,
 } from '../common';
+import type { ExperimentalFeatures } from '../common/experimental_features';
 import { parseExperimentalConfigValue } from '../common/experimental_features';
 
 import { getFilesClientFactory } from './services/files/get_files_client_factory';
 
 import type { MessageSigningServiceInterface } from './services/security';
 import {
-  getRouteRequiredAuthz,
-  makeRouterWithFleetAuthz,
   calculateRouteAuthz,
   getAuthzFromRequest,
+  getRouteRequiredAuthz,
+  makeRouterWithFleetAuthz,
   MessageSigningService,
 } from './services/security';
 
 import {
-  PLUGIN_ID,
-  OUTPUT_SAVED_OBJECT_TYPE,
   AGENT_POLICY_SAVED_OBJECT_TYPE,
-  PACKAGE_POLICY_SAVED_OBJECT_TYPE,
-  PACKAGES_SAVED_OBJECT_TYPE,
   ASSETS_SAVED_OBJECT_TYPE,
-  PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE,
   DOWNLOAD_SOURCE_SAVED_OBJECT_TYPE,
   FLEET_SERVER_HOST_SAVED_OBJECT_TYPE,
+  OUTPUT_SAVED_OBJECT_TYPE,
+  PACKAGE_POLICY_SAVED_OBJECT_TYPE,
+  PACKAGES_SAVED_OBJECT_TYPE,
+  PLUGIN_ID,
+  PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE,
 } from './constants';
-import { registerSavedObjects, registerEncryptedSavedObjects } from './saved_objects';
+import { registerEncryptedSavedObjects, registerSavedObjects } from './saved_objects';
 import { registerRoutes } from './routes';
 
-import type { ExternalCallback, FleetRequestHandlerContext } from './types';
 import type {
-  ESIndexPatternService,
-  AgentService,
+  ExternalCallback,
+  ExternalCallbackAgentPolicy,
+  FleetRequestHandlerContext,
+} from './types';
+import type {
   AgentPolicyServiceInterface,
+  AgentService,
+  ESIndexPatternService,
   PackageService,
 } from './services';
-import { FleetUsageSender } from './services';
 import {
+  agentPolicyService,
+  AgentServiceImpl,
   appContextService,
-  licenseService,
   ESIndexPatternSavedObjectService,
-  agentPolicyService,
+  FleetUsageSender,
+  licenseService,
   packagePolicyService,
-  AgentServiceImpl,
   PackageServiceImpl,
 } from './services';
 import {
-  registerFleetUsageCollector,
   fetchAgentsUsage,
   fetchFleetUsage,
+  registerFleetUsageCollector,
 } from './collectors/register';
 import { FleetArtifactsClient } from './services/artifacts';
 import type { FleetRouter } from './types/request_context';
@@ -218,7 +220,7 @@ export interface FleetStartContract {
    * Register callbacks for inclusion in fleet API processing
    * @param args
    */
-  registerExternalCallback: (...args: ExternalCallback) => void;
+  registerExternalCallback: (...args: ExternalCallback | ExternalCallbackAgentPolicy) => void;
 
   /**
    * Create a Fleet Artifact Client instance
@@ -624,9 +626,13 @@ export class FleetPlugin
         list: agentPolicyService.list,
         getFullAgentPolicy: agentPolicyService.getFullAgentPolicy,
         getByIds: agentPolicyService.getByIDs,
+        bumpRevision: agentPolicyService.bumpRevision.bind(agentPolicyService),
       },
       packagePolicyService,
-      registerExternalCallback: (type: ExternalCallback[0], callback: ExternalCallback[1]) => {
+      registerExternalCallback: (
+        type: ExternalCallback[0] | ExternalCallbackAgentPolicy[0],
+        callback: ExternalCallback[1] | ExternalCallbackAgentPolicy[1]
+      ) => {
         return appContextService.addExternalCallback(type, callback);
       },
       createArtifactsClient(packageName: string) {

x-pack/plugins/fleet/server/services/agent_policy.ts

@@ -44,6 +44,9 @@ import type {
   FullAgentPolicy,
   ListWithKuery,
   NewPackagePolicy,
+  ExternalCallbackAgentPolicy,
+  PostAgentPolicyCreateCallback,
+  PostAgentPolicyUpdateCallback,
 } from '../types';
 import {
   getAllowedOutputTypeForPolicy,
@@ -234,6 +237,43 @@ class AgentPolicyService {
     return policyHasSyntheticsIntegration(agentPolicy);
   }
 
+  public async runExternalCallbacks(
+    externalCallbackType: ExternalCallbackAgentPolicy[0],
+    agentPolicy: NewAgentPolicy | Partial<AgentPolicy>
+  ): Promise<NewAgentPolicy | Partial<AgentPolicy>> {
+    const logger = appContextService.getLogger();
+    logger.debug(`Running external callbacks for ${externalCallbackType}`);
+    try {
+      const externalCallbacks = appContextService.getExternalCallbacks(externalCallbackType);
+      let newAgentPolicy = agentPolicy;
+
+      if (externalCallbacks && externalCallbacks.size > 0) {
+        let updatedNewAgentPolicy = newAgentPolicy;
+        for (const callback of externalCallbacks) {
+          let result;
+          if (externalCallbackType === 'agentPolicyCreate') {
+            result = await (callback as PostAgentPolicyCreateCallback)(
+              newAgentPolicy as NewAgentPolicy
+            );
+            updatedNewAgentPolicy = result;
+          }
+          if (externalCallbackType === 'agentPolicyUpdate') {
+            result = await (callback as PostAgentPolicyUpdateCallback)(
+              newAgentPolicy as Partial<AgentPolicy>
+            );
+            updatedNewAgentPolicy = result;
+          }
+        }
+        newAgentPolicy = updatedNewAgentPolicy;
+      }
+      return newAgentPolicy;
+    } catch (error) {
+      logger.error(`Error running external callbacks for ${externalCallbackType}`);
+      logger.error(error);
+      throw error;
+    }
+  }
+
   public async create(
     soClient: SavedObjectsClientContract,
     esClient: ElasticsearchClient,
@@ -254,7 +294,7 @@ class AgentPolicyService {
       id: options.id,
       savedObjectType: AGENT_POLICY_SAVED_OBJECT_TYPE,
     });
-
+    await this.runExternalCallbacks('agentPolicyCreate', agentPolicy);
     this.checkTamperProtectionLicense(agentPolicy);
 
     const logger = appContextService.getLogger();
@@ -520,6 +560,7 @@ class AgentPolicyService {
       throw new AgentPolicyNotFoundError('Agent policy not found');
     }
 
+    await this.runExternalCallbacks('agentPolicyUpdate', agentPolicy);
     this.checkTamperProtectionLicense(agentPolicy);
     await this.checkForValidUninstallToken(agentPolicy, id);
 

x-pack/plugins/fleet/server/services/app_context.ts

@@ -42,6 +42,9 @@ import type {
   PostPackagePolicyPostDeleteCallback,
   PostPackagePolicyPostCreateCallback,
   PutPackagePolicyUpdateCallback,
+  ExternalCallbackAgentPolicy,
+  PostAgentPolicyCreateCallback,
+  PostAgentPolicyUpdateCallback,
 } from '../types';
 import type { FleetAppContext } from '../plugin';
 import type { TelemetryEventsSender } from '../telemetry/sender';
@@ -234,18 +237,25 @@ class AppContextService {
     return this.kibanaInstanceId;
   }
 
-  public addExternalCallback(type: ExternalCallback[0], callback: ExternalCallback[1]) {
+  public addExternalCallback(
+    type: ExternalCallback[0] | ExternalCallbackAgentPolicy[0],
+    callback: ExternalCallback[1] | ExternalCallbackAgentPolicy[1]
+  ) {
     if (!this.externalCallbacks.has(type)) {
       this.externalCallbacks.set(type, new Set());
     }
     this.externalCallbacks.get(type)!.add(callback);
   }
 
-  public getExternalCallbacks<T extends ExternalCallback[0]>(
+  public getExternalCallbacks<T extends ExternalCallback[0] | ExternalCallbackAgentPolicy[0]>(
     type: T
   ):
     | Set<
-        T extends 'packagePolicyCreate'
+        T extends 'agentPolicyCreate'
+          ? PostAgentPolicyCreateCallback
+          : T extends 'agentPolicyUpdate'
+          ? PostAgentPolicyUpdateCallback
+          : T extends 'packagePolicyCreate'
           ? PostPackagePolicyCreateCallback
           : T extends 'packagePolicyDelete'
           ? PostPackagePolicyDeleteCallback
@@ -258,7 +268,11 @@ class AppContextService {
     | undefined {
     if (this.externalCallbacks) {
       return this.externalCallbacks.get(type) as Set<
-        T extends 'packagePolicyCreate'
+        T extends 'agentPolicyCreate'
+          ? PostAgentPolicyCreateCallback
+          : T extends 'agentPolicyUpdate'
+          ? PostAgentPolicyUpdateCallback
+          : T extends 'packagePolicyCreate'
           ? PostPackagePolicyCreateCallback
           : T extends 'packagePolicyDelete'
           ? PostPackagePolicyDeleteCallback

x-pack/plugins/fleet/server/services/index.ts

@@ -33,6 +33,7 @@ export interface AgentPolicyServiceInterface {
   list: typeof agentPolicyService['list'];
   getFullAgentPolicy: typeof agentPolicyService['getFullAgentPolicy'];
   getByIds: typeof agentPolicyService['getByIDs'];
+  bumpRevision: typeof agentPolicyService['bumpRevision'];
 }
 
 // Agent services

x-pack/plugins/fleet/server/services/preconfiguration.test.ts

@@ -283,6 +283,7 @@ jest.mock('./app_context', () => ({
     getUninstallTokenService: () => ({
       generateTokenForPolicyId: jest.fn(),
     }),
+    getExternalCallbacks: jest.fn(),
   },
 }));