elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Enhancement: password protection to allow/block the uninstall of Agent #1524

Closed jguay closed 7 months ago

jguay commented 2 years ago

Describe the enhancement:
At the moment, any local administrator can uninstall Elastic Agent. There is no built-in way to prevent uninstallation.

Describe a specific use case for the enhancement or feature:
A password in the policy that would need to be provided for the uninstall of the agent (or any other solution). Example: if part of the policy includes Endpoint Security, we might not want users to be able to uninstall it without limit, even if the users have administrator privileges.

nimarezainia commented 2 years ago

@jguay is this only for cases where Endpoint security has been deployed as an integration?

jguay commented 2 years ago

@nimarezainia Yes the concern is Endpoint security (if this is easier to only implement for this part of the agent - as opposed to entire agent)

athanatos64 commented 2 years ago

If Elastic Agent is not present (or if the service is stopped/disabled), then Endpoint Security service won't be able to send events to Elasticsearch/Logstash. This is a big concern as anyone with admin rights can simply uninstall the agent using CLI and poof your log forwarding and EDR protection is gone. No logs, no EDR, no security.

Besides the ability to uninstall Elastic Agent/remove the Endpoint Security integration, there should also be some way to monitor/prevent disabling or stopping the Elastic Agent service, or make Endpoint Security restart the agent, since no detections will be sent to Elasticsearch. I assume this will also affect Endpoint Isolation if the Elastic Agent service is not running.

ITSEC-Hescalona commented 2 years ago

If you are facing a human ransomware operator or human attacker, the first action is to remove security software, so we need to prevent this.

oliver-creed commented 1 year ago

This would be a useful feature. Is there any timescale for this?

BizaNator commented 1 year ago

Agreed, virtually every security product out there has some sort of tamper protection policy. Either by check-in, password or MFA/One-time-code.

amitkanfer commented 1 year ago

@kevinlog can you please reference this issue to those in the security repo that will unblock the feature?

kevinlog commented 1 year ago

@dasansol92 - see @amitkanfer comment above. Can you link this issue to our epic?

mpg-13 commented 1 year ago

We're coming up on 6 months, any updates on this issue?

joshdover commented 1 year ago

Hi @mpg-13, implementation of this feature is in progress, but is being tracked and discussed mostly in private issues.

The first iteration of this feature will target protecting Endpoint from being removed without a password, and the next iteration will support protecting the entire Agent from being uninstalled. The first iteration is targeting one of the next few releases, but we can't make any firm commitments until the implementation and testing have been completed.

craiglawson commented 1 year ago

Is there a version target for this enhancement?

smnschneider commented 1 year ago

Partially solved with 8.11. It is now possible to set tamper protection in agent policies with Elastic Defend integration.

hblankers commented 11 months ago

This is not a fix for the problem. Someone with Administrator privileges is still able to simply rename the agent and reboot the laptop. This will disable all the detection capabilities of Elastic Agent and Elastic Defend.

nimarezainia commented 7 months ago

Tamper protection was introduced in 8.11; closing this issue. Follow-up for the open comments.

nimarezainia commented 7 months ago

> This is not a fix for the problem. Someone with Administrator privileges is still able to simply rename the agent and reboot the laptop. This will disable all the detection capabilities of Elastic Agent and Elastic Defend.

FYI @roxana-gheorghe