[Cloud Security][CDR] Update Wiz vuln privileges

Author: CohenIdo

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java

@@ -30,7 +30,8 @@
 import static org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore.getRemoteIndicesReadPrivileges;
 
 /**
- * This exists in a separate file so it can be assigned to the Kibana security team in the CODEOWNERS file
+ * This exists in a separate file so it can be assigned to the Kibana security
+ * team in the CODEOWNERS file
  */
 class KibanaOwnedReservedRoleDescriptors {
 
@@ -87,9 +88,11 @@ static RoleDescriptor kibanaSystem(String name) {
                 SuggestProfilesAction.NAME,
                 ProfileHasPrivilegesAction.NAME,
                 "write_fleet_secrets",
-                // To facilitate ML UI functionality being controlled using Kibana security privileges
+                // To facilitate ML UI functionality being controlled using Kibana security
+                // privileges
                 "manage_ml",
-                // The symbolic constant for this one is in SecurityActionMapper, so not accessible from X-Pack core
+                // The symbolic constant for this one is in SecurityActionMapper, so not
+                // accessible from X-Pack core
                 "cluster:admin/analyze",
                 // To facilitate using the file uploader functionality
                 "monitor_text_structure",
@@ -104,7 +107,8 @@ static RoleDescriptor kibanaSystem(String name) {
                     .build(),
                 RoleDescriptor.IndicesPrivileges.builder().indices(".monitoring-*").privileges("read", "read_cross_cluster").build(),
                 RoleDescriptor.IndicesPrivileges.builder().indices(".management-beats").privileges("create_index", "read", "write").build(),
-                // To facilitate ML UI functionality being controlled using Kibana security privileges
+                // To facilitate ML UI functionality being controlled using Kibana security
+                // privileges
                 RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*", ".ml-stats-*").privileges("read").build(),
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".ml-annotations*", ".ml-notifications*")
@@ -139,20 +143,23 @@ static RoleDescriptor kibanaSystem(String name) {
                 RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm.*").privileges("read", "read_cross_cluster").build(),
                 RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm-*").privileges("read", "read_cross_cluster").build(),
 
-                // Logstash telemetry queries of kibana task runner to access Logstash metric indices
+                // Logstash telemetry queries of kibana task runner to access Logstash metric
+                // indices
                 RoleDescriptor.IndicesPrivileges.builder().indices("metrics-logstash.*").privileges("read").build(),
 
