From 7bac3e2697803bb4198dd20684562e9b7461feaa Mon Sep 17 00:00:00 2001
From: Dzmitry Lemechko
Date: Thu, 21 Nov 2024 16:39:37 +0100
Subject: [PATCH 1/3] use roles.yml from kbn/es for security solution tests
---
 .../lib/security/kibana_roles/kibana_roles.ts | 4 +-
 .../project_controller_security_roles.yml | 790 ------------------
 2 files changed, 2 insertions(+), 792 deletions(-)
 delete mode 100644 x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
diff --git a/x-pack/test_serverless/shared/lib/security/kibana_roles/kibana_roles.ts b/x-pack/test_serverless/shared/lib/security/kibana_roles/kibana_roles.ts
index 47969d1643eff..cecc4b97abce7 100644
--- a/x-pack/test_serverless/shared/lib/security/kibana_roles/kibana_roles.ts
+++ b/x-pack/test_serverless/shared/lib/security/kibana_roles/kibana_roles.ts
@@ -10,10 +10,10 @@ import { readFileSync } from 'fs';
 import * as path from 'path';
 import { cloneDeep, merge } from 'lodash';
 import { FeaturesPrivileges, Role, RoleIndexPrivilege } from '@kbn/security-plugin/common';
+import { SERVERLESS_ROLES_ROOT_PATH } from '@kbn/es';
 import { ServerlessRoleName } from '../types';
-const ROLES_YAML_FILE_PATH = path.join(__dirname, 'project_controller_security_roles.yml');
-
+const ROLES_YAML_FILE_PATH = path.join(SERVERLESS_ROLES_ROOT_PATH, 'security', 'roles.yml');
 const ROLE_NAMES = Object.values(ServerlessRoleName);
 interface IApplication {
diff --git a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
deleted file mode 100644
index 61d3378de4c68..0000000000000
--- a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
+++ /dev/null
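Review bot: The new `ROLES_YAML_FILE_PATH` moves the source of truth for the privileges these tests run under out of this package and into `@kbn/es`, and nothing in the hunk records that dependency or what happens when the file is not where `SERVERLESS_ROLES_ROOT_PATH` says it is — `readFileSync` (imported above, called outside this hunk) will presumably fail with a bare ENOENT far from the cause. I would document the contract above the constant: `// Role definitions live in @kbn/es (security/roles.yml) so these tests exercise the same privileges serverless ES grants; every ServerlessRoleName must have an entry there.` and, at the point the file is read, fail with a message that names the path, e.g. `throw new Error(\`serverless roles file not found: ${ROLES_YAML_FILE_PATH}\`)` when it is missing. Because `ROLE_NAMES` on the next line is derived from the enum rather than from the YAML, a role added to the enum but absent from roles.yml is, as far as this hunk shows, only noticed when a test tries to use it. `interface IApplication {` continues past the end of the hunk.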
@@ -1,790 +0,0 @@ -# ----- -# Source: https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml - -# modeled after the t1_analyst minus osquery run saved queries privilege -viewer: - cluster: [] - indices: - - names: - - ".siem-signals*" - - ".lists-*" - - ".items-*" - privileges: - - "read" - - "view_index_metadata" - allow_restricted_indices: false - - names: - - ".alerts*" - - ".preview.alerts*" - privileges: - - "read" - - "view_index_metadata" - allow_restricted_indices: false - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - metrics-endpoint.metadata_current_* - - ".fleet-agents*" - - ".fleet-actions*" - - "risk-score.risk-score-*" - - ".asset-criticality.asset-criticality-*" - - ".entities.v1.latest.security_*" - - ".ml-anomalies-*" - privileges: - - read - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_siem.read - - feature_siem.read_alerts - - feature_siem.endpoint_list_read - - feature_securitySolutionCases.read - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.read - - feature_builtInAlerts.read - - feature_osquery.read - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - run_as: [] - -# modeled after t3_analyst -editor: - cluster: [] - indices: - - names: - - ".siem-signals*" - - ".lists-*" - - ".items-*" - privileges: - - "read" - - "view_index_metadata" - - "write" - - "maintenance" - allow_restricted_indices: false - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - privileges: - - read - - write - - names: - - ".internal.alerts*" - - ".alerts*" - - ".internal.preview.alerts*" - - ".preview.alerts*" - - 
"risk-score.risk-score-*" - privileges: - - "read" - - "view_index_metadata" - - "write" - - "maintenance" - - names: - - ".asset-criticality.asset-criticality-*" - - ".entities.v1.latest.security_*" - privileges: - - "read" - - "write" - allow_restricted_indices: false - - names: - - ".ml-anomalies-*" - privileges: - - read - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_siem.all - - feature_siem.read_alerts - - feature_siem.crud_alerts - - feature_siem.endpoint_list_all - - feature_siem.trusted_applications_all - - feature_siem.event_filters_all - - feature_siem.host_isolation_exceptions_all - - feature_siem.blocklist_all - - feature_siem.policy_management_read # Elastic Defend Policy Management - - feature_siem.host_isolation_all - - feature_siem.process_operations_all - - feature_siem.actions_log_management_all # Response actions history - - feature_siem.file_operations_all - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.read - - feature_builtInAlerts.all - - feature_osquery.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - run_as: [] - -t1_analyst: - cluster: - indices: - - names: - - ".alerts-security*" - - ".siem-signals-*" - privileges: - - read - - write - - maintenance - - names: - - .lists* - - .items* - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - metrics-endpoint.metadata_current_* - - ".fleet-agents*" - - ".fleet-actions*" - - risk-score.risk-score-* - - .asset-criticality.asset-criticality-* - - .entities.v1.latest.security_* - - ".ml-anomalies-*" - privileges: - - read - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_siem.read - - feature_siem.read_alerts - - 
feature_siem.endpoint_list_read - - feature_securitySolutionCases.read - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.read - - feature_builtInAlerts.read - - feature_osquery.read - - feature_osquery.run_saved_queries - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - -t2_analyst: - cluster: - indices: - - names: - - .alerts-security* - - .siem-signals-* - privileges: - - read - - write - - maintenance - - names: - - .lists* - - .items* - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - metrics-endpoint.metadata_current_* - - .fleet-agents* - - .fleet-actions* - - risk-score.risk-score-* - - .entities.v1.latest.security_* - - ".ml-anomalies-*" - privileges: - - read - - names: - - .asset-criticality.asset-criticality-* - privileges: - - read - - write - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_siem.read - - feature_siem.read_alerts - - feature_siem.endpoint_list_read - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.read - - feature_builtInAlerts.read - - feature_osquery.read - - feature_osquery.run_saved_queries - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - -t3_analyst: - cluster: - indices: - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - .asset-criticality.asset-criticality-* - privileges: - - read - - write - - names: - - .alerts-security* - - .siem-signals-* - privileges: - - read - - write - - maintenance - - names: - - .lists* - - .items* - privileges: 
- - read - - write - - view_index_metadata - - names: - - metrics-endpoint.metadata_current_* - - .fleet-agents* - - .fleet-actions* - - risk-score.risk-score-* - - .entities.v1.latest.security_* - - ".ml-anomalies-*" - privileges: - - read - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_siem.all - - feature_siem.read_alerts - - feature_siem.crud_alerts - - feature_siem.endpoint_list_all - - feature_siem.trusted_applications_all - - feature_siem.event_filters_all - - feature_siem.host_isolation_exceptions_all - - feature_siem.blocklist_all - - feature_siem.policy_management_read # Elastic Defend Policy Management - - feature_siem.host_isolation_all - - feature_siem.process_operations_all - - feature_siem.actions_log_management_all # Response actions history - - feature_siem.file_operations_all - - feature_siem.scan_operations_all - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.read - - feature_builtInAlerts.all - - feature_osquery.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - -threat_intelligence_analyst: - cluster: - indices: - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - privileges: - - read - - names: - - .lists* - - .items* - - .asset-criticality.asset-criticality-* - privileges: - - read - - write - - names: - - .alerts-security* - - .siem-signals-* - privileges: - - read - - write - - maintenance - - names: - - metrics-endpoint.metadata_current_* - - .fleet-agents* - - .fleet-actions* - - risk-score.risk-score-* - - .entities.v1.latest.security_* - - ".ml-anomalies-*" - privileges: - - read - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_siem.all - - 
feature_siem.endpoint_list_read - - feature_siem.blocklist_all - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.read - - feature_builtInAlerts.read - - feature_osquery.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - -rule_author: - cluster: - indices: - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - .asset-criticality.asset-criticality-* - privileges: - - read - - write - - names: - - .alerts-security* - - .siem-signals-* - - .internal.preview.alerts-security* - - .preview.alerts-security* - privileges: - - read - - write - - maintenance - - view_index_metadata - - names: - - .lists* - - .items* - privileges: - - read - - write - - view_index_metadata - - names: - - metrics-endpoint.metadata_current_* - - .fleet-agents* - - .fleet-actions* - - risk-score.risk-score-* - - .entities.v1.latest.security_* - - ".ml-anomalies-*" - privileges: - - read - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_siem.all - - feature_siem.read_alerts - - feature_siem.crud_alerts - - feature_siem.policy_management_all - - feature_siem.endpoint_list_all - - feature_siem.trusted_applications_all - - feature_siem.event_filters_all - - feature_siem.host_isolation_exceptions_read - - feature_siem.blocklist_all # Elastic Defend Policy Management - - feature_siem.actions_log_management_read - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.read - - feature_builtInAlerts.all - - feature_osquery.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - 
resources: "*" - -soc_manager: - cluster: - indices: - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - .asset-criticality.asset-criticality-* - - .entities.v1.latest.security_* - privileges: - - read - - write - - names: - - .alerts-security* - - .siem-signals-* - - .preview.alerts-security* - - .internal.preview.alerts-security* - privileges: - - read - - write - - manage - - names: - - .lists* - - .items* - privileges: - - read - - write - - view_index_metadata - - names: - - metrics-endpoint.metadata_current_* - - .fleet-agents* - - .fleet-actions* - - risk-score.risk-score-* - - .asset-criticality.asset-criticality-* - - ".ml-anomalies-*" - privileges: - - read - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_generalCases.all - - feature_siem.all - - feature_siem.read_alerts - - feature_siem.crud_alerts - - feature_siem.policy_management_all - - feature_siem.endpoint_list_all - - feature_siem.trusted_applications_all - - feature_siem.event_filters_all - - feature_siem.host_isolation_exceptions_all - - feature_siem.blocklist_all - - feature_siem.host_isolation_all - - feature_siem.process_operations_all - - feature_siem.actions_log_management_all - - feature_siem.file_operations_all - - feature_siem.execute_operations_all - - feature_siem.scan_operations_all - - feature_securitySolutionCases.all - - feature_observabilityCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.all - - feature_builtInAlerts.all - - feature_osquery.all - - feature_indexPatterns.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - -detections_admin: - cluster: ["manage_index_templates", "manage_transform"] - indices: - - names: - - apm-*-transaction* - - traces-apm* - - 
auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - .lists* - - .items* - - .alerts-security* - - .siem-signals-* - - .preview.alerts-security* - - .internal.preview.alerts-security* - privileges: - - read - - write - - manage - - names: - - metrics-endpoint.metadata_current_* - - .fleet-agents* - - .fleet-actions* - - ".ml-anomalies-*" - privileges: - - read - - names: - - risk-score.risk-score-* - privileges: - - all - - names: - - .asset-criticality.asset-criticality-* - - .entities.v1.latest.security_* - privileges: - - read - - write - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.all - - feature_siem.all - - feature_siem.read_alerts - - feature_siem.crud_alerts - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.all - - feature_builtInAlerts.all - - feature_dev_tools.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - -platform_engineer: - cluster: - - manage - indices: - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - .lists* - - .items* - - .alerts-security* - - .siem-signals-* - - .preview.alerts-security* - - .internal.preview.alerts-security* - - risk-score.risk-score-* - privileges: - - all - - names: - - .asset-criticality.asset-criticality-* - - .entities.v1.latest.security_* - privileges: - - read - - write - - names: - - ".ml-anomalies-*" - privileges: - - read - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.all - - feature_siem.all - - feature_siem.read_alerts - - feature_siem.crud_alerts - - feature_siem.policy_management_all - - feature_siem.endpoint_list_all - - feature_siem.trusted_applications_all - - feature_siem.event_filters_all - - 
feature_siem.host_isolation_exceptions_all - - feature_siem.blocklist_all # Elastic Defend Policy Management - - feature_siem.actions_log_management_read - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.all - - feature_builtInAlerts.all - - feature_fleet.all - - feature_fleetv2.all - - feature_osquery.all - - feature_indexPatterns.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - -endpoint_operations_analyst: - cluster: - indices: - - names: - - metrics-endpoint.metadata_current_* - - .fleet-agents* - - .fleet-actions* - privileges: - - read - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - .lists* - - .items* - - risk-score.risk-score-* - - .entities.v1.latest.security_* - - ".ml-anomalies-*" - privileges: - - read - - names: - - .alerts-security* - - .siem-signals-* - - .preview.alerts-security* - - .internal.preview.alerts-security* - privileges: - - read - - write - - maintenance - - names: - - .asset-criticality.asset-criticality-* - privileges: - - read - - write - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.read - - feature_siem.all - - feature_siem.read_alerts - - feature_siem.policy_management_all - - feature_siem.endpoint_list_all - - feature_siem.trusted_applications_all - - feature_siem.event_filters_all - - feature_siem.host_isolation_exceptions_all - - feature_siem.blocklist_all - - feature_siem.host_isolation_all - - feature_siem.process_operations_all - - feature_siem.actions_log_management_all # Response History - - feature_siem.file_operations_all - - feature_siem.execute_operations_all # Execute - - feature_siem.scan_operations_all - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all 
- - feature_securitySolutionAttackDiscovery.all - - feature_actions.all - - feature_builtInAlerts.all - - feature_osquery.all - - feature_fleet.all - - feature_fleetv2.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" - -endpoint_policy_manager: - cluster: - indices: - - names: - - metrics-endpoint.metadata_current_* - - .fleet-agents* - - .fleet-actions* - privileges: - - read - - names: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - risk-score.risk-score-* - - .entities.v1.latest.security_* - - ".ml-anomalies-*" - privileges: - - read - - names: - - .lists* - - .items* - - .asset-criticality.asset-criticality-* - privileges: - - read - - write - - names: - - .alerts-security* - - .siem-signals-* - - .preview.alerts-security* - - .internal.preview.alerts-security* - privileges: - - read - - write - - manage - applications: - - application: "kibana-.kibana" - privileges: - - feature_ml.all - - feature_siem.all - - feature_siem.read_alerts - - feature_siem.crud_alerts - - feature_siem.policy_management_all - - feature_siem.endpoint_list_all - - feature_siem.trusted_applications_all - - feature_siem.event_filters_all - - feature_siem.host_isolation_exceptions_all - - feature_siem.blocklist_all # Elastic Defend Policy Management - - feature_securitySolutionCases.all - - feature_securitySolutionAssistant.all - - feature_securitySolutionAttackDiscovery.all - - feature_actions.all - - feature_builtInAlerts.all - - feature_osquery.all - - feature_fleet.all - - feature_fleetv2.all - - feature_discover.all - - feature_dashboard.all - - feature_canvas.all - - feature_graph.all - - feature_maps.all - - feature_visualize.all - resources: "*" From ef82544eb1d6ce502813f26f477883b9a965dafe Mon Sep 17 00:00:00 2001 
From: Dzmitry Lemechko
Date: Thu, 5 Dec 2024 14:36:18 +0100
Subject: [PATCH 2/3] change to trigger tests
---
 .../plugins/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts b/x-pack/plugins/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts
index afa0482c90a26..2a8435fe67a8b 100644
--- a/x-pack/plugins/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts
+++ b/x-pack/plugins/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts
@@ -22,7 +22,7 @@ import {
 } from '../../tasks/api_fixtures';
 import type { ServerlessRoleName } from '../../support/roles';
-describe(`T1 and T2 analysts`, { tags: ['@ess', '@serverless'] }, () => {
+describe(`test T1 and T2 analysts`, { tags: ['@ess', '@serverless'] }, () => {
 ['t1_analyst', 't2_analyst'].forEach((role: string) => {
 describe(`${role}- READ + runSavedQueries `, () => {
 let savedQueryName: string;
From b98cad442dff51e631c19e571233a309b1c05405 Mon Sep 17 00:00:00 2001
From: Dzmitry Lemechko
Date: Fri, 6 Dec 2024 15:52:32 +0100
Subject: [PATCH 3/3] add missing roles
---
 x-pack/test_serverless/shared/lib/security/types.ts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/x-pack/test_serverless/shared/lib/security/types.ts b/x-pack/test_serverless/shared/lib/security/types.ts
index 933685f81a955..fce1f3acad454 100644
--- a/x-pack/test_serverless/shared/lib/security/types.ts
+++ b/x-pack/test_serverless/shared/lib/security/types.ts
@@ -19,4 +19,7 @@ export enum ServerlessRoleName {
 ENDPOINT_OPERATIONS_ANALYST = 'endpoint_operations_analyst',
 ENDPOINT_POLICY_MANAGER = 'endpoint_policy_manager',
 READER = 'reader', // custom role to test lack of permissions
+ ADMIN = 'admin', // default Cloud role
+ SUPERUSER = 'system_indices_superuser', // this role is used to clean up the environment only and should
+ // not be used in any tests
 }
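Review bot: Adding `SUPERUSER = 'system_indices_superuser'` to `ServerlessRoleName` makes a superuser selectable by every test that takes a role from this enum (and by `Object.values(ServerlessRoleName)` in kibana_roles.ts, patch 1), which the accompanying comment says must not happen; a comment is not a guard, and a suite that logs in with it passes privilege checks no real serverless user could, masking authorization regressions. I would keep it out of the enum, e.g. `export const CLEANUP_ROLE = 'system_indices_superuser' as const;` beside it, so it cannot be passed where a `ServerlessRoleName` is expected. The `// default Cloud role` note on `ADMIN` is worth pinning down too — whether this is the built-in `admin` role or one the serverless project defines is not visible here and determines what privileges tests tagged with it actually get. If the member must stay in the enum, at least move the two-line trailing comment above it as a single `// Clean-up only; never log a test in with this role — it bypasses the privilege model under test.`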