
[Security Solution] File paths for Blocklist Windows and Mac should be case insensitive #164200

Conversation

@kevinlog kevinlog (Contributor) commented Aug 17, 2023

Summary

This fixes a bug where Windows and Mac Blocklist file path entries should be passed as case insensitive. This is because Mac and Windows are caseless for most use cases.

Bug ticket: #158581

Here is how it will be displayed in the UI:
[image: UI screenshot]

Here is the breakdown of the artifacts after the fix:

Linux:

```
-------------------------------------------------------------------
Policy:   Protect
Manifest: 1.0.6 | v1
Artifact: endpoint-blocklist-linux-v1
          Relative URL:   /api/fleet/artifacts/endpoint-blocklist-linux-v1/f33e6890aeced00861c26a08121dd42d2d29ba08abfeb3c065d0447e32e18640
          Encoded SHA256: a907835be40af89b8b7aa23a6efc66c01ceaa5a19622edd378139319f3ca5fa0
          Decoded SHA256: f33e6890aeced00861c26a08121dd42d2d29ba08abfeb3c065d0447e32e18640
-------------------------------------------------------------------

{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path",
          "operator": "included",
          "type": "exact_cased_any",
          "value": [
            "/opt/bin/bin.exe"
          ]
        }
      ]
    }
  ]
}
```

Mac:

```
-------------------------------------------------------------------
Policy:   Protect
Manifest: 1.0.6 | v1
Artifact: endpoint-blocklist-macos-v1
          Relative URL:   /api/fleet/artifacts/endpoint-blocklist-macos-v1/b28e7978da4314ebc2c94770e0638fc4b2270f9dc17a11d6d32b8634b1fbec0f
          Encoded SHA256: 4f3e80d688f5cae4bf6a88b0704e37909f9fa4f47fe8325b7b154cddd46a2db9
          Decoded SHA256: b28e7978da4314ebc2c94770e0638fc4b2270f9dc17a11d6d32b8634b1fbec0f
-------------------------------------------------------------------

{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path",
          "operator": "included",
          "type": "exact_caseless_any",
          "value": [
            "/opt/exe.exe"
          ]
        }
      ]
    }
  ]
}
```

Windows:

```
-------------------------------------------------------------------
Policy:   Protect
Manifest: 1.0.6 | v1
Artifact: endpoint-blocklist-windows-v1
          Relative URL:   /api/fleet/artifacts/endpoint-blocklist-windows-v1/2a6fcc67c696ad4e29d91f8b685bff46977198cd34b9a61e8003d55b78dff6ac
          Encoded SHA256: c6e045fce97651336eeb400f0123541475b940e3aa38ce721f299585683da288
          Decoded SHA256: 2a6fcc67c696ad4e29d91f8b685bff46977198cd34b9a61e8003d55b78dff6ac
-------------------------------------------------------------------

{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path",
          "operator": "included",
          "type": "exact_caseless_any",
          "value": [
            "C:\\path\\path.exe"
          ]
        }
      ]
    }
  ]
}
```

Checklist

Delete any items that are not applicable to this PR.
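The artifact entries above, as an added TypeScript example that is not Kibana's own code: it builds the per-OS `file.path` entry with the match type this PR selects (`exact_cased_any` for Linux, `exact_caseless_any` for Mac and Windows) and evaluates it against an observed path, so the effect of the fix is visible on a path that differs from the blocklisted one only by case. The helper names (`matchTypeForOs`, `buildBlocklistArtifact`, `isBlocked`) and the all-of semantics of a `simple` group are assumptions.

```typescript
// Added example, not Kibana's own code. It reproduces the artifact entry shape shown
// in the PR description and evaluates it the way the type names imply. Helper names and
// the "all entries in a 'simple' group must match" semantics are assumptions.

type OsType = 'linux' | 'macos' | 'windows';
type EntryMatchType = 'exact_cased_any' | 'exact_caseless_any';

interface FilePathEntry {
  field: 'file.path';
  operator: 'included';
  type: EntryMatchType;
  value: string[];
}

interface BlocklistArtifact {
  entries: Array<{ type: 'simple'; entries: FilePathEntry[] }>;
}

// After the fix: Linux keeps cased matching; macOS and Windows, whose default
// filesystems are case-insensitive, get caseless matching.
function matchTypeForOs(os: OsType): EntryMatchType {
  return os === 'linux' ? 'exact_cased_any' : 'exact_caseless_any';
}

// Build the artifact for one OS. `matchType` can be overridden to reproduce the
// pre-fix behaviour (exact_cased_any for every OS) for comparison.
function buildBlocklistArtifact(
  os: OsType,
  paths: string[],
  matchType: EntryMatchType = matchTypeForOs(os)
): BlocklistArtifact {
  return {
    entries: [
      {
        type: 'simple',
        entries: [{ field: 'file.path', operator: 'included', type: matchType, value: paths }],
      },
    ],
  };
}

// "exact_*_any": the observed path must equal any one of the listed values,
// compared as-is (cased) or after case folding (caseless).
function entryMatches(entry: FilePathEntry, observedPath: string): boolean {
  const fold = (p: string): string => (entry.type === 'exact_caseless_any' ? p.toLowerCase() : p);
  const observed = fold(observedPath);
  return entry.value.some((v) => fold(v) === observed);
}

// A 'simple' group blocks when all of its entries match (assumption); the artifact
// blocks when any group does.
function isBlocked(artifact: BlocklistArtifact, observedPath: string): boolean {
  return artifact.entries.some((group) => group.entries.every((e) => entryMatches(e, observedPath)));
}

// Constructed sample: the Windows path from the PR, observed with different casing.
const windowsArtifact = buildBlocklistArtifact('windows', ['C:\\path\\path.exe']);
const preFixWindowsArtifact = buildBlocklistArtifact('windows', ['C:\\path\\path.exe'], 'exact_cased_any');
const observedWindowsPath = 'C:\\Path\\PATH.EXE';
console.log('after fix, blocked:', isBlocked(windowsArtifact, observedWindowsPath)); // true
console.log('before fix, blocked:', isBlocked(preFixWindowsArtifact, observedWindowsPath)); // false
```

On Linux the same case-varied path is intentionally not matched, since ext4 and friends treat `bin.exe` and `BIN.exe` as distinct files.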

@kibana-ci (Collaborator)

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #49 / Reporting Functional Tests with Security enabled Security with reporting_user built-in role Dashboard: Generate Screenshot does not allow user that does not have reporting privileges

Metrics

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                before    after     diff
securitySolution  15.7MB    15.7MB    +618.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kevinlog kevinlog marked this pull request as ready for review August 17, 2023 19:54
@kevinlog kevinlog requested review from a team as code owners August 17, 2023 19:54
@kevinlog kevinlog requested review from tomsonpl and parkiino August 17, 2023 19:54
@elasticmachine (Contributor)

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@dasansol92 dasansol92 (Contributor) left a comment

LGTM!

@e40pud e40pud (Contributor) left a comment

DE changes LGTM

@kevinlog kevinlog merged commit 88bd71c into elastic:main Aug 21, 2023
@kevinlog kevinlog deleted the bug/blocklist-windows-mac-filepaths-case-insensitive branch August 21, 2023 14:00
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Aug 21, 2023
…e case insensitive (elastic#164200)
Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit 88bd71c)
kibanamachine added a commit that referenced this pull request Aug 21, 2023
…hould be case insensitive (#164200) (#164317)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[Security Solution] File paths for Blocklist Windows and Mac should
be case insensitive
(#164200)](#164200)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Co-authored-by: Kevin Logan <[email protected]>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Aug 21, 2023
…e case insensitive (elastic#164200)
Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit 88bd71c)
@kibanamachine (Contributor)

💚 All backports created successfully

Status Branch Result
8.10
8.9

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Aug 22, 2023
…ould be case insensitive (#164200) (#164319)

# Backport

This will backport the following commits from `main` to `8.9`:
- [[Security Solution] File paths for Blocklist Windows and Mac should
be case insensitive
(#164200)](#164200)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Protect\r\nManifest: 1.0.6 | v1\r\nArtifact:
endpoint-blocklist-linux-v1\r\n Relative URL:
/api/fleet/artifacts/endpoint-blocklist-linux-v1/f33e6890aeced00861c26a08121dd42d2d29ba08abfeb3c065d0447e32e18640\r\n
Encoded SHA256:
a907835be40af89b8b7aa23a6efc66c01ceaa5a19622edd378139319f3ca5fa0\r\n
Decoded SHA256:
f33e6890aeced00861c26a08121dd42d2d29ba08abfeb3c065d0447e32e18640\r\n-------------------------------------------------------------------\r\n\r\n{\r\n
\"entries\": [\r\n {\r\n \"type\": \"simple\",\r\n \"entries\": [\r\n
{\r\n \"field\": \"file.path\",\r\n \"operator\": \"included\",\r\n
\"type\": \"exact_cased_any\",\r\n \"value\": [\r\n
\"/opt/bin/bin.exe\"\r\n ]\r\n }\r\n ]\r\n }\r\n
]\r\n}\r\n```\r\n\r\nMac:\r\n```\r\n-------------------------------------------------------------------\r\nPolicy:
Protect\r\nManifest: 1.0.6 | v1\r\nArtifact:
endpoint-blocklist-macos-v1\r\n Relative URL:
/api/fleet/artifacts/endpoint-blocklist-macos-v1/b28e7978da4314ebc2c94770e0638fc4b2270f9dc17a11d6d32b8634b1fbec0f\r\n
Encoded SHA256:
4f3e80d688f5cae4bf6a88b0704e37909f9fa4f47fe8325b7b154cddd46a2db9\r\n
Decoded SHA256:
b28e7978da4314ebc2c94770e0638fc4b2270f9dc17a11d6d32b8634b1fbec0f\r\n-------------------------------------------------------------------\r\n\r\n{\r\n
\"entries\": [\r\n {\r\n \"type\": \"simple\",\r\n \"entries\": [\r\n
{\r\n \"field\": \"file.path\",\r\n \"operator\": \"included\",\r\n
\"type\": \"exact_caseless_any\",\r\n \"value\": [\r\n
\"/opt/exe.exe\"\r\n ]\r\n }\r\n ]\r\n
}\r\n```\r\n\r\nWindows:\r\n```\r\n-------------------------------------------------------------------\r\nPolicy:
Protect\r\nManifest: 1.0.6 | v1\r\nArtifact:
endpoint-blocklist-windows-v1\r\n Relative URL:
/api/fleet/artifacts/endpoint-blocklist-windows-v1/2a6fcc67c696ad4e29d91f8b685bff46977198cd34b9a61e8003d55b78dff6ac\r\n
Encoded SHA256:
c6e045fce97651336eeb400f0123541475b940e3aa38ce721f299585683da288\r\n
Decoded SHA256:
2a6fcc67c696ad4e29d91f8b685bff46977198cd34b9a61e8003d55b78dff6ac\r\n-------------------------------------------------------------------\r\n\r\n{\r\n
\"entries\": [\r\n {\r\n \"type\": \"simple\",\r\n \"entries\": [\r\n
{\r\n \"field\": \"file.path\",\r\n \"operator\": \"included\",\r\n
\"type\": \"exact_caseless_any\",\r\n \"value\": [\r\n
\"C:\\\\path\\\\path.exe\"\r\n ]\r\n }\r\n ]\r\n }\r\n
]\r\n}\r\n```\r\n\r\n### Checklist\r\n\r\nDelete any items that are not
applicable to this PR.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<[email protected]>","sha":"88bd71c0773d158ed1e6312075633ed85abc575e"}},{"branch":"8.11","label":"v8.11.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.9","label":"v8.9.2","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: Kevin Logan <[email protected]>
Labels: release_note:fix, Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution), v8.9.2, v8.10.0, v8.11.0