
[jamf_compliance_reporter] JAMF Compliance Reporter. #3210

Merged


vinit-chauhan
Contributor

@vinit-chauhan vinit-chauhan commented Apr 27, 2022

What does this PR do?

  • Generated the skeleton of the JAMF Compliance Reporter integration package.
  • Added a data stream.
  • Added data collection logic to the data stream.
  • Added the ingest pipeline for the data stream.
  • Mapped fields according to the ECS schema and added field metadata in the appropriate yml files.
  • Added dashboards and visualizations.
  • Added pipeline tests for the data stream.
  • Added system test cases for the data stream.

NOTE: This integration has been tested using a mock server and with sample events only.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • If I'm introducing a new feature, I have modified the Kibana version constraint in my package's manifest.yml file to point to the latest Elastic stack release (e.g. ^7.17.0 || ^8.0.0).

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/jamf_compliance_reporter directory.
  • Run the following command to run tests.

elastic-package test

Screenshots

(seven screenshots attached to the PR, not reproduced here)

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine

elasticmachine commented Apr 27, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2022-07-05T12:42:16.015+0000

  • Duration: 17 min 34 sec

Test stats 🧪

Test Results
Failed 0
Passed 11
Skipped 0
Total 11

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine

elasticmachine commented Apr 27, 2022

🌐 Coverage report

| Name         | Metrics % (covered/total) | Diff  |
|--------------|---------------------------|-------|
| Packages     | 100.0% (1/1) 💚           |       |
| Files        | 100.0% (47/47) 💚         | 3.263 |
| Classes      | 100.0% (47/47) 💚         | 3.263 |
| Methods      | 100.0% (156/156) 💚       | 10.97 |
| Lines        | 99.297% (2542/2560) 👍    | 9.419 |
| Conditionals | 100.0% (0/0) 💚           |       |

Contributor

@r00tu53r r00tu53r left a comment


I've only looked at the audit data stream. Looking good; I have a few comments around mapping to ECS fields etc.

In general, since this is for macOS, the main pipeline could also set host.os.type to macos.

@vinit-chauhan
Contributor Author

Hey @r00tu53r, we are looking into the field mapping changes that you suggested. We will get back to you with the updates.

@vinit-chauhan vinit-chauhan changed the title [JAMF Compliance Reporter] Initial commit for JAMF Compliance Reporter. [jamf_compliance_reporter] Initial commit for JAMF Compliance Reporter. Apr 29, 2022
@andrewkroh
Member

Missing some event.* fields.

jamf_compliance_reporter/audit Verify sample_event.json:
[0] field "event.outcome" is undefined
[1] field "event.code" is undefined

Duplicate field definitions.

packages/jamf_compliance_reporter/data_stream/app_metrics
packages/jamf_compliance_reporter/data_stream/app_metrics/fields/ecs.yml:17 - host.id : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/app_metrics/fields/agent.yml:105 - host.id : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/app_metrics/fields/agent.yml:153 - host.os.version : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/app_metrics/fields/ecs.yml:23 - host.os.version : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/app_metrics/fields/ecs.yml:15 - host.hostname : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/app_metrics/fields/agent.yml:100 - host.hostname : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/app_metrics/fields/ecs.yml:19 - host.mac : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/app_metrics/fields/agent.yml:114 - host.mac : [Duplicate field (2 times).]

packages/jamf_compliance_reporter/data_stream/audit
packages/jamf_compliance_reporter/data_stream/audit/fields/agent.yml:100 - host.hostname : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/ecs.yml:15 - host.hostname : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/agent.yml:153 - host.os.version : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/ecs.yml:25 - host.os.version : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/ecs.yml:17 - host.id : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/agent.yml:105 - host.id : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/ecs.yml:19 - host.ip : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/agent.yml:110 - host.ip : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/ecs.yml:21 - host.mac : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/audit/fields/agent.yml:114 - host.mac : [Duplicate field (2 times).]

packages/jamf_compliance_reporter/data_stream/event
packages/jamf_compliance_reporter/data_stream/event/fields/agent.yml:100 - host.hostname : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/ecs.yml:21 - host.hostname : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/ecs.yml:31 - host.os.version : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/agent.yml:153 - host.os.version : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/agent.yml:110 - host.ip : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/ecs.yml:25 - host.ip : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/agent.yml:114 - host.mac : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/ecs.yml:27 - host.mac : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/agent.yml:105 - host.id : [Duplicate field (2 times).]
packages/jamf_compliance_reporter/data_stream/event/fields/ecs.yml:23 - host.id : [Duplicate field (2 times).]

Please make sure the MAC addresses are valid. See my comment at #3232 (comment).

jamf_compliance_reporter/event test-pipeline-xprotect-event-log.log:
[0] parsing field value failed: field "host.mac"'s value, 38-X9-X8-15-5X-82, does not match the expected pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$

Member

@andrewkroh andrewkroh left a comment


Can you please update the dashboards to embed the visualizations into the dashboards?

ignore_missing: true
- script:
lang: painless
if: ctx?.json?.app_metric_info?.cpu_percentage != null
Member


Suggested change
if: ctx?.json?.app_metric_info?.cpu_percentage != null
if: ctx.json?.app_metric_info?.cpu_percentage != null

ctx is always going to be present. Can you apply this change everywhere?

Contributor

@r00tu53r r00tu53r left a comment


Sorry for taking long to come back to this. Thank you for making the earlier suggested changes. It's looking good.
I see a few more cases where I have comments around ECS and duplication of data.

  1. In general, avoid duplicate storage. If a value is stored in ECS then there is no need to store it in the field group.
  2. Convert access_mode to octal representation so users can search 755 or 666 etc. instead of 33261.
  3. All the syscall audit events seem to have header, host_info, identity, return, subject sections. Perhaps the pipeline can be arranged to take advantage of this?
  4. The subject group fields can be mapped to ECS as shown below.

subject
{
   "audit_id"|"user_id"             --> process.real_user.id
   "audit_user_name"|"user_name"    --> process.real_user.name
   "effective_group_id"             --> process.group.id
   "effective_group_name"           --> process.group.name
   "effective_user_id"              --> process.user.id
   "effective_user_name"            --> process.user.name
   "group_id"                       --> process.real_group.id
   "group_name"                     --> process.real_group.name
}

  5. I saw instances of PID (Process ID) in some pipelines which can be mapped to process.pid or equivalent.
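An added example, not code from the PR or the integration, that implements in Python for illustration what the reviews above ask for: normalizing host.mac to the pattern elastic-package enforced on the sample event in the earlier comment (the 38-X9-X8-15-5X-82 failure), converting access_mode to octal permission bits, and mapping the subject group onto process.* ECS fields. The input key names host_info.host_mac and arguments.access_mode, and the choice of file.mode as the target for the octal mode, are assumptions; in the package itself this logic would live in the ingest pipeline (e.g. a Painless script processor) rather than in Python.

```python
import re
import stat

# ECS stores MAC addresses as uppercase hex octets joined by hyphens; this is the
# pattern elastic-package enforced on the sample event in the review above.
ECS_MAC_RE = re.compile(r"^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$")

# Subject-group keys to ECS process.* fields, as listed in the review comment.
SUBJECT_TO_ECS = {
    "audit_id": "process.real_user.id", "user_id": "process.real_user.id",
    "audit_user_name": "process.real_user.name", "user_name": "process.real_user.name",
    "effective_group_id": "process.group.id", "effective_group_name": "process.group.name",
    "effective_user_id": "process.user.id", "effective_user_name": "process.user.name",
    "group_id": "process.real_group.id", "group_name": "process.real_group.name",
}

def normalize_mac(value):
    """Return the ECS form of a MAC address, or None when it is not a valid one."""
    octets = re.split(r"[:-]", value.strip())
    if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        return None  # e.g. 38-X9-X8-15-5X-82 from the failing test fixture
    mac = "-".join(o.upper() for o in octets)
    return mac if ECS_MAC_RE.match(mac) else None  # also rejects too-short addresses

def access_mode_to_octal(mode):
    """Drop the file-type bits from a decimal st_mode; 33261 (0o100755) becomes '755'."""
    return format(stat.S_IMODE(int(mode)), "o")

def subject_to_ecs(subject):
    """Map a subject group onto dotted ECS process.* keys; ids become strings (keyword fields)."""
    return {SUBJECT_TO_ECS[k]: str(v) for k, v in subject.items() if k in SUBJECT_TO_ECS}

def normalize_audit(event):
    """Apply the three review points to one decoded audit event (assumed key names)."""
    out = subject_to_ecs(event.get("subject", {}))
    mac = normalize_mac(event.get("host_info", {}).get("host_mac", ""))
    if mac:  # an invalid MAC is dropped instead of failing the whole document
        out["host.mac"] = mac
    if "access_mode" in event.get("arguments", {}):
        out["file.mode"] = access_mode_to_octal(event["arguments"]["access_mode"])  # assumed ECS target
    return out

# Constructed sample event (not from Jamf or the integration's test fixtures).
SAMPLE_AUDIT = {
    "host_info": {"host_mac": "38:a9:b8:15:5c:82"},
    "arguments": {"access_mode": 33261},
    "subject": {"audit_id": 501, "effective_user_id": 0, "effective_user_name": "root"},
}
```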

The [Jamf Compliance Reporter](https://docs.jamf.com/compliance-reporter/documentation/Compliance_Reporter_Overview.html) Integration collects and parses data received from Jamf Compliance Reporter using TLS or HTTP Endpoint.

## Requirements
- Enable the Integration with the TLS or HTTP Endpoint input.
Contributor


The integration involves making configuration changes on two sides, Elastic and Jamf. That could be made clearer in the documentation. The doc could state what needs to be done and then point to the exact documentation on Jamf so the user can view the how part. You could refer to this doc for the headings etc. that have been used in other packages too.


## Setup Steps

- After validating settings, you can use a configuration profile in Jamf Pro to deploy certificates to endpoints in production.
Contributor


It might be a good idea to take the user through a series of steps and point them to the exact Jamf link / page for each step that needs to be performed in that order. Also, I see the Remote Endpoint Logging Preference Keys page here shows a list of configurations. I presume that the user must choose the generic TLS Logging endpoint? If so, can that be explicitly specified in the steps.

ignore_missing: true
- date:
field: json.header.time_seconds_epoch
target_field: '@timestamp'
Contributor

@r00tu53r r00tu53r May 23, 2022


nit: @timestamp is the default target for the date processor.

Comment on lines 32 to 61
- convert:
field: json.app_metric_info.cpu_percentage
type: double
target_field: jamf_compliance_reporter.app_metrics.app_metric_info.cpu_percentage
ignore_failure: true
- convert:
field: json.app_metric_info.cpu_time_seconds
type: double
target_field: jamf_compliance_reporter.app_metrics.app_metric_info.cpu_time_seconds
ignore_failure: true
- convert:
field: json.app_metric_info.interrupt_wakeups
type: long
target_field: jamf_compliance_reporter.app_metrics.app_metric_info.interrupt_wakeups
ignore_failure: true
- convert:
field: json.app_metric_info.platform_idle_wakeups
type: long
target_field: jamf_compliance_reporter.app_metrics.app_metric_info.platform_idle_wakeups
ignore_failure: true
- convert:
field: json.app_metric_info.resident_memory_size_mb
type: double
target_field: jamf_compliance_reporter.app_metrics.app_metric_info.resident_memory_size_mb
ignore_failure: true
- convert:
field: json.app_metric_info.virtual_memory_size_mb
type: double
target_field: jamf_compliance_reporter.app_metrics.app_metric_info.virtual_memory_size_mb
ignore_failure: true
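Review bot: ignore_failure: true on each of these six convert processors also swallows genuine conversion errors, so a non-numeric cpu_percentage or interrupt_wakeups would be left unconverted without any signal in the pipeline tests. If the intent is only to tolerate an absent field, ignore_missing: true expresses that without masking type failures; if bad values are expected from the source, an on_failure handler that tags the document (for example an error.message set) keeps them discoverable.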
Contributor


I wonder if it is worth making app_metric_info a flattened field and storing the values as-is. Unless there is a plan to raise an alert for configured CPU thresholds.

field: json.header.event_name
target_field: jamf_compliance_reporter.header.event_name
ignore_missing: true
- set:
Contributor


Could be renamed instead of set as it gets duplicated.

ignore_failure: true
- rename:
field: json.host_info.host_uuid
target_field: host.id
Contributor


Saving serial_number in host.id might be more useful as it's more likely for users to query by serial number than UUID.

Comment on lines 15 to 17
- remove:
field: json.arguments.known_UID_
ignore_missing: true
Contributor


Is this required? The json object is being removed in the end during cleanup.

processors:
- convert:
field: json.arguments.pid
target_field: jamf_compliance_reporter.audit.arguments.pid
Contributor


Can go into process.pid

ignore_missing: true
- convert:
field: json.exec_chain_child.parent_pid
target_field: jamf_compliance_reporter.audit.exec_chain_child.parent.pid
Contributor


can go into process.parent.pid

@@ -0,0 +1,130 @@
---
Contributor


Many of the fields here jamf_compliance_reporter.audit.process.* can go into process.*, process.user.*, process.group.* etc.

@vinit-chauhan
Contributor Author

Hey @r00tu53r, Sorry for the delayed response. We are working on the changes.

@vinit-chauhan vinit-chauhan marked this pull request as draft June 9, 2022 08:33
@vinit-chauhan vinit-chauhan marked this pull request as ready for review June 10, 2022 15:17
@vinit-chauhan vinit-chauhan marked this pull request as draft June 13, 2022 04:39
@vinit-chauhan vinit-chauhan marked this pull request as ready for review June 16, 2022 05:04
Contributor

@r00tu53r r00tu53r left a comment


Thank you for making the changes. LGTM

processors:
- set:
field: ecs.version
value: '8.2.0'
Member


This should match 8.3.0 in the build manifest.

@andrewkroh andrewkroh merged commit 35d3583 into elastic:main Jul 6, 2022
@epixa epixa changed the title [jamf_compliance_reporter] Initial commit for JAMF Compliance Reporter. [jamf_compliance_reporter] JAMF Compliance Reporter. Jul 12, 2022