
[Osquery] Add support for osquery pack integration assets #128109

Conversation

patrykkopycinski (Contributor)

Summary

Add prebuilt packs from https://github.com/osquery/osquery/tree/master/packs
Migrate Filebeat Osquery module dashboard to fit into the new integration data structure
Integration PR elastic/integrations#2851


@patrykkopycinski patrykkopycinski added release_note:enhancement Team:Asset Management Security Asset Management Team Feature:Osquery Security Solution Osquery feature v8.2.0 labels Mar 18, 2022
@patrykkopycinski patrykkopycinski requested review from a team as code owners March 18, 2022 22:00
@patrykkopycinski patrykkopycinski self-assigned this Mar 18, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-asset-management (Team:Asset Management)

@botelastic botelastic bot added the Team:Fleet Team label for Observability Data Collection Fleet team label Mar 18, 2022
@elasticmachine (Contributor)

Pinging @elastic/fleet (Team:Fleet)

@Bamieh Bamieh (Member) left a comment

Core changes are only 1 file related to testing. LGTM 👍 Thanks for using i18n across the whole PR :)

@james-elastic james-elastic left a comment

🌞 👍

@joshdover joshdover (Contributor) left a comment

We need to update Fleet's API integration tests to ensure that these asset types are correctly installed. Changes needed:

  • Add some osquery-pack-asset objects to the "all_assets" test package: x-pack/test/fleet_api_integration/apis/fixtures/test_packages/all_assets
  • Update the test file with assertions that the expected packs are installed and uninstalled in x-pack/test/fleet_api_integration/apis/epm/install_remove_assets.ts

@patrykkopycinski (Contributor, Author)

@elasticmachine merge upstream

@patrykkopycinski patrykkopycinski requested a review from a team as a code owner March 23, 2022 15:11
@patrykkopycinski patrykkopycinski requested review from a team as code owners March 23, 2022 15:11
@jbudz jbudz (Member) left a comment

kibana-docker LGTM

@patrykkopycinski patrykkopycinski force-pushed the feat/osquery-manager-prebuilt-packs branch from 022ae12 to 19d3808 Compare March 23, 2022 15:14
@patrykkopycinski patrykkopycinski removed request for a team March 23, 2022 15:14
@patrykkopycinski (Contributor, Author)

@elasticmachine merge upstream

@patrykkopycinski (Contributor, Author)

Thank you for the review @joshdover. Please let me know if I have followed that properly 🙂

@joshdover joshdover (Contributor) left a comment

Thanks for making those changes. I think we still need one more assertion in install_remove_assets.ts. Specifically there should be an assertion that the objects are deleted around here: https://github.com/elastic/kibana/blob/35775c91572ac434f22e9e23d166f48f6f46a7ed/x-pack/test/fleet_api_integration/apis/epm/install_remove_assets.ts#L205

After that this should be good to go.

@patrykkopycinski (Contributor, Author)

@joshdover 🟢 ? :)

@kibana-ci (Collaborator)

💛 Build succeeded, but was flaky

Test Failures

  • [job] [logs] Default CI Group #18 / apis Machine Learning filters get_filters should return 400 if filterId does not exist

Metrics
Module Count

Fewer modules leads to a faster build time

id before after diff
osquery 253 260 +7

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
osquery 951.8KB 954.9KB +3.1KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
fleet 110.2KB 110.4KB +197.0B

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

id                  before  after  diff
osquery-pack        14      15     +1
osquery-pack-asset  -       10     +10
total                              +11

Unknown metric groups

ESLint disabled line counts

id before after diff
osquery 121 122 +1

Total ESLint disabled count

id before after diff
osquery 126 127 +1


@patrykkopycinski patrykkopycinski merged commit 5a3faca into elastic:main Mar 24, 2022
@patrykkopycinski patrykkopycinski deleted the feat/osquery-manager-prebuilt-packs branch March 28, 2022 07:59