Enhance the existing CSP violation reporting pipeline to include more fields and support other policy violation reports #175113
Assignees
Labels
Feature:Security/CSP
Platform Security - Content Security Policy
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Comments
|
Pinging @elastic/kibana-security (Team:Security) |
This was referenced Jun 26, 2024
elena-shostak
added a commit
that referenced
this issue
Jul 4, 2024
## Summary 1. Added top-level `permissionsPolicy` configuration setting. 2. Added support for `report_to` directive. 3. Added support for `Permissions-Policy-Report-Only` header to enable reporting mode. 4. The [spec](https://www.w3.org/TR/permissions-policy/#reporting) mentions `featureId` in the reporting body, however the field is `policyId` in Chromium. ## How to test - Add in your `kibana.dev.yml`. ``` server.customResponseHeaders.Reporting-Endpoints: violations-endpoint="https://localhost:5601/kibana/internal/security/analytics/_record_violations" server.securityResponseHeaders.permissionsPolicy: 'microphone=()' server.securityResponseHeaders.permissionsPolicyReportOnly: 'camera=()' ``` - Make sure you have [dev tools configured for Reporting API](https://developer.chrome.com/docs/capabilities/web-apis/reporting-api#use_devtools). - In the browser console invoke `navigator.mediaDevices.getUserMedia({ audio: true, video: true }).catch((e) => {});` - Open Dev Tools -> Application -> Reporting API. You should see 2 reports for permissions violation, one with `report` disposition and another with `enforce` disposition. <img width="1285" alt="Screenshot 2024-06-27 at 13 36 12" src="https://github.com/elastic/kibana/assets/165678770/3f3da7f6-f6b0-4f33-9a81-dff3db0ac2b8"> ### Checklist - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ### Related Issue(s) #175113, #184939 ### Release Note Added support for Permissions Policy reporting.
|
All work here is done! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
In the scope of #162974 and #153584, we successfully adapted the event-based telemetry (EBT) framework for the collection of CSP violation reports. Now that we know it works well for this use case, we can consider moving further and enhancing this reporting pipeline to cover other types of policy violation reports (e.g.,
Permission Policyviolation reports). Additionally, we need to add more fields to the violation reports to make monitoring and investigation more efficient, so that the final document/report might look like this:In addition to new fields, we also need to add the ingest pipeline with the following processors to make data more filterable/searchable:
user_agentfield, so that we have dedicated fields for the user agent's OS and browser, which might be beneficial while debugging OS- or browser-specific issues.Tasks
hasCustomPluginsreport field)version,deploymentId, etc.)kibana-security-csp-violations.edn-->kibana-security-web-policy-violations.edn)The text was updated successfully, but these errors were encountered: