Allow security_rule objects to have rule IDs different from the objec…

…t IDs (#463)
elastic · Jan 18, 2023 · 6056037 · 6056037
1 parent c7b54ab
commit 6056037
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 5 deletions.
diff --git a/code/go/internal/validator/semantic/validate_kibana_matching_object_ids.go b/code/go/internal/validator/semantic/validate_kibana_matching_object_ids.go
@@ -47,8 +47,21 @@ func ValidateKibanaObjectIDs(fsys fspath.FS) ve.ValidationErrors {
 				continue
 			}
 
-			if ruleID != objectID {
-				errs = append(errs, errors.New("rule ID is different from the object ID"))
+			objectIDValue, ok := objectID.(string)
+			if !ok {
+				errs = append(errs, errors.Wrap(err, "expect object ID to be a string"))
+				continue
+			}
+
+			ruleIDValue, ok := ruleID.(string)
+			if !ok {
+				errs = append(errs, errors.Wrap(err, "expect rule ID to be a string"))
+				continue
+			}
+
+			if !strings.HasPrefix(objectIDValue, ruleIDValue) {
+				err := fmt.Errorf("kibana object ID [%s] should start with rule ID [%s]", objectIDValue, ruleIDValue)
+				errs = append(errs, err)
 				continue
 			}
 		}

diff --git a/code/go/pkg/validator/validator_test.go b/code/go/pkg/validator/validator_test.go
@@ -245,6 +245,27 @@ func TestValidateBadKibanaIDs(t *testing.T) {
 	}
 }
 
+func TestValidateBadRuleIDs(t *testing.T) {
+	tests := map[string]string{
+		"bad_rule_ids": "kibana object ID [saved_object_id] should start with rule ID [rule_id]",
+	}
+
+	for pkgName, expectedError := range tests {
+		t.Run(pkgName, func(t *testing.T) {
+			errs := ValidateFromPath(filepath.Join("..", "..", "..", "..", "test", "packages", pkgName))
+			require.Error(t, errs)
+			vErrs, ok := errs.(errors.ValidationErrors)
+			require.True(t, ok)
+
+			var errMessages []string
+			for _, vErr := range vErrs {
+				errMessages = append(errMessages, vErr.Error())
+			}
+			require.Contains(t, errMessages, expectedError)
+		})
+	}
+}
+
 func TestValidateMissingReqiredFields(t *testing.T) {
 	tests := map[string][]string{
 		"good":    {},

diff --git a/spec/changelog.yml b/spec/changelog.yml
@@ -2,11 +2,11 @@
 ## This file documents changes in the package specification. It is NOT a package specification file.
 ## Newer entries go at the bottom of each in-development version.
 ##
-- version: 2.3.1-next
+- version: 2.4.0-next
   changes:
-  - description: Prepare for next version
+  - description: Allow security_rule objects to have rule IDs different from the object IDs.
     type: enhancement
-    link: https://github.com/elastic/package-spec/pull/462
+    link: https://github.com/elastic/package-spec/pull/463
 - version: 2.3.0
   changes:
   - description: Remove the release tag, semantic versioning should be used instead.

diff --git a/test/packages/bad_rule_ids/changelog.yml b/test/packages/bad_rule_ids/changelog.yml
@@ -0,0 +1,5 @@
+- version: 0.1.2
+  changes:
+    - description: initial release
+      type: enhancement
+      link: https://github.com/elastic/package-spec/pull/160
diff --git a/test/packages/bad_rule_ids/docs/README.md b/test/packages/bad_rule_ids/docs/README.md
@@ -0,0 +1 @@
+Main
diff --git a/test/packages/bad_rule_ids/kibana/security_rule/saved_object_id.json b/test/packages/bad_rule_ids/kibana/security_rule/saved_object_id.json
@@ -0,0 +1,6 @@
+{
+  "attributes": {
+    "rule_id": "rule_id"
+  },
+  "id": "saved_object_id"
+}
diff --git a/test/packages/bad_rule_ids/manifest.yml b/test/packages/bad_rule_ids/manifest.yml
@@ -0,0 +1,9 @@
+format_version: 1.0.0
+name: bad_rule_ids
+title: Bad Rule IDs
+description: This package contains detection rules with non-matching object IDs
+version: 0.1.2
+type: integration
+release: beta
+owner:
+  github: elastic/foobar
diff --git a/test/packages/good/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_5.json b/test/packages/good/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_5.json
@@ -0,0 +1,36 @@
+{
+  "attributes": {
+    "author": ["Elastic"],
+    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": ["filebeat-*", "logs-okta*"],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy Rule",
+    "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.update",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_5",
+  "type": "security-rule"
+}