-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[7.x] [Security Solution] [Detections] Adds scripts to create users +…
… roles based on specific privileges (#81866) (#83861) * shell scripts for creating roles + users for testing * update readme's and updated privilege requirements based on testing with the users and inferring what the roles are supposed to do * update role privileges based on feedback meeting yesterday * updated scripts to accept filepath to role / user, added a test to ensure upload value list button is disabled * updated role scripts to be parameterized * adds login with role function and adds a sample test with a role to test that a t1 analyst user cannot upload a value list * add object with corresponding roles * fix spacing * parameterize urls for basic auth with roles + users * forgot to change the cy.visit string * add KIBANA_URL env var for cli runner * add env vars for curl script execution * second script * update readme's for each role and remove create_index from lists privilege for the soc manager role * remove 'manage' cluster privilege for rule author * remove 'create_index' privilege from soc_manager role since that is not parity with the security workflows spreadsheet * update the login function logic with glo's feedback * replace SIEM with Security Solution in markdown files * make role param optional not just undefined * remove unused file * add copyright to scripts files * update top-level README for roles scripts * remove reference to internal spreadsheet and reference readme for this pr * remove unnecessary -XPOST and remove verbose mode from post_detections_user script * adds utils for running integration tests with other users and adds two sample tests showing example usage * minor type updates and small refactor * fix x-pack/test types * use enum types instead of custom type * fix path to json Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Xavier Mouligneau <[email protected]> Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Xavier Mouligneau <[email protected]>
- Loading branch information
1 parent
b88833d
commit 9390d4e
Showing
58 changed files
with
1,013 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
// For the source of these roles please consult the PR these were introduced https://github.com/elastic/kibana/pull/81866#issue-511165754 | ||
export enum ROLES { | ||
t1_analyst = 't1_analyst', | ||
t2_analyst = 't2_analyst', | ||
hunter = 'hunter', | ||
rule_author = 'rule_author', | ||
soc_manager = 'soc_manager', | ||
platform_engineer = 'platform_engineer', | ||
detections_admin = 'detections_admin', | ||
} | ||
|
||
export type RolesType = keyof typeof ROLES; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 changes: 12 additions & 0 deletions
12
...ins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
1. When first starting up elastic, detections will not be available until you visit the page with a SOC Manager role or Platform Engineer role | ||
2. I gave the Hunter role "all" privileges for saved objects management and builtInAlerts so that they can create rules. | ||
3. Rule Author has the ability to create rules and create value lists | ||
|
||
| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts | | ||
| :------------------------------------------: | :----------: | :-------------------------------: | :---------: | :--------------: | :---------------: | :------------------------------: | | ||
| T1 Analyst | read | read | none | read | read | read, write | | ||
| T2 Analyst | read | read | read | read | read | read, write | | ||
| Hunter / T3 Analyst | read, write | read | read | read, write | read | read, write | | ||
| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read | read, write, view_index_metadata | | ||
| SOC Manager | read, write | read | read, write | read, write | all | read, write, manage | | ||
| Platform Engineer (data ingest, cluster ops) | read, write | all | all | read, write | all | all | |
1 change: 1 addition & 0 deletions
1
...tion/server/lib/detection_engine/scripts/roles_users/detections_admin/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
This user contains all the possible privileges listed in our detections privileges docs https://www.elastic.co/guide/en/security/current/detections-permissions-section.html This user has higher privileges than the Platform Engineer user |
10 changes: 10 additions & 0 deletions
10
...erver/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
|
||
# | ||
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
# or more contributor license agreements. Licensed under the Elastic License; | ||
# you may not use this file except in compliance with the Elastic License. | ||
# | ||
|
||
curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ | ||
-u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ | ||
-XDELETE ${ELASTICSEARCH_URL}/_security/user/detections_admin |
