elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Fleet]: Uninstall token is not displayed on enabling tamper protection toggle under Edit agent policy on secondary space. #192800

Open amolnater-qasource opened 2 months ago

amolnater-qasource commented 2 months ago

Kibana Build details:

VERSION: 8.16.0
BUILD: 78156
COMMIT: 6ef9f6c640a86180e92945b1e729ab11709cad3b

Preconditions:

  1. 8.16.0 or above Kibana should be available.
  2. Agent Policy should be created.

Steps to reproduce:

  1. Log into the Default Space.
  2. Create an agent policy and grant access for secondary space.
  3. Log in to Secondary Space.
  4. Observe policy is visible under Agent policies tab and add Elastic Defend to this policy.
  5. Navigate to Edit agent policy.
  6. Enable tamper protection toggle and click Get Uninstall command.
  7. Observe the "Unable to fetch uninstall token" error is displayed.

Expected Result: Uninstall token should be displayed on enabling tamper protection toggle under Edit agent policy on secondary space.

Screen Recording:

https://github.com/user-attachments/assets/9a860324-0065-48f3-8180-83d5556e0e99

Feature: https://github.com/elastic/ingest-dev/issues/1664

elasticmachine commented 2 months ago

Pinging @elastic/fleet (Team:Fleet)

amolnater-qasource commented 2 months ago

@muskangulati-qasource Please review.

muskangulati-qasource commented 2 months ago

Secondary review is Done for this ticket

rbr101 commented 1 week ago

Same shit for 8.15.4, why is this still not fixed? Tamper protection is gone for new policies, but still works for policies defined many months ago.

Can someone give an ETA for a fix?

kpollich commented 1 week ago

Hi @rbr101 - this is a bug for a feature behind an experimental feature flag related to agent policies shared across multiple Kibana spaces. If you're dealing with a bug related to tamper protection on new policies, this issue does not capture that bug.

As far as I'm aware, you need to manually opt into agent tamper protection on a new agent policy's settings page per https://www.elastic.co/guide/en/security/current/agent-tamper-protection.html. Are you expecting tamper protection to be enabled by default for new Elastic Defend policies, or is there an issue with the actual tamper protection behavior?

rbr101 commented 1 week ago

Hi kpollich,

After upgrading from 8.14.x to 8.14.4 we noticed that we are unable to enable tamper protection for newly created policies. (It is possible this bug was already there a few versions prior to 8.14.x.) Also, when enabling the option "Prevent agent tampering" we get an error message "Unable to fetch uninstall token". We tested an agent deployment and were able to completely remove Elastic Agent and Defend using the policy with the tamper option enabled. When clicking on "Get uninstall command" for older policies we do get the token as expected. But for newly created policies we get the error message: Image

We also tested this on two separate elastic instances (8.15.4) and they both have the same behaviour/bug.

So for new policies the Agent tamper protection is not working anymore, only for agents deployed with older policies.

This seems related to the issue posted above, but if you think it's a new one then a new issue should be created. For me it's important that this bug is fixed within the next release.

kpollich commented 1 week ago

Will take a look in more detail shortly, but I want to loop in @elastic/security-defend-workflows as well