[Security Solution] Add privileges to Kibana System role for management of internal indexes in support of Elastic Defend features

[paul-tavares]

Description

Changes the Kibana System role with:

• Adds privileges access and manage .endpoint-* index pattern
  • Indexes under this index pattern are used internally (private) in Kibana when needing to support features that require Elastic Defend (via Fleet Server) to access data
  • Current feature being worked will use the following two indexes: .endpoint-script-file-meta and .endpoint-script-file-data

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[elasticsearchmachine]

Hi @paul-tavares, I've created a changelog YAML for you.

[jeramysoucy]

Would it be possible to define more explicit/granular privileges here? We generally prefer granting the minimum set of privileges even for internal indices, It keeps usage as explicit as possible and it allows us to track evolution over time.

[paul-tavares]

Sure. I'll push through a change soon here. Thanks for the review

[paul-tavares]

Ok. I updated to give it what I think is the minimal set.

[jfreden]

I think this pattern could be more restrictive:

.endpoint-script-file-*

or even:

`".endpoint-script-file-meta", ".endpoint-script-file-data"` 

if no additions are expected.

[paul-tavares]

Sure. I'll do some quick testing to ensure that it all works for us in Kibana if we use the explicit full index names as you suggested above and will adjust. Thanks for the feedback

[paul-tavares]

Ok I updated them to a more restrictive index pattern

[jfreden]

nit: can this be grouped with other edr workflows privileges? (for example: edr-workflow-insights-*)

[paul-tavares]

sure. I'll refactor it. Thanks for the feedback.

[jfreden]

LGTM!

[paul-tavares]

Hey @jfreden - could you take another look here... I had to split up the tests and not attempt to run along with .logs-endpoint.action.responses- below - that set of indexes has more privileges than the scripts one I'm adding support for.

[nicpenning]

Any idea how this will work with Fleet RBAC per space?

For example, we are trying to get away from having a Kibana Admin or Kibana System role for our administrators because we need to separate having that deep of administrative privileges that can access any space design. We need admins in Space X that can manage Fleet, Agents, Defend different lly than Space Y. For example, SOC can read all of Space X and not make changes but Server admins can read/write Space X and not see a Space Y. Kibana System/Admin had been seemingly a requirement for some of these deeper setups and configurations when I would rather have the exact needed privileges per space, so having them documented on how to achieve this without Kibana Admin/System would be nice.

I just want to make sure this future feature can be segregated like most other features. If none of this applies, feel free to tell me to buzz off! :)

[paul-tavares]

"tell me to buzz off! :)"

🤣

Hey @nicpenning 👋 .
For this particular PR and the indexes it exposes to the Kibana System role, they have no impact on Fleet space awareness. The overarching feature I'm working on for Security/Elastic Defend (runscript) will use the data in these indexes, but only via Fleet-Server (there will be an API that the Elastic Defend "beat" on a host will use to download scripts to the host machine for execution).

Re: Space Awareness

The current implementation of space awareness in Fleet (and in Security Solution Elastic Defend workflows) should already support the use case you detailed:

"We need admins in Space X that can manage Fleet, Agents, Defend different lly than Space Y. For example, SOC can read all of Space X and not make changes but Server admins can read/write Space X and not see a Space Y"

The need for an internal "user" (Kibana System) remains necessary due to the fact that Fleet's space awareness allows Policies to be shared across spaces, and thus when compiling data for delivery to the Agent/Host there is a need to access all spaces. The Spaces implementation for Elastic Defend in Kibana follows the same model as Fleet, thus internally, we use the Kibana System user to ensure that data from multiple spaces is compiled for the agent that are running Elastic Defend.

Hope I understood your concern correctly and that this response helps clarify the usage/need.

[nicpenning]

Perfect, that makes sense to me, thank you for taking the time to explain this to me! Have a great day!

[jeramysoucy]

@paul-tavares Can you update the Kibana System Privileges spreadsheet to reflect these changes?

[paul-tavares]

@jeramysoucy - done. I added a new row entry to the worksheet