Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[EDR Workflows] Set Agent Tamper Protection to false on policy unassignment #193017

Merged
merged 6 commits into from
Sep 23, 2024

Conversation

szwarckonrad
Copy link
Contributor

@szwarckonrad szwarckonrad commented Sep 16, 2024

This PR fixes an issue where Agent Tamper Protection remained enabled even after a Defend policy was unassigned from the agent policy.

There is no issue with removing the integration; it still causes agent tamper protections to be disabled.

Screen.Recording.2024-09-16.at.15.51.26.mov

@szwarckonrad szwarckonrad added release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.16.0 labels Sep 16, 2024
@szwarckonrad szwarckonrad self-assigned this Sep 16, 2024
@szwarckonrad szwarckonrad requested a review from a team as a code owner September 16, 2024 14:03
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

Copy link
Member

@nchaulet nchaulet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code LGTM 🚀

const [endpointPackagePolicyUpdatesIds, endpointOldPackagePoliciesIds] = [
packagePolicyUpdates,
oldPackagePolicies,
].map((packagePolicies) =>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sets instead of arrays could be built here, so the checks in lines 1231 and 1232 will have constant time complexity

Copy link
Contributor Author

@szwarckonrad szwarckonrad Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

const [endpointPackagePolicyUpdatesIds, endpointOldPackagePoliciesIds] = [
  packagePolicyUpdates,
  oldPackagePolicies,
].map((packagePolicies) =>
  new Set(
    packagePolicies
      .filter((p) => p.package?.name === 'endpoint')
      .map((p) => p.policy_ids)
      .flat()
  )
);

Like this, right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

like that : )

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May I also add that instead of iterating twice using filter and map you could use reduce to iterate only once. 😅

Copy link
Contributor

@gergoabraham gergoabraham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

works well when unassigning a Defend integration!

what do you think about initializing the is_protected field when a Defend integration is assigned to an agent policy? it should be false, but we could make sure

@szwarckonrad
Copy link
Contributor Author

@gergoabraham

Hm, so you propose to add another check that will make sure (both on create and update) that if id is to be found in the "new" array and not in the "old" one, we should explicitly set is_protected to false as well? Can we think of any scenario where is_protected could not be false?

@szwarckonrad szwarckonrad added the backport:skip This commit does not require backporting label Sep 19, 2024
@gergoabraham
Copy link
Contributor

@gergoabraham

Hm, so you propose to add another check that will make sure (both on create and update) that if id is to be found in the "new" array and not in the "old" one, we should explicitly set is_protected to false as well? Can we think of any scenario where is_protected could not be false?

@szwarckonrad, i don't actually know any scenario where it could be a problem, i'm just thinking on some weird possible SDHs where users added Defend integration and all of a sudden cannot uninstall agents, because some months prior to that somehow the is_protected field was changed to true. it most probably cannot happen (e.g. api call won't allow it, SO write in dev console requires tons of privileges), still, it just seems clearer to initialize the variable at the moment when we start using it.

so yeah, probably we don't need this, so if it would be a big change, we can definitely let it go, but if it's only a small one, i'd say let's go for it

what are your thoughts?

Copy link
Contributor

@gergoabraham gergoabraham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome, thanks for the changes! 🚀

Copy link
Member

@nchaulet nchaulet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@szwarckonrad szwarckonrad added v9.0.0 backport:version Backport to applied version labels and removed backport:skip This commit does not require backporting labels Sep 20, 2024
@kibana-ci
Copy link
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @szwarckonrad

@szwarckonrad szwarckonrad merged commit 39fe0ae into elastic:main Sep 23, 2024
23 checks passed
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Sep 23, 2024
…gnment (elastic#193017)

This PR fixes an issue where Agent Tamper Protection remained enabled
even after a Defend policy was unassigned from the agent policy.

