[Security Solution] User with Security: Read privileges can install and upgrade prebuilt rules via UI #161443
Comments
… and upgrade prebuilt rules (#161454)

Fixes: #161443

## Summary

### When user doesn't have write permission:

- Disables "Add Elastic rules" button and removes Rule Updates tab

  ![image](https://github.com/elastic/kibana/assets/5354282/a173f18f-9b6b-4c9a-bf5f-207af13e24cb)

- Disables buttons to individually install rules, install selected rules and install all rules

  ![image](https://github.com/elastic/kibana/assets/5354282/4d24d440-17f4-4d1d-96fc-4eb07914cff0)

- Disables buttons to individually upgrade rules, upgrade selected rules and upgrade all rules

  ![image](https://github.com/elastic/kibana/assets/5354282/036236c1-dac0-42b8-87e5-0244d9ead281)

### `_perform` endpoints

- Returns 403 when installing all rules or specific rules

  ![image](https://github.com/elastic/kibana/assets/5354282/adc20409-ff09-42e5-aa33-0f1ec0df46f6)

  ![image](https://github.com/elastic/kibana/assets/5354282/d1faf778-d857-458e-afeb-7c573e7bf4d3)

- Returns 403 when upgrading all rules or specific rules

  ![image](https://github.com/elastic/kibana/assets/5354282/b21ffaa7-416c-402a-a157-12735f28e689)

  ![image](https://github.com/elastic/kibana/assets/5354282/b8dfecc6-4cfe-462c-9e9c-6344f59aa2d5)

### Checklist

Delete any items that are not applicable to this PR.

- [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers)

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Dmitrii <dmitrii.shevchenko@elastic.co>
…nstall and upgrade prebuilt rules (#161454) (#161555)

# Backport

This will backport the following commits from `main` to `8.9`:

- [[Security Solution] Allow only users with 'all' privileges to install and upgrade prebuilt rules (#161454)](#161454)

<!--- Backport version: 8.9.7 -->

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Juan Pablo Djeredjian <jpdjeredjian@gmail.com>
Privilege checks on the API level have been removed as they prevent a properly configured role from installing or updating detection rules. See #161641
…d update (#161641)

**Related to: #161443, #161454**

## Summary

The `access:securitySolution-all` access level prevents a properly configured role from installing or updating detection rules. This PR aligns the access level for the `installation/_perform` and `upgrade/_perform` endpoints with the rest of the detection engine APIs.

### Test instructions

Configure a role with the following permissions:

```json
{
  "test": {
    "cluster": [],
    "indices": [
      {
        "names": [
          ".alerts-security.alerts-default",
          ".lists-default",
          ".items-default"
        ],
        "privileges": [
          "read",
          "write",
          "view_index_metadata",
          "maintenance"
        ],
        "field_security": {
          "grant": [
            "*"
          ]
        },
        "allow_restricted_indices": false
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_siem.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}
```

Call the upgrade/install APIs on behalf of that role to see that no 403 is returned:

```sh
# Authenticate as a user assigned the `test` role above (e.g. via --user).
# Kibana rejects non-GET requests that lack a kbn-xsrf header, so it is added here.
curl --location 'http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'kbn-xsrf: true' \
  --data '{
    "mode": "ALL_RULES"
  }'

curl --location 'http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/upgrade/_perform' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'kbn-xsrf: true' \
  --data '{
    "mode": "ALL_RULES"
  }'
```
…ion and update (#161641) (#161649)

# Backport

This will backport the following commits from `main` to `8.9`:

- [[Security Solution] Fix endpoint permissions for rule installation and update (#161641)](#161641)

<!--- Backport version: 8.9.7 -->

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>
@banderror Since it turned out that users with read-only privileges couldn't install or upgrade prebuilt detection rules, it seems appropriate to downgrade the severity of this issue from a critical release blocker. Though an enabled install button in the UI leading to a 403 error upon clicking is not ideal for UX, it is still pretty minor.
@xcrzx This role allows a Security readonly user to bypass all the checks and successfully install or upgrade prebuilt rules via the API:

```json
{
  "_test": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "filebeat-*",
          "logs-*",
          "metrics-*",
          "packetbeat-*"
        ],
        "privileges": [
          "read",
          "view_index_metadata"
        ],
        "field_security": {
          "grant": [
            "*"
          ],
          "except": []
        },
        "allow_restricted_indices": false
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_siem.read",
          "feature_savedObjectsManagement.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}
```

We should prioritize fixing it in 8.10 for these two endpoints, as well as add appropriate RBAC checks to our other endpoints like CRUD and bulk actions. I'll create a separate ticket for that (https://github.com/elastic/security-team/issues/7114). Let's keep this ticket with the current labels and close it when QA have verified the fix for the UI.
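The two roles pasted in this thread (the `test` role from the #161641 test instructions and the `_test` role in the comment above) make a useful regression input for a role audit. The script below is an added example, not code from elastic/kibana or from the commenters: it reads roles in the shape returned by the Elasticsearch `GET _security/role` API, reports which Security access level each role carries and which HTTP status the fixed `_perform` endpoints should return for it, and flags the `feature_siem.read` + `feature_savedObjectsManagement.all` combination reported above. It assumes the Kibana base privileges `all`/`read` are equivalent to `feature_siem.all`/`feature_siem.read` for this purpose.

```python
import json

# Kibana base privileges ("all"/"read") plus the SIEM feature privileges named on this page.
SIEM_ALL = {"all", "feature_siem.all"}
SIEM_READ = {"read", "feature_siem.read"}
# Privilege that, combined with Security: Read, the comment above reports as
# sufficient to install/upgrade prebuilt rules through the API anyway.
ESCALATORS = {"feature_savedObjectsManagement.all"}


def kibana_privileges(role):
    """Kibana application privileges granted by a role, merged across all spaces."""
    privs = set()
    for app in role.get("applications", []):
        if app.get("application", "").startswith("kibana-"):
            privs.update(app.get("privileges", []))
    return privs


def classify_role(name, role):
    """Work out the role's Security access level, the status the fixed
    installation/_perform and upgrade/_perform endpoints should return for it,
    and whether it carries the read + escalating-privilege combination."""
    privs = kibana_privileges(role)
    siem_all = bool(privs & SIEM_ALL)
    siem_read = bool(privs & SIEM_READ) and not siem_all
    escalators = sorted(privs & ESCALATORS)
    return {
        "role": name,
        "siem_access": "all" if siem_all else ("read" if siem_read else "none"),
        "expected_perform_status": 200 if siem_all else 403,
        "escalating_privileges": escalators,
        # Finding: nominally read-only for Security, but holds a privilege the
        # comment above reports as bypassing that restriction.
        "finding": siem_read and bool(escalators),
    }


def audit_roles(roles_json):
    """roles_json: body of GET /_security/role (role name -> role definition)."""
    roles = json.loads(roles_json)
    return [classify_role(name, role) for name, role in sorted(roles.items())]


# Constructed sample input: the two roles pasted in this issue, trimmed to the
# fields the audit looks at.
SAMPLE_ROLES = json.dumps({
    "test": {
        "indices": [{"names": [".alerts-security.alerts-default", ".lists-default",
                               ".items-default"],
                     "privileges": ["read", "write", "view_index_metadata", "maintenance"]}],
        "applications": [{"application": "kibana-.kibana",
                          "privileges": ["feature_siem.all"], "resources": ["*"]}],
    },
    "_test": {
        "indices": [{"names": ["filebeat-*", "logs-*", "metrics-*", "packetbeat-*"],
                     "privileges": ["read", "view_index_metadata"]}],
        "applications": [{"application": "kibana-.kibana",
                          "privileges": ["feature_siem.read",
                                         "feature_savedObjectsManagement.all"],
                          "resources": ["*"]}],
    },
})


def findings(roles_json=SAMPLE_ROLES):
    """Names of roles that trip the read + escalating-privilege check."""
    return [r["role"] for r in audit_roles(roles_json) if r["finding"]]


if __name__ == "__main__":
    for result in audit_roles(SAMPLE_ROLES):
        print(result)
```

Pointing `audit_roles` at the real `GET _security/role` output turns the check in the comment above into a repeatable review of every role in the cluster.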
After syncing with @xcrzx, I retried the

And got the expected result:

I get the same type of unauthorized result for upgrading rules. I think we might have mixed up the users or roles we were using when we tried while syncing this morning. The behaviour is as expected: a user with a role with

That being the case, I think this is enough to close this ticket and https://github.com/elastic/security-team/issues/7114

One upgrade that can be done here, as we discussed with @xcrzx, is that the validation for privilege is done at the Rules Client level, which means that the check is done for every rule that is attempted to be installed or updated. We can move that check to our endpoint handler level to have a cleaner check and improve performance. I created this tech debt ticket for that: #161772
Fix for the UI has been verified, so I will close the issue and label it as validated
🚨🚨🚨 This is a blocker for the 8.9.0 release 🚨🚨🚨

## Summary

A user who has Security: Read privileges + other privileges required for Detections (docs) is able to install and upgrade prebuilt rules from the UI.

Expected behavior:

## Screenshots

User role

Rule installation

Rule upgrade