-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] [Detections] Add "read index" privilege check on rule execution #83134
[Security Solution] [Detections] Add "read index" privilege check on rule execution #83134
Conversation
e3bd9d6
to
efa3efc
Compare
…se lines into a util function to be used in create rules and use that check on the UI too
efa3efc
to
b79dd8a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - super minor comments that can all be addressed as follow up if need be. Am curious to chat about how we define "success" in rule runs.
...plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.test.ts
Outdated
Show resolved
Hide resolved
await ruleStatusService.goingToRun(); | ||
|
||
// check if rule has permissions to access given index pattern |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a TO DO? Would definitely be great to move out for testing too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had written a function in the old multiple timestamps PR (which was closed) that would have been the home for this privilege check as well. Maybe in 7.12 I can bring that function back. I think once we add more types of pre-execution checks we can merge them into a single function to be executed at the top of the rule executor like this privilege check is now.
@@ -600,7 +625,7 @@ export const signalRulesAlertType = ({ | |||
`[+] Finished indexing ${result.createdSignalsCount} signals into ${outputIndex}` | |||
) | |||
); | |||
if (!hasError) { | |||
if (!hasError && !wroteStatus) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll only be reporting success if it checked all indices? Wondering if we should start better documenting/defining what "successful" rule run means. Like in this case if we successfully searched the indices we could, I might expect a success with a warning?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, my thinking was if the rule can't search every index pattern provided because it's missing read privileges we would want to say "this partially failed" because we couldn't do everything the rule was written to accomplish https://github.com/elastic/kibana/pull/83134/files/b79dd8abf743a5451c3346f7dd004735b7beb732#diff-bd205efcb13acaf5f9552bd573f21422d37d60c6f2aa03ae7f98d18b95fbc6e4R194. We could re-work the partial failure status to just be a "warning" status maybe? Maybe that would clear things up. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea, that makes sense too, if we weren't able to fulfill what the rule is asking. No need to change anything, maybe just an interesting convo to have at a team meeting about how to qualify different states.
…to ANY of the index patterns provided
💚 Build SucceededMetrics [docs]Distributable file count
History
To update your PR or re-run it, just comment with: |
…rule execution (elastic#83134) * adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too * fixes tests * cleanup code, adds a unit test * set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
…rule execution (elastic#83134) * adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too * fixes tests * cleanup code, adds a unit test * set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
…ck on rule execution (#83134) (#86849) * adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too * fixes tests * cleanup code, adds a unit test * set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
…eck on rule execution (#83134) (#86850) * adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too * fixes tests * cleanup code, adds a unit test * set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
Summary
Adds a privilege check on each rule execution to ensure the user who's api key is associated with the rule has read privileges on the index.
Indices for testing
*:*
on index patternsmyfa*
andsome*
. Ensure the rule starts to run successfully. This rule will be using the api key of the superuser you logged in with and will have read privileges to the above index patterns.t1_analyst
user herex-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json
to haveread
privileges for the index pattern"myfa*"
. Save and execute the following within thedetection_engine/scripts/roles_users/t1_analyst
directory:t1_analyst
and re-enable the rule (the rule is now running with thet1_analyst
privileges). Once the rule completes running it should have the following partial error message on the rule details page.Checklist
Delete any items that are not applicable to this PR.
For maintainers