                 // Data telemetry reads mappings, metadata and stats of indices
                 RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("view_index_metadata", "monitor").build(),
-                // Endpoint diagnostic information. Kibana reads from these indices to send telemetry
+                // Endpoint diagnostic information. Kibana reads from these indices to send
+                // telemetry
                 RoleDescriptor.IndicesPrivileges.builder().indices(".logs-endpoint.diagnostic.collection-*").privileges("read").build(),
                 // Fleet secrets. Kibana can only write to this index.
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".fleet-secrets*")
                     .privileges("write", "delete", "create_index")
                     .allowRestrictedIndices(true)
                     .build(),
-                // Other Fleet indices. Kibana reads and writes to these indices to manage Elastic Agents.
+                // Other Fleet indices. Kibana reads and writes to these indices to manage
+                // Elastic Agents.
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".fleet-actions*")
                     .privileges("all")
@@ -217,26 +224,32 @@ static RoleDescriptor kibanaSystem(String name) {
                     .indices(ReservedRolesStore.LISTS_INDEX, ReservedRolesStore.LISTS_ITEMS_INDEX)
                     .privileges("all")
                     .build(),
-                // "Alerts as data" internal backing indices used in Security Solution, Observability, etc.
-                // Kibana system user creates these indices; reads / writes to them via the aliases (see below).
+                // "Alerts as data" internal backing indices used in Security Solution,
+                // Observability, etc.
+                // Kibana system user creates these indices; reads / writes to them via the
+                // aliases (see below).
                 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_BACKING_INDEX).privileges("all").build(),
-                // "Alerts as data" public index aliases used in Security Solution, Observability, etc.
+                // "Alerts as data" public index aliases used in Security Solution,
+                // Observability, etc.
                 // Kibana system user uses them to read / write alerts.
                 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(),
                 // "Alerts as data" public index alias used in Security Solution
                 // Kibana system user uses them to read / write alerts.
                 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(),
                 // "Alerts as data" internal backing indices used in Security Solution
-                // Kibana system user creates these indices; reads / writes to them via the aliases (see below).
+                // Kibana system user creates these indices; reads / writes to them via the
+                // aliases (see below).
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_ALIAS)
                     .privileges("all")
                     .build(),
-                // Endpoint / Fleet policy responses. Kibana requires read access to send telemetry
+                // Endpoint / Fleet policy responses. Kibana requires read access to send
+                // telemetry
                 RoleDescriptor.IndicesPrivileges.builder().indices("metrics-endpoint.policy-*").privileges("read").build(),
                 // Endpoint metrics. Kibana requires read access to send telemetry
                 RoleDescriptor.IndicesPrivileges.builder().indices("metrics-endpoint.metrics-*").privileges("read").build(),
-                // Endpoint events. Kibana reads endpoint alert lineage for building and sending telemetry
+                // Endpoint events. Kibana reads endpoint alert lineage for building and sending
+                // telemetry
                 RoleDescriptor.IndicesPrivileges.builder().indices("logs-endpoint.events.*").privileges("read").build(),
                 // Fleet package install and upgrade
                 RoleDescriptor.IndicesPrivileges.builder()
@@ -261,39 +274,48 @@ static RoleDescriptor kibanaSystem(String name) {
                         "indices:admin/data_stream/lifecycle/put"
                     )
                     .build(),
-                // Endpoint specific action responses. Kibana reads and writes (for third party agents) to the index
+                // Endpoint specific action responses. Kibana reads and writes (for third party
+                // agents) to the index
                 // to display action responses to the user.
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".logs-endpoint.action.responses-*")
                     .privileges("auto_configure", "read", "write")
                     .build(),
-                // Endpoint specific actions. Kibana reads and writes to this index to track new actions and display them.
+                // Endpoint specific actions. Kibana reads and writes to this index to track new
+                // actions and display them.
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".logs-endpoint.actions-*")
                     .privileges("auto_configure", "read", "write")
                     .build(),
-                // Legacy Osquery manager specific action responses. Kibana reads from these to display responses to the user.
+                // Legacy Osquery manager specific action responses. Kibana reads from these to
+                // display responses to the user.
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".logs-osquery_manager.action.responses-*")
                     .privileges("auto_configure", "create_index", "read", "index", "delete")
                     .build(),
-                // Osquery manager specific action responses. Kibana reads from these to display responses to the user.
+                // Osquery manager specific action responses. Kibana reads from these to display
+                // responses to the user.
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("logs-osquery_manager.action.responses-*")
                     .privileges("read", "view_index_metadata")
                     .build(),
-                // Osquery manager specific actions. Kibana reads and writes to this index to track new actions and display them.
+                // Osquery manager specific actions. Kibana reads and writes to this index to
+                // track new actions and display them.
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".logs-osquery_manager.actions-*")
                     .privileges("auto_configure", "create_index", "read", "index", "write", "delete")
                     .build(),
 