There is no issue with removing the integration; it still causes agent
tamper protections to be disabled.

https://github.com/user-attachments/assets/ee105e60-3db2-4249-a33b-44a2f2f7aac9
(cherry picked from commit 39fe0ae)
@kibanamachine
Copy link
Contributor

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Sep 23, 2024
…unassignment (#193017) (#193713)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] Set Agent Tamper Protection to false on policy
unassignment (#193017)](#193017)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-23T12:02:16Z","message":"[EDR
Workflows] Set Agent Tamper Protection to false on policy unassignment
(#193017)\n\nThis PR fixes an issue where Agent Tamper Protection
remained enabled\r\neven after a Defend policy was unassigned from the
agent policy.\r\n\r\nThere is no issue with removing the integration; it
still causes agent\r\ntamper protections to be
disabled.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ee105e60-3db2-4249-a33b-44a2f2f7aac9","sha":"39fe0aee76d0383258be8f68bed2865575ec20d2","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","Team:Defend
Workflows","v8.16.0","backport:version"],"title":"[EDR Workflows] Set
Agent Tamper Protection to false on policy
unassignment","number":193017,"url":"https://github.com/elastic/kibana/pull/193017","mergeCommit":{"message":"[EDR
Workflows] Set Agent Tamper Protection to false on policy unassignment
(#193017)\n\nThis PR fixes an issue where Agent Tamper Protection
remained enabled\r\neven after a Defend policy was unassigned from the
agent policy.\r\n\r\nThere is no issue with removing the integration; it
still causes agent\r\ntamper protections to be
disabled.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ee105e60-3db2-4249-a33b-44a2f2f7aac9","sha":"39fe0aee76d0383258be8f68bed2865575ec20d2"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193017","number":193017,"mergeCommit":{"message":"[EDR
Workflows] Set Agent Tamper Protection to false on policy unassignment
(#193017)\n\nThis PR fixes an issue where Agent Tamper Protection
remained enabled\r\neven after a Defend policy was unassigned from the
agent policy.\r\n\r\nThere is no issue with removing the integration; it
still causes agent\r\ntamper protections to be
disabled.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ee105e60-3db2-4249-a33b-44a2f2f7aac9","sha":"39fe0aee76d0383258be8f68bed2865575ec20d2"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Konrad Szwarc <[email protected]>
weizijun added a commit to weizijun/kibana that referenced this pull request Sep 23, 2024
* main: (176 commits)
  [ML][Rules] Fixes deletion in Check interval input for anomaly detection rule (elastic#193420)
  Bump maximum supported package spec version to 3.2 (elastic#193574)
  [ES|QL] new pattern for `SORT` autocomplete (elastic#193595)
  [Inventory][ECO] Entities page search bar (elastic#193546)
  [Synthetics] Remove extra overview route (elastic#192449)
  [Obs Alerts table] Fix error on clicking alert reason message (elastic#193693)
  [Migrations] Remove tests that are not applicable in 9.x (elastic#193699)
  [EDR Workflows] Set Agent Tamper Protection to false on policy unassignment (elastic#193017)
  [Inventory][ECO] Enable elastic entity model from inventory (elastic#193557)
  [EDR Workflows] The host isolation exception tab is hidden on the basic license if no artifacts (elastic#192562)
  [Entity Analytics] Ensuring definition transforms are managed (elastic#193408)
  [Automatic Import] Do not remove message field for unstructured logs (elastic#193678)
  [Fleet] Add missing permissions for connector package (elastic#193573)
  [Fleet] using @kbn/config-schema part 2 (outputs and other apis)  (elastic#193326)
  [Migrations] Provide testing archives + tooling for migrations integration tests (elastic#193328)
  [ES|QL] Renames the textbased editor to esql editor (elastic#193521)
  [ES|QL] Update function metadata (elastic#193662)
  [Security Solution][Entity Analytics] Scoping the entity store to spaces (elastic#193303)
  [Docs] Update Sharing docs (elastic#190318)
  [ML] AIOps: Move Log Rate Analysis results callout to help popover. (elastic#192243)
  ...

# Conflicts:
#	x-pack/plugins/search_inference_endpoints/public/components/all_inference_endpoints/render_table_columns/render_endpoint/endpoint_info.test.tsx
#	x-pack/plugins/search_inference_endpoints/public/components/all_inference_endpoints/render_table_columns/render_endpoint/endpoint_info.tsx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:version Backport to applied version labels release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution Team:Fleet Team label for Observability Data Collection Fleet team v8.16.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants