
NM-304,362: MDM & EDR posture check integration #4064

Merged: abhishek9686 merged 24 commits into develop from NM-304 on Jun 29, 2026

Conversation

@abhishek9686 (Member)

Describe your changes

Provide Issue ticket number if applicable/not in title

Provide testing steps

Checklist before requesting a review

  • My changes affect only 10 files or less.
  • I have performed a self-review of my code and tested it.
  • If it is a new feature, I have added thorough tests, my code is <= 1450 lines.
  • If it is a bugfix, my code is <= 200 lines.
  • My functions are <= 80 lines.
  • I have had my code reviewed by a peer.
  • My unit tests pass locally.
  • Netmaker is awesome.

tenki-reviewer Bot (Contributor) commented Jun 18, 2026

Review Complete

Files Reviewed: 43
Findings: 10

By Severity:

  • 🟠 High: 2
  • 🟡 Medium: 8

PR introduces MDM integration providers (Intune, Jamf, JumpCloud, Iru), SIEM refactoring, and device posture checks. 12 findings identified including 3 high-severity issues: stale compliance state never cleared, host update path wipes MDM identifiers, and wrong provider snapshot used for posture evaluation.

Files Reviewed (43 files)
controllers/hosts.go
controllers/server.go
logic/hosts.go
models/host.go
models/posture_status.go
models/structs.go
mq/handlers.go
pro/controllers/integrations.go
pro/controllers/posture_check.go
pro/initialize.go
pro/integration/mdm/active.go
pro/integration/mdm/config.go
pro/integration/mdm/errors.go
pro/integration/mdm/intune/intune.go
pro/integration/mdm/intune/intune_test.go
pro/integration/mdm/intune/lookup.go
pro/integration/mdm/iru/compliance.go
pro/integration/mdm/iru/compliance_test.go
pro/integration/mdm/iru/iru.go
pro/integration/mdm/jamf/compliance.go
pro/integration/mdm/jamf/compliance_test.go
pro/integration/mdm/jamf/jamf.go
pro/integration/mdm/jumpcloud/compliance.go
pro/integration/mdm/jumpcloud/compliance_test.go
pro/integration/mdm/jumpcloud/jumpcloud.go
pro/integration/mdm/lookup.go
pro/integration/mdm/registry.go
pro/integration/mdm/sync.go
pro/integration/mdm/sync_test.go
pro/integration/mdm_provider.go
pro/integration/providers.go
pro/integration/siem/client.go
pro/integration/siem/datadog.go
pro/integration/siem/elastic.go
pro/integration/siem/sentinel.go
pro/integration/siem/splunk.go
pro/logic/posture_check.go
pro/logic/posture_check_mdm_test.go
schema/event.go
schema/hosts.go
schema/mdm_device_state.go
schema/models.go
schema/posture_check.go

tenki-reviewer Bot (Contributor) left a review comment

Risk: 🟠 High (78/100) — 2 high findings, 8 medium · 3735 LOC across 43 files


High-Severity Issues

Stale compliance state (sync.go) — The sync() function updates compliance status for matched devices but never clears it for devices no longer found at the provider, leaving hosts with stale compliance data indefinitely. HardwareUUID is also unused in the serial-number matching path.

Host update wipes MDM identifiers (logic/hosts.go:148) — The UpdateHost handler unconditionally overwrites DeviceID and PlatformInfo, destroying the MDM-to-host link on every unrelated host update.

Wrong provider snapshot (posture_check.go:356) — MDM state fallback logic can silently select a different provider's snapshot, causing posture evaluations to use incorrect compliance data.

Medium-Severity Issues

  • TOCTOU race in sync rate-limiting (sync.go:40) — The rate-limit check is non-atomic, allowing concurrent sync operations to bypass the limiter.
  • Jamf error handling (jamf.go:147,179) — HTTP status codes are checked after JSON decoding, making it impossible to distinguish network errors from legitimate error responses.
  • Intune backup lookup (lookup.go:71) — The backup path hardcodes Enrolled=true without verifying actual enrollment fields, producing false-positive device matches.
  • Authorization missing on posture endpoint (controllers/hosts.go:73) — The /api/hosts/{hostid}/posture UI endpoint lacks host-level access control.
  • Error body leaks (iru.go:170, jumpcloud.go:263) — MDM provider Test endpoints leak raw upstream API error bodies to authenticated callers.
  • Orphaned MDM rows (logic/hosts.go:362) — Deleting a host does not cascade-delete associated MDM device state rows.
  • MDM list returns 500 for not-found (integrations.go:396) — Single-record lookups return HTTP 500 instead of 404 when no device state exists.

Inline comment threads:

  • pro/integration/mdm/sync.go
  • pro/integration/mdm/sync.go (outdated)
  • pro/integration/mdm/jamf/jamf.go (outdated)
  • pro/integration/mdm/jamf/jamf.go (outdated)
  • pro/integration/mdm/intune/lookup.go
  • controllers/hosts.go
  • pro/controllers/integrations.go
  • pro/logic/posture_check.go (outdated)
  • pro/integration/mdm/iru/iru.go (outdated)
  • pro/integration/mdm/jumpcloud/jumpcloud.go (outdated)
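The review above flags a TOCTOU race in the sync rate limiter: the "last sync was long enough ago" check and the "sync starts now" record are separate steps, so two concurrent syncs can both pass the check. The Go block below is an added example, not Netmaker's code, and uses hypothetical names (SyncLimiter, TryAcquire, Release, Stampede). It does the check and the record under a single lock, tracks in-flight syncs so overlapping runs are serialized, and includes a stampede helper that fires many concurrent callers to show that exactly one is admitted.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// SyncLimiter is a hypothetical per-provider rate limiter (example code, not
// Netmaker's own). The check ("no sync in flight and the last one started at
// least minGap ago") and the record ("this sync starts now") happen under a
// single lock, so there is no window between them for a second caller to
// slip through.
type SyncLimiter struct {
	mu       sync.Mutex
	minGap   time.Duration
	lastSync map[string]time.Time
	inFlight map[string]bool
}

func NewSyncLimiter(minGap time.Duration) *SyncLimiter {
	return &SyncLimiter{
		minGap:   minGap,
		lastSync: make(map[string]time.Time),
		inFlight: make(map[string]bool),
	}
}

// TryAcquire reports whether a sync for providerID may start at time now.
// When it returns true the sync has already been recorded as in flight,
// before the lock is released.
func (l *SyncLimiter) TryAcquire(providerID string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.inFlight[providerID] {
		return false
	}
	if last, ok := l.lastSync[providerID]; ok && now.Sub(last) < l.minGap {
		return false
	}
	l.lastSync[providerID] = now
	l.inFlight[providerID] = true
	return true
}

// Release marks the sync as finished; the next attempt is still bound by minGap.
func (l *SyncLimiter) Release(providerID string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.inFlight, providerID)
}

// Stampede fires n concurrent TryAcquire calls for one provider at the same
// timestamp and returns how many were admitted. With check-and-record under
// one lock the answer is exactly 1; a non-atomic check can admit several.
func Stampede(l *SyncLimiter, providerID string, n int) int {
	var wg sync.WaitGroup
	var countMu sync.Mutex
	admitted := 0
	now := time.Now()
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if l.TryAcquire(providerID, now) {
				countMu.Lock()
				admitted++
				countMu.Unlock()
			}
		}()
	}
	wg.Wait()
	return admitted
}

func main() {
	l := NewSyncLimiter(30 * time.Second)
	fmt.Println("admitted out of 100 concurrent callers:", Stampede(l, "intune", 100))
	l.Release("intune")
	fmt.Println("retry inside the gap admitted:", l.TryAcquire("intune", time.Now()))
}
```

The point is that admission is decided and recorded in one critical section; a caller that wins the lock leaves state behind that every later caller sees before it decides. Running the stampede under `go test -race` is a cheap way to confirm the limiter stays atomic as it is refactored.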
abhishek9686 changed the title from "NM-304: MDM posture check integration" to "NM-304,362: MDM & EDR posture check integration" on Jun 26, 2026
@abhishek9686 (Member, Author) commented:

@tenki-reviewer

tenki-reviewer Bot (Contributor) commented Jun 26, 2026

Review Complete

Files Reviewed: 74
Findings: 10

By Severity:

  • 🟠 High: 4
  • 🟡 Medium: 6

This large PR adds MDM/EDR posture compliance, host posture status API, and SIEM event export. Review found 4 high-severity issues including FQL injection in CrowdStrike integration, a broken host access control check, and EDR audit event omission, plus 7 medium-severity correctness and security issues.

Files Reviewed (74 files)
auth/host_session.go
controllers/enrollmentkeys.go
controllers/hosts.go
controllers/middleware.go
controllers/server.go
logic/hosts.go
models/api_host.go
models/host.go
models/posture_status.go
models/structs.go
mq/handlers.go
pro/controllers/integrations.go
pro/controllers/posture_check.go
pro/initialize.go
pro/integration/edr/active.go
pro/integration/edr/config.go
pro/integration/edr/config_wazuh_test.go
pro/integration/edr/crowdstrike/crowdstrike.go
pro/integration/edr/crowdstrike/crowdstrike_test.go
pro/integration/edr/defender/defender.go
pro/integration/edr/defender/defender_test.go
pro/integration/edr/errors.go
pro/integration/edr/lookup.go
pro/integration/edr/normalize.go
pro/integration/edr/normalize_test.go
pro/integration/edr/registry.go
pro/integration/edr/sentinelone/sentinelone.go
pro/integration/edr/sentinelone/sentinelone_test.go
pro/integration/edr/sync.go
pro/integration/edr/sync_host.go
pro/integration/edr/sync_host_id.go
pro/integration/edr/sync_test.go
pro/integration/edr/wazuh/wazuh.go
pro/integration/edr/wazuh/wazuh_test.go
pro/integration/edr_provider.go
pro/integration/mdm/active.go
pro/integration/mdm/config.go
pro/integration/mdm/errors.go
pro/integration/mdm/intune/intune.go
pro/integration/mdm/intune/intune_test.go
pro/integration/mdm/intune/lookup.go
pro/integration/mdm/iru/compliance.go
pro/integration/mdm/iru/compliance_test.go
pro/integration/mdm/iru/iru.go
pro/integration/mdm/iru/iru_test.go
pro/integration/mdm/jamf/compliance.go
pro/integration/mdm/jamf/compliance_test.go
pro/integration/mdm/jamf/jamf.go
pro/integration/mdm/jumpcloud/compliance.go
pro/integration/mdm/jumpcloud/compliance_test.go
pro/integration/mdm/jumpcloud/jumpcloud.go
pro/integration/mdm/lookup.go
pro/integration/mdm/registry.go
pro/integration/mdm/sync.go
pro/integration/mdm/sync_host.go
pro/integration/mdm/sync_test.go
pro/integration/mdm_provider.go
pro/integration/providers.go
pro/integration/siem/client.go
pro/integration/siem/datadog.go
pro/integration/siem/elastic.go
pro/integration/siem/sentinel.go
pro/integration/siem/splunk.go
pro/logic/posture_check.go
pro/logic/posture_check_edr_test.go
pro/logic/posture_check_mdm_test.go
pro/logic/security.go
schema/device_edr_state.go
schema/event.go
schema/hosts.go
schema/mdm_device_state.go
schema/models.go
schema/posture_check.go
swagger.yaml

tenki-reviewer Bot (Contributor) left a review comment

Risk: 🟠 High (72/100) — 4 high findings, 6 medium · 7457 LOC across 74 files


Overview

This PR (74 files, ~8,500 diff lines) introduces MDM/EDR posture compliance evaluation, a host posture status API, and SIEM event export across 4 backend providers.

Critical Issues

  • CrowdStrike FQL injection in pro/integration/edr/crowdstrike/crowdstrike.go:157 — attacker-controlled serial numbers interpolated directly into FQL filters without escaping, enabling EDR posture check bypass.
  • Broken access control in pro/logic/security.go:297 — CheckUIHostReadAccess accepts a *schema.Host parameter but never uses it, denying network-scoped users access to the posture status UI endpoint.
  • Silent EDR audit gap in pro/logic/posture_check.go:888 — emitNewMDMViolationEvents only emits events for MDM violations; EDR failures are invisible in event logs.
  • Fail-open risk parsing in pro/integration/edr/normalize.go:70 — unknown/empty risk levels map to the lowest severity, silently bypassing EDR risk enforcement.

Medium-severity Issues

  • Secret loss risk in pro/controllers/integrations.go:550 — EDR config unmarshal errors silently swallowed (unlike MDM), potentially replacing real secrets with masked values.
  • JumpCloud compliance bypass in pro/integration/mdm/jumpcloud/compliance.go:14 — empty policy results treated as compliant even when specific policies are configured.
  • SSRF via CrowdStrike test endpoint in pro/integration/edr/config.go:99 — lacks HTTPS enforcement present in other EDR providers.
  • Asymmetric MDM/EDR recovery in controllers/hosts.go:1677-1714 — MDM silently omits data on cache miss while EDR syncs and recovers; EDR hard-fails the entire response while MDM gracefully degrades.
  • SIEM retry inconsistency — only Datadog uses retryable HTTP; Elastic, Sentinel, Splunk lack retries.
  • Legacy posture check regression in pro/logic/posture_check.go:681 — existing MDM/EDR checks with nil Config become uneditable after upgrade.

Recommendation

Fix the 4 high-severity issues before merge. The medium issues should be addressed in follow-up commits or tracked for vNext.

Inline comment threads:

  • pro/integration/edr/crowdstrike/crowdstrike.go (outdated)
  • pro/logic/posture_check.go
  • pro/logic/security.go
  • pro/controllers/integrations.go
  • pro/integration/edr/normalize.go
  • pro/integration/mdm/jumpcloud/compliance.go
  • pro/integration/edr/config.go (outdated)
  • controllers/hosts.go
  • controllers/hosts.go
  • pro/logic/posture_check.go
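The highest-severity finding in the review above is a host-reported serial number being interpolated directly into an EDR query filter. The Go block below is an added example, not Netmaker's or CrowdStrike's code: it shows the unsafe string-building shape next to a hardened version that validates the serial against a strict allowlist before it is placed in the filter, and a fail-closed lookup wrapper. All names (SafeSerialFilter, EDRLookup, ConstructedQuery, the inventory map) and the allowlist pattern are assumptions; rejecting unexpected characters is used instead of escaping because the query grammar's escaping rules are not part of the page.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// serialPattern is a constructed allowlist for device serial numbers as they
// appear in hardware inventories: letters, digits, dot, dash and underscore.
// Anything else is rejected outright rather than escaped: in a filter grammar
// the quote, colon and operator characters are syntax, and a value that is
// not a plain serial has no business reaching the provider.
var serialPattern = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)

var ErrInvalidSerial = errors.New("serial number contains characters not allowed in a filter value")

// UnsafeSerialFilter is the shape the review flagged: the host-reported serial
// is interpolated straight into the filter, so the host decides what the
// query says.
func UnsafeSerialFilter(serial string) string {
	return fmt.Sprintf("serial_number:'%s'", serial)
}

// SafeSerialFilter validates the value first, so the returned filter can only
// ever be a single equality term on a literal serial number.
func SafeSerialFilter(serial string) (string, error) {
	if !serialPattern.MatchString(serial) {
		return "", ErrInvalidSerial
	}
	return fmt.Sprintf("serial_number:'%s'", serial), nil
}

// EDRLookup models the posture-check path. query stands in for the provider
// call (hypothetical). A serial that fails validation never reaches the
// provider and is reported as an error, so the posture check fails closed
// instead of running a caller-shaped query.
func EDRLookup(serial string, query func(filter string) (bool, error)) (bool, error) {
	filter, err := SafeSerialFilter(serial)
	if err != nil {
		return false, err
	}
	return query(filter)
}

// constructedInventory stands in for the EDR tenant: one enrolled serial.
var constructedInventory = map[string]bool{"C02XYZ123ABC": true}

// ConstructedQuery answers from the constructed inventory and only recognises
// a single-term filter on a literal serial, as a strict provider would.
func ConstructedQuery(filter string) (bool, error) {
	for serial, enrolled := range constructedInventory {
		if enrolled && filter == "serial_number:'"+serial+"'" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	found, err := EDRLookup("C02XYZ123ABC", ConstructedQuery)
	fmt.Println("enrolled serial:", found, err)
	found, err = EDRLookup("C02 XYZ'", ConstructedQuery)
	fmt.Println("malformed serial:", found, err)
	found, err = EDRLookup("UNKNOWN-1", ConstructedQuery)
	fmt.Println("unknown serial:", found, err)
}
```

A host that reports a serial outside the allowlist ends up as "not found" with an error, which is the correct outcome for a posture gate: the device is not treated as enrolled, and the rejected value is a useful signal to log against the host rather than something to pass through.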
Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com>
@abhishek9686 abhishek9686 merged commit b9ffd4f into develop Jun 29, 2026
5 checks passed