ROX-33000: Support for process details in detection node#19586
JoukoVirtanen wants to merge 4 commits into master from
Conversation
Skipping CI for Draft Pull Request.
Images are ready for the commit at 9f121cd. To use with deploy scripts, first
Codecov Report
All modified and coverable lines are covered by tests.
Additional details and impacted files

@@ Coverage Diff @@
##           master   #19586     +/-   ##
==========================================
+ Coverage   49.26%   49.28%   +0.02%
==========================================
  Files        2735     2735
  Lines      206138   206220     +82
==========================================
+ Hits       101550   101645     +95
+ Misses      97041    97036      -5
+ Partials     7547     7539      -8
Stringy left a comment:
One minor non-blocking comment but overall LGTM
central/policy/service/validator.go (Outdated)

return errors.New("Node event policies must contain only node fields")
}

if booleanpolicy.ContainsOneOf(policy, booleanpolicy.Process) {
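Review bot: The error returned at the top of this snippet, "Node event policies must contain only node fields", appears twice inside a single API response in the manual-test output further down ("... Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments"), so the same message is being produced by more than one validation path and aggregated without deduplication. Either collapse duplicate errors before they reach the response, or make this message name the offending field (the non-node field that was found), so the two occurrences are distinguishable and a user can tell which policy group failed.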
I think this check is a little redundant - we can just go straight into the loop
Description
change me!
User-facing documentation
Testing and quality
Automated testing
How I validated my change
Manual testing.
The following script was used to test the changes here.
The following policy was used as an input. This is a valid node policy with Process and FileAccess fields. The policy is successfully created in this branch.
{
  "id": "",
  "name": "Node with process",
  "description": "",
  "severity": "LOW_SEVERITY",
  "disabled": false,
  "lifecycleStages": ["RUNTIME"],
  "notifiers": [],
  "lastUpdated": null,
  "eventSource": "NODE_EVENT",
  "isDefault": false,
  "rationale": "",
  "remediation": "",
  "categories": ["Anomalous Activity"],
  "exclusions": [],
  "scope": [],
  "enforcementActions": [],
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "",
  "policySections": [
    {
      "sectionName": "Rule 1",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "values": [{ "value": "bash" }],
          "negate": false,
          "fieldKey": {
            "name": "Process Name",
            "shortName": "Process name",
            "longName": "Process name is",
            "negatedName": "Process name doesn’t match",
            "category": "Process activity",
            "type": "text",
            "placeholder": "apt-get",
            "canBooleanLogic": true,
            "lifecycleStages": ["RUNTIME"]
          }
        },
        {
          "fieldName": "File Path",
          "booleanOperator": "OR",
          "values": [{ "value": "/etc/sudoers" }],
          "negate": false,
          "fieldKey": {
            "label": "File path",
            "name": "File Path",
            "shortName": "File path",
            "category": "File activity",
            "type": "text",
            "placeholder": "/home/**/.ssh/id_*",
            "helperText": "Enter an absolute file path. Supports glob patterns.",
            "canBooleanLogic": false,
            "lifecycleStages": ["RUNTIME"]
          }
        }
      ]
    }
  ],
  "mitreAttackVectors": [],
  "criteriaLocked": false,
  "mitreVectorsLocked": false,
  "source": "IMPERATIVE"
}

In master it results in an error.
{
  "code": 3,
  "message": "policy invalid errors: [error validating lifecycle stage error: Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments",
  "details": [],
  "error": "policy invalid errors: [error validating lifecycle stage error: Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments"
}

An invalid policy with only a Process field was tested.
{
  "id": "",
  "name": "Node with process only",
  "description": "",
  "severity": "LOW_SEVERITY",
  "disabled": false,
  "lifecycleStages": ["RUNTIME"],
  "notifiers": [],
  "lastUpdated": null,
  "eventSource": "NODE_EVENT",
  "isDefault": false,
  "rationale": "",
  "remediation": "",
  "categories": ["Anomalous Activity"],
  "exclusions": [],
  "scope": [],
  "enforcementActions": [],
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "",
  "policySections": [
    {
      "sectionName": "Rule 1",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "values": [{ "value": "bash" }],
          "negate": false,
          "fieldKey": {
            "name": "Process Name",
            "shortName": "Process name",
            "longName": "Process name is",
            "negatedName": "Process name doesn’t match",
            "category": "Process activity",
            "type": "text",
            "placeholder": "apt-get",
            "canBooleanLogic": true,
            "lifecycleStages": ["RUNTIME"]
          }
        }
      ]
    }
  ],
  "mitreAttackVectors": [],
  "criteriaLocked": false,
  "mitreVectorsLocked": false,
  "source": "IMPERATIVE"
}

This resulted in the following error.
It failed in master with the following error:
{
  "code": 3,
  "message": "policy invalid errors: [error validating lifecycle stage error: Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments",
  "details": [],
  "error": "policy invalid errors: [error validating lifecycle stage error: Node event policies must contain only node fields, Node event policies must contain only node fields]: invalid arguments"
}

A policy with only a FileAccess field was tested and worked in this branch and in master.
{
  "id": "",
  "name": "Node with file access only",
  "description": "",
  "severity": "LOW_SEVERITY",
  "disabled": false,
  "lifecycleStages": ["RUNTIME"],
  "notifiers": [],
  "lastUpdated": null,
  "eventSource": "NODE_EVENT",
  "isDefault": false,
  "rationale": "",
  "remediation": "",
  "categories": ["Anomalous Activity"],
  "exclusions": [],
  "scope": [],
  "enforcementActions": [],
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "",
  "policySections": [
    {
      "sectionName": "Rule 1",
      "policyGroups": [
        {
          "fieldName": "File Path",
          "booleanOperator": "OR",
          "values": [{ "value": "/etc/sudoers" }],
          "negate": false,
          "fieldKey": {
            "label": "File path",
            "name": "File Path",
            "shortName": "File path",
            "category": "File activity",
            "type": "text",
            "placeholder": "/home/**/.ssh/id_*",
            "helperText": "Enter an absolute file path. Supports glob patterns.",
            "canBooleanLogic": false,
            "lifecycleStages": ["RUNTIME"]
          }
        }
      ]
    }
  ],
  "mitreAttackVectors": [],
  "criteriaLocked": false,
  "mitreVectorsLocked": false,
  "source": "IMPERATIVE"
}
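To make the validation rule that the manual tests above exercise concrete, here is an added Go example; it is not stackrox code and not the validator from this PR. It applies a toy version of the node-policy check to the three policies from the description, once with master's behaviour (process fields rejected outright) and once with this branch's (process fields accepted alongside node fields, but not on their own). The field sets, the function names, the `allowProcess` switch and the trimmed JSON inputs are all assumptions of this example; the real field sets live in the booleanpolicy package and are larger.

```go
package main

// Added example, not stackrox code: a toy version of the node-policy check
// discussed in this PR. Field sets and function names are assumptions.

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Only the parts of the policy JSON the check needs to look at.
type policyGroup struct {
	FieldName string `json:"fieldName"`
}

type policySection struct {
	PolicyGroups []policyGroup `json:"policyGroups"`
}

type policy struct {
	Name           string          `json:"name"`
	EventSource    string          `json:"eventSource"`
	PolicySections []policySection `json:"policySections"`
}

// Assumed field sets: just the two fields exercised in the PR description.
var (
	nodeFields    = map[string]bool{"File Path": true}
	processFields = map[string]bool{"Process Name": true}
)

// ErrNodeFieldsOnly mirrors the validator message quoted in the review thread.
var ErrNodeFieldsOnly = errors.New("Node event policies must contain only node fields")

// ValidateNodePolicy enforces the rule the manual tests describe:
//   - policies with another event source are not this check's concern;
//   - every group in a NODE_EVENT policy must use a node field, or (when
//     allowProcess is set, i.e. this branch's behaviour) a process field;
//   - at least one node field must be present, so a process-only policy is
//     rejected even when process fields are allowed.
// Unlike the quoted message, the returned error names the offending field.
func ValidateNodePolicy(p policy, allowProcess bool) error {
	if p.EventSource != "NODE_EVENT" {
		return nil
	}
	hasNodeField := false
	for _, section := range p.PolicySections {
		for _, group := range section.PolicyGroups {
			switch {
			case nodeFields[group.FieldName]:
				hasNodeField = true
			case allowProcess && processFields[group.FieldName]:
				// permitted next to node fields, but not sufficient on its own
			default:
				return fmt.Errorf("policy %q, field %q: %w", p.Name, group.FieldName, ErrNodeFieldsOnly)
			}
		}
	}
	if !hasNodeField {
		return fmt.Errorf("policy %q has no node field: %w", p.Name, ErrNodeFieldsOnly)
	}
	return nil
}

// ValidateJSON parses a policy document and runs the check on it.
func ValidateJSON(raw string, allowProcess bool) error {
	var p policy
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return fmt.Errorf("parsing policy: %w", err)
	}
	return ValidateNodePolicy(p, allowProcess)
}

// Constructed inputs: the three policies from the PR description, trimmed to
// the keys this check reads.
const (
	ProcessAndFile = `{"name":"Node with process","eventSource":"NODE_EVENT","policySections":[{"sectionName":"Rule 1","policyGroups":[{"fieldName":"Process Name"},{"fieldName":"File Path"}]}]}`
	ProcessOnly    = `{"name":"Node with process only","eventSource":"NODE_EVENT","policySections":[{"sectionName":"Rule 1","policyGroups":[{"fieldName":"Process Name"}]}]}`
	FileOnly       = `{"name":"Node with file access only","eventSource":"NODE_EVENT","policySections":[{"sectionName":"Rule 1","policyGroups":[{"fieldName":"File Path"}]}]}`
)

func main() {
	cases := []struct {
		label string
		raw   string
	}{{"process+file", ProcessAndFile}, {"process only", ProcessOnly}, {"file only", FileOnly}}
	for _, tc := range cases {
		fmt.Printf("%-13s master: %v\n", tc.label, ValidateJSON(tc.raw, false))
		fmt.Printf("%-13s branch: %v\n", tc.label, ValidateJSON(tc.raw, true))
	}
}
```

Running it prints one line per policy and mode; the process+file policy is rejected only in master mode, the process-only policy is rejected in both, and the file-only policy passes in both, matching the three manual tests above. Because the error wraps `ErrNodeFieldsOnly`, callers can match it with `errors.Is` while still seeing which field tripped the check.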