[Security Solution][Endpoint] Saved object and Index template definitions for Elastic Defend scripts library (#243424)

## Summary

- PR adds saved objects and index template definitions in support of
Elastic Defend support for a Scripts Library
    - No logic uses these data storage definitions yet
- The new saved object type will be used to store information about the
scripts that user can upload and store
- The index templates will be used to store the actual content of the
script files that will be uploaded (using the `Files` plugins)
- They are currently hidden behind feature flag
`responseActionsScriptLibraryManagement`

Author: paul-tavares

x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts

@@ -49,6 +49,12 @@ export const allowedExperimentalValues = Object.freeze({
    */
   responseActionsEndpointMemoryDump: false,
 
+  /**
+   * Scripts library in support of `runscript`/upload-execute` new command for elastic defend
+   * Release: 9.4
+   */
+  responseActionsScriptLibraryManagement: false,
+
   /**
    * Enables the Assistant Model Evaluation advanced setting and API endpoint, introduced in `8.11.0`.
    */

x-pack/solutions/security/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts

@@ -28,6 +28,7 @@ import type { PluginStartContract as ActionsPluginStartContract } from '@kbn/act
 import type { Space } from '@kbn/spaces-plugin/common';
 import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common';
 import type { SpacesServiceStart } from '@kbn/spaces-plugin/server';
+import { installScriptsLibraryIndexTemplates } from './lib/scripts_library';
 import type { ReferenceDataClientInterface } from './lib/reference_data';
 import { ReferenceDataClient } from './lib/reference_data';
 import type { TelemetryConfigProvider } from '../../common/telemetry_config/telemetry_config_provider';
@@ -132,6 +133,17 @@ export class EndpointAppContextService {
 
     this.registerFleetExtensions();
     this.registerListsExtensions();
+
+    // Setup scripts library
+    if (this.startDependencies.experimentalFeatures.responseActionsScriptLibraryManagement) {
+      const scriptsLogger = this.createLogger('scriptsLibrarySetup');
+      installScriptsLibraryIndexTemplates({
+        esClient: this.getInternalEsClient(),
+        logger: scriptsLogger,
+      }).catch((e) => {
+        scriptsLogger.error(e);
+      });
+    }
   }
 
   public stop() {

x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/scripts_library/constants.ts

@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+const SCRIPTS_LIBRARY_FILE_INDEX_NAME_PREFIX = '.endpoint-script-file';
+
+export const SCRIPTS_LIBRARY_FILE_METADATA_INDEX_NAME_PREFIX = `${SCRIPTS_LIBRARY_FILE_INDEX_NAME_PREFIX}-meta`;
+export const SCRIPTS_LIBRARY_FILE_DATA_INDEX_NAME_PREFIX = `${SCRIPTS_LIBRARY_FILE_INDEX_NAME_PREFIX}-data`;
+
+export const SCRIPTS_LIBRARY_FILE_METADATA_INDEX_NAME = `${SCRIPTS_LIBRARY_FILE_METADATA_INDEX_NAME_PREFIX}-default`;
+export const SCRIPTS_LIBRARY_FILE_DATA_INDEX_NAME = `${SCRIPTS_LIBRARY_FILE_DATA_INDEX_NAME_PREFIX}-default`;
+
+export const SCRIPTS_LIBRARY_SAVED_OBJECT_TYPE = 'security:endpoint-scripts-library';

x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/scripts_library/es_assets/index.ts

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { installScriptsLibraryIndexTemplates } from './install';

x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/scripts_library/es_assets/index_template.ts

@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { IndicesPutIndexTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
+import { deepFreeze } from '@kbn/std';
+import {
+  SCRIPTS_LIBRARY_FILE_DATA_INDEX_NAME_PREFIX,
+  SCRIPTS_LIBRARY_FILE_METADATA_INDEX_NAME_PREFIX,
+} from '../constants';
+
+/**
+ * Index template for storing File metadata. Index is used mainly with the Files plugin
+ * to manage files associated with Elastic Defend Scripts library entries
+ */
+export const ScriptsFileMetadataIndexTemplate = deepFreeze<IndicesPutIndexTemplateRequest>({
+  name: SCRIPTS_LIBRARY_FILE_METADATA_INDEX_NAME_PREFIX,
+  index_patterns: [`${SCRIPTS_LIBRARY_FILE_METADATA_INDEX_NAME_PREFIX}-*`],
+  priority: 500,
+  allow_auto_create: true,
+  _meta: {
+    description: 'Index template for Elastic Defend scripts library storage of file metadata',
+    managed: true,
+  },
+  template: {
+    settings: {
+      'index.auto_expand_replicas': '0-1',
+      'index.hidden': true,
+    },
+    mappings: {
+      dynamic: false,
+      properties: {
+        file: {
+          properties: {
+            Status: { type: 'keyword' },
+            ChunkSize: { type: 'integer' },
+            Compression: { type: 'keyword' },
+            name: { type: 'keyword' },
+            Meta: {
+              properties: {
+                script_id: { type: 'keyword' },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+}) as IndicesPutIndexTemplateRequest;
+
+/**
+ * Index template for storing File data content. Index is used mainly with the Files plugin
+ * to manage files associated with Elastic Defend Scripts library entries
+ */
+export const ScriptsFileDataIndexTemplate = deepFreeze<IndicesPutIndexTemplateRequest>({
+  name: SCRIPTS_LIBRARY_FILE_DATA_INDEX_NAME_PREFIX,
+  index_patterns: [`${SCRIPTS_LIBRARY_FILE_DATA_INDEX_NAME_PREFIX}-*`],
+  priority: 500,
+  allow_auto_create: true,
+  _meta: {
+    description: 'Index template for Elastic Defend scripts library storage of file data content',
+    managed: true,
+  },
+  template: {
+    settings: {
+      'index.auto_expand_replicas': '0-1',
+      'index.hidden': true,
+    },
+    mappings: {
+      dynamic: false,
+      properties: {
+        data: {
+          type: 'binary',
+          store: true,
+        },
+        bid: {
+          type: 'keyword',
+        },
+        sha2: {
+          type: 'keyword',
+          index: false,
+        },
+        last: {
+          type: 'boolean',
+          index: false,
+        },
+      },
+    },
+  },
+}) as IndicesPutIndexTemplateRequest;