-                // Third party agent (that use non-Elastic Defend integrations) info logs indices.
+                // Third party agent (that use non-Elastic Defend integrations) info logs
+                // indices.
                 // Kibana reads from these to display agent status/info to the user.
-                // These are indices that filebeat writes to, and the data in these indices are ingested by Fleet integrations
-                // in order to provide support for response actions related to malicious events for such agents.
+                // These are indices that filebeat writes to, and the data in these indices are
+                // ingested by Fleet integrations
+                // in order to provide support for response actions related to malicious events
+                // for such agents.
                 RoleDescriptor.IndicesPrivileges.builder().indices("logs-sentinel_one.*", "logs-crowdstrike.*").privileges("read").build(),
-                // For ILM policy for APM, Endpoint, & Synthetics packages that have delete action
+                // For ILM policy for APM, Endpoint, & Synthetics packages that have delete
+                // action
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(
                         ".logs-endpoint.diagnostic.collection-*",
@@ -332,7 +354,8 @@ static RoleDescriptor kibanaSystem(String name) {
                         TransportUpdateSettingsAction.TYPE.name()
                     )
                     .build(),
-                // For destination indices of the Threat Intel (ti_*) packages that ships a transform for supporting IOC expiration
+                // For destination indices of the Threat Intel (ti_*) packages that ships a
+                // transform for supporting IOC expiration
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("logs-ti_*_latest.*")
                     .privileges(
@@ -346,7 +369,8 @@ static RoleDescriptor kibanaSystem(String name) {
                         TransportUpdateSettingsAction.TYPE.name()
                     )
                     .build(),
-                // For source indices of the Threat Intel (ti_*) packages that ships a transform for supporting IOC expiration
+                // For source indices of the Threat Intel (ti_*) packages that ships a transform
+                // for supporting IOC expiration
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("logs-ti_*.*-*")
                     .privileges(
@@ -370,7 +394,8 @@ static RoleDescriptor kibanaSystem(String name) {
                         TransportUpdateSettingsAction.TYPE.name()
                     )
                     .build(),
-                // For src/dest indices of the Cloud Security Posture packages that ships a transform
+                // For src/dest indices of the Cloud Security Posture packages that ships a
+                // transform
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("logs-cloud_security_posture.findings-*", "logs-cloud_security_posture.vulnerabilities-*")
                     .privileges("read", "view_index_metadata")
@@ -390,6 +415,27 @@ static RoleDescriptor kibanaSystem(String name) {
                         TransportUpdateSettingsAction.TYPE.name()
                     )
                     .build(),
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices("logs-wiz.vulnerability-*")
+                    .privileges("read", "view_index_metadata")
+                    .build(),
+                RoleDescriptor.IndicesPrivileges.builder()
+                    // manage privilege required by the index alias
+                    .indices("security_solution-*.vulnerability_latest")
+                    .privileges("manage", TransportIndicesAliasesAction.NAME, TransportUpdateSettingsAction.TYPE.name())
+                    .build(),
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices("security_solution-*.vulnerability_latest-*")
+                    .privileges(
+                        "create_index",
+                        "index",
+                        "manage",
+                        "read",
+                        "delete",
+                        TransportIndicesAliasesAction.NAME,
+                        TransportUpdateSettingsAction.TYPE.name()
+                    )
+                    .build(),
                 RoleDescriptor.IndicesPrivileges.builder().indices("risk-score.risk-*").privileges("all").build(),
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".asset-criticality.asset-criticality-*")
@@ -403,7 +449,8 @@ static RoleDescriptor kibanaSystem(String name) {
                 // SLO observability solution internal indices
                 // Kibana system user uses them to read / write slo data.
                 RoleDescriptor.IndicesPrivileges.builder().indices(".slo-observability.*").privileges("all").build(),
-                // Endpoint heartbeat. Kibana reads from these to determine metering/billing for endpoints.
+                // Endpoint heartbeat. Kibana reads from these to determine metering/billing for
+                // endpoints.
                 RoleDescriptor.IndicesPrivileges.builder().indices(".logs-endpoint.heartbeat-*").privileges("read").build(),
                 // For connectors telemetry. Will be removed once we switched to connectors API
                 RoleDescriptor.IndicesPrivileges.builder().indices(".elastic-connectors*").privileges("read").build() },

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -1609,13 +1609,41 @@ public void testKibanaSystemRole() {
             assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
         });
 
+        Arrays.asList("logs-wiz.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((cspIndex) -> {
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(cspIndex);
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(indexAbstraction), is(false));
+            assertThat(
+                kibanaRole.indices().allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name()).test(indexAbstraction),
+                is(false)
+            );
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(indexAbstraction), is(true));
+            assertThat(
+                kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(indexAbstraction),
+                is(false)
+            );
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportIndexAction.NAME).test(indexAbstraction), is(false));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportDeleteAction.NAME).test(indexAbstraction), is(false));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportMultiSearchAction.TYPE.name()).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportGetAction.TYPE.name()).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(indexAbstraction), is(false));
+            assertThat(
+                kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
+                is(true)
+            );
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportPutMappingAction.TYPE.name()).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+        });
+
         Arrays.asList(
             "logs-cloud_security_posture.findings_latest-default",
             "logs-cloud_security_posture.scores-default",
             "logs-cloud_security_posture.vulnerabilities_latest-default",
             "logs-cloud_security_posture.findings_latest-default-" + Version.CURRENT,
             "logs-cloud_security_posture.scores-default-" + Version.CURRENT,
-            "logs-cloud_security_posture.vulnerabilities_latest-default" + Version.CURRENT
+            "logs-cloud_security_posture.vulnerabilities_latest-default" + Version.CURRENT,
+            "security_solution-*.vulnerability_latest-" + Version.CURRENT
         ).forEach(indexName -> {
             logger.info("index name [{}]", indexName);
             final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);