├── .gitignore
├── CPU-Profiling-Windows.md
├── EndpointTopCommand.md
├── LICENSE.txt
├── NOTICE.txt
├── PerformanceIssues-Windows.md
├── README.md
├── deployment
│   ├── linux
│   │   └── README.md
│   └── macos
│       ├── diagnostic
│       │   └── SystemExtensionTester
│       │       ├── LICENSE
│       │       │   └── LICENSE.txt
│       │       ├── README.md
│       │       ├── SystemExtensionTester.xcodeproj
│       │       │   ├── .xcodesamplecode.plist
│       │       │   ├── project.pbxproj
│       │       │   └── project.xcworkspace
│       │       │       └── xcshareddata
│       │       │           └── WorkspaceSettings.xcsettings
│       │       ├── SystemExtensionTester
│       │       │   ├── AppDelegate.swift
│       │       │   ├── Assets.xcassets
│       │       │   │   ├── AppIcon.appiconset
│       │       │   │   │   └── Contents.json
│       │       │   │   ├── Contents.json
│       │       │   │   ├── dot_green.imageset
│       │       │   │   │   ├── Contents.json
│       │       │   │   │   ├── green_dot.png
│       │       │   │   │   ├── green_dot@2x.png
│       │       │   │   │   └── green_dot@3x.png
│       │       │   │   ├── dot_red.imageset
│       │       │   │   │   ├── Contents.json
│       │       │   │   │   ├── red_dot.png
│       │       │   │   │   ├── red_dot@2x.png
│       │       │   │   │   └── red_dot@3x.png
│       │       │   │   └── dot_yellow.imageset
│       │       │   │       ├── Contents.json
│       │       │   │       ├── yellow_dot.png
│       │       │   │       ├── yellow_dot@2x.png
│       │       │   │       └── yellow_dot@3x.png
│       │       │   ├── Base.lproj
│       │       │   │   └── Main.storyboard
│       │       │   ├── Info.plist
│       │       │   ├── SystemExtensionTester-DeveloperID.entitlements
│       │       │   ├── SystemExtensionTester.entitlements
│       │       │   └── ViewController.swift
│       │       └── TestSystemExtension
│       │           ├── FIlterPacketProvider.swift
│       │           ├── FilterDataProvider.swift
│       │           ├── IPCConnection.swift
│       │           ├── Info.plist
│       │           ├── TestSystemExtension-DeveloperID.entitlements
│       │           ├── TestSystemExtension.entitlements
│       │           └── main.swift
│       └── mobiledevicemanagement
│           ├── README.md
│           └── mobile_config_gen.py
└── releases
    ├── 8.4.0
    │   └── kubernetes
    │       └── deploy
    │           └── elastic-endpoint-security.yaml
    ├── 8.5.0
    │   └── kubernetes
    │       └── deploy
    │           └── elastic-defend.yaml
    ├── 8.6.0
    │   └── kubernetes
    │       └── deploy
    │           └── elastic-defend.yaml
    ├── 8.7.0
    │   └── kubernetes
    │       └── deploy
    │           └── elastic-defend.yaml
    ├── 8.8.0
    │   └── kubernetes
    │       └── deploy
    │           └── elastic-defend.yaml
    └── 8.9.0
        └── kubernetes
            └── deploy
                └── elastic-defend.yaml

/.gitignore:
--------------------------------------------------------------------------------
# See LICENSE folder for this sample’s licensing information.
#
# Apple sample code gitignore configuration.

# Finder
.DS_Store

# Xcode - User files
xcuserdata/

**/*.xcodeproj/project.xcworkspace/*
!**/*.xcodeproj/project.xcworkspace/xcshareddata

**/*.xcodeproj/project.xcworkspace/xcshareddata/*
!**/*.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings

**/*.playground/playground.xcworkspace/*
!**/*.playground/playground.xcworkspace/xcshareddata

**/*.playground/playground.xcworkspace/xcshareddata/*
!**/*.playground/playground.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings

--------------------------------------------------------------------------------
/CPU-Profiling-Windows.md:
--------------------------------------------------------------------------------
# Collecting Windows CPU Traces

When reporting a CPU usage issue to Elastic support, it can be very helpful to provide a CPU profiling trace. This allows Elastic Support to precisely identify which portions of Defend's code are using CPU during the capture.

> [!IMPORTANT]
> It is important to only capture traces while the problematic behavior is occurring. A trace captured on an idle system isn't useful.

## Windows Performance Recorder (WPR) Trace

Windows Performance Recorder is a Windows feature which leverages built-in kernel features to capture detailed low-level CPU usage information.

To capture a WPR trace, run this command, then provide the resulting `Defend-CPU.etl` to Elastic Support:
```
powershell.exe -noprofile -command "&wpr.exe -start CPU -filemode; Start-Sleep 60; &wpr.exe -stop Defend-CPU.etl -compress -skipPdbGen; &wpr.exe -stop Defend-CPU.etl"
```


> [!WARNING]
> Due to the volume of data captured, CPU profiling is a very resource-intensive operation. It requires significant CPU and disk I/O to capture and record the data as it is generated. If either CPU or I/O cannot keep up, the resulting trace can be corrupted. If you want to verify the trace is not corrupted before providing it to Elastic Support, you can open the resulting ETL file in [Windows Performance Analyzer](https://learn.microsoft.com/en-us/windows-hardware/test/wpt/windows-performance-analyzer). If any errors occur while opening it, then it is corrupted and must be re-captured.

## Process Monitor Trace
[Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) also provides the ability to capture profiling data. ProcMon CPU traces are less comprehensive and lower fidelity than WPR traces, but include other context such as file, registry, network, image, and process events.

### Enabling ProcMon CPU Tracing

ProcMon does not capture CPU traces by default. When enabled, its GUI limits resolution to 10 samples/second. This resolution isn't useful for diagnosing many types of CPU issues.
To capture higher-fidelity (20 samples/second) traces, set the following **before launching ProcMon**:
```
reg.exe add "HKCU\Software\SysInternals\Process Monitor" /f /v Profiling /t REG_DWORD /d 20
```

If the system becomes unusable during high-fidelity CPU profiling, then either follow the GUI instructions below or run this command **before launching ProcMon**:

```
reg.exe add "HKCU\Software\SysInternals\Process Monitor" /f /v Profiling /t REG_DWORD /d 10
```


#### Configure Low-Fidelity CPU Profiling via GUI

To enable 10 samples/sec profiling data capture, select **Options** -> **Profiling Events**

![image](https://github.com/user-attachments/assets/8d79cab5-a425-4fe8-8016-107b76bfa3c0)

Then check **Generate thread profiling events** and select **Every 100 milliseconds**

![image](https://github.com/user-attachments/assets/25113c84-2ebb-4f0b-8373-fb682489dbe6)

If a trace was already running, start a new one by selecting **Edit** -> **Clear Display**

![image](https://github.com/user-attachments/assets/2155763c-c447-4ea6-9791-b58ff1a46b58)


### Capturing the ProcMon Trace

Now, reproduce the problematic behavior while the trace is running. When you are done, select **All Events** and PML format in the save dialog. The resulting PML file should compress well; please zip it.

![image](https://github.com/user-attachments/assets/8ecbc63f-3f09-4175-aa1a-b61a33cfdbd9)

Because Elastic Defend runs as an [Antimalware Protected Process Light](https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-), Procmon cannot fully enrich the CPU trace. To facilitate analysis by Elastic Support, please also capture a memory dump using the following command:
```
"C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" memorydump
```

The resulting DMP file will compress well. Please zip it. Note that you will not be able to navigate to `C:\Program Files\Elastic\Endpoint` in Windows Explorer on most systems, but you should be able to copy out the DMP file via the command line.

> [!TIP]
> PML and DMP files usually compress well. To reduce file transfer times, please zip them.

--------------------------------------------------------------------------------
/EndpointTopCommand.md:
--------------------------------------------------------------------------------
# Identifying Endpoint CPU triggers with the `top` command

### Applicable Versions
- Elastic Endpoint 8.8.2+ (Windows only)
- Elastic Endpoint 8.9.0+ (All platforms)
- Elastic Endpoint 8.12.0 (new UI)
- Elastic Endpoint 8.13.0

## Background

Elastic Endpoint provides comprehensive Endpoint Detection and Response (EDR) capabilities, combining malware protection, memory threat protection, ransomware protection, and a comprehensive behavioral protection (rules) engine. Beyond these protections, Endpoint provides event collection, enrichment, and streaming.
In order to implement these protections, Endpoint must monitor and record activity performed by all processes on the system. This monitoring requires CPU and I/O.

For example, a software update may write out thousands of files and registry keys. As these files are written, Endpoint must scan them for malware, create file events describing them, enrich those events with information about the process that wrote them, and then evaluate these events against [hundreds](https://github.com/elastic/protections-artifacts/tree/main/behavior/rules) of behavioral protection rules to identify patterns of malicious behavior. Simultaneously, Endpoint is analyzing this activity for behavior indicative of ransomware.

In other words, if Endpoint is consuming CPU, it's likely in response to some other activity occurring on the system. Previously, it was difficult to identify which processes were causing Endpoint's resource usage, but it is now easier thanks to the `top` command.
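The rest of this document explains that `top` reports each process group's share of the Endpoint service's wall-clock time (un-normalized, so the ceiling is 100% per logical CPU, or `--normalized` to a 100% ceiling), that the underlying data is the per-executable `week_ms` counters in `Endpoint.metrics.system_impact`, and that earlier releases printed raw milliseconds per fixed interval. The script below is an added example, not Endpoint code and not part of this document; it reproduces that arithmetic over a constructed `system_impact`-style sample so the percentages can be checked by hand. The `file_events` key in the sample is an assumption used for illustration; only `process`, `process_events` and `overall` are shown on this page.

```python
"""Added example (not Endpoint code): reproduce the arithmetic behind the
percentages that `top` shows from the wall-clock millisecond counters Endpoint
records per executable, plus the conversion for the earlier ms-only output."""
import json
from pathlib import PureWindowsPath

WEEK_MS = 7 * 24 * 60 * 60 * 1000  # aggregation window used by system_impact

# Constructed sample in the shape of Endpoint.metrics.system_impact entries.
# Only "process", "process_events" and "overall" appear on the page;
# "file_events" is an assumed key added here for illustration.
SAMPLE = json.loads(r'''
[
  {"process": {"executable": "C:\\tools\\cmake\\bin\\cmake.exe"},
   "process_events": {"week_ms": 600000},
   "file_events": {"week_ms": 60000000},
   "overall": {"week_ms": 60600000}},
  {"process": {"executable": "C:\\Windows\\System32\\svchost.exe"},
   "process_events": {"week_ms": 120000},
   "file_events": {"week_ms": 3600000},
   "overall": {"week_ms": 3720000}},
  {"process": {"executable": "C:\\Program Files\\Slack\\Slack.exe"},
   "process_events": {"week_ms": 0},
   "file_events": {"week_ms": 30000},
   "overall": {"week_ms": 30000}}
]
''')


def percent_of_window(ms, window_ms, ncpu=1, normalized=False):
    """Wall-clock ms spent on a work unit as a percentage of the window.

    Un-normalized, the service total can reach ncpu * 100% (1600% on 16 CPUs),
    as in plain `top`; normalized divides by ncpu so 100% is the ceiling,
    as in `top --normalized`."""
    if window_ms <= 0 or ncpu <= 0:
        raise ValueError("window_ms and ncpu must be positive")
    pct = 100.0 * ms / window_ms
    return pct / ncpu if normalized else pct


def legacy_percent(value_ms, interval_ms):
    """Earlier implementations printed raw ms per fixed interval (3000 ms in
    8.8.2, 5000 ms in 8.9.0); the percentage view is value / interval."""
    return 100.0 * value_ms / interval_ms


def summarize(entries, window_ms=WEEK_MS, ncpu=1, normalized=False):
    """One row per executable (basename only), highest overall share first."""
    rows = []
    for entry in entries:
        name = PureWindowsPath(entry["process"]["executable"]).name
        features = {
            key: round(percent_of_window(val["week_ms"], window_ms, ncpu, normalized), 2)
            for key, val in entry.items()
            if key not in ("process", "overall")
        }
        overall = percent_of_window(entry["overall"]["week_ms"], window_ms, ncpu, normalized)
        rows.append({"process": name, "overall": round(overall, 2), "features": features})
    rows.sort(key=lambda row: row["overall"], reverse=True)
    return rows


def outliers(rows, min_overall_pct):
    """Executables whose overall share stands out: candidates for an
    Exception or Trusted Application, to be re-checked in `top` afterwards."""
    return [row["process"] for row in rows if row["overall"] >= min_overall_pct]


if __name__ == "__main__":
    rows = summarize(SAMPLE)
    for row in rows:
        print(f"{row['process']:<14} {row['overall']:>6.2f}%  {row['features']}")
    print("outliers:", outliers(rows, 5.0))
```

Percentages are rounded only for display; `outliers` compares the rounded overall value, which is what a reader of the `top` screen would compare too. Because the counters are wall-clock time, a group's share can exceed what the service actually burned on the CPU, so the threshold is a triage aid rather than a measurement.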

## The `top` command


```
| PROCESS            | OVERALL | AUTH | BHVR | DIAG BHVR | DNS | FILE | LIB | MLWR | MEM SCAN | NET | PROC | RANSOM | REG | API |
=================================================================================================================================
| cmake.exe          | 16.4    | 0.0  | 0.2  | 1.9       | 0.0 | 10.9 | 0.0 | 3.3  | 0.0      | 0.0 | 0.1  | 0.0    | 0.0 | 0.0 |
| MSBuild.exe        | 11.6    | 0.0  | 0.9  | 1.3       | 0.0 | 0.5  | 2.7 | 5.3  | 0.0      | 0.0 | 0.9  | 0.0    | 0.0 | 0.0 |
| cmd.exe            | 6.1     | 0.0  | 1.3  | 1.7       | 0.0 | 0.1  | 0.0 | 0.0  | 1.2      | 0.0 | 1.7  | 0.0    | 0.0 | 0.1 |
| conhost.exe        | 1.6     | 0.0  | 0.3  | 0.4       | 0.0 | 0.0  | 0.1 | 0.0  | 0.0      | 0.0 | 0.8  | 0.0    | 0.0 | 0.0 |
| svchost.exe        | 1.2     | 0.0  | 0.0  | 0.0       | 0.0 | 1.2  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| Slack.exe          | 0.1     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| cl.exe             | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| msiexec.exe        | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| setup.exe          | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| chrome.exe         | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| Code.exe           | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| mscorsvw.exe       | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| msedge.exe         | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| vctip.exe          | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| mscorsvw.exe       | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| msedgewebview2.exe | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| filebeat.exe       | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| devenv.exe         | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| Tracker.exe        | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |
| link.exe           | 0.0     | 0.0  | 0.0  | 0.0       | 0.0 | 0.0  | 0.0 | 0.0  | 0.0      | 0.0 | 0.0  | 0.0    | 0.0 | 0.0 |

Endpoint service (16 CPU): 44.3% out of 1600%
```

_Image: Elastic Endpoint 8.12.0 running on Windows_

Newer versions of Endpoint include a feature similar to `top` on POSIX platforms. `top` shows a breakdown of the process groups that triggered Endpoint's CPU usage, and further breaks that activity down by feature.

`top` displays the percentage of time the Endpoint service spent on a particular process group, measured by wall clock, without accounting for the operating system's process scheduling and similar effects. In other words, it is a coarse indicator of what share of the service's CPU consumption might* be attributable to a particular work unit. Taking the above example, the Elastic Endpoint service consumed 44.3% (out of 1600%) of system CPU time, of which 16% might* have been consumed by work done on behalf of `cmake.exe`.

_\*The Endpoint service, as a user-mode process, cannot reliably track the CPU time spent executing a particular code path. Time measured by wall clock is higher than the real CPU time spent, because execution of the code path can block on synchronization primitives, and, like any process, the Endpoint service shares CPU time with other processes._

Endpoint displays metrics for process groups, as opposed to POSIX's `top` command, which displays metrics per process. Taking the above example, there could have been multiple `MSBuild.exe` processes running at that time, but the statistics for all of them are added together.
This information can be useful to guide you in the creation of [Exceptions](https://www.elastic.co/guide/en/security/8.13/add-exceptions.html#endpoint-rule-exceptions) and [Trusted Applications](https://www.elastic.co/guide/en/security/8.13/trusted-apps-ov.html) to [optimize Endpoint](https://www.elastic.co/guide/en/security/8.13/endpoint-artifacts.html) for your environment.

If you prefer to see values normalized to 100%, regardless of how many logical processors you have, use `top --normalized`.

**Note**

The `top` statistics are far from perfect, but they are a tried and tested tool for fine-tuning Endpoint configuration to eliminate outliers.

The content comes from the Endpoint metrics module, which writes the metrics document to the `metrics-endpoint.metrics-*` index under the `Endpoint.metrics.system_impact` node. Endpoint has been collecting it for many releases, aggregating data over a week for each executing binary:
```
{
  "process": {
    "executable": """C:\Program Files\Elastic\Agent\data\elastic-agent-dc443b\components\metricbeat.exe"""
  },
  "process_events": {
    "week_ms": 74
  },
  "overall": {
    "week_ms": 74
  }
},
```
This has helped us see what a customer is experiencing in their environment whenever they contacted our support about performance issues. Moreover, we could clearly see which feature required tuning.

**Takeaway: it's not about precise numbers**

The name `top` was chosen for its general meaning, not to indicate a close relationship with the POSIX `top` command's output. Don't expect a precise breakdown of real-time Endpoint CPU usage by Endpoint feature. Even though we give you the `--interval x` option, don't be tempted to set it too low: the lower it is, the higher the error.
Focus your attention on numbers that stand out over a longer time. If you can clearly see an outlier, consider adding an Exception or Trusted Application, and validate the effect in `top` after the policy change.

#### Earlier implementations

Earlier implementations displayed the raw time statistics, in milliseconds, gathered over a fixed time interval. To get the percentage view, you'd need to divide the displayed value by the interval in milliseconds. The Endpoint service CPU utilization % was normalized to 100%.

- Elastic Endpoint 8.8.2+ used an interval of 3000 ms.
- Elastic Endpoint 8.9.0+ used an interval of 5000 ms.

## Abbreviations

To fit everything on the screen, columns are abbreviated as follows:

| Abbreviation | Feature | How do I toggle this off? |
| - | - | - |
| MLWR | Malware Protection | Uncheck [Malware protections enabled](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#malware-protection) |
| NET | Network Events | Uncheck in [Event Collection](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#event-collection) |
| PROC | Process Events | Uncheck in [Event Collection](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#event-collection) |
| FILE | File Events | Uncheck in [Event Collection](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#event-collection) |
| REG | Registry Events | Uncheck in [Event Collection](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#event-collection) |
| DNS | DNS Events | Uncheck in [Event Collection](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#event-collection) |
| LIB | Library Load Events | Uncheck in [Event Collection](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#event-collection) |
| AUTH | Authentication Events | Uncheck Security Events in [Event Collection](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#event-collection) |
| CRED | Credential Access Events | Uncheck API in [Event Collection](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#event-collection) |
| RANSOM | Ransomware Protection | Uncheck [Ransomware protections enabled](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#ransomware-protection) |
| API | API Events | In [Advanced Policy](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#adv-policy-settings), set `windows.advanced.events.api: false` |
| PROC INJ | Process Injection Protection (part of Memory Protection) | Uncheck [Memory threat protections enabled](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#memory-protection) to turn off Memory Protection entirely, or set `windows.advanced.memory_protection.shellcode: false` in [Advanced Policy](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#adv-policy-settings) to turn off only Process Injection protection. |
| MEM SCAN | Memory Scanning (part of Memory Protection) | Uncheck [Memory threat protections enabled](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#memory-protection) to turn off Memory Protection entirely, or set `*.advanced.memory_protection.memory_scan: false` in [Advanced Policy](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#adv-policy-settings) to turn off only Memory Scanning. |
| BHVR | Malicious Behavior Protection (Rules Engine) | Uncheck [Malicious behavior protections enabled](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#behavior-protection) |
| DIAG BHVR | Diagnostic Malicious Behavior Protection (Rules Engine) | Set `*.advanced.diagnostic.enabled: false` in [Advanced Policy](https://www.elastic.co/guide/en/security/8.13/configure-endpoint-integration-policy.html#adv-policy-settings) |

_\*For an up-to-date list of abbreviations, consult the built-in help: `elastic-endpoint --help`_

## Conclusion

The Elastic Endpoint team is constantly working to evaluate and improve performance, but every environment is unique, with varying combinations of software and configurations. The `top` command can help you gain a greater understanding of performance issues in your environment, empowering you to take action to [resolve](https://www.elastic.co/guide/en/security/8.13/endpoint-artifacts.html) them.

--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
Elastic License 2.0

URL: https://www.elastic.co/licensing/elastic-license

## Acceptance

By using the software, you agree to all of the terms and conditions below.

## Copyright License

The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below.

## Limitations

You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software.

You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key.

You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law.

## Patents

The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software. If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company.

## Notices

You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms.

If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software.

## No Other Rights

These terms do not imply any licenses other than those expressly granted in these terms.

## Termination

If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate.
If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently.

## No Liability

*As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.*

## Definitions

The **licensor** is the entity offering these terms, and the **software** is the software the licensor makes available under these terms, including any portion of it.

**you** refers to the individual or entity agreeing to these terms.

**your company** is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. **control** means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect.

**your licenses** are all the licenses granted to you for the software under these terms.

**use** means anything you do with the software requiring one of your licenses.

**trademark** means trademarks, service marks, and similar rights.

--------------------------------------------------------------------------------
/NOTICE.txt:
--------------------------------------------------------------------------------
Elastic Endpoint
Copyright 2012-2018 Elasticsearch B.V.
--------------------------------------------------------------------------------
/PerformanceIssues-Windows.md:
--------------------------------------------------------------------------------
# [Windows] Elastic Defend (Endpoint) high CPU utilization

This article pertains to Elastic Defend (Endpoint) on Windows.

## Introduction

This article aims to provide a greater understanding of the causes of Elastic Defend’s system resource utilization, and provides workarounds for some common problems that users may encounter, especially when deploying Defend alongside other security software.

## Event Collection

The Elastic Endpoint (part of Elastic Defend) monitors activity across your system. In response to the actions of other programs, it collects information including:

* Process Creation/Termination
* File Access/Creation/Modification/Rename/Deletion
* Registry modifications
* Network activity
* DNS activity
* Windows Security Logs
* Threat Intelligence API Activity (such as process injection)

It may or may not forward these events to your Elastic Stack. If events are disabled in policy, Defend won’t stream these events to Elasticsearch, but it may still collect and enrich them to support other features such as Behavioral Protections.

## Event Enrichment

Beyond collecting the base event information, Defend also collects additional information to enrich each event. For example, it computes and verifies digital signatures to include signer information in every process event. It also parses PE files to extract their [Original File Names](https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.fileversioninfo.originalfilename?view=net-7.0). These are just some examples; there are many more enrichments.

Collecting this information requires CPU cycles, and may require I/O.
For example, when a file is written, Defend must then read that file to scan it for malware. This involves checking its digital signature, computing file hashes, computing file entropy for its Machine Learning model, and scanning the file with YARA.

## Behavioral Protections
If Behavioral Protections are enabled, Defend runs all collected events through a stateful rules engine that checks for (and quickly reacts to) [hundreds](https://github.com/elastic/protections-artifacts/tree/main/behavior/rules) of known-malicious patterns of behavior. This evaluation process requires CPU cycles.

# Feedback Loops
Defend reacts to activity on your system, generating its own activity in response. Problems can arise on systems running other software that does the same thing. Examples of such software include:

* Anti-Malware (AM) / Anti-Virus (AV)
* Endpoint Detection and Response (EDR)
* eXtended Detection and Response (XDR)
* Endpoint Protection Platform (EPP)
* Data Loss Prevention (DLP)
* Employee Monitoring Software
* Application Virtualization Software

If two or more applications react to system activity by generating their own activity, then feedback loops are possible. These feedback loops can cause spikes in resource usage for either or both products, or lead to [deadlocks](https://en.wikipedia.org/wiki/Deadlock) that cause the system to hang.

Imagine the following scenario with a hypothetical third-party AV product:

1. A user downloads a file with their web browser
2. Elastic Defend's filesystem minifilter driver intercepts this file creation and asks its user-mode component, `elastic-endpoint.exe`, to scan the file.
3. `elastic-endpoint.exe` attempts to open the file to scan it.
4. AV's filesystem minifilter driver sees an application (`elastic-endpoint.exe`) opening a file and intercepts it, asking its user-mode process to scan the file.
5. AV's user-mode process `AV.exe` attempts to open the file to scan it.
6. Elastic Defend's filesystem minifilter driver intercepts `AV.exe`'s activity and asks its user-mode component, `elastic-endpoint.exe`, to scan the file.
7. `elastic-endpoint.exe` attempts to open the file to scan it.
8. AV's filesystem minifilter driver sees an application (`elastic-endpoint.exe`) opening a file and intercepts it, asking its user-mode process to scan the file.
9. AV's user-mode process `AV.exe` attempts to open the file to scan it.
10. ... the loop continues

Such feedback loops degrade system performance and responsiveness, and can lead to spikes in CPU and I/O utilization. There are variations of this too, such as where the AV makes a temporary copy of the file to scan it asynchronously. Interactions can get even more complex when there are more than two products installed on a system.

# Trusted Applications
Generally, it's not recommended to run multiple AV applications simultaneously. Here is AV-Comparatives' take on it, titled "[Why you should never have multiple antivirus programs on your computer](https://www.av-comparatives.org/why-you-should-never-have-multiple-antivirus-programs-on-your-computer)." Despite this, some users prefer to run multiple security products simultaneously. In response, we created [Trusted Applications](https://www.elastic.co/guide/en/security/master/trusted-apps-ov.html) to help deal with these conflicts. By having Defend ignore the activity of the other security software on your system, we can break this cycle, reduce wasted resources, and improve system performance. By also adding Defend as a Trusted Application in the third-party security product, we can break this cycle even sooner, for better performance and fewer wasted resources. In the above example, even if both AV applications trust each other, both will still scan the file saved by the web browser.

While not guaranteed to resolve performance issues, Trusted Applications are a common first step when deploying new security software to an already-protected environment. **If you intend to run multiple security applications in your environment and are encountering performance problems, we strongly recommend you deploy Trusted Applications ASAP.**

## Limitations of Trusted Applications
Trusted Applications work at the process level. Many security products also include kernel-level components (drivers) that can generate activity in [system worker threads](https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-worker-threads) and/or [arbitrary thread contexts](https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/driver-thread-context). System worker threads run inside the System process in Task Manager, which should not be added as a Trusted Application. Activity generated within an arbitrary thread context can come from any thread (in any process) on the system while it is executing in kernel mode, such as when performing a system call.

Many security products also inject DLLs into processes throughout the system to perform user-mode hooking. For example, an EDR may inject a DLL into Microsoft Office in order to intercept specific intra-process activity that is not easily accessible from its kernel driver. In this example, activity generated by this injected DLL appears to come from Microsoft Office, not the EDR. Microsoft Office should not be added as a Trusted Application, so Trusted Applications will likely not be able to work around issues stemming from this activity.

## Trusting Elastic Defend in Other Software
While adding your existing AV/EDR/EPP/DLP/etc. software as a Trusted Application in Elastic Defend can help performance, better performance will be achieved (with fewer compatibility issues) if the trust is mutual.
Defend calls these exclusions Trusted Applications, but other products may call them Process Exclusions, Ignored Processes, or Trusted Processes. **It is important to note that file-, folder-, and path-based exclusions/exceptions are distinct from Trusted Applications and will NOT achieve the same result. The goal here is to ignore actions taken BY a process, not ignore the file that the process was spawned from. Files are different from processes.**

Elastic Defend's main executable is “`C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe`”. It is signed by “`Elasticsearch, Inc.`” (spaces included, sans quotes). There may be a secondary signature from “`Elasticsearch B.V.`”, though this may change in future releases. When adding Defend as a Trusted Application in a third-party product, you should require both the path and the signer to match if possible. This will reduce the risk of an attacker exploiting the gap created by this trust.

Here is an example of the process exclusion UI in Microsoft Defender:

![image](https://github.com/elastic/endpoint/assets/42078554/c660fd36-d4c3-4ea3-bdb9-d9d7571caac2)

# Third-Party Resources
Below are some resources to help you add Defend as a Trusted Application in your third-party security software. If you use a product not listed here, try searching for “[PRODUCTNAME add process exclusion](https://www.google.com/search?q=PRODUCTNAME+add+process+exclusion)”.

| Product | Resources |
| - | - |
| Microsoft Defender | [How to add a file type or process exclusion to Windows Security](https://support.microsoft.com/en-us/topic/how-to-add-a-file-type-or-process-exclusion-to-windows-security-e524cbc2-3975-63c2-f9d1-7c2eb5331e53); [Configure exclusions for files opened by processes](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus) |
| Symantec Endpoint Protection | [Preventing SEP from scanning files accessed by a trusted process](https://knowledge.broadcom.com/external/article/199534/preventing-sep-from-scanning-files-acces.html) |
| Carbon Black Protection (Bit9) | [Anti-Virus Exclusions for Agent (Windows)](https://community.carbonblack.com/t5/Knowledge-Base/App-Control-Anti-Virus-Exclusions-for-Agent-Windows/ta-p/38334); [Antivirus Exclusions for Server](https://community.carbonblack.com/t5/Knowledge-Base/App-Control-Antivirus-Exclusions-for-Server/ta-p/65891) |
| Carbon Black Cloud | [How to Set up Exclusions in the Carbon Black Cloud Console for AV Products](https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Set-up-Exclusions-in-the-Carbon-Black/ta-p/42334) |
| Trend Micro | [Adding exclusion for Anti-Malware Real-Time Scan in Deep Security](https://success.trendmicro.com/dcx/s/solution/1122045-adding-exclusion-for-anti-malware-real-time-scan-in-deep-security?language=en_US) |
| SentinelOne | [SentinelOne - Path Exclusion](https://www.cybervigilance.uk/post/sentinelone-path-exclusion) (SentinelOne appears to combine path and process exclusions) |
| Cisco Secure Endpoint / AMP | [Configure and Identify Cisco Secure Endpoint Exclusions](https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html#toc-hId-1814232963) |

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Elastic Endpoint Security

The Elastic Endpoint provides deep, kernel-level data and adds free antivirus to the Elastic Stack.
Information on getting started with Elastic Endpoint Security is available
[here](https://www.elastic.co/guide/en/security/index.html).

Thanks for checking out the Elastic Endpoint. Protecting the world's data from attackers is our
passion. We're proud to secure your systems and hope you love Elastic Endpoint Security.

If you have any issues or questions with the Elastic Endpoint, please get in touch. We'd love to hear
from you!

## Where to File Issues
Please file issues with the Elastic Endpoint that runs on protected hosts in this repository.

Issues with the Elastic Agent (which installs and manages the Elastic Endpoint) should be filed in
the [Beats](https://github.com/elastic/beats) repository, and issues with the Kibana Security
application or Ingest Manager should be filed in the [Kibana](https://github.com/elastic/kibana)
repository.

If you're using malware protection and are experiencing false positives, you should be able to use
the
[exceptions workflow](https://www.elastic.co/guide/en/security/7.9/detections-ui-exceptions.html) to
tune your environment. You can help us improve the feature, though, by telling us about false
positives. To do so, please use
[this](https://discuss.elastic.co/t/submitting-false-positives/232322) process.

If you aren't sure where to file an issue, don't worry. Just put it where it feels best placed.
We'll take it from there.

## Experiencing Performance Issues

Please see [PerformanceIssues-Windows.md](PerformanceIssues-Windows.md).

## Security Concerns

If you need to report a bug that an attacker could take advantage of, please instead email
security@elastic.co so we can responsibly address the issue. Further reading [here](https://www.elastic.co/community/security).

## Asking questions

* You are welcome to join the [Elastic Stack Community](https://elasticstack.slack.com) Slack and ask for help on the `#endpoint-security` channel.
* You can ask a question in the [forum](https://discuss.elastic.co/c/security/endpoint-security).

--------------------------------------------------------------------------------
/deployment/linux/README.md:
--------------------------------------------------------------------------------
# Kernel Configuration with `make menuconfig`
You can find Elastic Defend's official list of supported Linux distributions and kernels [here](https://www.elastic.co/support/matrix).

Outside this list, there may be cases where a Linux kernel does not provide all the capabilities required for Defend to run. The following are experimental and unsupported steps to configure a Linux kernel on Gentoo to run Elastic Defend.

### `make menuconfig` instructions to enable Elastic Defend:

NOTE: In order to compile the kernel with BTF, `pahole` needs to be installed:
`emerge -av dev-util/pahole`

1. First, enable `CONFIG_DEBUG_INFO_DWARF4` to enable `CONFIG_DEBUG_INFO`
```
| Symbol: DEBUG_INFO [=n] │
│ Type : bool │
│ Defined at lib/Kconfig.debug:227 │
│ Selected by [n]: │
│ - DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT [=n] && && (!CC_IS_CLANG [=n] || AS_IS_LLVM [=n] || CLANG_VERSION [=0]<140000 || AS_IS_GNU [=y] && AS_VERSION [=24000]>=23502 && AS_HAS_NON_ │
│ - DEBUG_INFO_DWARF4 [=n] && && (!CC_IS_CLANG [=n] || AS_IS_LLVM [=n] || AS_IS_GNU [=y] && AS_VERSION [=24000]>=23502) │
│ - DEBUG_INFO_DWARF5 [=n] && && (!CC_IS_CLANG [=n] || AS_IS_LLVM [=n] || AS_IS_GNU [=y] && AS_VERSION [=24000]>=23502 && AS_HAS_NON_CONST_LEB128 [=y])
```
```
│ Symbol: DEBUG_INFO_DWARF4 [=n] │
│ Type : bool │
│ Defined at lib/Kconfig.debug:270 │
│ Prompt: Generate DWARF Version 4 debuginfo │
│ Depends on: && (!CC_IS_CLANG [=n] || AS_IS_LLVM [=n] || AS_IS_GNU [=y] && AS_VERSION [=24000]>=23502) │
│ Location: │
│ -> Kernel hacking │
│ -> Compile-time checks and compiler options │
│ -> Debug information ( [=y]) │
│ (1) -> Generate DWARF Version 4 debuginfo (DEBUG_INFO_DWARF4 [=n]) │
│ Selects: DEBUG_INFO [=n]
```
2. Second, disable structure layout randomization (`CONFIG_RANDSTRUCT_NONE`) in order to allow `CONFIG_DEBUG_INFO_BTF` to be enabled
```
│ Symbol: DEBUG_INFO_BTF [=n] │
│ Type : bool │
│ Defined at lib/Kconfig.debug:345 │
│ Prompt: Generate BTF typeinfo │
│ Depends on: DEBUG_INFO [=y] && !DEBUG_INFO_SPLIT [=n] && !DEBUG_INFO_REDUCED [=n] && (!GCC_PLUGIN_RANDSTRUCT [=y] || COMPILE_TEST [=n]) && BPF_SYSCALL [=y] && (!DEBUG_INFO_DWARF5 [=n] || │
│ Location: │
│ -> Kernel hacking │
│ (1) -> Compile-time checks and compiler options │
│ -> Generate BTF typeinfo (DEBUG_INFO_BTF [=n])
```
```
│ Symbol: RANDSTRUCT_NONE [=n] │
│ Type : bool │
│ Defined at security/Kconfig.hardening:312 │
│ Prompt: Disable structure layout randomization │
│ Depends on: │
│ Location: │
│ -> Security options │
│ -> Kernel hardening options │
│ -> Randomize layout of sensitive kernel structures ( [=y]) │
│ (1) -> Disable structure layout randomization (RANDSTRUCT_NONE [=n])
```
NOTE: Enabling `RANDSTRUCT_NONE` will provide the option in `make menuconfig` to enable `DEBUG_INFO_BTF`. Both `RANDSTRUCT_NONE` and `DEBUG_INFO_BTF` need to be enabled.

3. Export taskstats (`CONFIG_TASKSTATS`) to enable an eBPF hook point
```
│ Symbol: TASKSTATS [=n] │
│ Type : bool │
│ Defined at init/Kconfig:584 │
│ Prompt: Export task/process statistics through netlink │
│ Depends on: NET [=y] && MULTIUSER [=y] │
│ Location: │
│ -> General setup │
│ -> CPU/Task time and stats accounting │
│ (1) -> Export task/process statistics through netlink (TASKSTATS [=n])
```
4. Enable `CONFIG_SECURITY` to then enable fanotify permission events (`CONFIG_FANOTIFY_ACCESS_PERMISSIONS`)
```
│ Symbol: FANOTIFY_ACCESS_PERMISSIONS [=n] │
│ Type : bool │
│ Defined at fs/notify/fanotify/Kconfig:15 │
│ Prompt: fanotify permissions checking │
│ Depends on: FANOTIFY [=y] && SECURITY [=n] │
│ Location: │
│ -> File systems │
│ (1) -> Filesystem wide access notification (FANOTIFY [=y]) │
│ -> fanotify permissions checking (FANOTIFY_ACCESS_PERMISSIONS [=n])
```
```
│ Symbol: SECURITY [=n] │
│ Type : bool │
│ Defined at security/Kconfig:22 │
│ Prompt: Enable different security models │
│ Depends on: SYSFS [=y] && MULTIUSER [=y] │
│ Location: │
│ -> Security options │
│ (1) -> Enable different security models (SECURITY [=n])
```
5. Enable network queueing disciplines for host isolation.
```
│ Symbol: NET_CLS_ACT [=n]
│ Type : bool │
│ Defined at net/sched/Kconfig:742 │
│ Prompt: Actions │
│ Depends on: NET [=y] && NET_SCHED [=y] │
│ Location: │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> QoS and/or fair queueing (NET_SCHED [=y]) │
│ (2) -> Actions (NET_CLS_ACT [=n]) │
│ Selects: NET_CLS [=y]
```
```
│ Symbol: NET_CLS_BPF [=n] │
│ Type : tristate │
│ Defined at net/sched/Kconfig:602 │
│ Prompt: BPF-based classifier │
│ Depends on: NET [=y] && NET_SCHED [=y] │
│ Location: │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> QoS and/or fair queueing (NET_SCHED [=y]) │
│ (1) -> BPF-based classifier (NET_CLS_BPF [=n]) │
│ Selects: NET_CLS [=y]
```
```
│ Symbol: NET_SCH_CBQ [=n] │
│ Type : tristate │
│ Defined at net/sched/Kconfig:48 │
│ Prompt: Class Based Queueing (CBQ) │
│ Depends on: NET [=y] && NET_SCHED [=y] │
│ Location: │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> QoS and/or fair queueing (NET_SCHED [=y]) │
│ (1) -> Class Based Queueing (CBQ) (NET_SCH_CBQ [=n])
```
```
│ Symbol: NET_ACT_BPF [=y] │
│ Type : tristate │
│ Defined at net/sched/Kconfig:890 │
│ Prompt: BPF based action │
│ Depends on: NET [=y] && NET_SCHED [=y] && NET_CLS_ACT [=y] │
│ Location: │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> QoS and/or fair queueing (NET_SCHED [=y]) │
│ -> Actions (NET_CLS_ACT [=y]) │
│ (1) -> BPF based action (NET_ACT_BPF [=y])
```
```
│ Symbol: NET_SCH_INGRESS [=y] │
│ Type : tristate │
│ Defined at net/sched/Kconfig:382 │
│ Prompt: Ingress/classifier-action Qdisc │
│ Depends on: NET [=y] && NET_SCHED [=y] && NET_CLS_ACT [=y] │
│ Location: │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> QoS and/or fair queueing (NET_SCHED [=y]) │
│ (2) -> Ingress/classifier-action Qdisc (NET_SCH_INGRESS [=y]) │
│ Selects: NET_INGRESS [=y] && NET_EGRESS [=y]
```
6. Enable `CONFIG_SECURITY_NETWORK` for tracefs (kprobe) network event sources
```
│ Symbol: SECURITY_NETWORK [=y] │
│ Type : bool │
│ Defined at security/Kconfig:48 │
│ Prompt: Socket and Networking Security Hooks │
│ Depends on: SECURITY [=y] │
│ Location: │
│ -> Security options │
│ (1) -> Socket and Networking Security Hooks (SECURITY_NETWORK [=y]) │
│ Selected by [n]: │
│ - SECURITY_SMACK [=n] && NET [=y] && INET [=y] && SECURITY [=y] │
│ - SECURITY_TOMOYO [=n] && SECURITY [=y] && NET [=y] │
│ - SECURITY_APPARMOR [=n] && SECURITY [=y] && NET [=y]
```

--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/LICENSE/LICENSE.txt:
--------------------------------------------------------------------------------
Copyright © 2022 Elastic, NV.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/README.md:
--------------------------------------------------------------------------------
# System Extension Tester

Use this application to test loading a system extension, loading a network extension content filter, and querying for Full Disk Access. Use this application to determine if an issue you are seeing is something related to third-party code or a bug within macOS itself.

--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester.xcodeproj/.xcodesamplecode.plist:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester.xcodeproj/project.pbxproj:
--------------------------------------------------------------------------------
// !$*UTF8*$!
2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 50; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | BE4393B12769EDB900C69008 /* FIlterPacketProvider.swift in Sources */ = {isa = PBXBuildFile; fileRef = BE4393B02769EDB900C69008 /* FIlterPacketProvider.swift */; }; 11 | BEC9531D2791619100D99D52 /* libEndpointSecurity.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = BEC9531C2791619100D99D52 /* libEndpointSecurity.tbd */; }; 12 | BEC9531E2791FDB700D99D52 /* libEndpointSecurity.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = BEC9531C2791619100D99D52 /* libEndpointSecurity.tbd */; }; 13 | C40A5C46229DD6A500627D50 /* NetworkExtension.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = C4B45DDD2273A3450050C59B /* NetworkExtension.framework */; }; 14 | C40A5C4B229DD6A500627D50 /* main.swift in Sources */ = {isa = PBXBuildFile; fileRef = C40A5C4A229DD6A500627D50 /* main.swift */; }; 15 | C40A5C50229DD6A500627D50 /* co.elastic.diagnostic.SystemExtensionTester.systemextension.systemextension in Embed System Extensions */ = {isa = PBXBuildFile; fileRef = C40A5C45229DD6A500627D50 /* co.elastic.diagnostic.SystemExtensionTester.systemextension.systemextension */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; }; 16 | C40A5C56229DD92E00627D50 /* IPCConnection.swift in Sources */ = {isa = PBXBuildFile; fileRef = C4B1415A227A396500B26560 /* IPCConnection.swift */; }; 17 | C40A5C57229DD93200627D50 /* FilterDataProvider.swift in Sources */ = {isa = PBXBuildFile; fileRef = C4E0DBB42273BEA0005B02F4 /* FilterDataProvider.swift */; }; 18 | C4B1415C227BBC0200B26560 /* IPCConnection.swift in Sources */ = {isa = PBXBuildFile; fileRef = C4B1415A227A396500B26560 /* IPCConnection.swift */; }; 19 | C4B45DB922739FFF0050C59B /* AppDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = C4B45DB822739FFF0050C59B /* AppDelegate.swift */; }; 20 | C4B45DBB22739FFF0050C59B /* ViewController.swift in Sources */ = {isa = PBXBuildFile; 
fileRef = C4B45DBA22739FFF0050C59B /* ViewController.swift */; }; 21 | C4B45DBD2273A0020050C59B /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = C4B45DBC2273A0020050C59B /* Assets.xcassets */; }; 22 | C4B45DC02273A0020050C59B /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = C4B45DBE2273A0020050C59B /* Main.storyboard */; }; 23 | C4B45DDE2273A3450050C59B /* NetworkExtension.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = C4B45DDD2273A3450050C59B /* NetworkExtension.framework */; }; 24 | /* End PBXBuildFile section */ 25 | 26 | /* Begin PBXContainerItemProxy section */ 27 | C40A5C4E229DD6A500627D50 /* PBXContainerItemProxy */ = { 28 | isa = PBXContainerItemProxy; 29 | containerPortal = C4B45DAD22739FFF0050C59B /* Project object */; 30 | proxyType = 1; 31 | remoteGlobalIDString = C40A5C44229DD6A500627D50; 32 | remoteInfo = SimpleFirewallExtension; 33 | }; 34 | /* End PBXContainerItemProxy section */ 35 | 36 | /* Begin PBXCopyFilesBuildPhase section */ 37 | C40A5C51229DD6A500627D50 /* Embed System Extensions */ = { 38 | isa = PBXCopyFilesBuildPhase; 39 | buildActionMask = 2147483647; 40 | dstPath = "$(SYSTEM_EXTENSIONS_FOLDER_PATH)"; 41 | dstSubfolderSpec = 16; 42 | files = ( 43 | C40A5C50229DD6A500627D50 /* co.elastic.diagnostic.SystemExtensionTester.systemextension.systemextension in Embed System Extensions */, 44 | ); 45 | name = "Embed System Extensions"; 46 | runOnlyForDeploymentPostprocessing = 0; 47 | }; 48 | /* End PBXCopyFilesBuildPhase section */ 49 | 50 | /* Begin PBXFileReference section */ 51 | 03411C5003411ED000000001 /* README.md */ = {isa = PBXFileReference; lastKnownFileType = net.daringfireball.markdown; path = README.md; sourceTree = ""; }; 52 | 6ED8E4306ED7A1A000000001 /* LICENSE.txt */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text; path = LICENSE.txt; sourceTree = ""; }; 53 | BE4393B02769EDB900C69008 /* FIlterPacketProvider.swift */ = {isa = PBXFileReference; 
lastKnownFileType = sourcecode.swift; path = FIlterPacketProvider.swift; sourceTree = ""; }; 54 | BEC9531C2791619100D99D52 /* libEndpointSecurity.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libEndpointSecurity.tbd; path = usr/lib/libEndpointSecurity.tbd; sourceTree = SDKROOT; }; 55 | C40A5C45229DD6A500627D50 /* co.elastic.diagnostic.SystemExtensionTester.systemextension.systemextension */ = {isa = PBXFileReference; explicitFileType = "wrapper.system-extension"; includeInIndex = 0; path = co.elastic.diagnostic.SystemExtensionTester.systemextension.systemextension; sourceTree = BUILT_PRODUCTS_DIR; }; 56 | C40A5C4A229DD6A500627D50 /* main.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = main.swift; sourceTree = ""; }; 57 | C40A5C4C229DD6A500627D50 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 58 | C40A5C4D229DD6A500627D50 /* TestSystemExtension.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = TestSystemExtension.entitlements; sourceTree = ""; }; 59 | C4B1415A227A396500B26560 /* IPCConnection.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = IPCConnection.swift; sourceTree = ""; }; 60 | C4B45DB522739FFF0050C59B /* SystemExtensionTester.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = SystemExtensionTester.app; sourceTree = BUILT_PRODUCTS_DIR; }; 61 | C4B45DB822739FFF0050C59B /* AppDelegate.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppDelegate.swift; sourceTree = ""; }; 62 | C4B45DBA22739FFF0050C59B /* ViewController.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ViewController.swift; sourceTree = ""; }; 63 | C4B45DBC2273A0020050C59B /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = 
folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 64 | C4B45DBF2273A0020050C59B /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; 65 | C4B45DC12273A0020050C59B /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 66 | C4B45DC22273A0020050C59B /* SystemExtensionTester.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = SystemExtensionTester.entitlements; sourceTree = ""; }; 67 | C4B45DDD2273A3450050C59B /* NetworkExtension.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NetworkExtension.framework; path = System/Library/Frameworks/NetworkExtension.framework; sourceTree = SDKROOT; }; 68 | C4E0DBB42273BEA0005B02F4 /* FilterDataProvider.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FilterDataProvider.swift; sourceTree = ""; }; 69 | /* End PBXFileReference section */ 70 | 71 | /* Begin PBXFrameworksBuildPhase section */ 72 | C40A5C42229DD6A500627D50 /* Frameworks */ = { 73 | isa = PBXFrameworksBuildPhase; 74 | buildActionMask = 2147483647; 75 | files = ( 76 | BEC9531D2791619100D99D52 /* libEndpointSecurity.tbd in Frameworks */, 77 | C40A5C46229DD6A500627D50 /* NetworkExtension.framework in Frameworks */, 78 | ); 79 | runOnlyForDeploymentPostprocessing = 0; 80 | }; 81 | C4B45DB222739FFF0050C59B /* Frameworks */ = { 82 | isa = PBXFrameworksBuildPhase; 83 | buildActionMask = 2147483647; 84 | files = ( 85 | BEC9531E2791FDB700D99D52 /* libEndpointSecurity.tbd in Frameworks */, 86 | C4B45DDE2273A3450050C59B /* NetworkExtension.framework in Frameworks */, 87 | ); 88 | runOnlyForDeploymentPostprocessing = 0; 89 | }; 90 | /* End PBXFrameworksBuildPhase section */ 91 | 92 | /* Begin PBXGroup section */ 93 | 6ED7B3006ED7B69000000001 /* LICENSE */ = { 94 | isa = PBXGroup; 95 | 
children = ( 96 | 6ED8E4306ED7A1A000000001 /* LICENSE.txt */, 97 | ); 98 | path = LICENSE; 99 | sourceTree = ""; 100 | }; 101 | C40A5C47229DD6A500627D50 /* TestSystemExtension */ = { 102 | isa = PBXGroup; 103 | children = ( 104 | C4E0DBB42273BEA0005B02F4 /* FilterDataProvider.swift */, 105 | BE4393B02769EDB900C69008 /* FIlterPacketProvider.swift */, 106 | C4B1415A227A396500B26560 /* IPCConnection.swift */, 107 | C40A5C4A229DD6A500627D50 /* main.swift */, 108 | C40A5C4C229DD6A500627D50 /* Info.plist */, 109 | C40A5C4D229DD6A500627D50 /* TestSystemExtension.entitlements */, 110 | ); 111 | path = TestSystemExtension; 112 | sourceTree = ""; 113 | }; 114 | C4B45DAC22739FFF0050C59B = { 115 | isa = PBXGroup; 116 | children = ( 117 | 03411C5003411ED000000001 /* README.md */, 118 | C4B45DB722739FFF0050C59B /* SystemExtensionTester */, 119 | C40A5C47229DD6A500627D50 /* TestSystemExtension */, 120 | C4B45DB622739FFF0050C59B /* Products */, 121 | C4B45DDC2273A3450050C59B /* Frameworks */, 122 | 6ED7B3006ED7B69000000001 /* LICENSE */, 123 | ); 124 | sourceTree = ""; 125 | }; 126 | C4B45DB622739FFF0050C59B /* Products */ = { 127 | isa = PBXGroup; 128 | children = ( 129 | C4B45DB522739FFF0050C59B /* SystemExtensionTester.app */, 130 | C40A5C45229DD6A500627D50 /* co.elastic.diagnostic.SystemExtensionTester.systemextension.systemextension */, 131 | ); 132 | name = Products; 133 | sourceTree = ""; 134 | }; 135 | C4B45DB722739FFF0050C59B /* SystemExtensionTester */ = { 136 | isa = PBXGroup; 137 | children = ( 138 | C4B45DB822739FFF0050C59B /* AppDelegate.swift */, 139 | C4B45DBA22739FFF0050C59B /* ViewController.swift */, 140 | C4B45DBC2273A0020050C59B /* Assets.xcassets */, 141 | C4B45DBE2273A0020050C59B /* Main.storyboard */, 142 | C4B45DC12273A0020050C59B /* Info.plist */, 143 | C4B45DC22273A0020050C59B /* SystemExtensionTester.entitlements */, 144 | ); 145 | path = SystemExtensionTester; 146 | sourceTree = ""; 147 | }; 148 | C4B45DDC2273A3450050C59B /* Frameworks */ = { 149 | isa 
= PBXGroup; 150 | children = ( 151 | BEC9531C2791619100D99D52 /* libEndpointSecurity.tbd */, 152 | C4B45DDD2273A3450050C59B /* NetworkExtension.framework */, 153 | ); 154 | name = Frameworks; 155 | sourceTree = ""; 156 | }; 157 | /* End PBXGroup section */ 158 | 159 | /* Begin PBXNativeTarget section */ 160 | C40A5C44229DD6A500627D50 /* TestSystemExtension */ = { 161 | isa = PBXNativeTarget; 162 | buildConfigurationList = C40A5C54229DD6A500627D50 /* Build configuration list for PBXNativeTarget "TestSystemExtension" */; 163 | buildPhases = ( 164 | C40A5C41229DD6A500627D50 /* Sources */, 165 | C40A5C42229DD6A500627D50 /* Frameworks */, 166 | C40A5C43229DD6A500627D50 /* Resources */, 167 | ); 168 | buildRules = ( 169 | ); 170 | dependencies = ( 171 | ); 172 | name = TestSystemExtension; 173 | productName = SimpleFirewallExtension; 174 | productReference = C40A5C45229DD6A500627D50 /* co.elastic.diagnostic.SystemExtensionTester.systemextension.systemextension */; 175 | productType = "com.apple.product-type.system-extension"; 176 | }; 177 | C4B45DB422739FFF0050C59B /* SystemExtensionTester */ = { 178 | isa = PBXNativeTarget; 179 | buildConfigurationList = C4B45DC52273A0020050C59B /* Build configuration list for PBXNativeTarget "SystemExtensionTester" */; 180 | buildPhases = ( 181 | C4B45DB122739FFF0050C59B /* Sources */, 182 | C4B45DB222739FFF0050C59B /* Frameworks */, 183 | C4B45DB322739FFF0050C59B /* Resources */, 184 | C40A5C51229DD6A500627D50 /* Embed System Extensions */, 185 | ); 186 | buildRules = ( 187 | ); 188 | dependencies = ( 189 | C40A5C4F229DD6A500627D50 /* PBXTargetDependency */, 190 | ); 191 | name = SystemExtensionTester; 192 | productName = SimpleFirewall; 193 | productReference = C4B45DB522739FFF0050C59B /* SystemExtensionTester.app */; 194 | productType = "com.apple.product-type.application"; 195 | }; 196 | /* End PBXNativeTarget section */ 197 | 198 | /* Begin PBXProject section */ 199 | C4B45DAD22739FFF0050C59B /* Project object */ = { 200 | isa = 
PBXProject; 201 | attributes = { 202 | DefaultBuildSystemTypeForWorkspace = Latest; 203 | LastSwiftUpdateCheck = 1100; 204 | LastUpgradeCheck = 1310; 205 | ORGANIZATIONNAME = Apple; 206 | TargetAttributes = { 207 | C40A5C44229DD6A500627D50 = { 208 | CreatedOnToolsVersion = 11.0; 209 | }; 210 | C4B45DB422739FFF0050C59B = { 211 | CreatedOnToolsVersion = 11.0; 212 | }; 213 | }; 214 | }; 215 | buildConfigurationList = C4B45DB022739FFF0050C59B /* Build configuration list for PBXProject "SystemExtensionTester" */; 216 | compatibilityVersion = "Xcode 9.3"; 217 | developmentRegion = en; 218 | hasScannedForEncodings = 0; 219 | knownRegions = ( 220 | en, 221 | Base, 222 | ); 223 | mainGroup = C4B45DAC22739FFF0050C59B; 224 | productRefGroup = C4B45DB622739FFF0050C59B /* Products */; 225 | projectDirPath = ""; 226 | projectRoot = ""; 227 | targets = ( 228 | C4B45DB422739FFF0050C59B /* SystemExtensionTester */, 229 | C40A5C44229DD6A500627D50 /* TestSystemExtension */, 230 | ); 231 | }; 232 | /* End PBXProject section */ 233 | 234 | /* Begin PBXResourcesBuildPhase section */ 235 | C40A5C43229DD6A500627D50 /* Resources */ = { 236 | isa = PBXResourcesBuildPhase; 237 | buildActionMask = 2147483647; 238 | files = ( 239 | ); 240 | runOnlyForDeploymentPostprocessing = 0; 241 | }; 242 | C4B45DB322739FFF0050C59B /* Resources */ = { 243 | isa = PBXResourcesBuildPhase; 244 | buildActionMask = 2147483647; 245 | files = ( 246 | C4B45DBD2273A0020050C59B /* Assets.xcassets in Resources */, 247 | C4B45DC02273A0020050C59B /* Main.storyboard in Resources */, 248 | ); 249 | runOnlyForDeploymentPostprocessing = 0; 250 | }; 251 | /* End PBXResourcesBuildPhase section */ 252 | 253 | /* Begin PBXSourcesBuildPhase section */ 254 | C40A5C41229DD6A500627D50 /* Sources */ = { 255 | isa = PBXSourcesBuildPhase; 256 | buildActionMask = 2147483647; 257 | files = ( 258 | C40A5C57229DD93200627D50 /* FilterDataProvider.swift in Sources */, 259 | C40A5C56229DD92E00627D50 /* IPCConnection.swift in Sources */, 260 
				BE4393B12769EDB900C69008 /* FIlterPacketProvider.swift in Sources */,
				C40A5C4B229DD6A500627D50 /* main.swift in Sources */,
			);
			runOnlyForDeploymentPostprocessing = 0;
		};
		C4B45DB122739FFF0050C59B /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			buildActionMask = 2147483647;
			files = (
				C4B1415C227BBC0200B26560 /* IPCConnection.swift in Sources */,
				C4B45DBB22739FFF0050C59B /* ViewController.swift in Sources */,
				C4B45DB922739FFF0050C59B /* AppDelegate.swift in Sources */,
			);
			runOnlyForDeploymentPostprocessing = 0;
		};
/* End PBXSourcesBuildPhase section */

/* Begin PBXTargetDependency section */
		C40A5C4F229DD6A500627D50 /* PBXTargetDependency */ = {
			isa = PBXTargetDependency;
			target = C40A5C44229DD6A500627D50 /* TestSystemExtension */;
			targetProxy = C40A5C4E229DD6A500627D50 /* PBXContainerItemProxy */;
		};
/* End PBXTargetDependency section */

/* Begin PBXVariantGroup section */
		C4B45DBE2273A0020050C59B /* Main.storyboard */ = {
			isa = PBXVariantGroup;
			children = (
				C4B45DBF2273A0020050C59B /* Base */,
			);
			name = Main.storyboard;
			sourceTree = "";
		};
/* End PBXVariantGroup section */

/* Begin XCBuildConfiguration section */
		C40A5C52229DD6A500627D50 /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				CODE_SIGN_ENTITLEMENTS = TestSystemExtension/TestSystemExtension.entitlements;
				CODE_SIGN_IDENTITY = "Developer ID Application";
				CODE_SIGN_STYLE = Manual;
				DEVELOPMENT_TEAM = 2BT3HPN62Z;
				ENABLE_HARDENED_RUNTIME = YES;
				INFOPLIST_FILE = TestSystemExtension/Info.plist;
				LD_RUNPATH_SEARCH_PATHS = (
					"$(inherited)",
					"@executable_path/../Frameworks",
					"@executable_path/../../../../Frameworks",
				);
				OTHER_CODE_SIGN_FLAGS = "--timestamp";
				PRODUCT_BUNDLE_IDENTIFIER = co.elastic.diagnostic.SystemExtensionTester.systemextension;
				PRODUCT_NAME = "$(PRODUCT_BUNDLE_IDENTIFIER)";
				PROVISIONING_PROFILE_SPECIFIER = "System Extension Diagnostic";
				SKIP_INSTALL = YES;
				SWIFT_VERSION = 5.0;
			};
			name = Debug;
		};
		C40A5C53229DD6A500627D50 /* Release */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				CODE_SIGN_ENTITLEMENTS = TestSystemExtension/TestSystemExtension.entitlements;
				CODE_SIGN_IDENTITY = "Developer ID Application";
				CODE_SIGN_STYLE = Manual;
				DEVELOPMENT_TEAM = 2BT3HPN62Z;
				ENABLE_HARDENED_RUNTIME = YES;
				INFOPLIST_FILE = TestSystemExtension/Info.plist;
				LD_RUNPATH_SEARCH_PATHS = (
					"$(inherited)",
					"@executable_path/../Frameworks",
					"@executable_path/../../../../Frameworks",
				);
				OTHER_CODE_SIGN_FLAGS = "--timestamp";
				PRODUCT_BUNDLE_IDENTIFIER = co.elastic.diagnostic.SystemExtensionTester.systemextension;
				PRODUCT_NAME = "$(PRODUCT_BUNDLE_IDENTIFIER)";
				PROVISIONING_PROFILE_SPECIFIER = "System Extension Diagnostic";
				SKIP_INSTALL = YES;
				SWIFT_VERSION = 5.0;
			};
			name = Release;
		};
		C4B45DC32273A0020050C59B /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				ALWAYS_SEARCH_USER_PATHS = NO;
				CLANG_ANALYZER_NONNULL = YES;
				CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
				CLANG_CXX_LANGUAGE_STANDARD = "gnu++14";
				CLANG_CXX_LIBRARY = "libc++";
				CLANG_ENABLE_MODULES = YES;
				CLANG_ENABLE_OBJC_ARC = YES;
				CLANG_ENABLE_OBJC_WEAK = YES;
				CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
				CLANG_WARN_BOOL_CONVERSION = YES;
				CLANG_WARN_COMMA = YES;
				CLANG_WARN_CONSTANT_CONVERSION = YES;
				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
				CLANG_WARN_EMPTY_BODY = YES;
				CLANG_WARN_ENUM_CONVERSION = YES;
				CLANG_WARN_INFINITE_RECURSION = YES;
				CLANG_WARN_INT_CONVERSION = YES;
				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
				CLANG_WARN_STRICT_PROTOTYPES = YES;
				CLANG_WARN_SUSPICIOUS_MOVE = YES;
				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
				CLANG_WARN_UNREACHABLE_CODE = YES;
				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
				COPY_PHASE_STRIP = NO;
				DEBUG_INFORMATION_FORMAT = dwarf;
				ENABLE_STRICT_OBJC_MSGSEND = YES;
				ENABLE_TESTABILITY = YES;
				GCC_C_LANGUAGE_STANDARD = gnu11;
				GCC_DYNAMIC_NO_PIC = NO;
				GCC_NO_COMMON_BLOCKS = YES;
				GCC_OPTIMIZATION_LEVEL = 0;
				GCC_PREPROCESSOR_DEFINITIONS = (
					"DEBUG=1",
					"$(inherited)",
				);
				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
				GCC_WARN_UNDECLARED_SELECTOR = YES;
				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
				GCC_WARN_UNUSED_FUNCTION = YES;
				GCC_WARN_UNUSED_VARIABLE = YES;
				MACOSX_DEPLOYMENT_TARGET = 10.15;
				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
				MTL_FAST_MATH = YES;
				ONLY_ACTIVE_ARCH = NO;
				SDKROOT = macosx;
				SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG;
				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
			};
			name = Debug;
		};
		C4B45DC42273A0020050C59B /* Release */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				ALWAYS_SEARCH_USER_PATHS = NO;
				CLANG_ANALYZER_NONNULL = YES;
				CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
				CLANG_CXX_LANGUAGE_STANDARD = "gnu++14";
				CLANG_CXX_LIBRARY = "libc++";
				CLANG_ENABLE_MODULES = YES;
				CLANG_ENABLE_OBJC_ARC = YES;
				CLANG_ENABLE_OBJC_WEAK = YES;
				CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
				CLANG_WARN_BOOL_CONVERSION = YES;
				CLANG_WARN_COMMA = YES;
				CLANG_WARN_CONSTANT_CONVERSION = YES;
				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
				CLANG_WARN_EMPTY_BODY = YES;
				CLANG_WARN_ENUM_CONVERSION = YES;
				CLANG_WARN_INFINITE_RECURSION = YES;
				CLANG_WARN_INT_CONVERSION = YES;
				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
				CLANG_WARN_STRICT_PROTOTYPES = YES;
				CLANG_WARN_SUSPICIOUS_MOVE = YES;
				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
				CLANG_WARN_UNREACHABLE_CODE = YES;
				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
				COPY_PHASE_STRIP = NO;
				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
				ENABLE_NS_ASSERTIONS = NO;
				ENABLE_STRICT_OBJC_MSGSEND = YES;
				GCC_C_LANGUAGE_STANDARD = gnu11;
				GCC_NO_COMMON_BLOCKS = YES;
				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
				GCC_WARN_UNDECLARED_SELECTOR = YES;
				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
				GCC_WARN_UNUSED_FUNCTION = YES;
				GCC_WARN_UNUSED_VARIABLE = YES;
				MACOSX_DEPLOYMENT_TARGET = 10.15;
				MTL_ENABLE_DEBUG_INFO = NO;
				MTL_FAST_MATH = YES;
				ONLY_ACTIVE_ARCH = NO;
				SDKROOT = macosx;
				SWIFT_COMPILATION_MODE = wholemodule;
				SWIFT_OPTIMIZATION_LEVEL = "-O";
			};
			name = Release;
		};
		C4B45DC62273A0020050C59B /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES = YES;
				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
				CODE_SIGN_ENTITLEMENTS = SystemExtensionTester/SystemExtensionTester.entitlements;
				CODE_SIGN_IDENTITY = "Developer ID Application";
				CODE_SIGN_STYLE = Manual;
				COMBINE_HIDPI_IMAGES = YES;
				DEVELOPMENT_TEAM = 2BT3HPN62Z;
				ENABLE_HARDENED_RUNTIME = YES;
				INFOPLIST_FILE = SystemExtensionTester/Info.plist;
				LD_RUNPATH_SEARCH_PATHS = (
					"$(inherited)",
					"@executable_path/../Frameworks",
				);
				OTHER_CODE_SIGN_FLAGS = "--timestamp";
				PRODUCT_BUNDLE_IDENTIFIER = co.elastic.diagnostic.SystemExtensionTester;
				PRODUCT_NAME = "$(TARGET_NAME)";
				PROVISIONING_PROFILE_SPECIFIER = "System Extension Diagnostics Application";
				SWIFT_VERSION = 5.0;
			};
			name = Debug;
		};
		C4B45DC72273A0020050C59B /* Release */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES = YES;
				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
				CODE_SIGN_ENTITLEMENTS = SystemExtensionTester/SystemExtensionTester.entitlements;
				CODE_SIGN_IDENTITY = "Developer ID Application";
				CODE_SIGN_STYLE = Manual;
				COMBINE_HIDPI_IMAGES = YES;
				DEVELOPMENT_TEAM = 2BT3HPN62Z;
				ENABLE_HARDENED_RUNTIME = YES;
				INFOPLIST_FILE = SystemExtensionTester/Info.plist;
				LD_RUNPATH_SEARCH_PATHS = (
					"$(inherited)",
					"@executable_path/../Frameworks",
				);
				OTHER_CODE_SIGN_FLAGS = "--timestamp";
				PRODUCT_BUNDLE_IDENTIFIER = co.elastic.diagnostic.SystemExtensionTester;
				PRODUCT_NAME = "$(TARGET_NAME)";
				PROVISIONING_PROFILE_SPECIFIER = "System Extension Diagnostics Application";
				SWIFT_VERSION = 5.0;
			};
			name = Release;
		};
/* End XCBuildConfiguration section */

/* Begin XCConfigurationList section */
		C40A5C54229DD6A500627D50 /* Build configuration list for PBXNativeTarget "TestSystemExtension" */ = {
			isa = XCConfigurationList;
			buildConfigurations = (
				C40A5C52229DD6A500627D50 /* Debug */,
				C40A5C53229DD6A500627D50 /* Release */,
			);
			defaultConfigurationIsVisible = 0;
			defaultConfigurationName = Release;
		};
		C4B45DB022739FFF0050C59B /* Build configuration list for PBXProject "SystemExtensionTester" */ = {
			isa = XCConfigurationList;
			buildConfigurations = (
				C4B45DC32273A0020050C59B /* Debug */,
				C4B45DC42273A0020050C59B /* Release */,
			);
			defaultConfigurationIsVisible = 0;
			defaultConfigurationName = Release;
		};
		C4B45DC52273A0020050C59B /* Build configuration list for PBXNativeTarget "SystemExtensionTester" */ = {
			isa = XCConfigurationList;
			buildConfigurations = (
				C4B45DC62273A0020050C59B /* Debug */,
				C4B45DC72273A0020050C59B /* Release */,
			);
			defaultConfigurationIsVisible = 0;
			defaultConfigurationName = Release;
		};
/* End XCConfigurationList section */
	};
	rootObject = C4B45DAD22739FFF0050C59B /* Project object */;
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings:
--------------------------------------------------------------------------------
BuildSystemType
Latest
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/AppDelegate.swift:
--------------------------------------------------------------------------------
/*
See LICENSE folder for this project's licensing information.

Abstract:
This file contains the implementation of the class that implements the NSApplicationDelegate protocol.
*/

import Cocoa

@NSApplicationMain
class AppDelegate: NSObject, NSApplicationDelegate {

}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/AppIcon.appiconset/Contents.json:
--------------------------------------------------------------------------------
{
  "images" : [
    {
      "idiom" : "mac",
      "size" : "16x16",
      "scale" : "1x"
    },
    {
      "idiom" : "mac",
      "size" : "16x16",
      "scale" : "2x"
    },
    {
      "idiom" : "mac",
      "size" : "32x32",
      "scale" : "1x"
    },
    {
      "idiom" : "mac",
      "size" : "32x32",
      "scale" : "2x"
    },
    {
      "idiom" : "mac",
      "size" : "128x128",
      "scale" : "1x"
    },
    {
      "idiom" : "mac",
      "size" : "128x128",
      "scale" : "2x"
    },
    {
      "idiom" : "mac",
      "size" : "256x256",
      "scale" : "1x"
    },
    {
      "idiom" : "mac",
      "size" : "256x256",
      "scale" : "2x"
    },
    {
      "idiom" : "mac",
      "size" : "512x512",
      "scale" : "1x"
    },
    {
      "idiom" : "mac",
      "size" : "512x512",
      "scale" : "2x"
    }
  ],
  "info" : {
    "version" : 1,
    "author" : "xcode"
  }
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/Contents.json:
--------------------------------------------------------------------------------
{
  "info" : {
    "version" : 1,
    "author" : "xcode"
  }
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_green.imageset/Contents.json:
--------------------------------------------------------------------------------
{
  "images" : [
    {
      "idiom" : "universal",
      "filename" : "green_dot.png",
      "scale" : "1x"
    },
    {
      "idiom" : "universal",
      "filename" : "green_dot@2x.png",
      "scale" : "2x"
    },
    {
      "idiom" : "universal",
      "filename" : "green_dot@3x.png",
      "scale" : "3x"
    }
  ],
  "info" : {
    "version" : 1,
    "author" : "xcode"
  }
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_green.imageset/green_dot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_green.imageset/green_dot.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_green.imageset/green_dot@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_green.imageset/green_dot@2x.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_green.imageset/green_dot@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_green.imageset/green_dot@3x.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_red.imageset/Contents.json:
--------------------------------------------------------------------------------
{
  "images" : [
    {
      "idiom" : "universal",
      "filename" : "red_dot.png",
      "scale" : "1x"
    },
    {
      "idiom" : "universal",
      "filename" : "red_dot@2x.png",
      "scale" : "2x"
    },
    {
      "idiom" : "universal",
      "filename" : "red_dot@3x.png",
      "scale" : "3x"
    }
  ],
  "info" : {
    "version" : 1,
    "author" : "xcode"
  }
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_red.imageset/red_dot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_red.imageset/red_dot.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_red.imageset/red_dot@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_red.imageset/red_dot@2x.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_red.imageset/red_dot@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_red.imageset/red_dot@3x.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_yellow.imageset/Contents.json:
--------------------------------------------------------------------------------
{
  "images" : [
    {
      "idiom" : "universal",
      "filename" : "yellow_dot.png",
      "scale" : "1x"
    },
    {
      "idiom" : "universal",
      "filename" : "yellow_dot@2x.png",
      "scale" : "2x"
    },
    {
      "idiom" : "universal",
      "filename" : "yellow_dot@3x.png",
      "scale" : "3x"
    }
  ],
  "info" : {
    "version" : 1,
    "author" : "xcode"
  }
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_yellow.imageset/yellow_dot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_yellow.imageset/yellow_dot.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_yellow.imageset/yellow_dot@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_yellow.imageset/yellow_dot@2x.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_yellow.imageset/yellow_dot@3x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/endpoint/e6084b92129094d000093e85351f9244ef0515f9/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Assets.xcassets/dot_yellow.imageset/yellow_dot@3x.png
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/Info.plist:
--------------------------------------------------------------------------------
CFBundleDevelopmentRegion
$(DEVELOPMENT_LANGUAGE)
CFBundleExecutable
$(EXECUTABLE_NAME)
CFBundleIconFile

CFBundleIdentifier
$(PRODUCT_BUNDLE_IDENTIFIER)
CFBundleInfoDictionaryVersion
6.0
CFBundleName
$(PRODUCT_NAME)
CFBundlePackageType
$(PRODUCT_BUNDLE_PACKAGE_TYPE)
CFBundleShortVersionString
1.0
CFBundleVersion
1
LSMinimumSystemVersion
$(MACOSX_DEPLOYMENT_TARGET)
NSHumanReadableCopyright
Copyright © 2022 Elastic NV. All rights reserved.
NSMainStoryboardFile
Main
NSPrincipalClass
NSApplication
NSSupportsAutomaticTermination

NSSupportsSuddenTermination

--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/SystemExtensionTester-DeveloperID.entitlements:
--------------------------------------------------------------------------------
com.apple.developer.networking.networkextension

content-filter-provider-systemextension

com.apple.developer.system-extension.install

com.apple.security.application-groups

$(TeamIdentifierPrefix)app-group.co.elastic

--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/SystemExtensionTester.entitlements:
--------------------------------------------------------------------------------
com.apple.developer.networking.networkextension

content-filter-provider

com.apple.developer.system-extension.install

com.apple.security.application-groups

$(TeamIdentifierPrefix)app-group.co.elastic

--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/SystemExtensionTester/ViewController.swift:
--------------------------------------------------------------------------------
/*
See LICENSE folder for this sample’s licensing information.

Abstract:
This file contains the implementation of the primary NSViewController class.
*/

import Cocoa
import NetworkExtension
import SystemExtensions
import os.log

/**
    The ViewController class implements the UI functions of the app, including:
      - Activating the system extension and enabling the content filter configuration when the user clicks on the Start button
      - Disabling the content filter configuration when the user clicks on the Stop button
      - Asking the system extension, over its XPC connection, whether it has been granted Full Disk Access when the user clicks on the Full Disk Access button
*/
class ViewController: NSViewController {

    enum Status {
        case stopped
        case indeterminate
        case running
    }

    // MARK: Properties

    @IBOutlet var statusIndicator: NSImageView!
    @IBOutlet var statusSpinner: NSProgressIndicator!
    @IBOutlet var startButton: NSButton!
    @IBOutlet var stopButton: NSButton!
    @IBOutlet var fullDiskAccessButton: NSButton!
    @IBOutlet var fullDiskAccessStatusIndicator: NSImageView!

    var observer: Any?

    var status: Status = .stopped {
        didSet {
            // Update the UI to reflect the new status
            switch status {
            case .stopped:
                statusIndicator.image = #imageLiteral(resourceName: "dot_red")
                statusSpinner.stopAnimation(self)
                statusSpinner.isHidden = true
                stopButton.isHidden = true
                startButton.isHidden = false
                fullDiskAccessButton.isEnabled = false
                fullDiskAccessStatus = .stopped
            case .indeterminate:
                statusIndicator.image = #imageLiteral(resourceName: "dot_yellow")
                statusSpinner.startAnimation(self)
                statusSpinner.isHidden = false
                stopButton.isHidden = true
                startButton.isHidden = true
            case .running:
                statusIndicator.image = #imageLiteral(resourceName: "dot_green")
                statusSpinner.stopAnimation(self)
                statusSpinner.isHidden = true
                stopButton.isHidden = false
                startButton.isHidden = true
                fullDiskAccessButton.isEnabled = true
            }

            if !statusSpinner.isHidden {
                statusSpinner.startAnimation(self)
            } else {
                statusSpinner.stopAnimation(self)
            }
        }
    }

    var fullDiskAccessStatus: Status = .stopped {
        didSet {
            // Update the UI to reflect the new status
            switch fullDiskAccessStatus {
            case .stopped:
                fullDiskAccessStatusIndicator.image = #imageLiteral(resourceName: "dot_red")
                fullDiskAccessButton.isHidden = false
            case .indeterminate:
                fullDiskAccessStatusIndicator.image = #imageLiteral(resourceName: "dot_yellow")
            case .running:
                fullDiskAccessStatusIndicator.image = #imageLiteral(resourceName: "dot_green")
            }
        }
    }

    // Get the Bundle of the system extension: the first bundle found in the app's
    // Contents/Library/SystemExtensions directory.
    lazy var extensionBundle: Bundle = {

        let extensionsDirectoryURL = URL(fileURLWithPath: "Contents/Library/SystemExtensions", relativeTo: Bundle.main.bundleURL)
        let extensionURLs: [URL]
        do {
            extensionURLs = try FileManager.default.contentsOfDirectory(at: extensionsDirectoryURL,
                                                                        includingPropertiesForKeys: nil,
                                                                        options: .skipsHiddenFiles)
        } catch let error {
            fatalError("Failed to get the contents of \(extensionsDirectoryURL.absoluteString): \(error.localizedDescription)")
        }

        guard let extensionURL = extensionURLs.first else {
            fatalError("Failed to find any system extensions")
        }

        guard let extensionBundle = Bundle(url: extensionURL) else {
            fatalError("Failed to create a bundle with URL \(extensionURL.absoluteString)")
        }

        return extensionBundle
    }()

    // MARK: NSViewController

    override func viewWillAppear() {

        super.viewWillAppear()

        status = .indeterminate
        fullDiskAccessStatus = .stopped

        loadFilterConfiguration { success in
            guard success else {
                self.status = .stopped
                return
            }

            self.updateStatus()

            self.observer = NotificationCenter.default.addObserver(forName: .NEFilterConfigurationDidChange,
                                                                   object: NEFilterManager.shared(),
                                                                   queue: .main) { [weak self] _ in
                self?.updateStatus()
            }
        }
    }

    override func viewWillDisappear() {

        super.viewWillDisappear()

        guard let changeObserver = observer else {
            return
        }

        NotificationCenter.default.removeObserver(changeObserver, name: .NEFilterConfigurationDidChange, object: NEFilterManager.shared())
    }

    // MARK: Update the UI

    func updateStatus() {

        if NEFilterManager.shared().isEnabled {
            registerWithProvider()
        } else {
            status = .stopped
        }
    }

    // MARK: UI Event Handlers

    @IBAction func startFilter(_ sender: Any) {

        status = .indeterminate

        guard let extensionIdentifier = extensionBundle.bundleIdentifier else {
            self.status = .stopped
            return
        }

        // Start by activating the system extension
        let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifier, queue: .main)
        activationRequest.delegate = self
        OSSystemExtensionManager.shared.submitRequest(activationRequest)

    }

    @IBAction func stopFilter(_ sender: Any) {

        let filterManager = NEFilterManager.shared()

        status = .indeterminate

        guard filterManager.isEnabled else {
            status = .stopped
            return
        }

        loadFilterConfiguration { success in
            guard success else {
                self.status = .running
                return
            }

            // Disable the content filter configuration
            filterManager.isEnabled = false
            filterManager.saveToPreferences { saveError in
                DispatchQueue.main.async {
                    if let error = saveError {
                        os_log("Failed to disable the filter configuration: %@", error.localizedDescription)
                        self.status = .running
                        return
                    }

                    self.status = .stopped
                }
            }
        }
    }

    @IBAction func queryFullDiskAccess(_ sender: Any) {
        fullDiskAccessStatus = .indeterminate

        IPCConnection.shared.queryFullDiskAccessFromSystemExtension { success in
            DispatchQueue.main.async {
                self.fullDiskAccessStatus = (success ? .running : .stopped)
            }
        }
    }

    // MARK: Content Filter Configuration Management

    func loadFilterConfiguration(completionHandler: @escaping (Bool) -> Void) {

        NEFilterManager.shared().loadFromPreferences { loadError in
            DispatchQueue.main.async {
                var success = true
                if let error = loadError {
                    os_log("Failed to load the filter configuration: %@", error.localizedDescription)
                    success = false
                }
                completionHandler(success)
            }
        }
    }

    func enableFilterConfiguration() {

        let filterManager = NEFilterManager.shared()

        loadFilterConfiguration { success in

            guard success else {
                self.status = .stopped
                return
            }

            if filterManager.providerConfiguration == nil {
                let providerConfiguration = NEFilterProviderConfiguration()
                providerConfiguration.filterSockets = true
                providerConfiguration.filterPackets = true
                filterManager.providerConfiguration = providerConfiguration
                if let appName = Bundle.main.infoDictionary?["CFBundleName"] as? String {
                    filterManager.localizedDescription = appName
                }
            }

            filterManager.isEnabled = true

            filterManager.saveToPreferences { saveError in
                DispatchQueue.main.async {
                    if let error = saveError {
                        os_log("Failed to save the filter configuration: %@", error.localizedDescription)
                        self.status = .stopped
                        return
                    }

                    self.registerWithProvider()
                }
            }
        }
    }

    // MARK: ProviderCommunication

    func registerWithProvider() {

        IPCConnection.shared.register(withExtension: extensionBundle) { success in
            DispatchQueue.main.async {
                self.status = (success ? .running : .stopped)
            }
        }
    }
}

extension ViewController: OSSystemExtensionRequestDelegate {

    // MARK: OSSystemExtensionActivationRequestDelegate

    func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {

        guard result == .completed else {
            os_log("Unexpected result %d for system extension request", result.rawValue)
            status = .stopped
            return
        }

        enableFilterConfiguration()
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {

        os_log("System extension request failed: %@", error.localizedDescription)
        status = .stopped
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {

        os_log("Extension %@ requires user approval", request.identifier)
    }

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension extension: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {

        os_log("Replacing extension %@ version %@ with version %@", request.identifier, existing.bundleShortVersion, `extension`.bundleShortVersion)
        return .replace
    }
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/TestSystemExtension/FIlterPacketProvider.swift:
--------------------------------------------------------------------------------
//
//  FIlterPacketProvider.swift
//

import NetworkExtension
import os.log

/**
    The FilterPacketProvider class is a minimal NEFilterPacketProvider whose packet handler allows
    every packet; installing it only verifies that a packet filter can be activated on this system.
*/
class FilterPacketProvider: NEFilterPacketProvider {

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {

        // Every packet is allowed unchanged; no inspection or logging is performed.
        self.packetHandler = { (context: NEFilterPacketContext,
                                interface: nw_interface_t,
                                direction: NETrafficDirection,
                                packetBytes: UnsafeRawPointer,
                                packetLength: Int) in
            return .allow
        }

        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/TestSystemExtension/FilterDataProvider.swift:
--------------------------------------------------------------------------------
/*
See LICENSE folder for this sample’s licensing information.

Abstract:
This file contains the implementation of the NEFilterDataProvider sub-class.
*/

import NetworkExtension
import os.log

/**
    The FilterDataProvider class is a minimal NEFilterDataProvider: every new flow and every
    data verdict is .allow(), so installing it only verifies that a socket filter can be activated.
*/
class FilterDataProvider: NEFilterDataProvider {

    // MARK: NEFilterDataProvider

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {

        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {

        return .allow()
    }

    override func handle(_ report: NEFilterReport) {

    }

    override func handleOutboundDataComplete(for flow: NEFilterFlow) -> NEFilterDataVerdict {
        return .allow()
    }

    override func handleInboundDataComplete(for flow: NEFilterFlow) -> NEFilterDataVerdict {
        return .allow()
    }
}
--------------------------------------------------------------------------------
/deployment/macos/diagnostic/SystemExtensionTester/TestSystemExtension/IPCConnection.swift:
--------------------------------------------------------------------------------
/*
See LICENSE folder for this project's licensing information.

Abstract:
This file contains the implementation of the app <-> provider IPC connection
*/

import Foundation
import os.log
import Network
import EndpointSecurity

/// App --> Provider IPC
@objc protocol ProviderCommunication {

    func register(_ completionHandler: @escaping (Bool) -> Void)
    func attemptFullDiskAccess(_ completionHandler: @escaping (Bool) -> Void)
}

/// The IPCConnection class is used by both the app and the system extension to communicate with each other
class IPCConnection: NSObject {

    // MARK: Properties

    var listener: NSXPCListener?
    var currentConnection: NSXPCConnection?
    static let shared = IPCConnection()

    // MARK: Methods

    /**
        The NetworkExtension framework registers a Mach service with the name in the system extension's NEMachServiceName Info.plist key.
33 | The Mach service name must be prefixed with one of the app groups in the system extension's com.apple.security.application-groups entitlement. 34 | Any process in the same app group can use the Mach service to communicate with the system extension. 35 | */ 36 | private func extensionMachServiceName(from bundle: Bundle) -> String { 37 | 38 | guard let networkExtensionKeys = bundle.object(forInfoDictionaryKey: "NetworkExtension") as? [String: Any], 39 | let machServiceName = networkExtensionKeys["NEMachServiceName"] as? String else { 40 | fatalError("Mach service name is missing from the Info.plist") 41 | } 42 | 43 | return machServiceName 44 | } 45 | 46 | func startListener() { 47 | 48 | let machServiceName = extensionMachServiceName(from: Bundle.main) 49 | os_log("Starting XPC listener for mach service %@", machServiceName) 50 | 51 | let newListener = NSXPCListener(machServiceName: machServiceName) 52 | newListener.delegate = self 53 | newListener.resume() 54 | listener = newListener 55 | } 56 | 57 | /// This method is called by the app to register with the provider running in the system extension. 58 | func register(withExtension bundle: Bundle, completionHandler: @escaping (Bool) -> Void) { 59 | 60 | guard currentConnection == nil else { 61 | os_log("Already registered with the provider") 62 | completionHandler(true) 63 | return 64 | } 65 | 66 | let machServiceName = extensionMachServiceName(from: bundle) 67 | let newConnection = NSXPCConnection(machServiceName: machServiceName, options: []) 68 | 69 | // The remote object is the provider's IPCConnection instance. 
70 | newConnection.remoteObjectInterface = NSXPCInterface(with: ProviderCommunication.self) 71 | 72 | currentConnection = newConnection 73 | newConnection.resume() 74 | 75 | guard let providerProxy = newConnection.remoteObjectProxyWithErrorHandler({ registerError in 76 | os_log("Failed to register with the provider: %@", registerError.localizedDescription) 77 | self.currentConnection?.invalidate() 78 | self.currentConnection = nil 79 | completionHandler(false) 80 | }) as? ProviderCommunication else { 81 | fatalError("Failed to create a remote object proxy for the provider") 82 | } 83 | 84 | providerProxy.register(completionHandler) 85 | } 86 | 87 | func queryFullDiskAccessFromSystemExtension(completionHandler: @escaping (Bool) -> Void) { 88 | 89 | // Guard nil connection 90 | guard self.currentConnection != nil else { 91 | completionHandler(false) 92 | return 93 | } 94 | 95 | guard let providerProxy = self.currentConnection?.remoteObjectProxyWithErrorHandler({ 96 | error in 97 | os_log("Unable to communicate with system extension: %@", error.localizedDescription) 98 | self.currentConnection?.invalidate() 99 | self.currentConnection = nil 100 | completionHandler(false) 101 | }) as? ProviderCommunication else { 102 | os_log("Unable to communicate with system extension") 103 | completionHandler(false) 104 | return 105 | } 106 | 107 | providerProxy.attemptFullDiskAccess(completionHandler) 108 | 109 | } 110 | } 111 | 112 | extension IPCConnection: NSXPCListenerDelegate { 113 | 114 | // MARK: NSXPCListenerDelegate 115 | 116 | func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool { 117 | 118 | // The exported object is this IPCConnection instance. 
119 | newConnection.exportedInterface = NSXPCInterface(with: ProviderCommunication.self) 120 | newConnection.exportedObject = self 121 | // Any process that can look up the Mach service is accepted here: the only gate is the app-group prefix on the service name, and no code-signing check is made on the peer. On macOS 13 and later, newConnection.setCodeSigningRequirement(_:) can pin the client to a designated requirement before resume(). 122 | newConnection.invalidationHandler = { 123 | self.currentConnection = nil 124 | } 125 | 126 | newConnection.interruptionHandler = { 127 | self.currentConnection = nil 128 | } 129 | 130 | currentConnection = newConnection 131 | newConnection.resume() 132 | 133 | return true 134 | } 135 | } 136 | 137 | extension IPCConnection: ProviderCommunication { 138 | // MARK: ProviderCommunication 139 | 140 | func register(_ completionHandler: @escaping (Bool) -> Void) { 141 | 142 | os_log("App registered") 143 | completionHandler(true) 144 | } 145 | 146 | func attemptFullDiskAccess(_ completionHandler: @escaping (Bool) -> Void) { 147 | 148 | var client: OpaquePointer? 149 | 150 | guard (es_new_client(&client) { (client, message) in 151 | 152 | os_log("ES Message received") 153 | 154 | }) == ES_NEW_CLIENT_RESULT_SUCCESS else { // ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED means Full Disk Access (TCC SystemPolicyAllFiles) has not been granted; ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED means the endpoint-security client entitlement is missing 155 | completionHandler(false) 156 | return 157 | } 158 | 159 | es_delete_client(client!) // the client is only a probe for FDA, so tear it down immediately 160 | completionHandler(true) 161 | } 162 | } 163 | -------------------------------------------------------------------------------- /deployment/macos/diagnostic/SystemExtensionTester/TestSystemExtension/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleDisplayName 8 | DiagnosticSystemExtension 9 | CFBundleExecutable 10 | $(EXECUTABLE_NAME) 11 | CFBundleIdentifier 12 | $(PRODUCT_BUNDLE_IDENTIFIER) 13 | CFBundleInfoDictionaryVersion 14 | 6.0 15 | CFBundleName 16 | $(PRODUCT_NAME) 17 | CFBundlePackageType 18 | $(PRODUCT_BUNDLE_PACKAGE_TYPE) 19 | CFBundleShortVersionString 20 | 1.0 21 | CFBundleVersion 22 | 1 23 | LSMinimumSystemVersion 24 | $(MACOSX_DEPLOYMENT_TARGET) 25 | NSHumanReadableCopyright 26 | Copyright © 2021 Elastic N.V. All rights reserved.
27 | NSSystemExtensionUsageDescription 28 | This diagnostic system extension loads a Network Extension Content Filter and queries for Full Disk Access 29 | NetworkExtension 30 | 31 | NEMachServiceName 32 | $(TeamIdentifierPrefix)app-group.co.elastic.TestSystemExtension 33 | NEProviderClasses 34 | 35 | com.apple.networkextension.filter-data 36 | $(PRODUCT_MODULE_NAME).FilterDataProvider 37 | com.apple.networkextension.filter-packet 38 | $(PRODUCT_MODULE_NAME).FilterPacketProvider 39 | 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /deployment/macos/diagnostic/SystemExtensionTester/TestSystemExtension/TestSystemExtension-DeveloperID.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.developer.endpoint-security.client 6 | 7 | com.apple.developer.networking.networkextension 8 | 9 | content-filter-provider-systemextension 10 | 11 | com.apple.security.application-groups 12 | 13 | $(TeamIdentifierPrefix)app-group.co.elastic 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /deployment/macos/diagnostic/SystemExtensionTester/TestSystemExtension/TestSystemExtension.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.developer.endpoint-security.client 6 | 7 | com.apple.developer.networking.networkextension 8 | 9 | content-filter-provider 10 | 11 | com.apple.security.application-groups 12 | 13 | $(TeamIdentifierPrefix)app-group.co.elastic 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /deployment/macos/diagnostic/SystemExtensionTester/TestSystemExtension/main.swift: -------------------------------------------------------------------------------- 1 | /* 2 | See LICENSE folder for this project's licensing information. 
3 | 4 | Abstract: 5 | This file contains initialization code for the system extension. 6 | */ 7 | 8 | import Foundation 9 | import NetworkExtension 10 | 11 | autoreleasepool { 12 | NEProvider.startSystemExtensionMode() 13 | IPCConnection.shared.startListener() 14 | } 15 | 16 | dispatchMain() 17 | -------------------------------------------------------------------------------- /deployment/macos/mobiledevicemanagement/README.md: -------------------------------------------------------------------------------- 1 | This script generates a .mobileconfig file that you can use with your MDM provider to deploy Elastic Endpoint throughout your organization silently. The profile grants all permissions and approvals necessary to run Elastic Endpoint: Full Disk Access, system extension approval, the network content filter and notifications. 2 | 3 | Requires Python 3 4 | 5 | usage: mobile_config_gen.py [-h] -n \ -o \ -------------------------------------------------------------------------------- /deployment/macos/mobiledevicemanagement/mobile_config_gen.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 4 | # or more contributor license agreements. Licensed under the Elastic License 5 | # 2.0; you may not use this file except in compliance with the Elastic License 6 | # 2.0.
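The Info.plist and entitlements files above encode the rule that the doc comment in IPCConnection.swift states: NEMachServiceName must be prefixed by one of the app groups in the extension's com.apple.security.application-groups entitlement, or the XPC listener started in startListener() is not reachable from the app. The following pre-flight check is an added example written for this page, not part of the SystemExtensionTester project. It assumes a constructed placeholder team identifier (Xcode substitutes the real one for $(TeamIdentifierPrefix) only at build time) and constructed copies of the two plists with the keys shown above; it goes a little beyond the doc comment by also checking the endpoint-security entitlement that attemptFullDiskAccess() depends on.

```python
import plistlib

# Constructed placeholder; Xcode substitutes the real team ID for
# $(TeamIdentifierPrefix) at build time. Not Elastic's team identifier.
TEAM_ID = "ABCDE12345"

# Constructed stand-ins for TestSystemExtension/Info.plist and the
# Developer ID entitlements file, with the keys shown on the page.
INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "co.elastic.TestSystemExtension",
    "NetworkExtension": {
        "NEMachServiceName": "$(TeamIdentifierPrefix)app-group.co.elastic.TestSystemExtension",
        "NEProviderClasses": {
            "com.apple.networkextension.filter-data": "TestSystemExtension.FilterDataProvider",
            "com.apple.networkextension.filter-packet": "TestSystemExtension.FilterPacketProvider",
        },
    },
})
ENTITLEMENTS = plistlib.dumps({
    "com.apple.developer.endpoint-security.client": True,
    "com.apple.developer.networking.networkextension": ["content-filter-provider-systemextension"],
    "com.apple.security.application-groups": ["$(TeamIdentifierPrefix)app-group.co.elastic"],
})
# Constructed broken variant: wrong app group, no ES or NE entitlements.
ENTITLEMENTS_BROKEN = plistlib.dumps({
    "com.apple.security.application-groups": ["$(TeamIdentifierPrefix)other.group"],
})


def expand(value: str, team_id: str) -> str:
    """$(TeamIdentifierPrefix) expands to the team ID plus a trailing dot."""
    return value.replace("$(TeamIdentifierPrefix)", team_id + ".")


def preflight(info_plist: bytes, entitlements: bytes, team_id: str) -> list:
    """Return findings for an extension bundle; an empty list means it passes.

    1. NEMachServiceName must exist and be prefixed by an app group from
       com.apple.security.application-groups, or the XPC listener started in
       startListener() cannot be reached from the app.
    2. com.apple.developer.endpoint-security.client must be present, or
       es_new_client() in attemptFullDiskAccess() fails with
       ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED regardless of Full Disk Access.
    3. Declared filter providers need a content-filter-provider capability.
    """
    findings = []
    info = plistlib.loads(info_plist)
    ents = plistlib.loads(entitlements)
    ne = info.get("NetworkExtension", {})

    service = ne.get("NEMachServiceName")
    if not service:
        findings.append("NEMachServiceName missing from Info.plist")
    else:
        service = expand(service, team_id)
        groups = [expand(g, team_id)
                  for g in ents.get("com.apple.security.application-groups", [])]
        if not any(service.startswith(g) for g in groups):
            findings.append(f"NEMachServiceName {service!r} is not prefixed by any "
                            f"app group in the entitlements {groups}")

    if ents.get("com.apple.developer.endpoint-security.client") is not True:
        findings.append("endpoint-security client entitlement missing; "
                        "es_new_client() will be refused")

    caps = ents.get("com.apple.developer.networking.networkextension", [])
    if ne.get("NEProviderClasses") and not any(
            c.startswith("content-filter-provider") for c in caps):
        findings.append("filter providers declared but no content-filter-provider "
                        "capability in the networkextension entitlement")
    return findings


if __name__ == "__main__":
    for label, ents in (("good", ENTITLEMENTS), ("broken", ENTITLEMENTS_BROKEN)):
        print(label, preflight(INFO_PLIST, ents, TEAM_ID) or "OK")
```

To run it against a real build, read the extension's Info.plist from the built bundle and the entitlements with `codesign -d --entitlements - --xml <bundle>`, and pass your own team identifier; the startswith() check accepts both the Developer ID (`content-filter-provider-systemextension`) and development (`content-filter-provider`) capability strings used by the two entitlements files above.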
7 | 8 | import sys 9 | import uuid 10 | import argparse 11 | import os 12 | 13 | template = """ 14 | 15 | 16 | 17 | PayloadContent 18 | 19 | 20 | PayloadDescription 21 | 22 | PayloadDisplayName 23 | Privacy Preferences Policy Control 24 | PayloadEnabled 25 | 26 | PayloadIdentifier 27 | com.apple.TCC.configuration-profile-policy.{0} 28 | PayloadOrganization 29 | {6} 30 | PayloadType 31 | com.apple.TCC.configuration-profile-policy 32 | PayloadUUID 33 | {0} 34 | PayloadVersion 35 | 1 36 | Services 37 | 38 | SystemPolicyAllFiles 39 | 40 | 41 | Allowed 42 | 1 43 | CodeRequirement 44 | identifier "co.elastic.elastic-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" 45 | Identifier 46 | co.elastic.elastic-agent 47 | IdentifierType 48 | bundleID 49 | StaticCode 50 | 1 51 | 52 | 53 | Allowed 54 | 1 55 | CodeRequirement 56 | identifier "64_Bit_Endpoint_Macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" 57 | Identifier 58 | /Library/Elastic/Endpoint/elastic-endpoint 59 | IdentifierType 60 | path 61 | StaticCode 62 | 1 63 | 64 | 65 | Allowed 66 | 1 67 | CodeRequirement 68 | identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" 69 | Identifier 70 | co.elastic.systemextension 71 | IdentifierType 72 | bundleID 73 | StaticCode 74 | 1 75 | 76 | 77 | Allowed 78 | 1 79 | CodeRequirement 80 | identifier "co.elastic.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and 
certificate leaf[subject.OU] = "2BT3HPN62Z" 81 | Identifier 82 | co.elastic.endpoint 83 | IdentifierType 84 | bundleID 85 | StaticCode 86 | 1 87 | 88 | 89 | 90 | 91 | 92 | FilterBrowsers 93 | 94 | FilterDataProviderBundleIdentifier 95 | co.elastic.systemextension 96 | FilterDataProviderDesignatedRequirement 97 | identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" 98 | FilterPacketProviderBundleIdentifier 99 | co.elastic.systemextension 100 | FilterPacketProviderDesignatedRequirement 101 | identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" 102 | FilterPackets 103 | 104 | FilterSockets 105 | 106 | FilterType 107 | Plugin 108 | PayloadDisplayName 109 | Web Content Filter Payload 110 | PayloadIdentifier 111 | com.apple.webcontent-filter.{1} 112 | PayloadOrganization 113 | {6} 114 | PayloadType 115 | com.apple.webcontent-filter 116 | PayloadUUID 117 | {1} 118 | PayloadVersion 119 | 1 120 | PluginBundleID 121 | co.elastic.endpoint 122 | UserDefinedName 123 | ElasticEndpoint 124 | 125 | 126 | AllowUserOverrides 127 | 128 | AllowedSystemExtensions 129 | 130 | 2BT3HPN62Z 131 | 132 | co.elastic.systemextension 133 | 134 | 135 | PayloadDescription 136 | 137 | PayloadDisplayName 138 | System Extensions 139 | PayloadEnabled 140 | 141 | PayloadIdentifier 142 | com.apple.system-extension-policy.{2} 143 | PayloadOrganization 144 | {6} 145 | PayloadType 146 | com.apple.system-extension-policy 147 | PayloadUUID 148 | {2} 149 | PayloadVersion 150 | 1 151 | 152 | 153 | NotificationSettings 154 | 155 | 156 | AlertType 157 | 2 158 | BadgesEnabled 159 | 160 | BundleIdentifier 161 | co.elastic.alert 162 | 
CriticalAlertEnabled 163 | 164 | NotificationsEnabled 165 | 166 | ShowInLockScreen 167 | 168 | ShowInNotificationCenter 169 | 170 | SoundsEnabled 171 | 172 | 173 | 174 | PayloadDisplayName 175 | Notifications Payload 176 | PayloadIdentifier 177 | com.apple.notificationsettings.{3} 178 | PayloadOrganization 179 | {6} 180 | PayloadType 181 | com.apple.notificationsettings 182 | PayloadUUID 183 | {3} 184 | PayloadVersion 185 | 1 186 | 187 | 188 | PayloadDescription 189 | Grants Elastic Agent the necessary permissions to secure your Mac 190 | PayloadDisplayName 191 | Elastic Agent Endpoint Configuration 192 | PayloadEnabled 193 | 194 | PayloadIdentifier 195 | {4} 196 | PayloadOrganization 197 | {6} 198 | PayloadRemovalDisallowed 199 | 200 | PayloadScope 201 | System 202 | PayloadType 203 | Configuration 204 | PayloadUUID 205 | {5} 206 | PayloadVersion 207 | 1 208 | 209 | 210 | 211 | """ 212 | 213 | def main(argv): 214 | from xml.sax.saxutils import escape # the company name is interpolated into XML text, so &, < and > must be escaped 215 | output_file = str() 216 | 217 | parser = argparse.ArgumentParser() 218 | parser.add_argument("-n", "--name", help="The name of your company", action="store", required=True, type=str, dest="name") 219 | parser.add_argument("-o", "--output", help="The absolute path to the mobileconfig that will be written out by this script", action="store", required=True, type=str, dest="output_file_path") 220 | 221 | args = parser.parse_args() 222 | 223 | output_file = args.output_file_path 224 | 225 | # Ensure a directory is not specified 226 | if os.path.isdir(output_file): 227 | print("Please specify a file name in the output path") 228 | sys.exit(1) 229 | 230 | # Ensure the file ends with .mobileconfig extension 231 | if not output_file.endswith(".mobileconfig"): 232 | output_file += ".mobileconfig" 233 | 234 | 235 | with open(output_file, 'w', encoding='utf-8') as output_config_file: 236 | 237 | pos_args = [str(uuid.uuid4()).upper() for _ in range(6)] # six UUIDs for the {0}..{5} payload slots; {6} is the organization name 238 | 239 | output_data = template.format(*pos_args, escape(args.name)) 240 |
output_config_file.write(output_data) 241 | 242 | if __name__ == "__main__": 243 | main(sys.argv[1:]) 244 | 245 | -------------------------------------------------------------------------------- /releases/8.4.0/kubernetes/deploy/elastic-endpoint-security.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # For more information refer to https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html 3 | apiVersion: apps/v1 4 | kind: DaemonSet 5 | metadata: 6 | name: elastic-agent 7 | namespace: kube-system 8 | labels: 9 | app: elastic-agent 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: elastic-agent 14 | template: 15 | metadata: 16 | labels: 17 | app: elastic-agent 18 | spec: 19 | # Tolerations are needed to run Elastic Agent on Kubernetes master nodes. 20 | # Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes 21 | tolerations: 22 | - key: node-role.kubernetes.io/master 23 | effect: NoSchedule 24 | serviceAccountName: elastic-agent 25 | hostNetwork: true 26 | # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. 27 | # Sharing the host process ID namespace gives visibility of all processes running on the same host. 
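Every grant in the mobile_config_gen.py template above is tied to a CodeRequirement that anchors at Apple's root, demands the Developer ID intermediate and leaf markers, and pins the leaf certificate's OU to Elastic's team identifier 2BT3HPN62Z. A profile edited to drop that pin would hand Full Disk Access to any Developer ID-signed binary claiming the same bundle identifier, so the generated file is worth auditing before an MDM pushes it fleet-wide. The following audit is an added example written for this page, not part of the script; the sample profile it builds is constructed to mirror the template's payload shapes and is not the script's real output.

```python
import plistlib
import re

# Team identifier pinned by the CodeRequirement strings in the template above.
ELASTIC_TEAM_ID = "2BT3HPN62Z"

# Pieces of the requirement language the template uses: anchored at Apple's
# root, the Developer ID intermediate marker on certificate 1, the Developer ID
# Application marker on the leaf, and the leaf OU pinned to the team.
DEVID_INTERMEDIATE = "certificate 1[field.1.2.840.113635.100.6.2.6]"
DEVID_LEAF = "certificate leaf[field.1.2.840.113635.100.6.1.13]"
TEAM_OU = re.compile(r'certificate leaf\[subject\.OU\] = "([A-Z0-9]{10})"')
IDENT = re.compile(r'^identifier "([^"]+)" and anchor apple generic')


def requirement(identifier: str, team_id: str) -> str:
    """Requirement string in the same form as the template above."""
    return (f'identifier "{identifier}" and anchor apple generic and '
            f'{DEVID_INTERMEDIATE} /* exists */ and {DEVID_LEAF} /* exists */ '
            f'and certificate leaf[subject.OU] = "{team_id}"')


def pins_team(req: str, team_id: str) -> bool:
    """True only if req keeps all four constraints and pins the OU to team_id."""
    m = TEAM_OU.search(req)
    return ("anchor apple generic" in req and DEVID_INTERMEDIATE in req
            and DEVID_LEAF in req and m is not None and m.group(1) == team_id)


def audit(profile: bytes, team_id: str) -> list:
    """Return findings for a .mobileconfig; an empty list means it passes."""
    findings = []
    top = plistlib.loads(profile)
    if top.get("PayloadScope") != "System":
        findings.append("PayloadScope must be System")
    for p in top.get("PayloadContent", []):
        kind = p.get("PayloadType")
        if kind == "com.apple.TCC.configuration-profile-policy":
            for service, entries in p.get("Services", {}).items():
                for e in entries:
                    req = e.get("CodeRequirement", "")
                    ident = e.get("Identifier")
                    if not pins_team(req, team_id):
                        findings.append(f"{service}: {ident} does not pin team {team_id}")
                    m = IDENT.match(req)
                    if e.get("IdentifierType") == "bundleID" and (m is None or m.group(1) != ident):
                        findings.append(f"{service}: requirement identifier does not match {ident}")
        elif kind == "com.apple.system-extension-policy":
            for team in p.get("AllowedSystemExtensions", {}):
                if team != team_id:
                    findings.append(f"system extensions allowed for foreign team {team}")
        elif kind == "com.apple.webcontent-filter":
            for key in ("FilterDataProviderDesignatedRequirement",
                        "FilterPacketProviderDesignatedRequirement"):
                if not pins_team(p.get(key, ""), team_id):
                    findings.append(f"{key} does not pin team {team_id}")
    return findings


def sample_profile(team_id: str, weaken: bool = False) -> bytes:
    """Constructed minimal profile with the payload shapes of the template.

    weaken=True drops the team pin from the co.elastic.endpoint entry: any
    Developer ID binary with that bundle identifier would then inherit FDA.
    """
    ep_req = requirement("co.elastic.endpoint", team_id)
    if weaken:
        ep_req = ep_req.split(" and certificate leaf[subject.OU]")[0]
    se_req = requirement("co.elastic.systemextension", team_id)
    return plistlib.dumps({
        "PayloadScope": "System", "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.TCC.configuration-profile-policy",
             "Services": {"SystemPolicyAllFiles": [
                 {"Allowed": 1, "StaticCode": 1, "IdentifierType": "bundleID",
                  "Identifier": "co.elastic.endpoint", "CodeRequirement": ep_req},
                 {"Allowed": 1, "StaticCode": 1, "IdentifierType": "path",
                  "Identifier": "/Library/Elastic/Endpoint/elastic-endpoint",
                  "CodeRequirement": requirement("64_Bit_Endpoint_Macos", team_id)}]}},
            {"PayloadType": "com.apple.system-extension-policy",
             "AllowedSystemExtensions": {team_id: ["co.elastic.systemextension"]}},
            {"PayloadType": "com.apple.webcontent-filter",
             "FilterDataProviderDesignatedRequirement": se_req,
             "FilterPacketProviderDesignatedRequirement": se_req},
        ],
    })


if __name__ == "__main__":
    print(audit(sample_profile(ELASTIC_TEAM_ID), ELASTIC_TEAM_ID) or "OK")
    print(audit(sample_profile(ELASTIC_TEAM_ID, weaken=True), ELASTIC_TEAM_ID))
```

Run audit() on the file the script writes (`audit(open(path, "rb").read(), ELASTIC_TEAM_ID)`); to confirm that the pinned requirement really describes the shipped binary, compare it with the designated requirement printed by `codesign -d -r - /Library/Elastic/Endpoint/elastic-endpoint` on a host that already has Elastic Endpoint installed.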
28 | hostPID: true 29 | dnsPolicy: ClusterFirstWithHostNet 30 | containers: 31 | - name: k8smd 32 | image: docker.elastic.co/endpoint/k8smd:8.4.0 33 | - name: endpoint-security 34 | image: docker.elastic.co/endpoint/endpoint-security:8.4.0 35 | securityContext: 36 | runAsUser: 0 37 | privileged: true # needed for the eBPF sensors, which use the /boot, /sys/kernel/debug and /sys/fs/bpf mounts below 38 | volumeMounts: 39 | - name: boot 40 | mountPath: /boot 41 | - name: debug 42 | mountPath: /sys/kernel/debug 43 | - name: bpf 44 | mountPath: /sys/fs/bpf 45 | - name: etc-passwd 46 | mountPath: /mnt/host/etc/passwd 47 | readOnly: true 48 | - name: etc-group 49 | mountPath: /mnt/host/etc/group 50 | readOnly: true 51 | env: 52 | - name: ELASTIC_ENDPOINT_K8S 53 | value: "true" 54 | - name: elastic-agent 55 | image: docker.elastic.co/beats/elastic-agent:8.4.0 56 | env: 57 | - name: ELASTIC_ENDPOINT_K8S 58 | value: "true" 59 | # Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode 60 | - name: FLEET_ENROLL 61 | value: "1" 62 | # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS. This turns off TLS verification of the Fleet Server, so the enrollment token and Kibana credentials below cross an unauthenticated channel; keep it "false" in production and trust the Fleet Server CA instead 63 | - name: FLEET_INSECURE 64 | value: "true" 65 | # Fleet Server URL to enroll the Elastic Agent into 66 | # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings 67 | - name: FLEET_URL 68 | value: "" 69 | # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens) 70 | # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed 71 | - name: FLEET_ENROLLMENT_TOKEN 72 | value: "" # a credential: prefer valueFrom.secretKeyRef to a Kubernetes Secret over a literal in this manifest 73 | - name: KIBANA_HOST 74 | value: "" 75 | # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet 76 | - name: KIBANA_FLEET_USERNAME 77 | value: "" # elastic 78 | # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet 79 | - name: KIBANA_FLEET_PASSWORD 80 | value: "" #
changeme 81 | - name: NODE_NAME 82 | valueFrom: 83 | fieldRef: 84 | fieldPath: spec.nodeName 85 | - name: POD_NAME 86 | valueFrom: 87 | fieldRef: 88 | fieldPath: metadata.name 89 | securityContext: 90 | runAsUser: 0 91 | resources: 92 | limits: 93 | memory: 700Mi 94 | requests: 95 | cpu: 100m 96 | memory: 400Mi 97 | volumeMounts: 98 | - name: proc 99 | mountPath: /hostfs/proc 100 | readOnly: true 101 | - name: etc-kubernetes 102 | mountPath: /hostfs/etc/kubernetes 103 | readOnly: true 104 | - name: var-lib 105 | mountPath: /hostfs/var/lib 106 | readOnly: true 107 | - name: cgroup 108 | mountPath: /hostfs/sys/fs/cgroup 109 | readOnly: true 110 | - name: varlibdockercontainers 111 | mountPath: /var/lib/docker/containers 112 | readOnly: true 113 | - name: varlog 114 | mountPath: /var/log 115 | readOnly: true 116 | - name: passwd 117 | mountPath: /hostfs/etc/passwd 118 | readOnly: true 119 | - name: group 120 | mountPath: /hostfs/etc/group 121 | readOnly: true 122 | - name: etcsysmd 123 | mountPath: /hostfs/etc/systemd 124 | readOnly: true 125 | - name: etc-mid 126 | mountPath: /etc/machine-id 127 | readOnly: true 128 | volumes: 129 | - name: proc 130 | hostPath: 131 | path: /proc 132 | - name: cgroup 133 | hostPath: 134 | path: /sys/fs/cgroup 135 | - name: varlibdockercontainers 136 | hostPath: 137 | path: /var/lib/docker/containers 138 | - name: varlog 139 | hostPath: 140 | path: /var/log 141 | # Needed for cloudbeat 142 | - name: etc-kubernetes 143 | hostPath: 144 | path: /etc/kubernetes 145 | # Needed for cloudbeat 146 | - name: var-lib 147 | hostPath: 148 | path: /var/lib 149 | # Needed for cloudbeat 150 | - name: passwd 151 | hostPath: 152 | path: /etc/passwd 153 | # Needed for cloudbeat 154 | - name: group 155 | hostPath: 156 | path: /etc/group 157 | # Needed for cloudbeat 158 | - name: etcsysmd 159 | hostPath: 160 | path: /etc/systemd 161 | # Mount /etc/machine-id from the host to determine host ID 162 | # Needed for Elastic Security integration 163 | - name: 
etc-mid 164 | hostPath: 165 | path: /etc/machine-id 166 | type: File 167 | - name: etc-passwd 168 | hostPath: 169 | path: /etc/passwd 170 | type: File 171 | - name: etc-group 172 | hostPath: 173 | path: /etc/group 174 | type: File 175 | - name: boot 176 | hostPath: 177 | path: /boot 178 | - name: debug 179 | hostPath: 180 | path: /sys/kernel/debug 181 | - name: bpf 182 | hostPath: 183 | path: /sys/fs/bpf 184 | --- 185 | apiVersion: rbac.authorization.k8s.io/v1 186 | kind: ClusterRoleBinding 187 | metadata: 188 | name: elastic-agent 189 | subjects: 190 | - kind: ServiceAccount 191 | name: elastic-agent 192 | namespace: kube-system 193 | roleRef: 194 | kind: ClusterRole 195 | name: elastic-agent 196 | apiGroup: rbac.authorization.k8s.io 197 | --- 198 | apiVersion: rbac.authorization.k8s.io/v1 199 | kind: RoleBinding 200 | metadata: 201 | namespace: kube-system 202 | name: elastic-agent 203 | subjects: 204 | - kind: ServiceAccount 205 | name: elastic-agent 206 | namespace: kube-system 207 | roleRef: 208 | kind: Role 209 | name: elastic-agent 210 | apiGroup: rbac.authorization.k8s.io 211 | --- 212 | apiVersion: rbac.authorization.k8s.io/v1 213 | kind: RoleBinding 214 | metadata: 215 | name: elastic-agent-kubeadm-config 216 | namespace: kube-system 217 | subjects: 218 | - kind: ServiceAccount 219 | name: elastic-agent 220 | namespace: kube-system 221 | roleRef: 222 | kind: Role 223 | name: elastic-agent-kubeadm-config 224 | apiGroup: rbac.authorization.k8s.io 225 | --- 226 | apiVersion: rbac.authorization.k8s.io/v1 227 | kind: ClusterRole 228 | metadata: 229 | name: elastic-agent 230 | labels: 231 | k8s-app: elastic-agent 232 | rules: 233 | - apiGroups: [""] 234 | resources: 235 | - nodes 236 | - namespaces 237 | - events 238 | - pods 239 | - services 240 | - configmaps 241 | # Needed for cloudbeat 242 | - serviceaccounts 243 | - persistentvolumes 244 | - persistentvolumeclaims 245 | verbs: ["get", "list", "watch"] 246 | # Enable this rule only if planning to use
kubernetes_secrets provider 247 | #- apiGroups: [""] 248 | # resources: 249 | # - secrets 250 | # verbs: ["get"] 251 | - apiGroups: ["extensions"] 252 | resources: 253 | - replicasets 254 | verbs: ["get", "list", "watch"] 255 | - apiGroups: ["apps"] 256 | resources: 257 | - statefulsets 258 | - deployments 259 | - replicasets 260 | - daemonsets 261 | verbs: ["get", "list", "watch"] 262 | - apiGroups: 263 | - "" 264 | resources: 265 | - nodes/stats 266 | verbs: 267 | - get 268 | - apiGroups: [ "batch" ] 269 | resources: 270 | - jobs 271 | - cronjobs 272 | verbs: [ "get", "list", "watch" ] 273 | # Needed for apiserver 274 | - nonResourceURLs: 275 | - "/metrics" 276 | verbs: 277 | - get 278 | # Needed for cloudbeat 279 | - apiGroups: ["rbac.authorization.k8s.io"] 280 | resources: 281 | - clusterrolebindings 282 | - clusterroles 283 | - rolebindings 284 | - roles 285 | verbs: ["get", "list", "watch"] 286 | # Needed for cloudbeat 287 | - apiGroups: ["policy"] 288 | resources: 289 | - podsecuritypolicies 290 | verbs: ["get", "list", "watch"] 291 | --- 292 | apiVersion: rbac.authorization.k8s.io/v1 293 | kind: Role 294 | metadata: 295 | name: elastic-agent 296 | # Should be the namespace where elastic-agent is running 297 | namespace: kube-system 298 | labels: 299 | k8s-app: elastic-agent 300 | rules: 301 | - apiGroups: 302 | - coordination.k8s.io 303 | resources: 304 | - leases 305 | verbs: ["get", "create", "update"] 306 | --- 307 | apiVersion: rbac.authorization.k8s.io/v1 308 | kind: Role 309 | metadata: 310 | name: elastic-agent-kubeadm-config 311 | namespace: kube-system 312 | labels: 313 | k8s-app: elastic-agent 314 | rules: 315 | - apiGroups: [""] 316 | resources: 317 | - configmaps 318 | resourceNames: 319 | - kubeadm-config 320 | verbs: ["get"] 321 | --- 322 | apiVersion: v1 323 | kind: ServiceAccount 324 | metadata: 325 | name: elastic-agent 326 | namespace: kube-system 327 | labels: 328 | k8s-app: elastic-agent 329 | --- 330 | 
-------------------------------------------------------------------------------- /releases/8.5.0/kubernetes/deploy/elastic-defend.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # For more information refer to https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html 3 | apiVersion: apps/v1 4 | kind: DaemonSet 5 | metadata: 6 | name: elastic-agent 7 | namespace: kube-system 8 | labels: 9 | app: elastic-agent 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: elastic-agent 14 | template: 15 | metadata: 16 | labels: 17 | app: elastic-agent 18 | spec: 19 | # Tolerations are needed to run Elastic Agent on Kubernetes master nodes. 20 | # Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes 21 | tolerations: 22 | - key: node-role.kubernetes.io/master 23 | effect: NoSchedule 24 | - key: node-role.kubernetes.io/control-plane 25 | effect: NoSchedule 26 | serviceAccountName: elastic-agent 27 | hostNetwork: true 28 | # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. 29 | # Sharing the host process ID namespace gives visibility of all processes running on the same host. 
30 | hostPID: true 31 | dnsPolicy: ClusterFirstWithHostNet 32 | containers: 33 | - name: elastic-sec-attendant 34 | image: docker.elastic.co/elastic-security/elastic-sec-attendant:8.5.0 35 | - name: elastic-sec-endpoint 36 | image: docker.elastic.co/elastic-security/elastic-sec-endpoint:8.5.0 37 | securityContext: 38 | runAsUser: 0 39 | privileged: true # needed for the eBPF sensors, which use the /boot, /sys/kernel/debug and /sys/fs/bpf mounts below 40 | volumeMounts: 41 | - name: boot 42 | mountPath: /boot 43 | - name: debug 44 | mountPath: /sys/kernel/debug 45 | - name: bpf 46 | mountPath: /sys/fs/bpf 47 | - name: etc-passwd 48 | mountPath: /mnt/host/etc/passwd 49 | readOnly: true 50 | - name: etc-group 51 | mountPath: /mnt/host/etc/group 52 | readOnly: true 53 | env: 54 | - name: ELASTIC_ENDPOINT_K8S 55 | value: "true" 56 | - name: elastic-agent 57 | image: docker.elastic.co/beats/elastic-agent:8.5.0 58 | env: 59 | - name: ELASTIC_ENDPOINT_K8S 60 | value: "true" 61 | # Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode 62 | - name: FLEET_ENROLL 63 | value: "1" 64 | # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS. This turns off TLS verification of the Fleet Server, so the enrollment token and Kibana credentials below cross an unauthenticated channel; keep it "false" in production and trust the Fleet Server CA instead 65 | - name: FLEET_INSECURE 66 | value: "true" 67 | # Fleet Server URL to enroll the Elastic Agent into 68 | # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings 69 | - name: FLEET_URL 70 | value: "" 71 | # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens) 72 | # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed 73 | - name: FLEET_ENROLLMENT_TOKEN 74 | value: "" # a credential: prefer valueFrom.secretKeyRef to a Kubernetes Secret over a literal in this manifest 75 | - name: KIBANA_HOST 76 | value: "" 77 | # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet 78 | - name: KIBANA_FLEET_USERNAME 79 | value: "" # elastic 80 | # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet 81
| - name: KIBANA_FLEET_PASSWORD 82 | value: "" # changeme 83 | - name: NODE_NAME 84 | valueFrom: 85 | fieldRef: 86 | fieldPath: spec.nodeName 87 | - name: POD_NAME 88 | valueFrom: 89 | fieldRef: 90 | fieldPath: metadata.name 91 | securityContext: 92 | runAsUser: 0 93 | resources: 94 | limits: 95 | memory: 700Mi 96 | requests: 97 | cpu: 100m 98 | memory: 400Mi 99 | volumeMounts: 100 | - name: proc 101 | mountPath: /hostfs/proc 102 | readOnly: true 103 | - name: etc-kubernetes 104 | mountPath: /hostfs/etc/kubernetes 105 | readOnly: true 106 | - name: var-lib 107 | mountPath: /hostfs/var/lib 108 | readOnly: true 109 | - name: cgroup 110 | mountPath: /hostfs/sys/fs/cgroup 111 | readOnly: true 112 | - name: varlibdockercontainers 113 | mountPath: /var/lib/docker/containers 114 | readOnly: true 115 | - name: varlog 116 | mountPath: /var/log 117 | readOnly: true 118 | - name: passwd 119 | mountPath: /hostfs/etc/passwd 120 | readOnly: true 121 | - name: group 122 | mountPath: /hostfs/etc/group 123 | readOnly: true 124 | - name: etcsysmd 125 | mountPath: /hostfs/etc/systemd 126 | readOnly: true 127 | - name: etc-mid 128 | mountPath: /etc/machine-id 129 | readOnly: true 130 | volumes: 131 | - name: proc 132 | hostPath: 133 | path: /proc 134 | - name: cgroup 135 | hostPath: 136 | path: /sys/fs/cgroup 137 | - name: varlibdockercontainers 138 | hostPath: 139 | path: /var/lib/docker/containers 140 | - name: varlog 141 | hostPath: 142 | path: /var/log 143 | # Needed for cloudbeat 144 | - name: etc-kubernetes 145 | hostPath: 146 | path: /etc/kubernetes 147 | # Needed for cloudbeat 148 | - name: var-lib 149 | hostPath: 150 | path: /var/lib 151 | # Needed for cloudbeat 152 | - name: passwd 153 | hostPath: 154 | path: /etc/passwd 155 | # Needed for cloudbeat 156 | - name: group 157 | hostPath: 158 | path: /etc/group 159 | # Needed for cloudbeat 160 | - name: etcsysmd 161 | hostPath: 162 | path: /etc/systemd 163 | # Mount /etc/machine-id from the host to determine host ID 164 | # 
Needed for Elastic Security integration 165 | - name: etc-mid 166 | hostPath: 167 | path: /etc/machine-id 168 | type: File 169 | - name: etc-passwd 170 | hostPath: 171 | path: /etc/passwd 172 | type: File 173 | - name: etc-group 174 | hostPath: 175 | path: /etc/group 176 | type: File 177 | - name: boot 178 | hostPath: 179 | path: /boot 180 | - name: debug 181 | hostPath: 182 | path: /sys/kernel/debug 183 | - name: bpf 184 | hostPath: 185 | path: /sys/fs/bpf 186 | --- 187 | apiVersion: rbac.authorization.k8s.io/v1 188 | kind: ClusterRoleBinding 189 | metadata: 190 | name: elastic-agent 191 | subjects: 192 | - kind: ServiceAccount 193 | name: elastic-agent 194 | namespace: kube-system 195 | roleRef: 196 | kind: ClusterRole 197 | name: elastic-agent 198 | apiGroup: rbac.authorization.k8s.io 199 | --- 200 | apiVersion: rbac.authorization.k8s.io/v1 201 | kind: RoleBinding 202 | metadata: 203 | namespace: kube-system 204 | name: elastic-agent 205 | subjects: 206 | - kind: ServiceAccount 207 | name: elastic-agent 208 | namespace: kube-system 209 | roleRef: 210 | kind: Role 211 | name: elastic-agent 212 | apiGroup: rbac.authorization.k8s.io 213 | --- 214 | apiVersion: rbac.authorization.k8s.io/v1 215 | kind: RoleBinding 216 | metadata: 217 | name: elastic-agent-kubeadm-config 218 | namespace: kube-system 219 | subjects: 220 | - kind: ServiceAccount 221 | name: elastic-agent 222 | namespace: kube-system 223 | roleRef: 224 | kind: Role 225 | name: elastic-agent-kubeadm-config 226 | apiGroup: rbac.authorization.k8s.io 227 | --- 228 | apiVersion: rbac.authorization.k8s.io/v1 229 | kind: ClusterRole 230 | metadata: 231 | name: elastic-agent 232 | labels: 233 | k8s-app: elastic-agent 234 | rules: 235 | - apiGroups: [""] 236 | resources: 237 | - nodes 238 | - namespaces 239 | - events 240 | - pods 241 | - services 242 | - configmaps 243 | # Needed for cloudbeat 244 | - serviceaccounts 245 | - persistentvolumes 246 | - persistentvolumeclaims 247 | verbs: ["get", "list", "watch"] 
248 | # Enable this rule only if planning to use the kubernetes_secrets provider; it grants the agent read access to every Secret in the cluster, so prefer a namespaced Role or resourceNames where possible 249 | #- apiGroups: [""] 250 | # resources: 251 | # - secrets 252 | # verbs: ["get"] 253 | - apiGroups: ["extensions"] 254 | resources: 255 | - replicasets 256 | verbs: ["get", "list", "watch"] 257 | - apiGroups: ["apps"] 258 | resources: 259 | - statefulsets 260 | - deployments 261 | - replicasets 262 | - daemonsets 263 | verbs: ["get", "list", "watch"] 264 | - apiGroups: 265 | - "" 266 | resources: 267 | - nodes/stats 268 | verbs: 269 | - get 270 | - apiGroups: [ "batch" ] 271 | resources: 272 | - jobs 273 | - cronjobs 274 | verbs: [ "get", "list", "watch" ] 275 | # Needed for apiserver 276 | - nonResourceURLs: 277 | - "/metrics" 278 | verbs: 279 | - get 280 | # Needed for cloudbeat 281 | - apiGroups: ["rbac.authorization.k8s.io"] 282 | resources: 283 | - clusterrolebindings 284 | - clusterroles 285 | - rolebindings 286 | - roles 287 | verbs: ["get", "list", "watch"] 288 | # Needed for cloudbeat 289 | - apiGroups: ["policy"] 290 | resources: 291 | - podsecuritypolicies 292 | verbs: ["get", "list", "watch"] 293 | - apiGroups: [ "storage.k8s.io" ] 294 | resources: 295 | - storageclasses 296 | verbs: [ "get", "list", "watch" ] 297 | --- 298 | apiVersion: rbac.authorization.k8s.io/v1 299 | kind: Role 300 | metadata: 301 | name: elastic-agent 302 | # Should be the namespace where elastic-agent is running 303 | namespace: kube-system 304 | labels: 305 | k8s-app: elastic-agent 306 | rules: 307 | - apiGroups: 308 | - coordination.k8s.io 309 | resources: 310 | - leases 311 | verbs: ["get", "create", "update"] 312 | --- 313 | apiVersion: rbac.authorization.k8s.io/v1 314 | kind: Role 315 | metadata: 316 | name: elastic-agent-kubeadm-config 317 | namespace: kube-system 318 | labels: 319 | k8s-app: elastic-agent 320 | rules: 321 | - apiGroups: [""] 322 | resources: 323 | - configmaps 324 | resourceNames: 325 | - kubeadm-config 326 | verbs: ["get"] 327 | --- 328 | apiVersion: v1 329 | kind:
ServiceAccount 330 | metadata: 331 | name: elastic-agent 332 | namespace: kube-system 333 | labels: 334 | k8s-app: elastic-agent 335 | --- 336 | -------------------------------------------------------------------------------- /releases/8.6.0/kubernetes/deploy/elastic-defend.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # For more information refer to https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html 3 | apiVersion: apps/v1 4 | kind: DaemonSet 5 | metadata: 6 | name: elastic-agent 7 | namespace: kube-system 8 | labels: 9 | app: elastic-agent 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: elastic-agent 14 | template: 15 | metadata: 16 | labels: 17 | app: elastic-agent 18 | spec: 19 | # Tolerations are needed to run Elastic Agent on Kubernetes master nodes. 20 | # Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes 21 | tolerations: 22 | - key: node-role.kubernetes.io/master 23 | effect: NoSchedule 24 | - key: node-role.kubernetes.io/control-plane 25 | effect: NoSchedule 26 | serviceAccountName: elastic-agent 27 | hostNetwork: true 28 | # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. 29 | # Sharing the host process ID namespace gives visibility of all processes running on the same host. 
30 | hostPID: true 31 | dnsPolicy: ClusterFirstWithHostNet 32 | containers: 33 | - name: elastic-sec-attendant 34 | image: docker.elastic.co/elastic-security/elastic-sec-attendant:8.6.0 35 | resources: 36 | limits: 37 | memory: 1000Mi 38 | requests: 39 | cpu: 50m 40 | memory: 100Mi 41 | - name: elastic-sec-endpoint 42 | image: docker.elastic.co/elastic-security/elastic-sec-endpoint:8.6.0 43 | resources: 44 | limits: 45 | memory: 4000Mi 46 | requests: 47 | cpu: 200m 48 | memory: 500Mi 49 | securityContext: 50 | runAsUser: 0 51 | privileged: true 52 | volumeMounts: 53 | - name: boot 54 | mountPath: /boot 55 | - name: debug 56 | mountPath: /sys/kernel/debug 57 | - name: bpf 58 | mountPath: /sys/fs/bpf 59 | - name: etc-passwd 60 | mountPath: /mnt/host/etc/passwd 61 | readOnly: true 62 | - name: etc-group 63 | mountPath: /mnt/host/etc/group 64 | readOnly: true 65 | env: 66 | - name: ELASTIC_ENDPOINT_K8S 67 | value: "true" 68 | - name: elastic-agent 69 | image: docker.elastic.co/beats/elastic-agent:8.6.0 70 | env: 71 | - name: ELASTIC_ENDPOINT_K8S 72 | value: "true" 73 | # Set to 1 for enrollment into Fleet server. 
If not set, Elastic Agent is run in standalone mode 74 | - name: FLEET_ENROLL 75 | value: "1" 76 | # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS 77 | - name: FLEET_INSECURE 78 | value: "true" 79 | # Fleet Server URL to enroll the Elastic Agent into 80 | # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings 81 | - name: FLEET_URL 82 | value: "" 83 | # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens) 84 | # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed 85 | - name: FLEET_ENROLLMENT_TOKEN 86 | value: "" 87 | - name: KIBANA_HOST 88 | value: "" 89 | # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet 90 | - name: KIBANA_FLEET_USERNAME 91 | value: "" # elastic 92 | # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet 93 | - name: KIBANA_FLEET_PASSWORD 94 | value: "" # changeme 95 | - name: NODE_NAME 96 | valueFrom: 97 | fieldRef: 98 | fieldPath: spec.nodeName 99 | - name: POD_NAME 100 | valueFrom: 101 | fieldRef: 102 | fieldPath: metadata.name 103 | securityContext: 104 | runAsUser: 0 105 | resources: 106 | limits: 107 | memory: 700Mi 108 | requests: 109 | cpu: 100m 110 | memory: 400Mi 111 | volumeMounts: 112 | - name: proc 113 | mountPath: /hostfs/proc 114 | readOnly: true 115 | - name: etc-kubernetes 116 | mountPath: /hostfs/etc/kubernetes 117 | readOnly: true 118 | - name: var-lib 119 | mountPath: /hostfs/var/lib 120 | readOnly: true 121 | - name: cgroup 122 | mountPath: /hostfs/sys/fs/cgroup 123 | readOnly: true 124 | - name: varlibdockercontainers 125 | mountPath: /var/lib/docker/containers 126 | readOnly: true 127 | - name: varlog 128 | mountPath: /var/log 129 | readOnly: true 130 | - name: passwd 131 | mountPath: 
/hostfs/etc/passwd 132 | readOnly: true 133 | - name: group 134 | mountPath: /hostfs/etc/group 135 | readOnly: true 136 | - name: etcsysmd 137 | mountPath: /hostfs/etc/systemd 138 | readOnly: true 139 | - name: etc-mid 140 | mountPath: /etc/machine-id 141 | readOnly: true 142 | volumes: 143 | - name: proc 144 | hostPath: 145 | path: /proc 146 | - name: cgroup 147 | hostPath: 148 | path: /sys/fs/cgroup 149 | - name: varlibdockercontainers 150 | hostPath: 151 | path: /var/lib/docker/containers 152 | - name: varlog 153 | hostPath: 154 | path: /var/log 155 | # Needed for cloudbeat 156 | - name: etc-kubernetes 157 | hostPath: 158 | path: /etc/kubernetes 159 | # Needed for cloudbeat 160 | - name: var-lib 161 | hostPath: 162 | path: /var/lib 163 | # Needed for cloudbeat 164 | - name: passwd 165 | hostPath: 166 | path: /etc/passwd 167 | # Needed for cloudbeat 168 | - name: group 169 | hostPath: 170 | path: /etc/group 171 | # Needed for cloudbeat 172 | - name: etcsysmd 173 | hostPath: 174 | path: /etc/systemd 175 | # Mount /etc/machine-id from the host to determine host ID 176 | # Needed for Elastic Security integration 177 | - name: etc-mid 178 | hostPath: 179 | path: /etc/machine-id 180 | type: File 181 | - name: etc-passwd 182 | hostPath: 183 | path: /etc/passwd 184 | type: File 185 | - name: etc-group 186 | hostPath: 187 | path: /etc/group 188 | type: File 189 | - name: boot 190 | hostPath: 191 | path: /boot 192 | - name: debug 193 | hostPath: 194 | path: /sys/kernel/debug 195 | - name: bpf 196 | hostPath: 197 | path: /sys/fs/bpf 198 | --- 199 | apiVersion: rbac.authorization.k8s.io/v1 200 | kind: ClusterRoleBinding 201 | metadata: 202 | name: elastic-agent 203 | subjects: 204 | - kind: ServiceAccount 205 | name: elastic-agent 206 | namespace: kube-system 207 | roleRef: 208 | kind: ClusterRole 209 | name: elastic-agent 210 | apiGroup: rbac.authorization.k8s.io 211 | --- 212 | apiVersion: rbac.authorization.k8s.io/v1 213 | kind: RoleBinding 214 | metadata: 215 | 
namespace: kube-system 216 | name: elastic-agent 217 | subjects: 218 | - kind: ServiceAccount 219 | name: elastic-agent 220 | namespace: kube-system 221 | roleRef: 222 | kind: Role 223 | name: elastic-agent 224 | apiGroup: rbac.authorization.k8s.io 225 | --- 226 | apiVersion: rbac.authorization.k8s.io/v1 227 | kind: RoleBinding 228 | metadata: 229 | name: elastic-agent-kubeadm-config 230 | namespace: kube-system 231 | subjects: 232 | - kind: ServiceAccount 233 | name: elastic-agent 234 | namespace: kube-system 235 | roleRef: 236 | kind: Role 237 | name: elastic-agent-kubeadm-config 238 | apiGroup: rbac.authorization.k8s.io 239 | --- 240 | apiVersion: rbac.authorization.k8s.io/v1 241 | kind: ClusterRole 242 | metadata: 243 | name: elastic-agent 244 | labels: 245 | k8s-app: elastic-agent 246 | rules: 247 | - apiGroups: [""] 248 | resources: 249 | - nodes 250 | - namespaces 251 | - events 252 | - pods 253 | - services 254 | - configmaps 255 | # Needed for cloudbeat 256 | - serviceaccounts 257 | - persistentvolumes 258 | - persistentvolumeclaims 259 | verbs: ["get", "list", "watch"] 260 | # Enable this rule only if planing to use kubernetes_secrets provider 261 | #- apiGroups: [""] 262 | # resources: 263 | # - secrets 264 | # verbs: ["get"] 265 | - apiGroups: ["extensions"] 266 | resources: 267 | - replicasets 268 | verbs: ["get", "list", "watch"] 269 | - apiGroups: ["apps"] 270 | resources: 271 | - statefulsets 272 | - deployments 273 | - replicasets 274 | - daemonsets 275 | verbs: ["get", "list", "watch"] 276 | - apiGroups: 277 | - "" 278 | resources: 279 | - nodes/stats 280 | verbs: 281 | - get 282 | - apiGroups: [ "batch" ] 283 | resources: 284 | - jobs 285 | - cronjobs 286 | verbs: [ "get", "list", "watch" ] 287 | # Needed for apiserver 288 | - nonResourceURLs: 289 | - "/metrics" 290 | verbs: 291 | - get 292 | # Needed for cloudbeat 293 | - apiGroups: ["rbac.authorization.k8s.io"] 294 | resources: 295 | - clusterrolebindings 296 | - clusterroles 297 | - 
rolebindings 298 | - roles 299 | verbs: ["get", "list", "watch"] 300 | # Needed for cloudbeat 301 | - apiGroups: ["policy"] 302 | resources: 303 | - podsecuritypolicies 304 | verbs: ["get", "list", "watch"] 305 | - apiGroups: [ "storage.k8s.io" ] 306 | resources: 307 | - storageclasses 308 | verbs: [ "get", "list", "watch" ] 309 | --- 310 | apiVersion: rbac.authorization.k8s.io/v1 311 | kind: Role 312 | metadata: 313 | name: elastic-agent 314 | # Should be the namespace where elastic-agent is running 315 | namespace: kube-system 316 | labels: 317 | k8s-app: elastic-agent 318 | rules: 319 | - apiGroups: 320 | - coordination.k8s.io 321 | resources: 322 | - leases 323 | verbs: ["get", "create", "update"] 324 | --- 325 | apiVersion: rbac.authorization.k8s.io/v1 326 | kind: Role 327 | metadata: 328 | name: elastic-agent-kubeadm-config 329 | namespace: kube-system 330 | labels: 331 | k8s-app: elastic-agent 332 | rules: 333 | - apiGroups: [""] 334 | resources: 335 | - configmaps 336 | resourceNames: 337 | - kubeadm-config 338 | verbs: ["get"] 339 | --- 340 | apiVersion: v1 341 | kind: ServiceAccount 342 | metadata: 343 | name: elastic-agent 344 | namespace: kube-system 345 | labels: 346 | k8s-app: elastic-agent 347 | --- 348 | -------------------------------------------------------------------------------- /releases/8.7.0/kubernetes/deploy/elastic-defend.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # For more information refer to https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html 3 | apiVersion: apps/v1 4 | kind: DaemonSet 5 | metadata: 6 | name: elastic-agent 7 | namespace: kube-system 8 | labels: 9 | app: elastic-agent 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: elastic-agent 14 | template: 15 | metadata: 16 | labels: 17 | app: elastic-agent 18 | spec: 19 | # Tolerations are needed to run Elastic Agent on Kubernetes master nodes. 
20 | # Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes 21 | tolerations: 22 | - key: node-role.kubernetes.io/master 23 | effect: NoSchedule 24 | - key: node-role.kubernetes.io/control-plane 25 | effect: NoSchedule 26 | serviceAccountName: elastic-agent 27 | hostNetwork: true 28 | # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. 29 | # Sharing the host process ID namespace gives visibility of all processes running on the same host. 30 | hostPID: true 31 | dnsPolicy: ClusterFirstWithHostNet 32 | containers: 33 | - name: elastic-sec-attendant 34 | image: docker.elastic.co/elastic-security/elastic-sec-attendant:8.7.0 35 | resources: 36 | limits: 37 | memory: 1000Mi 38 | requests: 39 | cpu: 50m 40 | memory: 100Mi 41 | - name: elastic-sec-endpoint 42 | image: docker.elastic.co/elastic-security/elastic-sec-endpoint:8.7.0 43 | resources: 44 | limits: 45 | memory: 4000Mi 46 | requests: 47 | cpu: 200m 48 | memory: 500Mi 49 | securityContext: 50 | runAsUser: 0 51 | privileged: true 52 | volumeMounts: 53 | - name: boot 54 | mountPath: /boot 55 | - name: debug 56 | mountPath: /sys/kernel/debug 57 | - name: bpf 58 | mountPath: /sys/fs/bpf 59 | - name: etc-passwd 60 | mountPath: /mnt/host/etc/passwd 61 | readOnly: true 62 | - name: etc-group 63 | mountPath: /mnt/host/etc/group 64 | readOnly: true 65 | env: 66 | - name: ELASTIC_ENDPOINT_K8S 67 | value: "true" 68 | - name: elastic-agent 69 | image: docker.elastic.co/beats/elastic-agent:8.7.0 70 | env: 71 | - name: ELASTIC_ENDPOINT_K8S 72 | value: "true" 73 | # Set to 1 for enrollment into Fleet server. 
If not set, Elastic Agent is run in standalone mode 74 | - name: FLEET_ENROLL 75 | value: "1" 76 | # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS 77 | - name: FLEET_INSECURE 78 | value: "true" 79 | # Fleet Server URL to enroll the Elastic Agent into 80 | # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings 81 | - name: FLEET_URL 82 | value: "" 83 | # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens) 84 | # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed 85 | - name: FLEET_ENROLLMENT_TOKEN 86 | value: "" 87 | - name: KIBANA_HOST 88 | value: "" 89 | # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet 90 | - name: KIBANA_FLEET_USERNAME 91 | value: "" # elastic 92 | # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet 93 | - name: KIBANA_FLEET_PASSWORD 94 | value: "" # changeme 95 | - name: NODE_NAME 96 | valueFrom: 97 | fieldRef: 98 | fieldPath: spec.nodeName 99 | - name: POD_NAME 100 | valueFrom: 101 | fieldRef: 102 | fieldPath: metadata.name 103 | securityContext: 104 | runAsUser: 0 105 | resources: 106 | limits: 107 | memory: 700Mi 108 | requests: 109 | cpu: 100m 110 | memory: 400Mi 111 | volumeMounts: 112 | - name: proc 113 | mountPath: /hostfs/proc 114 | readOnly: true 115 | - name: etc-kubernetes 116 | mountPath: /hostfs/etc/kubernetes 117 | readOnly: true 118 | - name: var-lib 119 | mountPath: /hostfs/var/lib 120 | readOnly: true 121 | - name: cgroup 122 | mountPath: /hostfs/sys/fs/cgroup 123 | readOnly: true 124 | - name: varlibdockercontainers 125 | mountPath: /var/lib/docker/containers 126 | readOnly: true 127 | - name: varlog 128 | mountPath: /var/log 129 | readOnly: true 130 | - name: passwd 131 | mountPath: 
/hostfs/etc/passwd 132 | readOnly: true 133 | - name: group 134 | mountPath: /hostfs/etc/group 135 | readOnly: true 136 | - name: etcsysmd 137 | mountPath: /hostfs/etc/systemd 138 | readOnly: true 139 | - name: etc-mid 140 | mountPath: /etc/machine-id 141 | readOnly: true 142 | volumes: 143 | - name: proc 144 | hostPath: 145 | path: /proc 146 | - name: cgroup 147 | hostPath: 148 | path: /sys/fs/cgroup 149 | - name: varlibdockercontainers 150 | hostPath: 151 | path: /var/lib/docker/containers 152 | - name: varlog 153 | hostPath: 154 | path: /var/log 155 | # Needed for cloudbeat 156 | - name: etc-kubernetes 157 | hostPath: 158 | path: /etc/kubernetes 159 | # Needed for cloudbeat 160 | - name: var-lib 161 | hostPath: 162 | path: /var/lib 163 | # Needed for cloudbeat 164 | - name: passwd 165 | hostPath: 166 | path: /etc/passwd 167 | # Needed for cloudbeat 168 | - name: group 169 | hostPath: 170 | path: /etc/group 171 | # Needed for cloudbeat 172 | - name: etcsysmd 173 | hostPath: 174 | path: /etc/systemd 175 | # Mount /etc/machine-id from the host to determine host ID 176 | # Needed for Elastic Security integration 177 | - name: etc-mid 178 | hostPath: 179 | path: /etc/machine-id 180 | type: File 181 | - name: etc-passwd 182 | hostPath: 183 | path: /etc/passwd 184 | type: File 185 | - name: etc-group 186 | hostPath: 187 | path: /etc/group 188 | type: File 189 | - name: boot 190 | hostPath: 191 | path: /boot 192 | - name: debug 193 | hostPath: 194 | path: /sys/kernel/debug 195 | - name: bpf 196 | hostPath: 197 | path: /sys/fs/bpf 198 | --- 199 | apiVersion: rbac.authorization.k8s.io/v1 200 | kind: ClusterRoleBinding 201 | metadata: 202 | name: elastic-agent 203 | subjects: 204 | - kind: ServiceAccount 205 | name: elastic-agent 206 | namespace: kube-system 207 | roleRef: 208 | kind: ClusterRole 209 | name: elastic-agent 210 | apiGroup: rbac.authorization.k8s.io 211 | --- 212 | apiVersion: rbac.authorization.k8s.io/v1 213 | kind: RoleBinding 214 | metadata: 215 | 
namespace: kube-system 216 | name: elastic-agent 217 | subjects: 218 | - kind: ServiceAccount 219 | name: elastic-agent 220 | namespace: kube-system 221 | roleRef: 222 | kind: Role 223 | name: elastic-agent 224 | apiGroup: rbac.authorization.k8s.io 225 | --- 226 | apiVersion: rbac.authorization.k8s.io/v1 227 | kind: RoleBinding 228 | metadata: 229 | name: elastic-agent-kubeadm-config 230 | namespace: kube-system 231 | subjects: 232 | - kind: ServiceAccount 233 | name: elastic-agent 234 | namespace: kube-system 235 | roleRef: 236 | kind: Role 237 | name: elastic-agent-kubeadm-config 238 | apiGroup: rbac.authorization.k8s.io 239 | --- 240 | apiVersion: rbac.authorization.k8s.io/v1 241 | kind: ClusterRole 242 | metadata: 243 | name: elastic-agent 244 | labels: 245 | k8s-app: elastic-agent 246 | rules: 247 | - apiGroups: [""] 248 | resources: 249 | - nodes 250 | - namespaces 251 | - events 252 | - pods 253 | - services 254 | - configmaps 255 | # Needed for cloudbeat 256 | - serviceaccounts 257 | - persistentvolumes 258 | - persistentvolumeclaims 259 | verbs: ["get", "list", "watch"] 260 | # Enable this rule only if planing to use kubernetes_secrets provider 261 | #- apiGroups: [""] 262 | # resources: 263 | # - secrets 264 | # verbs: ["get"] 265 | - apiGroups: ["extensions"] 266 | resources: 267 | - replicasets 268 | verbs: ["get", "list", "watch"] 269 | - apiGroups: ["apps"] 270 | resources: 271 | - statefulsets 272 | - deployments 273 | - replicasets 274 | - daemonsets 275 | verbs: ["get", "list", "watch"] 276 | - apiGroups: 277 | - "" 278 | resources: 279 | - nodes/stats 280 | verbs: 281 | - get 282 | - apiGroups: [ "batch" ] 283 | resources: 284 | - jobs 285 | - cronjobs 286 | verbs: [ "get", "list", "watch" ] 287 | # Needed for apiserver 288 | - nonResourceURLs: 289 | - "/metrics" 290 | verbs: 291 | - get 292 | # Needed for cloudbeat 293 | - apiGroups: ["rbac.authorization.k8s.io"] 294 | resources: 295 | - clusterrolebindings 296 | - clusterroles 297 | - 
rolebindings 298 | - roles 299 | verbs: ["get", "list", "watch"] 300 | # Needed for cloudbeat 301 | - apiGroups: ["policy"] 302 | resources: 303 | - podsecuritypolicies 304 | verbs: ["get", "list", "watch"] 305 | - apiGroups: [ "storage.k8s.io" ] 306 | resources: 307 | - storageclasses 308 | verbs: [ "get", "list", "watch" ] 309 | --- 310 | apiVersion: rbac.authorization.k8s.io/v1 311 | kind: Role 312 | metadata: 313 | name: elastic-agent 314 | # Should be the namespace where elastic-agent is running 315 | namespace: kube-system 316 | labels: 317 | k8s-app: elastic-agent 318 | rules: 319 | - apiGroups: 320 | - coordination.k8s.io 321 | resources: 322 | - leases 323 | verbs: ["get", "create", "update"] 324 | --- 325 | apiVersion: rbac.authorization.k8s.io/v1 326 | kind: Role 327 | metadata: 328 | name: elastic-agent-kubeadm-config 329 | namespace: kube-system 330 | labels: 331 | k8s-app: elastic-agent 332 | rules: 333 | - apiGroups: [""] 334 | resources: 335 | - configmaps 336 | resourceNames: 337 | - kubeadm-config 338 | verbs: ["get"] 339 | --- 340 | apiVersion: v1 341 | kind: ServiceAccount 342 | metadata: 343 | name: elastic-agent 344 | namespace: kube-system 345 | labels: 346 | k8s-app: elastic-agent 347 | --- 348 | -------------------------------------------------------------------------------- /releases/8.8.0/kubernetes/deploy/elastic-defend.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # For more information https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html 3 | apiVersion: apps/v1 4 | kind: DaemonSet 5 | metadata: 6 | name: elastic-agent 7 | namespace: kube-system 8 | labels: 9 | app: elastic-agent 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: elastic-agent 14 | template: 15 | metadata: 16 | labels: 17 | app: elastic-agent 18 | spec: 19 | # Tolerations are needed to run Elastic Agent on Kubernetes control-plane nodes. 
20 | # Agents running on control-plane nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes 21 | tolerations: 22 | - key: node-role.kubernetes.io/control-plane 23 | effect: NoSchedule 24 | - key: node-role.kubernetes.io/master 25 | effect: NoSchedule 26 | serviceAccountName: elastic-agent 27 | hostNetwork: true 28 | # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. 29 | # Sharing the host process ID namespace gives visibility of all processes running on the same host. 30 | hostPID: true 31 | dnsPolicy: ClusterFirstWithHostNet 32 | containers: 33 | - name: elastic-sec-attendant 34 | image: docker.elastic.co/elastic-security/elastic-sec-attendant:8.8.0 35 | resources: 36 | limits: 37 | memory: 1000Mi 38 | requests: 39 | cpu: 50m 40 | memory: 100Mi 41 | - name: elastic-sec-endpoint 42 | image: docker.elastic.co/elastic-security/elastic-sec-endpoint:8.8.0 43 | resources: 44 | limits: 45 | memory: 4000Mi 46 | requests: 47 | cpu: 200m 48 | memory: 500Mi 49 | securityContext: 50 | runAsUser: 0 51 | privileged: true 52 | volumeMounts: 53 | - name: boot 54 | mountPath: /boot 55 | - name: debug 56 | mountPath: /sys/kernel/debug 57 | - name: bpf 58 | mountPath: /sys/fs/bpf 59 | - name: etc-passwd 60 | mountPath: /mnt/host/etc/passwd 61 | readOnly: true 62 | - name: etc-group 63 | mountPath: /mnt/host/etc/group 64 | readOnly: true 65 | env: 66 | - name: ELASTIC_ENDPOINT_K8S 67 | value: "true" 68 | - name: elastic-agent 69 | image: docker.elastic.co/beats/elastic-agent:8.8.0 70 | env: 71 | # Set to 1 for enrollment into Fleet server. 
If not set, Elastic Agent is run in standalone mode 72 | - name: FLEET_ENROLL 73 | value: "1" 74 | # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS 75 | - name: FLEET_INSECURE 76 | value: "true" 77 | # Fleet Server URL to enroll the Elastic Agent into 78 | # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings 79 | - name: FLEET_URL 80 | value: "https://fleet-server:8220" 81 | # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens) 82 | # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed 83 | - name: FLEET_ENROLLMENT_TOKEN 84 | value: "token-id" 85 | - name: KIBANA_HOST 86 | value: "http://kibana:5601" 87 | # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet 88 | - name: KIBANA_FLEET_USERNAME 89 | value: "elastic" 90 | # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet 91 | - name: KIBANA_FLEET_PASSWORD 92 | value: "changeme" 93 | - name: NODE_NAME 94 | valueFrom: 95 | fieldRef: 96 | fieldPath: spec.nodeName 97 | - name: POD_NAME 98 | valueFrom: 99 | fieldRef: 100 | fieldPath: metadata.name 101 | - name: ELASTIC_ENDPOINT_K8S 102 | value: "true" 103 | securityContext: 104 | runAsUser: 0 105 | resources: 106 | limits: 107 | memory: 700Mi 108 | requests: 109 | cpu: 100m 110 | memory: 400Mi 111 | volumeMounts: 112 | - name: proc 113 | mountPath: /hostfs/proc 114 | readOnly: true 115 | - name: cgroup 116 | mountPath: /hostfs/sys/fs/cgroup 117 | readOnly: true 118 | - name: varlibdockercontainers 119 | mountPath: /var/lib/docker/containers 120 | readOnly: true 121 | - name: varlog 122 | mountPath: /var/log 123 | readOnly: true 124 | - name: etc-full 125 | mountPath: /hostfs/etc 126 | readOnly: true 127 | - name: var-lib 128 | mountPath: 
/hostfs/var/lib 129 | readOnly: true 130 | - name: etc-mid 131 | mountPath: /etc/machine-id 132 | readOnly: true 133 | - name: sys-kernel-debug 134 | mountPath: /sys/kernel/debug 135 | - name: elastic-agent-state 136 | mountPath: /usr/share/elastic-agent/state 137 | volumes: 138 | - name: proc 139 | hostPath: 140 | path: /proc 141 | - name: cgroup 142 | hostPath: 143 | path: /sys/fs/cgroup 144 | - name: varlibdockercontainers 145 | hostPath: 146 | path: /var/lib/docker/containers 147 | - name: varlog 148 | hostPath: 149 | path: /var/log 150 | - name: etc-full 151 | hostPath: 152 | path: /etc 153 | - name: var-lib 154 | hostPath: 155 | path: /var/lib 156 | - name: etc-mid 157 | hostPath: 158 | path: /etc/machine-id 159 | type: File 160 | - name: sys-kernel-debug 161 | hostPath: 162 | path: /sys/kernel/debug 163 | - name: elastic-agent-state 164 | hostPath: 165 | path: /var/lib/elastic-agent-managed/kube-system/state 166 | type: DirectoryOrCreate 167 | - name: etc-passwd 168 | hostPath: 169 | path: /etc/passwd 170 | type: File 171 | - name: etc-group 172 | hostPath: 173 | path: /etc/group 174 | type: File 175 | - name: boot 176 | hostPath: 177 | path: /boot 178 | - name: debug 179 | hostPath: 180 | path: /sys/kernel/debug 181 | - name: bpf 182 | hostPath: 183 | path: /sys/fs/bpf 184 | --- 185 | apiVersion: rbac.authorization.k8s.io/v1 186 | kind: ClusterRoleBinding 187 | metadata: 188 | name: elastic-agent 189 | subjects: 190 | - kind: ServiceAccount 191 | name: elastic-agent 192 | namespace: kube-system 193 | roleRef: 194 | kind: ClusterRole 195 | name: elastic-agent 196 | apiGroup: rbac.authorization.k8s.io 197 | --- 198 | apiVersion: rbac.authorization.k8s.io/v1 199 | kind: RoleBinding 200 | metadata: 201 | namespace: kube-system 202 | name: elastic-agent 203 | subjects: 204 | - kind: ServiceAccount 205 | name: elastic-agent 206 | namespace: kube-system 207 | roleRef: 208 | kind: Role 209 | name: elastic-agent 210 | apiGroup: rbac.authorization.k8s.io 211 | --- 
212 | apiVersion: rbac.authorization.k8s.io/v1 213 | kind: RoleBinding 214 | metadata: 215 | name: elastic-agent-kubeadm-config 216 | namespace: kube-system 217 | subjects: 218 | - kind: ServiceAccount 219 | name: elastic-agent 220 | namespace: kube-system 221 | roleRef: 222 | kind: Role 223 | name: elastic-agent-kubeadm-config 224 | apiGroup: rbac.authorization.k8s.io 225 | --- 226 | apiVersion: rbac.authorization.k8s.io/v1 227 | kind: ClusterRole 228 | metadata: 229 | name: elastic-agent 230 | labels: 231 | k8s-app: elastic-agent 232 | rules: 233 | - apiGroups: [""] 234 | resources: 235 | - nodes 236 | - namespaces 237 | - events 238 | - pods 239 | - services 240 | - configmaps 241 | # Needed for cloudbeat 242 | - serviceaccounts 243 | - persistentvolumes 244 | - persistentvolumeclaims 245 | verbs: ["get", "list", "watch"] 246 | # Enable this rule only if planing to use kubernetes_secrets provider 247 | #- apiGroups: [""] 248 | # resources: 249 | # - secrets 250 | # verbs: ["get"] 251 | - apiGroups: ["extensions"] 252 | resources: 253 | - replicasets 254 | verbs: ["get", "list", "watch"] 255 | - apiGroups: ["apps"] 256 | resources: 257 | - statefulsets 258 | - deployments 259 | - replicasets 260 | - daemonsets 261 | verbs: ["get", "list", "watch"] 262 | - apiGroups: 263 | - "" 264 | resources: 265 | - nodes/stats 266 | verbs: 267 | - get 268 | - apiGroups: [ "batch" ] 269 | resources: 270 | - jobs 271 | - cronjobs 272 | verbs: [ "get", "list", "watch" ] 273 | # Needed for apiserver 274 | - nonResourceURLs: 275 | - "/metrics" 276 | verbs: 277 | - get 278 | # Needed for cloudbeat 279 | - apiGroups: ["rbac.authorization.k8s.io"] 280 | resources: 281 | - clusterrolebindings 282 | - clusterroles 283 | - rolebindings 284 | - roles 285 | verbs: ["get", "list", "watch"] 286 | # Needed for cloudbeat 287 | - apiGroups: ["policy"] 288 | resources: 289 | - podsecuritypolicies 290 | verbs: ["get", "list", "watch"] 291 | - apiGroups: [ "storage.k8s.io" ] 292 | resources: 293 | 
- storageclasses 294 | verbs: [ "get", "list", "watch" ] 295 | --- 296 | apiVersion: rbac.authorization.k8s.io/v1 297 | kind: Role 298 | metadata: 299 | name: elastic-agent 300 | # Should be the namespace where elastic-agent is running 301 | namespace: kube-system 302 | labels: 303 | k8s-app: elastic-agent 304 | rules: 305 | - apiGroups: 306 | - coordination.k8s.io 307 | resources: 308 | - leases 309 | verbs: ["get", "create", "update"] 310 | --- 311 | apiVersion: rbac.authorization.k8s.io/v1 312 | kind: Role 313 | metadata: 314 | name: elastic-agent-kubeadm-config 315 | namespace: kube-system 316 | labels: 317 | k8s-app: elastic-agent 318 | rules: 319 | - apiGroups: [""] 320 | resources: 321 | - configmaps 322 | resourceNames: 323 | - kubeadm-config 324 | verbs: ["get"] 325 | --- 326 | apiVersion: v1 327 | kind: ServiceAccount 328 | metadata: 329 | name: elastic-agent 330 | namespace: kube-system 331 | labels: 332 | k8s-app: elastic-agent 333 | --- 334 | -------------------------------------------------------------------------------- /releases/8.9.0/kubernetes/deploy/elastic-defend.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # For more information https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html 3 | apiVersion: apps/v1 4 | kind: DaemonSet 5 | metadata: 6 | name: elastic-agent 7 | namespace: kube-system 8 | labels: 9 | app: elastic-agent 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: elastic-agent 14 | template: 15 | metadata: 16 | labels: 17 | app: elastic-agent 18 | spec: 19 | # Tolerations are needed to run Elastic Agent on Kubernetes control-plane nodes. 
20 | # Agents running on control-plane nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes 21 | tolerations: 22 | - key: node-role.kubernetes.io/control-plane 23 | effect: NoSchedule 24 | - key: node-role.kubernetes.io/master 25 | effect: NoSchedule 26 | serviceAccountName: elastic-agent 27 | hostNetwork: true 28 | # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. 29 | # Sharing the host process ID namespace gives visibility of all processes running on the same host. 30 | hostPID: true 31 | dnsPolicy: ClusterFirstWithHostNet 32 | containers: 33 | - name: elastic-sec-attendant 34 | image: docker.elastic.co/elastic-security/elastic-sec-attendant:8.9.0 35 | resources: 36 | limits: 37 | memory: 1000Mi 38 | requests: 39 | cpu: 50m 40 | memory: 100Mi 41 | - name: elastic-sec-endpoint 42 | image: docker.elastic.co/elastic-security/elastic-sec-endpoint:8.9.0 43 | resources: 44 | limits: 45 | memory: 4000Mi 46 | requests: 47 | cpu: 200m 48 | memory: 500Mi 49 | securityContext: 50 | runAsUser: 0 51 | privileged: true 52 | volumeMounts: 53 | - name: boot 54 | mountPath: /boot 55 | - name: sys-kernel-debug 56 | mountPath: /sys/kernel/debug 57 | - name: bpf 58 | mountPath: /sys/fs/bpf 59 | - name: etc-passwd 60 | mountPath: /mnt/host/etc/passwd 61 | readOnly: true 62 | - name: etc-group 63 | mountPath: /mnt/host/etc/group 64 | readOnly: true 65 | env: 66 | - name: ELASTIC_ENDPOINT_K8S 67 | value: "true" 68 | - name: elastic-agent 69 | image: docker.elastic.co/beats/elastic-agent:8.9.0 70 | env: 71 | # Set to 1 for enrollment into Fleet server. 
If not set, Elastic Agent is run in standalone mode
72 |             - name: FLEET_ENROLL
73 |               value: "1"
74 |             # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS
75 |             - name: FLEET_INSECURE
76 |               value: "true"
77 |             # Fleet Server URL to enroll the Elastic Agent into
78 |             # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings
79 |             - name: FLEET_URL
80 |               value: "https://fleet-server:8220"
81 |             # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens)
82 |             # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
83 |             - name: FLEET_ENROLLMENT_TOKEN
84 |               value: "token-id"
85 |             - name: KIBANA_HOST
86 |               value: "http://kibana:5601"
87 |             # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet
88 |             - name: KIBANA_FLEET_USERNAME
89 |               value: "elastic"
90 |             # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet
91 |             - name: KIBANA_FLEET_PASSWORD
92 |               value: "changeme"
93 |             - name: NODE_NAME
94 |               valueFrom:
95 |                 fieldRef:
96 |                   fieldPath: spec.nodeName
97 |             - name: POD_NAME
98 |               valueFrom:
99 |                 fieldRef:
100 |                   fieldPath: metadata.name
101 |             - name: ELASTIC_ENDPOINT_K8S
102 |               value: "true"
103 |           securityContext:
104 |             runAsUser: 0
105 |           resources:
106 |             limits:
107 |               memory: 700Mi
108 |             requests:
109 |               cpu: 100m
110 |               memory: 400Mi
111 |           volumeMounts:
112 |             - name: proc
113 |               mountPath: /hostfs/proc
114 |               readOnly: true
115 |             - name: cgroup
116 |               mountPath: /hostfs/sys/fs/cgroup
117 |               readOnly: true
118 |             - name: varlibdockercontainers
119 |               mountPath: /var/lib/docker/containers
120 |               readOnly: true
121 |             - name: varlog
122 |               mountPath: /var/log
123 |               readOnly: true
124 |             - name: etc-full
125 |               mountPath: /hostfs/etc
126 |               readOnly: true
127 |             - name: var-lib
128 |               mountPath: /hostfs/var/lib
129 |               readOnly: true
130 |             - name: etc-mid
131 |               mountPath: /etc/machine-id
132 |               readOnly: true
133 |             - name: sys-kernel-debug
134 |               mountPath: /sys/kernel/debug
135 |             - name: elastic-agent-state
136 |               mountPath: /usr/share/elastic-agent/state
137 |       volumes:
138 |         - name: proc
139 |           hostPath:
140 |             path: /proc
141 |         - name: cgroup
142 |           hostPath:
143 |             path: /sys/fs/cgroup
144 |         - name: varlibdockercontainers
145 |           hostPath:
146 |             path: /var/lib/docker/containers
147 |         - name: varlog
148 |           hostPath:
149 |             path: /var/log
150 |         - name: etc-full
151 |           hostPath:
152 |             path: /etc
153 |         - name: var-lib
154 |           hostPath:
155 |             path: /var/lib
156 |         - name: etc-mid
157 |           hostPath:
158 |             path: /etc/machine-id
159 |             type: File
160 |         - name: elastic-agent-state
161 |           hostPath:
162 |             path: /var/lib/elastic-agent-managed/kube-system/state
163 |             type: DirectoryOrCreate
164 |         - name: boot
165 |           hostPath:
166 |             path: /boot
167 |         - name: bpf
168 |           hostPath:
169 |             path: /sys/fs/bpf
170 |         - name: etc-passwd
171 |           hostPath:
172 |             path: /etc/passwd
173 |             type: File
174 |         - name: etc-group
175 |           hostPath:
176 |             path: /etc/group
177 |             type: File
178 |         - name: sys-kernel-debug
179 |           hostPath:
180 |             path: /sys/kernel/debug
181 | ---
182 | apiVersion: rbac.authorization.k8s.io/v1
183 | kind: ClusterRoleBinding
184 | metadata:
185 |   name: elastic-agent
186 | subjects:
187 |   - kind: ServiceAccount
188 |     name: elastic-agent
189 |     namespace: kube-system
190 | roleRef:
191 |   kind: ClusterRole
192 |   name: elastic-agent
193 |   apiGroup: rbac.authorization.k8s.io
194 | ---
195 | apiVersion: rbac.authorization.k8s.io/v1
196 | kind: RoleBinding
197 | metadata:
198 |   namespace: kube-system
199 |   name: elastic-agent
200 | subjects:
201 |   - kind: ServiceAccount
202 |     name: elastic-agent
203 |     namespace: kube-system
204 | roleRef:
205 |   kind: Role
206 |   name: elastic-agent
207 |   apiGroup: rbac.authorization.k8s.io
208 | ---
209 | apiVersion: rbac.authorization.k8s.io/v1
210 | kind: RoleBinding
211 | metadata:
212 |   name: elastic-agent-kubeadm-config
213 |   namespace: kube-system
214 | subjects:
215 |   - kind: ServiceAccount
216 |     name: elastic-agent
217 |     namespace: kube-system
218 | roleRef:
219 |   kind: Role
220 |   name: elastic-agent-kubeadm-config
221 |   apiGroup: rbac.authorization.k8s.io
222 | ---
223 | apiVersion: rbac.authorization.k8s.io/v1
224 | kind: ClusterRole
225 | metadata:
226 |   name: elastic-agent
227 |   labels:
228 |     k8s-app: elastic-agent
229 | rules:
230 |   - apiGroups: [""]
231 |     resources:
232 |       - nodes
233 |       - namespaces
234 |       - events
235 |       - pods
236 |       - services
237 |       - configmaps
238 |       # Needed for cloudbeat
239 |       - serviceaccounts
240 |       - persistentvolumes
241 |       - persistentvolumeclaims
242 |     verbs: ["get", "list", "watch"]
243 |   # Enable this rule only if planning to use the kubernetes_secrets provider
244 |   #- apiGroups: [""]
245 |   #  resources:
246 |   #  - secrets
247 |   #  verbs: ["get"]
248 |   - apiGroups: ["extensions"]
249 |     resources:
250 |       - replicasets
251 |     verbs: ["get", "list", "watch"]
252 |   - apiGroups: ["apps"]
253 |     resources:
254 |       - statefulsets
255 |       - deployments
256 |       - replicasets
257 |       - daemonsets
258 |     verbs: ["get", "list", "watch"]
259 |   - apiGroups:
260 |       - ""
261 |     resources:
262 |       - nodes/stats
263 |     verbs:
264 |       - get
265 |   - apiGroups: [ "batch" ]
266 |     resources:
267 |       - jobs
268 |       - cronjobs
269 |     verbs: [ "get", "list", "watch" ]
270 |   # Needed for apiserver
271 |   - nonResourceURLs:
272 |       - "/metrics"
273 |     verbs:
274 |       - get
275 |   # Needed for cloudbeat
276 |   - apiGroups: ["rbac.authorization.k8s.io"]
277 |     resources:
278 |       - clusterrolebindings
279 |       - clusterroles
280 |       - rolebindings
281 |       - roles
282 |     verbs: ["get", "list", "watch"]
283 |   # Needed for cloudbeat
284 |   - apiGroups: ["policy"]
285 |     resources:
286 |       - podsecuritypolicies
287 |     verbs: ["get", "list", "watch"]
288 |   - apiGroups: [ "storage.k8s.io" ]
289 |     resources:
290 |       - storageclasses
291 |     verbs: [ "get", "list", "watch" ]
292 | ---
293 | apiVersion: rbac.authorization.k8s.io/v1
294 | kind: Role
295 | metadata:
296 |   name: elastic-agent
297 |   # Should be the namespace where elastic-agent is running
298 |   namespace: kube-system
299 |   labels:
300 |     k8s-app: elastic-agent
301 | rules:
302 |   - apiGroups:
303 |       - coordination.k8s.io
304 |     resources:
305 |       - leases
306 |     verbs: ["get", "create", "update"]
307 | ---
308 | apiVersion: rbac.authorization.k8s.io/v1
309 | kind: Role
310 | metadata:
311 |   name: elastic-agent-kubeadm-config
312 |   namespace: kube-system
313 |   labels:
314 |     k8s-app: elastic-agent
315 | rules:
316 |   - apiGroups: [""]
317 |     resources:
318 |       - configmaps
319 |     resourceNames:
320 |       - kubeadm-config
321 |     verbs: ["get"]
322 | ---
323 | apiVersion: v1
324 | kind: ServiceAccount
325 | metadata:
326 |   name: elastic-agent
327 |   namespace: kube-system
328 |   labels:
329 |     k8s-app: elastic-agent
330 | ---
331 | 
--------------------------------------------------------------------------------
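The DaemonSet above carries several settings a reviewer should consciously accept or change before deploying it: FLEET_INSECURE is "true", FLEET_ENROLLMENT_TOKEN and KIBANA_FLEET_PASSWORD are literals in the manifest, KIBANA_HOST is plaintext HTTP, /sys/kernel/debug and the agent state directory are writable hostPath mounts, and the boot, bpf, etc-passwd and etc-group volumes are declared but not mounted by the container. The script below is an added example, not part of the Elastic repository: it walks a parsed copy of the manifest (the dict that `yaml.safe_load` returns), reports each of those points with a severity, and rewrites the credential env entries as `secretKeyRef` references. The sample manifest dict is constructed inline from the values above so it runs offline; the Secret name `elastic-agent-fleet` and the severity labels are assumptions.

```python
"""Audit the Elastic Agent DaemonSet for settings a reviewer should question.

Added example, not part of the Elastic repository. It works on the dict that
yaml.safe_load() would return for the DaemonSet document; a trimmed copy of that
document is constructed inline (values copied from the manifest) so it runs
offline. With PyYAML installed, the same functions run over the real file via
yaml.safe_load_all().
"""

# Constructed sample: only the parts the checks look at (env, securityContext,
# volumeMounts, volumes). Names and values mirror the manifest above.
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "elastic-agent", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "elastic-agent",
            "securityContext": {"runAsUser": 0},
            "env": [
                {"name": "FLEET_ENROLL", "value": "1"},
                {"name": "FLEET_INSECURE", "value": "true"},
                {"name": "FLEET_URL", "value": "https://fleet-server:8220"},
                {"name": "FLEET_ENROLLMENT_TOKEN", "value": "token-id"},
                {"name": "KIBANA_HOST", "value": "http://kibana:5601"},
                {"name": "KIBANA_FLEET_USERNAME", "value": "elastic"},
                {"name": "KIBANA_FLEET_PASSWORD", "value": "changeme"},
                {"name": "NODE_NAME", "valueFrom": {"fieldRef": {"fieldPath": "spec.nodeName"}}},
            ],
            "volumeMounts": [
                {"name": "proc", "mountPath": "/hostfs/proc", "readOnly": True},
                {"name": "etc-full", "mountPath": "/hostfs/etc", "readOnly": True},
                {"name": "sys-kernel-debug", "mountPath": "/sys/kernel/debug"},
                {"name": "elastic-agent-state", "mountPath": "/usr/share/elastic-agent/state"},
            ],
        }],
        "volumes": [
            {"name": "proc", "hostPath": {"path": "/proc"}},
            {"name": "etc-full", "hostPath": {"path": "/etc"}},
            {"name": "sys-kernel-debug", "hostPath": {"path": "/sys/kernel/debug"}},
            {"name": "elastic-agent-state",
             "hostPath": {"path": "/var/lib/elastic-agent-managed/kube-system/state",
                          "type": "DirectoryOrCreate"}},
            {"name": "bpf", "hostPath": {"path": "/sys/fs/bpf"}},
        ],
    }}},
}

# Env vars whose values are credentials and belong in a Secret, not a literal.
CREDENTIAL_ENV = {"FLEET_ENROLLMENT_TOKEN", "KIBANA_FLEET_PASSWORD"}


def audit_daemonset(ds):
    """Return (severity, message) findings for one DaemonSet dict."""
    findings = []
    pod = ds["spec"]["template"]["spec"]
    # hostPath volumes by name, so a mount can be traced back to the host path it exposes
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    mounted = set()
    for c in pod["containers"]:
        if c.get("securityContext", {}).get("runAsUser") == 0:
            findings.append(("info", f"{c['name']} runs as root (runAsUser: 0)"))
        for e in c.get("env", []):
            name, value = e["name"], e.get("value")
            if name == "FLEET_INSECURE" and str(value).lower() == "true":
                findings.append(("high", "FLEET_INSECURE=true: Fleet Server TLS is not verified"))
            if name in CREDENTIAL_ENV and value is not None:
                findings.append(("high", f"{name} is a literal in the manifest; use a secretKeyRef"))
            if name in ("FLEET_URL", "KIBANA_HOST") and str(value).startswith("http://"):
                findings.append(("medium", f"{name} is plaintext HTTP: {value}"))
        for m in c.get("volumeMounts", []):
            mounted.add(m["name"])
            # a hostPath mount without readOnly: true lets the container write to the node
            if m["name"] in host_paths and not m.get("readOnly", False):
                findings.append(("medium",
                                 f"hostPath {host_paths[m['name']]} is mounted writable at {m['mountPath']}"))
    for name, path in host_paths.items():
        if name not in mounted:
            findings.append(("low", f"volume {name} ({path}) is declared but no container mounts it"))
    return findings


def to_secret_refs(env, secret_name):
    """Return a copy of env with literal credentials replaced by secretKeyRef entries."""
    out = []
    for e in env:
        if e["name"] in CREDENTIAL_ENV and "value" in e:
            out.append({"name": e["name"],
                        "valueFrom": {"secretKeyRef": {"name": secret_name, "key": e["name"]}}})
        else:
            out.append(dict(e))
    return out


if __name__ == "__main__":
    for severity, msg in audit_daemonset(SAMPLE_DAEMONSET):
        print(f"[{severity}] {msg}")
    env = SAMPLE_DAEMONSET["spec"]["template"]["spec"]["containers"][0]["env"]
    for e in to_secret_refs(env, "elastic-agent-fleet"):  # Secret name is an assumption
        if "secretKeyRef" in e.get("valueFrom", {}):
            print("env", e["name"], "-> secret", e["valueFrom"]["secretKeyRef"])
```

Not every finding is a defect: the manifest deliberately runs the agent as root and gives it a writable state directory, so those are there to be acknowledged rather than removed. The two to change before a production rollout are FLEET_INSECURE, which should only be "true" while Fleet Server still runs without a verifiable certificate, and the literal enrollment token and Kibana password, which `to_secret_refs` moves into a Secret so they no longer sit in the manifest and in `kubectl get daemonset -o yaml` output.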