x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/scripts_library/es_assets/install.ts

@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ElasticsearchClient, Logger } from '@kbn/core/server';
+import { ScriptsFileDataIndexTemplate, ScriptsFileMetadataIndexTemplate } from './index_template';
+import { catchAndWrapError } from '../../../utils';
+
+interface InstallScriptsLibraryIndexTemplatesOptions {
+  esClient: ElasticsearchClient;
+  logger: Logger;
+}
+
+export const installScriptsLibraryIndexTemplates = async ({
+  esClient,
+  logger,
+}: InstallScriptsLibraryIndexTemplatesOptions): Promise<void> => {
+  logger.debug('Installing/updating scripts library ES index templates');
+
+  await esClient.indices
+    .putIndexTemplate(ScriptsFileMetadataIndexTemplate)
+    .catch(catchAndWrapError);
+
+  await esClient.indices.putIndexTemplate(ScriptsFileDataIndexTemplate).catch(catchAndWrapError);
+};

x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/scripts_library/index.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './es_assets';
+export * from './saved_objects';
+export * from './constants';

x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/scripts_library/saved_objects/index.ts

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './mappings';

x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/scripts_library/saved_objects/mappings.ts

@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { SavedObjectsType } from '@kbn/core-saved-objects-server';
+import { SECURITY_SOLUTION_SAVED_OBJECT_INDEX } from '@kbn/core-saved-objects-server';
+import { schema } from '@kbn/config-schema';
+import { SCRIPTS_LIBRARY_SAVED_OBJECT_TYPE } from '../constants';
+
+const ScriptsLibraryAttributesSchemaV1 = schema.object({
+  id: schema.string(),
+  name: schema.string(),
+  platform: schema.string(),
+  hash: schema.maybe(schema.string()),
+  requires_input: schema.maybe(schema.boolean()),
+  description: schema.maybe(schema.string()),
+  instructions: schema.maybe(schema.string()),
+  example: schema.maybe(schema.string()),
+  executable: schema.maybe(
+    schema.object({
+      linux: schema.maybe(schema.string()),
+      macos: schema.maybe(schema.string()),
+      windows: schema.maybe(schema.string()),
+    })
+  ),
+  created_by: schema.string(),
+  updated_by: schema.string(),
+});
+
+export const scriptsLibrarySavedObjectType: SavedObjectsType = {
+  name: SCRIPTS_LIBRARY_SAVED_OBJECT_TYPE,
+  indexPattern: SECURITY_SOLUTION_SAVED_OBJECT_INDEX,
+  namespaceType: 'multiple',
+  hidden: true,
+  mappings: {
+    dynamic: false,
+    properties: {
+      id: { type: 'keyword' },
+      name: { type: 'keyword' },
+      platform: { type: 'keyword' },
+      hash: { type: 'keyword' },
+      requires_input: { type: 'boolean' },
+      description: { type: 'keyword' },
+      instructions: { type: 'keyword' },
+      example: { type: 'keyword' },
+      executable: {
+        properties: {
+          linux: { type: 'keyword' },
+          macos: { type: 'keyword' },
+          windows: { type: 'keyword' },
+        },
+      },
+      created_by: { type: 'keyword' },
+      updated_by: { type: 'keyword' },
+      // FYI: the created_at/_by fields are auto populated by the so framework
+    },
+  },
+  modelVersions: {
+    1: {
+      changes: [],
+      schemas: {
+        forwardCompatibility: ScriptsLibraryAttributesSchemaV1.extends({}, { unknowns: 'ignore' }),
+        create: ScriptsLibraryAttributesSchemaV1,
+      },
+    },
+  },
+};

x-pack/solutions/security/plugins/security_solution/server/plugin.ts

@@ -234,7 +234,7 @@ export class Plugin implements ISecuritySolutionPlugin {
     const { appClientFactory, productFeaturesService, pluginContext, config, logger } = this;
     const experimentalFeatures = config.experimentalFeatures;
 
-    initSavedObjects(core.savedObjects);
+    initSavedObjects(core.savedObjects, experimentalFeatures, this.logger.get('initSavedObjects'));
     initEncryptedSavedObjects({
       encryptedSavedObjects: plugins.encryptedSavedObjects,
       logger: this.logger,