From 23ad9329525c3e4253aa8da9750899342d0fa8e5 Mon Sep 17 00:00:00 2001 From: Candace Park Date: Mon, 13 Apr 2020 14:04:26 -0400 Subject: [PATCH 1/3] linux events for endpoint policy details --- .../applications/endpoint/models/policy.ts | 11 +- .../store/policy_details/selectors.ts | 20 ++++ .../public/applications/endpoint/types.ts | 18 +-- .../endpoint/view/policy/policy_details.tsx | 4 +- .../view/policy/policy_forms/events/index.tsx | 1 + .../view/policy/policy_forms/events/linux.tsx | 106 ++++++++++++++++++ .../policy/policy_forms/events/windows.tsx | 69 +++++++++++- 7 files changed, 216 insertions(+), 13 deletions(-) create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/linux.tsx diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/models/policy.ts b/x-pack/plugins/endpoint/public/applications/endpoint/models/policy.ts index 30f45e54c20056..668ddd71da38aa 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/models/policy.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/models/policy.ts @@ -15,8 +15,17 @@ export const generatePolicy = (): PolicyConfig => { return { windows: { events: { - process: true, + api: true, + clr: true, + dll_and_driver_load: true, + dns: true, + file: true, network: true, + powershell: true, + process: true, + registry: true, + security: true, + wmi: true, }, malware: { mode: ProtectionModes.prevent, diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/policy_details/selectors.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/policy_details/selectors.ts index 4b4dc9d9bee43d..a37a06bafcf05d 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/policy_details/selectors.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/policy_details/selectors.ts 
@@ -119,6 +119,26 @@ export const selectedMacEvents = (state: PolicyDetailsState): number => {
   return 0;
 };
 
+/** Returns the total number of possible linux eventing configurations */
+export const totalLinuxEvents = (state: PolicyDetailsState): number => {
+  const config = policyConfig(state);
+  if (config) {
+    return Object.keys(config.linux.events).length;
+  }
+  return 0;
+};
+
+/** Returns the number of selected liinux eventing configurations */
+export const selectedLinuxEvents = (state: PolicyDetailsState): number => {
+  const config = policyConfig(state);
+  if (config) {
+    return Object.values(config.linux.events).reduce((count, event) => {
+      return event === true ? count + 1 : count;
+    }, 0);
+  }
+  return 0;
+};
+
 /** is there an api call in flight */
 export const isLoading = (state: PolicyDetailsState) => state.isLoading;
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
index dda50847169e7f..e8e30a9c50d9a5 100644
--- a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
@@ -162,8 +162,17 @@ interface PolicyConfigAdvancedOptions {
 export type UIPolicyConfig = {
   windows: {
     events: {
-      process: boolean;
+      api: boolean;
+      clr: boolean;
+      dll_and_driver_load: boolean;
+      dns: boolean;
+      file: boolean;
       network: boolean;
+      powershell: boolean;
+      process: boolean;
+      registry: boolean;
+      security: boolean;
+      wmi: boolean;
     };
     /** malware mode can be off, detect, prevent or prevent and notify user */
     malware: MalwareFields;
@@ -196,13 +205,6 @@ export enum OS {
   linux = 'linux',
 }
 
-/** Used in Policy */
-export enum EventingFields {
-  process = 'process',
-  network = 'network',
-  file = 'file',
-}
-
 /**
  * Returns the keys of an object whose values meet a criteria.
  * Ex) interface largeNestedObject = {
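Review bot: The doc comment on `selectedLinuxEvents` has a typo, `liinux`; it should read `/** Returns the number of selected linux eventing configurations */`. Both new selectors are line-for-line copies of the Mac and Windows counterparts with only the `config.linux` key changed, so the three platforms can silently drift (for example if one of them later stops counting `event === true` strictly). A single pair of helpers taking the OS key, e.g. `const totalEvents = (os: keyof PolicyConfig) => (state: PolicyDetailsState): number => …`, with `totalLinuxEvents = totalEvents('linux')`, would keep the exported selector names and remove the duplication.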
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_details.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_details.tsx index 1e723e32615eb1..97ac51e66ea2a7 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_details.tsx +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_details.tsx @@ -34,7 +34,7 @@ import { AppAction } from '../../types'; import { useKibana } from '../../../../../../../../src/plugins/kibana_react/public'; import { AgentsSummary } from './agents_summary'; import { VerticalDivider } from './vertical_divider'; -import { WindowsEvents, MacEvents } from './policy_forms/events'; +import { WindowsEvents, MacEvents, LinuxEvents } from './policy_forms/events'; import { MalwareProtections } from './policy_forms/protections/malware'; export const PolicyDetails = React.memo(() => { @@ -209,6 +209,8 @@ export const PolicyDetails = React.memo(() => { + + ); diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/index.tsx index 44716d81830419..927456fb671d8c 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/index.tsx +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/index.tsx @@ -6,3 +6,4 @@ export { WindowsEvents } from './windows'; export { MacEvents } from './mac'; +export { LinuxEvents } from './linux'; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/linux.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/linux.tsx new file mode 100644 index 00000000000000..9d2ce03c204626 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/linux.tsx 
@@ -0,0 +1,106 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React, { useMemo } from 'react'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n/react'; +import { EuiTitle, EuiText, EuiSpacer } from '@elastic/eui'; +import { EventsCheckbox } from './checkbox'; +import { OS, UIPolicyConfig } from '../../../../types'; +import { usePolicyDetailsSelector } from '../../policy_hooks'; +import { selectedLinuxEvents, totalLinuxEvents } from '../../../../store/policy_details/selectors'; +import { ConfigForm } from '../config_form'; +import { getIn, setIn } from '../../../../models/policy_details_config'; + +export const LinuxEvents = React.memo(() => { + const selected = usePolicyDetailsSelector(selectedLinuxEvents); + const total = usePolicyDetailsSelector(totalLinuxEvents); + + const checkboxes: Array<{ + name: string; + os: 'linux'; + protectionField: keyof UIPolicyConfig['linux']['events']; + }> = useMemo( + () => [ + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.linux.events.file', { + defaultMessage: 'File', + }), + os: OS.linux, + protectionField: 'file', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.linux.events.process', { + defaultMessage: 'Process', + }), + os: OS.linux, + protectionField: 'process', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.linux.events.network', { + defaultMessage: 'Network', + }), + os: OS.linux, + protectionField: 'network', + }, + ], + [] + ); + + const renderCheckboxes = () => { + return ( + <> + +
+ +
+
+ + {checkboxes.map((item, index) => { + return ( + + setIn(config)(item.os)('events')(item.protectionField)(checked) + } + getter={config => getIn(config)(item.os)('events')(item.protectionField)} + /> + ); + })} + + ); + }; + + const collectionsEnabled = () => { + return ( + + + + ); + }; + + return ( + + ); +}); diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/windows.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/windows.tsx index 63a140912437da..2be2f1dab0bf0a 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/windows.tsx +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/windows.tsx @@ -29,11 +29,39 @@ export const WindowsEvents = React.memo(() => { }> = useMemo( () => [ { - name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.process', { - defaultMessage: 'Process', + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.api', { + defaultMessage: 'API', }), os: OS.windows, - protectionField: 'process', + protectionField: 'api', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.clr', { + defaultMessage: 'CLR', + }), + os: OS.windows, + protectionField: 'clr', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.dllDriverLoad', { + defaultMessage: 'DLL and Driver Load', + }), + os: OS.windows, + protectionField: 'dll_and_driver_load', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.dns', { + defaultMessage: 'DNS', + }), + os: OS.windows, + protectionField: 'dns', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.file', { + defaultMessage: 'File', + }), + os: OS.windows, + protectionField: 'file', }, { name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.network', { 
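Review bot: `LinuxEvents` reproduces the structure of `WindowsEvents` and `MacEvents` with only the OS key, the two selectors and the labels changed; the typed `checkboxes` list, `renderCheckboxes` and `collectionsEnabled` could live in one shared component parameterized by `os` and its selectors so the three forms cannot diverge. The JSX inside `renderCheckboxes` and `collectionsEnabled` is not recoverable from this page, so I cannot check which `key` the `checkboxes.map((item, index) => …)` callback passes to `EventsCheckbox`; if it is `index`, `key={item.protectionField}` is the stable choice since the field names are unique. A short TSDoc line on the component, such as `/** Event-collection checkboxes for the linux section of the policy details form. */`, would match the documented selectors it consumes.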
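Review bot: The i18n id of the new DLL/driver entry, `xpack.endpoint.policyDetailsConfig.windows.events.dllDriverLoad`, is the only one in the list whose suffix cannot be derived from its `protectionField` (`dll_and_driver_load`); every other entry reuses the field name (`api`, `clr`, `dns`, `file`, `network`). Keeping the suffix aligned with the field, e.g. `…windows.events.dllAndDriverLoad`, makes the translation keys predictable when the list is later generated from the type. The `WindowsEvents` component body continues outside this hunk.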
@@ -42,6 +70,41 @@ export const WindowsEvents = React.memo(() => { os: OS.windows, protectionField: 'network', }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.powershell', { + defaultMessage: 'Powershell', + }), + os: OS.windows, + protectionField: 'powershell', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.process', { + defaultMessage: 'Process', + }), + os: OS.windows, + protectionField: 'process', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.registry', { + defaultMessage: 'Registry', + }), + os: OS.windows, + protectionField: 'registry', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.security', { + defaultMessage: 'Security', + }), + os: OS.windows, + protectionField: 'security', + }, + { + name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.wmi', { + defaultMessage: 'WMI', + }), + os: OS.windows, + protectionField: 'wmi', + }, ], [] ); From 5d217e4ac14a458168d9702aec833fac6f6d347e Mon Sep 17 00:00:00 2001 From: Candace Park Date: Mon, 13 Apr 2020 15:23:17 -0400 Subject: [PATCH 2/3] reverted uipolicy types, added windows checkbox types, linux test --- .../store/policy_details/index.test.ts | 22 +++++ .../public/applications/endpoint/types.ts | 90 ++++++++++--------- 2 files changed, 70 insertions(+), 42 deletions(-) diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/policy_details/index.test.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/policy_details/index.test.ts index e09a62b235e353..f81852d6a074a8 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/policy_details/index.test.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/policy_details/index.test.ts 
@@ -98,4 +98,26 @@ describe('policy details: ', () => {
       expect(config!.mac.events.file).toEqual(true);
     });
   });
+
+  describe('when the user has enabled linux process events', () => {
+    beforeEach(() => {
+      const config = policyConfig(getState());
+      if (!config) {
+        throw new Error();
+      }
+
+      const newPayload1 = clone(config);
+      newPayload1.linux.events.file = true;
+
+      dispatch({
+        type: 'userChangedPolicyConfig',
+        payload: { policyConfig: newPayload1 },
+      });
+    });
+
+    it('linux file events is enabled', () => {
+      const config = policyConfig(getState());
+      expect(config!.linux.events.file).toEqual(true);
+    });
+  });
 });
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
index e8e30a9c50d9a5..56730cb792d37b 100644
--- a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
@@ -118,21 +118,46 @@ export interface PolicyDetailsState {
  * Endpoint Policy configuration
  */
 export interface PolicyConfig {
-  windows: UIPolicyConfig['windows'] & {
+  windows: {
+    events: {
+      api: boolean;
+      clr: boolean;
+      dll_and_driver_load: boolean;
+      dns: boolean;
+      file: boolean;
+      network: boolean;
+      powershell: boolean;
+      process: boolean;
+      registry: boolean;
+      security: boolean;
+      wmi: boolean;
+    };
+    malware: MalwareFields;
     logging: {
       stdout: string;
       file: string;
     };
     advanced: PolicyConfigAdvancedOptions;
   };
-  mac: UIPolicyConfig['mac'] & {
+  mac: {
+    events: {
+      file: boolean;
+      process: boolean;
+      network: boolean;
+    };
+    malware: MalwareFields;
     logging: {
       stdout: string;
       file: string;
     };
     advanced: PolicyConfigAdvancedOptions;
   };
-  linux: UIPolicyConfig['linux'] & {
+  linux: {
+    events: {
+      file: boolean;
+      process: boolean;
+      network: boolean;
+    };
     logging: {
       stdout: string;
       file: string;
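Review bot: The new `describe` label says the user enabled linux process events, but `beforeEach` sets `newPayload1.linux.events.file = true` and the `it` asserts on `config!.linux.events.file`; rename it to `describe('when the user has enabled linux file events', () => {` so a failure is reported under the right name. The guard `throw new Error();` gives no message when the fixture has no policy config loaded; `throw new Error('policy config was not loaded');` makes that setup failure readable. The test only checks the field it just set, so it would also pass if the reducer replaced the whole config; asserting that the other linux fields (`process`, `network`) kept their values from the cloned `config` would actually exercise the `userChangedPolicyConfig` handling. The enclosing `describe('policy details: ')` starts outside this hunk.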
@@ -156,47 +181,28 @@ interface PolicyConfigAdvancedOptions { } /** - * The set of Policy configuration settings that are show/edited via the UI + * Windows-specific policy configuration that is supported via the UI */ -/* eslint-disable @typescript-eslint/consistent-type-definitions */ -export type UIPolicyConfig = { - windows: { - events: { - api: boolean; - clr: boolean; - dll_and_driver_load: boolean; - dns: boolean; - file: boolean; - network: boolean; - powershell: boolean; - process: boolean; - registry: boolean; - security: boolean; - wmi: boolean; - }; - /** malware mode can be off, detect, prevent or prevent and notify user */ - malware: MalwareFields; - }; - mac: { - events: { - file: boolean; - process: boolean; - network: boolean; - }; - malware: MalwareFields; - }; +type WindowsPolicyConfig = Pick; - /** - * Linux-specific policy configuration that is supported via the UI - */ - linux: { - events: { - file: boolean; - process: boolean; - network: boolean; - }; - }; -}; +/** + * Mac-specific policy configuration that is supported via the UI + */ +type MacPolicyConfig = Pick; + +/** + * Linux-specific policy configuration that is supported via the UI + */ +type LinuxPolicyConfig = Pick; + +/** + * The set of Policy configuration settings that are show/edited via the UI + */ +export interface UIPolicyConfig { + windows: WindowsPolicyConfig; + mac: MacPolicyConfig; + linux: LinuxPolicyConfig; +} /** OS used in Policy */ export enum OS { From bac2b7c038c3414b9fbf6309ddd625df35235644 Mon Sep 17 00:00:00 2001 From: Candace Park Date: Mon, 13 Apr 2020 16:58:20 -0400 Subject: [PATCH 3/3] removes unimplimented windows events --- .../applications/endpoint/models/policy.ts | 4 --- .../public/applications/endpoint/types.ts | 4 --- .../policy/policy_forms/events/windows.tsx | 28 ------------------- 3 files changed, 36 deletions(-) 
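Review bot: The re-added comment on `UIPolicyConfig` carries over the original wording `settings that are show/edited via the UI`; it should read ` * The set of Policy configuration settings that are shown/edited via the UI`. The type arguments of the three `Pick` aliases (`WindowsPolicyConfig`, `MacPolicyConfig`, `LinuxPolicyConfig`) are not recoverable from this page, so I cannot confirm which keys of `PolicyConfig` they select; since these aliases now define the UI-editable subset, a one-line comment on each naming the keys deliberately left out (presumably `logging` and `advanced`) would document the intent. The first hunk of this file now spells out the `events` map for each OS inline in `PolicyConfig`; naming them (e.g. `WindowsEvents`, `MacEvents`, `LinuxEvents` type aliases) would let the checkbox forms and selectors reference one definition.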
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/models/policy.ts b/x-pack/plugins/endpoint/public/applications/endpoint/models/policy.ts
index 668ddd71da38aa..5269ee72f4039d 100644
--- a/x-pack/plugins/endpoint/public/applications/endpoint/models/policy.ts
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/models/policy.ts
@@ -15,17 +15,13 @@ export const generatePolicy = (): PolicyConfig => {
   return {
     windows: {
       events: {
-        api: true,
-        clr: true,
         dll_and_driver_load: true,
         dns: true,
         file: true,
         network: true,
-        powershell: true,
         process: true,
         registry: true,
         security: true,
-        wmi: true,
       },
       malware: {
         mode: ProtectionModes.prevent,
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
index 56730cb792d37b..2942f74b60994b 100644
--- a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts
@@ -120,17 +120,13 @@ export interface PolicyDetailsState {
 export interface PolicyConfig {
   windows: {
     events: {
-      api: boolean;
-      clr: boolean;
       dll_and_driver_load: boolean;
       dns: boolean;
       file: boolean;
       network: boolean;
-      powershell: boolean;
       process: boolean;
       registry: boolean;
       security: boolean;
-      wmi: boolean;
     };
     malware: MalwareFields;
     logging: {
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/windows.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/windows.tsx
index 2be2f1dab0bf0a..da675dc1e23938 100644
--- a/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/windows.tsx
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/policy/policy_forms/events/windows.tsx
@@ -28,20 +28,6 @@ export const WindowsEvents = React.memo(() => {
     protectionField: keyof UIPolicyConfig['windows']['events'];
   }> = useMemo(
     () => [
-      {
-        name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.api', {
-          defaultMessage: 'API',
-        }),
-        os: OS.windows,
-        protectionField: 'api',
-      },
-      {
-        name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.clr', {
-          defaultMessage: 'CLR',
-        }),
-        os: OS.windows,
-        protectionField: 'clr',
-      },
       {
         name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.dllDriverLoad', {
           defaultMessage: 'DLL and Driver Load',
@@ -70,13 +56,6 @@ export const WindowsEvents = React.memo(() => {
         os: OS.windows,
         protectionField: 'network',
       },
-      {
-        name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.powershell', {
-          defaultMessage: 'Powershell',
-        }),
-        os: OS.windows,
-        protectionField: 'powershell',
-      },
       {
         name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.process', {
           defaultMessage: 'Process',
@@ -98,13 +77,6 @@ export const WindowsEvents = React.memo(() => {
         os: OS.windows,
         protectionField: 'security',
       },
-      {
-        name: i18n.translate('xpack.endpoint.policyDetailsConfig.windows.events.wmi', {
-          defaultMessage: 'WMI',
-        }),
-        os: OS.windows,
-        protectionField: 'wmi',
-      },
     ],
     []
   );