[Security Solution]Container workload protection showing with None Access to Security Sub Features

[karanbirsingh-qasource]

Describe the bug:
Container workload protection showing with None Access to Security Sub Features

Kibana/Elasticsearch Stack version
Version: 8.10.0 SNAPSHOT
Commit: 4637b74
Build: 65796

Browser and Browser OS Version:
Firefox for windows OS
Version: 116.0.2 (64-bit)

Elastic Endpoint Version:
v8.10.0-dev.0

Original install method:
Build summary: https://artifacts-api.elastic.co/v1/search/8.10.0-SNAPSHOT

Functional Area:
Security App side Navigation

Initial Setup:

• Create a custom rule with below kibana privilege (i.e Set Security to All , Security Sub Feature to None and Case to all)

Steps to reproduce

• Navigate to Security App
• Click on Setting Group
• Observed that Cloud Posture Benchmarks page is showing under navigation which is incorrect
• Click on Cloud Posture Benchmarks
• Observed that page tries to load and in end the forbidden error is shown

Additional Observation

• None

Current behavior

• Container workload protection showing with None Access to Security Sub Features
• Container workload protection tries to load however user should get instant forbidden banner

Expected behavior:

• Rule Grouping navigation should not show when whole security sub-features is set to None Access

Screen-shots:

Settings.-.Kibana.Mozilla.Firefox.Private.Browsing.2023-08-10.13-35-28.mp4

Errors in browser console:

Console Logs

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). manage:286:177238 XHRGET https://973747bc0ef84b97832d269c9bbdcd2d.us-central1.gcp.qa.cld.elstc.co:9243/internal/cloud_defend/status [HTTP/1.1 403 Forbidden 317ms]

XHRGET
https://973747bc0ef84b97832d269c9bbdcd2d.us-central1.gcp.qa.cld.elstc.co:9243/internal/cloud_defend/policies?policy_name=&per_page=10&page=1&sort_field=package_policy.name&sort_order=asc
[HTTP/1.1 403 Forbidden 327ms]

XHRGET
https://973747bc0ef84b97832d269c9bbdcd2d.us-central1.gcp.qa.cld.elstc.co:9243/internal/cloud_defend/status
[HTTP/1.1 403 Forbidden 344ms]

Any additional context (logs, chat logs, magical formulas, etc.):

Cloud_Posture_Benchmark_HAR.zip

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[karanbirsingh-qasource]

@amolnater-qasource please review and assign

[amolnater-qasource]

Reviewed and assigned to @MadameSheema

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[semd]

Rule Grouping navigation should not show when whole security sub-features is set to None Access

Not sure about that, I think Rules functionality is available as long as the main Security feature is enabled, it does not have any sub-feature associated.
I think that solving this one for the main feature will fix the issue

[maxcold]

@karanbirsingh-qasource The bug talks about Cloud Posture Benchmarks but the screenshot and the "steps to reproduce" seem to be related to "Container Workload Protection". Did you mention "Cloud Posture Benchmarks" by mistake? Because for "Security > Rules > Cloud Posture Benchmarks" I couldn't reproduce such behavior but for "Security > Settings > Container Workload Protection" I surely can, even though I'm not sure if it's a bug or not. cc @mitodrummer

[karanbirsingh-qasource]

yes @maxcold you are right, the bug is for Container workload protection not cloud posture benchmark.

we have updated the bug

[elasticmachine]

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

[machadoum]

@karanbirsingh-qasource could you check if it was fixed by #163102?
More details here

[MadameSheema]

@karanbirsingh-qasource @sukhwindersingh-qasource can you please validate the fix on latest BC? Thanks!

[karanbirsingh-qasource]

Hi @MadameSheema

We have validated this issue on 8.10 BC2 and found the issue to be still occuring ❌ . Same error same state is shown in Container workload protection.

Kibana/Elasticsearch Stack version

Version: 8.10.0 BC2
Commit: fa3473f42d7c5e7a3c2d66026a153e01002f5d3c
Build: 66107

Screen-Cast:

Get.started.-.Kibana.Mozilla.Firefox.Private.Browsing.2023-08-25.09-48-05.mp4

[MadameSheema]

@machadoum can you please take a look at the above? Thanks!

[machadoum]

Hey!

I investigated the issue and discovered that it isn't new. I was able to reproduce it on 8.9

It happens because the menu item is guarded by the general security show capability: capabilities: [${SERVER_APP_ID}.show] here

But when the page renders it has extra license checks here. So, it isn't related to the menu changes introduced by Sergi. One possible solution is to declare the license type to the link configuration:

const commonLinkProperties: Partial<LinkItem> = {
  hideTimeline: true,
  capabilities: [`${SERVER_APP_ID}.show`],
+ licenseType: 'enterprise',
};

But that can be better accessed by the security-defend-workflows team which owns the feature.

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[machadoum]

Maybe I pinged the wrong team. It seems it was introduced here by cloud-native-integrations.
By the PR comments, it looks like this behaviour is intended.
Ping: @elastic/sec-cloudnative-integrations @elastic/sec-linux-platform

[norrietaylor]

Thanks for the ping @machadoum!

Kibana work that was owned by @elastic/sec-cloudnative-integrations now should go to @elastic/cloud-security

@kfirpeled is this on your radar?

[mitodrummer]

Maybe I pinged the wrong team. It seems it was introduced here by cloud-native-integrations. By the PR comments, it looks like this behaviour is intended. Ping: @elastic/sec-cloudnative-integrations @elastic/sec-linux-platform

PR is up, needs an approval from security-threat-hunting-explore team. cc @machadoum

[mitodrummer]

fix and backport merged to 8.10 so will be ready for QA in the next BC