NM-304,362: MDM & EDR posture check integration#4064
Conversation
…r complaince check
|
Review Complete Files Reviewed: 43 By Severity:
PR introduces MDM integration providers (Intune, Jamf, JumpCloud, Iru), SIEM refactoring, and device posture checks. 12 findings identified including 3 high-severity issues: stale compliance state never cleared, host update path wipes MDM identifiers, and wrong provider snapshot used for posture evaluation. Files Reviewed (43 files) |
There was a problem hiding this comment.
Expand to see previous review
Risk: 🟠 High (78/100) — 2 high findings, 8 medium · 3735 LOC across 43 files
High-Severity Issues
Stale compliance state (sync.go) — The sync() function updates compliance status for matched devices but never clears it for devices no longer found at the provider, leaving hosts with stale compliance data indefinitely. HardwareUUID is also unused in the serial-number matching path.
Host update wipes MDM identifiers (logic/hosts.go:148) — The UpdateHost handler unconditionally overwrites DeviceID and PlatformInfo, destroying the MDM-to-host link on every unrelated host update.
Wrong provider snapshot (posture_check.go:356) — MDM state fallback logic can silently select a different provider's snapshot, causing posture evaluations to use incorrect compliance data.
Medium-Severity Issues
- TOCTOU race in sync rate-limiting (sync.go:40) — The rate-limit check is non-atomic, allowing concurrent sync operations to bypass the limiter.
- Jamf error handling (jamf.go:147,179) — HTTP status codes are checked after JSON decoding, making it impossible to distinguish network errors from legitimate error responses.
- Intune backup lookup (lookup.go:71) — The backup path hardcodes
Enrolled=truewithout verifying actual enrollment fields, producing false-positive device matches. - Authorization missing on posture endpoint (controllers/hosts.go:73) — The
/api/hosts/{hostid}/postureUI endpoint lacks host-level access control. - Error body leaks (iru.go:170, jumpcloud.go:263) — MDM provider Test endpoints leak raw upstream API error bodies to authenticated callers.
- Orphaned MDM rows (logic/hosts.go:362) — Deleting a host does not cascade-delete associated MDM device state rows.
- MDM list returns 500 for not-found (integrations.go:396) — Single-record lookups return HTTP 500 instead of 404 when no device state exists.
Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com>
NM-362: EDR integration
|
Review Complete Files Reviewed: 74 By Severity:
This large PR adds MDM/EDR posture compliance, host posture status API, and SIEM event export. Review found 4 high-severity issues including FQL injection in CrowdStrike integration, a broken host access control check, and EDR audit event omission, plus 7 medium-severity correctness and security issues. Files Reviewed (74 files) |
There was a problem hiding this comment.
Risk: 🟠 High (72/100) — 4 high findings, 6 medium · 7457 LOC across 74 files
Overview
This PR (74 files, ~8,500 diff lines) introduces MDM/EDR posture compliance evaluation, a host posture status API, and SIEM event export across 4 backend providers.
Critical Issues
- CrowdStrike FQL injection in
pro/integration/edr/crowdstrike/crowdstrike.go:157— attacker-controlled serial numbers interpolated directly into FQL filters without escaping, enabling EDR posture check bypass. - Broken access control in
pro/logic/security.go:297—CheckUIHostReadAccessaccepts a*schema.Hostparameter but never uses it, denying network-scoped users access to the posture status UI endpoint. - Silent EDR audit gap in
pro/logic/posture_check.go:888—emitNewMDMViolationEventsonly emits events for MDM violations; EDR failures are invisible in event logs. - Fail-open risk parsing in
pro/integration/edr/normalize.go:70— unknown/empty risk levels map to the lowest severity, silently bypassing EDR risk enforcement.
Medium-severity Issues
- Secret loss risk in
pro/controllers/integrations.go:550— EDR config unmarshal errors silently swallowed (unlike MDM), potentially replacing real secrets with masked values. - JumpCloud compliance bypass in
pro/integration/mdm/jumpcloud/compliance.go:14— empty policy results treated as compliant even when specific policies are configured. - SSRF via CrowdStrike test endpoint in
pro/integration/edr/config.go:99— lacks HTTPS enforcement present in other EDR providers. - Asymmetric MDM/EDR recovery in
controllers/hosts.go:1677-1714— MDM silently omits data on cache miss while EDR syncs and recovers; EDR hard-fails the entire response while MDM gracefully degrades. - SIEM retry inconsistency — only Datadog uses retryable HTTP; Elastic, Sentinel, Splunk lack retries.
- Legacy posture check regression in
pro/logic/posture_check.go:681— existing MDM/EDR checks with nil Config become uneditable after upgrade.
Recommendation
Fix the 4 high-severity issues before merge. The medium issues should be addressed in follow-up commits or tracked for vNext.
Co-authored-by: tenki-reviewer[bot] <262613592+tenki-reviewer[bot]@users.noreply.github.com>
Describe your changes
Provide Issue ticket number if applicable/not in title
Provide testing steps
Checklist before requesting a review