Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] [Detections] Add "read index" privilege check on rule execution #83134

Merged
merged 4 commits into from
Dec 22, 2020

Conversation

dhurley14
Copy link
Contributor

@dhurley14 dhurley14 commented Nov 10, 2020

Summary

Adds a privilege check on each rule execution to ensure the user who's api key is associated with the rule has read privileges on the index.

Indices for testing
POST myfakeindex-1/_doc
{
  "message": "hello world fake",
  "@timestamp": "2020-12-14T22:31:01.726Z"
}


POST somefakeindex-1/_doc
{
  "message": "hello world some",
  "@timestamp": "2020-12-14T22:31:01.726Z"
}
  1. Login to detections as a superuser and set up detections.
  2. Write a rule to query *:* on index patterns myfa* and some*. Ensure the rule starts to run successfully. This rule will be using the api key of the superuser you logged in with and will have read privileges to the above index patterns.
  3. Update the role for the t1_analyst user here x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json to have read privileges for the index pattern "myfa*". Save and execute the following within the detection_engine/scripts/roles_users/t1_analyst directory:
$ ./post_detections_role.sh && ./post_detections_user.sh 
  1. Login to detections as the t1_analyst and re-enable the rule (the rule is now running with the t1_analyst privileges). Once the rule completes running it should have the following partial error message on the rule details page.

partial_failure_read_index

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@dhurley14 dhurley14 changed the title adds privilege check in rule execution function, need to abstract the… [Security Solution] [Detections] Add "read index" privilege check on rule execution Nov 10, 2020
@dhurley14 dhurley14 force-pushed the privilege-check-execution branch from e3bd9d6 to efa3efc Compare November 19, 2020 23:16
…se lines into a util function to be used in create rules and use that check on the UI too
@dhurley14 dhurley14 force-pushed the privilege-check-execution branch from efa3efc to b79dd8a Compare December 21, 2020 22:23
@dhurley14 dhurley14 self-assigned this Dec 21, 2020
@dhurley14 dhurley14 marked this pull request as ready for review December 21, 2020 22:28
@dhurley14 dhurley14 requested review from a team as code owners December 21, 2020 22:28
@dhurley14 dhurley14 added release_note:enhancement review Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detections and Resp Security Detection Response Team v7.11.0 v7.12.0 v8.0.0 labels Dec 21, 2020
Copy link
Contributor

@yctercero yctercero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - super minor comments that can all be addressed as follow up if need be. Am curious to chat about how we define "success" in rule runs.

await ruleStatusService.goingToRun();

// check if rule has permissions to access given index pattern
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a TO DO? Would definitely be great to move out for testing too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had written a function in the old multiple timestamps PR (which was closed) that would have been the home for this privilege check as well. Maybe in 7.12 I can bring that function back. I think once we add more types of pre-execution checks we can merge them into a single function to be executed at the top of the rule executor like this privilege check is now.

@@ -600,7 +625,7 @@ export const signalRulesAlertType = ({
`[+] Finished indexing ${result.createdSignalsCount} signals into ${outputIndex}`
)
);
if (!hasError) {
if (!hasError && !wroteStatus) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll only be reporting success if it checked all indices? Wondering if we should start better documenting/defining what "successful" rule run means. Like in this case if we successfully searched the indices we could, I might expect a success with a warning?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, my thinking was if the rule can't search every index pattern provided because it's missing read privileges we would want to say "this partially failed" because we couldn't do everything the rule was written to accomplish https://github.com/elastic/kibana/pull/83134/files/b79dd8abf743a5451c3346f7dd004735b7beb732#diff-bd205efcb13acaf5f9552bd573f21422d37d60c6f2aa03ae7f98d18b95fbc6e4R194. We could re-work the partial failure status to just be a "warning" status maybe? Maybe that would clear things up. What do you think?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, that makes sense too, if we weren't able to fulfill what the rule is asking. No need to change anything, maybe just an interesting convo to have at a team meeting about how to qualify different states.

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Distributable file count

id before after diff
default 47143 47903 +760

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@dhurley14 dhurley14 merged commit 59298c5 into elastic:master Dec 22, 2020
@dhurley14 dhurley14 deleted the privilege-check-execution branch December 22, 2020 22:01
dhurley14 added a commit to dhurley14/kibana that referenced this pull request Dec 22, 2020
…rule execution (elastic#83134)

* adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too

* fixes tests

* cleanup code, adds a unit test

* set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
dhurley14 added a commit to dhurley14/kibana that referenced this pull request Dec 22, 2020
…rule execution (elastic#83134)

* adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too

* fixes tests

* cleanup code, adds a unit test

* set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
dhurley14 added a commit that referenced this pull request Dec 23, 2020
…ck on rule execution (#83134) (#86849)

* adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too

* fixes tests

* cleanup code, adds a unit test

* set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
dhurley14 added a commit that referenced this pull request Dec 23, 2020
…eck on rule execution (#83134) (#86850)

* adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too

* fixes tests

* cleanup code, adds a unit test

* set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release_note:enhancement review Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.11.0 v7.12.0 v8.0.0
Projects
None yet
4 participants