From de80e69b272cfd45e4b0afa1d9467d497481dd08 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 19 Oct 2021 09:56:00 -0400 Subject: [PATCH] [Security Solution] Generate host isolation exceptions artifact (#115160) (#115512) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Esteban Beltran --- .../server/endpoint/lib/artifacts/common.ts | 3 + .../server/endpoint/lib/artifacts/lists.ts | 20 +++ .../manifest_manager/manifest_manager.test.ts | 137 ++++++++++-------- .../manifest_manager/manifest_manager.ts | 42 ++++++ 4 files changed, 140 insertions(+), 62 deletions(-) diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/common.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/common.ts index af5e386464305..60f91330d4558 100644 --- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/common.ts +++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/common.ts @@ -25,6 +25,9 @@ export const ArtifactConstants = { SUPPORTED_EVENT_FILTERS_OPERATING_SYSTEMS: ['macos', 'windows', 'linux'], GLOBAL_EVENT_FILTERS_NAME: 'endpoint-eventfilterlist', + + SUPPORTED_HOST_ISOLATION_EXCEPTIONS_OPERATING_SYSTEMS: ['macos', 'windows', 'linux'], + GLOBAL_HOST_ISOLATION_EXCEPTIONS_NAME: 'endpoint-hostisolationexceptionlist', }; export const ManifestConstants = { diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts index e27a09efd9710..e26a2c7f4b4bc 100644 --- a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts +++ b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts @@ -15,6 +15,7 @@ import { validate } from '@kbn/securitysolution-io-ts-utils'; import { ENDPOINT_EVENT_FILTERS_LIST_ID, + ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID, ENDPOINT_LIST_ID, ENDPOINT_TRUSTED_APPS_LIST_ID, } from '@kbn/securitysolution-list-constants'; @@ -65,6 +66,7 @@ export async function getFilteredEndpointExceptionList( | typeof ENDPOINT_LIST_ID | typeof ENDPOINT_TRUSTED_APPS_LIST_ID | typeof ENDPOINT_EVENT_FILTERS_LIST_ID + | typeof ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID ): Promise { const exceptions: WrappedTranslatedExceptionList = { entries: [] }; let page = 1; @@ -148,6 +150,24 @@ export async function getEndpointEventFiltersList( ); } +export async function getHostIsolationExceptionsList( + eClient: ExceptionListClient, + schemaVersion: string, + os: string, + policyId?: string +): Promise { + const osFilter = `exception-list-agnostic.attributes.os_types:\"${os}\"`; + const policyFilter = `(exception-list-agnostic.attributes.tags:\"policy:all\"${ + policyId ? ` or exception-list-agnostic.attributes.tags:\"policy:${policyId}\"` : '' + })`; + + return getFilteredEndpointExceptionList( + eClient, + schemaVersion, + `${osFilter} and ${policyFilter}`, + ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID + ); +} /** * Translates Exception list items to Exceptions the endpoint can understand * @param exceptions diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts index d75e347b86bd5..0ef2abd5f50aa 100644 --- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts @@ -7,6 +7,7 @@ import { savedObjectsClientMock } from 'src/core/server/mocks'; import { + ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID, ENDPOINT_LIST_ID, ENDPOINT_TRUSTED_APPS_LIST_ID, } from '@kbn/securitysolution-list-constants'; @@ -66,6 +67,12 @@ describe('ManifestManager', () => { const ARTIFACT_NAME_EVENT_FILTERS_MACOS = 'endpoint-eventfilterlist-macos-v1'; const ARTIFACT_NAME_EVENT_FILTERS_WINDOWS = 'endpoint-eventfilterlist-windows-v1'; const ARTIFACT_NAME_EVENT_FILTERS_LINUX = 'endpoint-eventfilterlist-linux-v1'; + const ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_MACOS = + 'endpoint-hostisolationexceptionlist-macos-v1'; + const ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_WINDOWS = + 'endpoint-hostisolationexceptionlist-windows-v1'; + const ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_LINUX = + 'endpoint-hostisolationexceptionlist-linux-v1'; let ARTIFACTS: InternalArtifactCompleteSchema[] = []; let ARTIFACTS_BY_ID: { [K: string]: InternalArtifactCompleteSchema } = {}; @@ -157,31 +164,29 @@ describe('ManifestManager', () => { const manifestManagerContext = buildManifestManagerContextMock({ savedObjectsClient }); const manifestManager = new ManifestManager(manifestManagerContext); - savedObjectsClient.get = jest - .fn() - .mockImplementation(async (objectType: string, id: string) => { - if (objectType === ManifestConstants.SAVED_OBJECT_TYPE) { - return { - attributes: { - created: '20-01-2020 10:00:00.000Z', - schemaVersion: 'v2', - semanticVersion: '1.0.0', - artifacts: [ - { artifactId: ARTIFACT_ID_EXCEPTIONS_MACOS, policyId: undefined }, - { artifactId: ARTIFACT_ID_EXCEPTIONS_WINDOWS, policyId: undefined }, - { artifactId: ARTIFACT_ID_EXCEPTIONS_LINUX, policyId: undefined }, - { artifactId: ARTIFACT_ID_EXCEPTIONS_WINDOWS, policyId: TEST_POLICY_ID_1 }, - { artifactId: ARTIFACT_ID_TRUSTED_APPS_MACOS, policyId: TEST_POLICY_ID_1 }, - { artifactId: ARTIFACT_ID_TRUSTED_APPS_WINDOWS, policyId: TEST_POLICY_ID_1 }, - { artifactId: ARTIFACT_ID_TRUSTED_APPS_WINDOWS, policyId: TEST_POLICY_ID_2 }, - ], - }, - version: '2.0.0', - }; - } else { - return null; - } - }); + savedObjectsClient.get = jest.fn().mockImplementation(async (objectType: string) => { + if (objectType === ManifestConstants.SAVED_OBJECT_TYPE) { + return { + attributes: { + created: '20-01-2020 10:00:00.000Z', + schemaVersion: 'v2', + semanticVersion: '1.0.0', + artifacts: [ + { artifactId: ARTIFACT_ID_EXCEPTIONS_MACOS, policyId: undefined }, + { artifactId: ARTIFACT_ID_EXCEPTIONS_WINDOWS, policyId: undefined }, + { artifactId: ARTIFACT_ID_EXCEPTIONS_LINUX, policyId: undefined }, + { artifactId: ARTIFACT_ID_EXCEPTIONS_WINDOWS, policyId: TEST_POLICY_ID_1 }, + { artifactId: ARTIFACT_ID_TRUSTED_APPS_MACOS, policyId: TEST_POLICY_ID_1 }, + { artifactId: ARTIFACT_ID_TRUSTED_APPS_WINDOWS, policyId: TEST_POLICY_ID_1 }, + { artifactId: ARTIFACT_ID_TRUSTED_APPS_WINDOWS, policyId: TEST_POLICY_ID_2 }, + ], + }, + version: '2.0.0', + }; + } else { + return null; + } + }); ( manifestManagerContext.artifactClient as jest.Mocked @@ -218,31 +223,29 @@ describe('ManifestManager', () => { const manifestManagerContext = buildManifestManagerContextMock({ savedObjectsClient }); const manifestManager = new ManifestManager(manifestManagerContext); - savedObjectsClient.get = jest - .fn() - .mockImplementation(async (objectType: string, id: string) => { - if (objectType === ManifestConstants.SAVED_OBJECT_TYPE) { - return { - attributes: { - created: '20-01-2020 10:00:00.000Z', - schemaVersion: 'v2', - semanticVersion: '1.0.0', - artifacts: [ - { artifactId: ARTIFACT_ID_EXCEPTIONS_MACOS, policyId: undefined }, - { artifactId: ARTIFACT_ID_EXCEPTIONS_WINDOWS, policyId: undefined }, - { artifactId: ARTIFACT_ID_EXCEPTIONS_LINUX, policyId: undefined }, - { artifactId: ARTIFACT_ID_EXCEPTIONS_WINDOWS, policyId: TEST_POLICY_ID_1 }, - { artifactId: ARTIFACT_ID_TRUSTED_APPS_MACOS, policyId: TEST_POLICY_ID_1 }, - { artifactId: ARTIFACT_ID_TRUSTED_APPS_WINDOWS, policyId: TEST_POLICY_ID_1 }, - { artifactId: ARTIFACT_ID_TRUSTED_APPS_WINDOWS, policyId: TEST_POLICY_ID_2 }, - ], - }, - version: '2.0.0', - }; - } else { - return null; - } - }); + savedObjectsClient.get = jest.fn().mockImplementation(async (objectType: string) => { + if (objectType === ManifestConstants.SAVED_OBJECT_TYPE) { + return { + attributes: { + created: '20-01-2020 10:00:00.000Z', + schemaVersion: 'v2', + semanticVersion: '1.0.0', + artifacts: [ + { artifactId: ARTIFACT_ID_EXCEPTIONS_MACOS, policyId: undefined }, + { artifactId: ARTIFACT_ID_EXCEPTIONS_WINDOWS, policyId: undefined }, + { artifactId: ARTIFACT_ID_EXCEPTIONS_LINUX, policyId: undefined }, + { artifactId: ARTIFACT_ID_EXCEPTIONS_WINDOWS, policyId: TEST_POLICY_ID_1 }, + { artifactId: ARTIFACT_ID_TRUSTED_APPS_MACOS, policyId: TEST_POLICY_ID_1 }, + { artifactId: ARTIFACT_ID_TRUSTED_APPS_WINDOWS, policyId: TEST_POLICY_ID_1 }, + { artifactId: ARTIFACT_ID_TRUSTED_APPS_WINDOWS, policyId: TEST_POLICY_ID_2 }, + ], + }, + version: '2.0.0', + }; + } else { + return null; + } + }); ( manifestManagerContext.artifactClient as jest.Mocked @@ -278,6 +281,9 @@ describe('ManifestManager', () => { ARTIFACT_NAME_EVENT_FILTERS_MACOS, ARTIFACT_NAME_EVENT_FILTERS_WINDOWS, ARTIFACT_NAME_EVENT_FILTERS_LINUX, + ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_MACOS, + ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_WINDOWS, + ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_LINUX, ]; const getArtifactIds = (artifacts: InternalArtifactSchema[]) => [ @@ -310,7 +316,7 @@ describe('ManifestManager', () => { context.savedObjectsClient.create = jest .fn() - .mockImplementation((type: string, object: InternalManifestSchema) => ({ + .mockImplementation((_type: string, object: InternalManifestSchema) => ({ attributes: object, })); const manifest = await manifestManager.buildNewManifest(); @@ -321,7 +327,7 @@ describe('ManifestManager', () => { const artifacts = manifest.getAllArtifacts(); - expect(artifacts.length).toBe(9); + expect(artifacts.length).toBe(12); expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES); for (const artifact of artifacts) { @@ -336,16 +342,18 @@ describe('ManifestManager', () => { test('Builds fully new manifest if no baseline parameter passed and present exception list items', async () => { const exceptionListItem = getExceptionListItemSchemaMock({ os_types: ['macos'] }); const trustedAppListItem = getExceptionListItemSchemaMock({ os_types: ['linux'] }); + const hostIsolationExceptionsItem = getExceptionListItemSchemaMock({ os_types: ['linux'] }); const context = buildManifestManagerContextMock({}); const manifestManager = new ManifestManager(context); context.exceptionListClient.findExceptionListItem = mockFindExceptionListItemResponses({ [ENDPOINT_LIST_ID]: { macos: [exceptionListItem] }, [ENDPOINT_TRUSTED_APPS_LIST_ID]: { linux: [trustedAppListItem] }, + [ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID]: { linux: [hostIsolationExceptionsItem] }, }); context.savedObjectsClient.create = jest .fn() - .mockImplementation((type: string, object: InternalManifestSchema) => ({ + .mockImplementation((_type: string, object: InternalManifestSchema) => ({ attributes: object, })); context.packagePolicyService.listIds = mockPolicyListIdsResponse([TEST_POLICY_ID_1]); @@ -358,7 +366,7 @@ describe('ManifestManager', () => { const artifacts = manifest.getAllArtifacts(); - expect(artifacts.length).toBe(9); + expect(artifacts.length).toBe(12); expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES); expect(getArtifactObject(artifacts[0])).toStrictEqual({ @@ -374,6 +382,11 @@ describe('ManifestManager', () => { expect(getArtifactObject(artifacts[6])).toStrictEqual({ entries: [] }); expect(getArtifactObject(artifacts[7])).toStrictEqual({ entries: [] }); expect(getArtifactObject(artifacts[8])).toStrictEqual({ entries: [] }); + expect(getArtifactObject(artifacts[9])).toStrictEqual({ entries: [] }); + expect(getArtifactObject(artifacts[10])).toStrictEqual({ entries: [] }); + expect(getArtifactObject(artifacts[11])).toStrictEqual({ + entries: translateToEndpointExceptions([hostIsolationExceptionsItem], 'v1'), + }); for (const artifact of artifacts) { expect(manifest.isDefaultArtifact(artifact)).toBe(true); @@ -395,7 +408,7 @@ describe('ManifestManager', () => { context.packagePolicyService.listIds = mockPolicyListIdsResponse([TEST_POLICY_ID_1]); context.savedObjectsClient.create = jest .fn() - .mockImplementation((type: string, object: InternalManifestSchema) => ({ + .mockImplementation((_type: string, object: InternalManifestSchema) => ({ attributes: object, })); const oldManifest = await manifestManager.buildNewManifest(); @@ -413,7 +426,7 @@ describe('ManifestManager', () => { const artifacts = manifest.getAllArtifacts(); - expect(artifacts.length).toBe(9); + expect(artifacts.length).toBe(12); expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES); expect(artifacts[0]).toStrictEqual(oldManifest.getAllArtifacts()[0]); @@ -462,7 +475,7 @@ describe('ManifestManager', () => { context.savedObjectsClient.create = jest .fn() - .mockImplementation((type: string, object: InternalManifestSchema) => ({ + .mockImplementation((_type: string, object: InternalManifestSchema) => ({ attributes: object, })); @@ -474,7 +487,7 @@ describe('ManifestManager', () => { const artifacts = manifest.getAllArtifacts(); - expect(artifacts.length).toBe(10); + expect(artifacts.length).toBe(13); expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES); expect(getArtifactObject(artifacts[0])).toStrictEqual({ @@ -653,7 +666,7 @@ describe('ManifestManager', () => { context.savedObjectsClient.create = jest .fn() - .mockImplementation((type: string, object: InternalManifestSchema) => object); + .mockImplementation((_type: string, object: InternalManifestSchema) => object); await expect(manifestManager.commit(manifest)).resolves.toBeUndefined(); @@ -690,7 +703,7 @@ describe('ManifestManager', () => { context.savedObjectsClient.update = jest .fn() - .mockImplementation((type: string, id: string, object: InternalManifestSchema) => object); + .mockImplementation((_type: string, _id: string, object: InternalManifestSchema) => object); await expect(manifestManager.commit(manifest)).resolves.toBeUndefined(); @@ -1023,7 +1036,7 @@ describe('ManifestManager', () => { context.savedObjectsClient.create = jest .fn() - .mockImplementation((type: string, object: InternalManifestSchema) => ({ + .mockImplementation((_type: string, object: InternalManifestSchema) => ({ attributes: object, })); const manifest = await manifestManager.buildNewManifest(); @@ -1046,7 +1059,7 @@ describe('ManifestManager', () => { context.savedObjectsClient.create = jest .fn() - .mockImplementation((type: string, object: InternalManifestSchema) => ({ + .mockImplementation((_type: string, object: InternalManifestSchema) => ({ attributes: object, })); diff --git a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts index 5c1d327b1b892..736bf1c58cb90 100644 --- a/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts +++ b/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts @@ -26,6 +26,7 @@ import { getEndpointEventFiltersList, getEndpointExceptionList, getEndpointTrustedAppsList, + getHostIsolationExceptionsList, Manifest, } from '../../../lib/artifacts'; import { @@ -237,6 +238,46 @@ export class ManifestManager { ); } + protected async buildHostIsolationExceptionsArtifacts(): Promise { + const defaultArtifacts: InternalArtifactCompleteSchema[] = []; + const policySpecificArtifacts: Record = {}; + + for (const os of ArtifactConstants.SUPPORTED_HOST_ISOLATION_EXCEPTIONS_OPERATING_SYSTEMS) { + defaultArtifacts.push(await this.buildHostIsolationExceptionForOs(os)); + } + + await iterateAllListItems( + (page) => this.listEndpointPolicyIds(page), + async (policyId) => { + for (const os of ArtifactConstants.SUPPORTED_HOST_ISOLATION_EXCEPTIONS_OPERATING_SYSTEMS) { + policySpecificArtifacts[policyId] = policySpecificArtifacts[policyId] || []; + policySpecificArtifacts[policyId].push( + await this.buildHostIsolationExceptionForOs(os, policyId) + ); + } + } + ); + + return { defaultArtifacts, policySpecificArtifacts }; + } + + protected async buildHostIsolationExceptionForOs( + os: string, + policyId?: string + ): Promise { + return buildArtifact( + await getHostIsolationExceptionsList( + this.exceptionListClient, + this.schemaVersion, + os, + policyId + ), + this.schemaVersion, + os, + ArtifactConstants.GLOBAL_HOST_ISOLATION_EXCEPTIONS_NAME + ); + } + /** * Writes new artifact SO. * @@ -381,6 +422,7 @@ export class ManifestManager { this.buildExceptionListArtifacts(), this.buildTrustedAppsArtifacts(), this.buildEventFiltersArtifacts(), + this.buildHostIsolationExceptionsArtifacts(), ]); const manifest = new Manifest({