35 changes: 35 additions & 0 deletions
35
...ion/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
{ | ||
"elasticsearch": { | ||
"cluster": ["manage"], | ||
"indices": [ | ||
{ | ||
"names": [ | ||
".siem-signals-*", | ||
".lists*", | ||
".items*", | ||
"apm-*-transaction*", | ||
"auditbeat-*", | ||
"endgame-*", | ||
"filebeat-*", | ||
"logs-*", | ||
"packetbeat-*", | ||
"winlogbeat-*" | ||
], | ||
"privileges": ["manage", "write", "read"] | ||
} | ||
] | ||
}, | ||
"kibana": [ | ||
{ | ||
"feature": { | ||
"ml": ["all"], | ||
"siem": ["all"], | ||
"actions": ["read"], | ||
"builtInAlerts": ["all"], | ||
"dev_tools": ["all"], | ||
"savedObjectsManagement": ["all"] | ||
}, | ||
"spaces": ["*"] | ||
} | ||
] | ||
} |
6 changes: 6 additions & 0 deletions
6
...ion/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_user.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
{ | ||
"password": "changeme", | ||
"roles": ["detections_admin"], | ||
"full_name": "Detections User", | ||
"email": "[email protected]" | ||
} |
10 changes: 10 additions & 0 deletions
10
...n/server/lib/detection_engine/scripts/roles_users/detections_admin/get_detections_role.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
|
||
# | ||
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
# or more contributor license agreements. Licensed under the Elastic License; | ||
# you may not use this file except in compliance with the Elastic License. | ||
# | ||
|
||
curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ | ||
-u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ | ||
-XGET ${KIBANA_URL}/api/security/role/detections_admin | jq -S . |
11 changes: 11 additions & 0 deletions
11
.../server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_role.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
|
||
# | ||
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
# or more contributor license agreements. Licensed under the Elastic License; | ||
# you may not use this file except in compliance with the Elastic License. | ||
# | ||
|
||
curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ | ||
-u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ | ||
-XPUT ${KIBANA_URL}/api/security/role/detections_admin \ | ||
-d @detections_role.json |
13 changes: 13 additions & 0 deletions
13
.../server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_user.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
|
||
# | ||
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
# or more contributor license agreements. Licensed under the Elastic License; | ||
# you may not use this file except in compliance with the Elastic License. | ||
# | ||
|
||
USER=(${@:-./detections_user.json}) | ||
|
||
curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ | ||
-u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ | ||
${ELASTICSEARCH_URL}/_security/user/detections_admin \ | ||
-d @${USER} |
12 changes: 12 additions & 0 deletions
12
...urity_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
This user can CRUD rules and signals. The main difference here is the user has | ||
|
||
```json | ||
"builtInAlerts": ["all"], | ||
"savedObjectsManagement": ["all"] | ||
``` | ||
|
||
privileges whereas the T1 and T2 have "read" privileges which prevents them from creating rules | ||
|
||
| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts | | ||
| :-----------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: | | ||
| Hunter / T3 Analyst | read, write | read | read | read, write | read | read, write | |
10 changes: 10 additions & 0 deletions
10
...solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
|
||
# | ||
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
# or more contributor license agreements. Licensed under the Elastic License; | ||
# you may not use this file except in compliance with the Elastic License. | ||
# | ||
|
||
curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ | ||
-u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ | ||
-XDELETE ${ELASTICSEARCH_URL}/_security/user/hunter |
39 changes: 39 additions & 0 deletions
39
...rity_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
{ | ||
"elasticsearch": { | ||
"cluster": [], | ||
"indices": [ | ||
{ | ||
"names": [ | ||
"apm-*-transaction*", | ||
"auditbeat-*", | ||
"endgame-*", | ||
"filebeat-*", | ||
"logs-*", | ||
"packetbeat-*", | ||
"winlogbeat-*" | ||
], | ||
"privileges": ["read", "write"] | ||
}, | ||
{ | ||
"names": [".siem-signals-*"], | ||
"privileges": ["read", "write"] | ||
}, | ||
{ | ||
"names": [".lists*", ".items*"], | ||
"privileges": ["read", "write"] | ||
} | ||
] | ||
}, | ||
"kibana": [ | ||
{ | ||
"feature": { | ||
"ml": ["read"], | ||
"siem": ["all"], | ||
"actions": ["read"], | ||
"builtInAlerts": ["all"], | ||
"savedObjectsManagement": ["all"] | ||
}, | ||
"spaces": ["*"] | ||
} | ||
] | ||
} |
Oops, something went wrong.