Agent tamper protection (#4232)

* First draft - Creates new page for feature - Reorganizes related pages in nav - Adds section to What's New * Li'l edit * Add content for uninstall page * Add item to release notes * Add Agent version rerquirement * Apply suggestions from Nastasha's review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit 2229f98)
elastic · Nov 10, 2023 · a57fb9f · a57fb9f
1 parent d15bf7c
commit a57fb9f
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 5 deletions.
diff --git a/docs/getting-started/agent-tamper-protection.asciidoc b/docs/getting-started/agent-tamper-protection.asciidoc
@@ -0,0 +1,47 @@
+[[agent-tamper-protection]]
+= Prevent {agent} uninstallation
+
+For hosts enrolled in {elastic-defend}, you can prevent unauthorized attempts to uninstall {agent} and {elastic-endpoint} by enabling *Agent tamper protection* on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling {elastic-defend}'s endpoint protections. 
+
+When enabled, {agent} and {elastic-endpoint} can only be uninstalled on the host by including an uninstall token in the uninstall CLI command. One unique uninstall token is generated per Agent policy, and you can retrieve uninstall tokens in an Agent policy's settings or in the {fleet} UI.
+
+.Requirements
+[sidebar]
+--
+* Agent tamper protection requires a https://www.elastic.co/pricing[Platinum or higher subscription]. 
+
+* Hosts must be enrolled in the {elastic-defend} integration.
+
+* {agent}s must be version 8.11.0 or later.
+--
+
+[role="screenshot"]
+image::images/agent-tamper-protection.png[Agent tamper protection setting highlighted on Agent policy settings page]
+
+[discrete]
+[[enable-agent-tamper-protection]]
+== Enable Agent tamper protection
+
+You can enable Agent tamper protection by configuring the {agent} policy.
+
+. Go to *{fleet}* -> *Agent policies*, then select the Agent policy you want to configure.
+. Select the *Settings* tab on the policy details page.
+. In the *Agent tamper protection* section, turn on the *Prevent agent tampering* setting.
++
+This makes the *Get uninstall command* link available, which you can follow to get the uninstall token and CLI command if you need to <<uninstall-agent,uninstall an Agent>> on this policy.
++
+TIP: You can also access an Agent policy's uninstall tokens on the *Uninstall tokens* tab on the *{fleet}* page. Refer to <<fleet-uninstall-tokens>> for more information.
+. Select *Save changes*.
+
+[discrete]
+[[fleet-uninstall-tokens]]
+== Access uninstall tokens
+
+If you need the uninstall token to remove {agent} from a endpoint, you can find it in several ways:
+
+* *On the Agent policy* — Go to the Agent policy's *Settings* tab, then click the *Get uninstall command* link. The *Uninstall agent* flyout opens, containing the full uninstall command with the token.
+
+* *On the {fleet} page* — Go to *{fleet}* -> *Uninstall tokens* for a list of the uninstall tokens generated for your Agent policies. You can:
+
+** Click the *Show token* icon in the *Token* column to reveal a specific token.
+** Click the *View uninstall command* icon in the *Actions* column to open the *Uninstall agent* flyout, containing the full uninstall command with the token.
diff --git a/docs/getting-started/images/agent-tamper-protection.png b/docs/getting-started/images/agent-tamper-protection.png
diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc
@@ -20,6 +20,9 @@ include::security-spaces.asciidoc[leveloffset=+1]
 include::data-views-in-sec.asciidoc[leveloffset=+1]
 include::ingest-data.asciidoc[leveloffset=+1]
 include::install-endpoint.asciidoc[leveloffset=+1]
+include::agent-tamper-protection.asciidoc[leveloffset=+2]
+include::uninstall-agent.asciidoc[leveloffset=+2]
+include::uninstall-endpoint.asciidoc[leveloffset=+2]
 include::elastic-endpoint-reqs.asciidoc[leveloffset=+1]
 include::install-elastic-endpoint.asciidoc[leveloffset=+2]
 include::install-elastic-endpoint-ven.asciidoc[leveloffset=+2]
@@ -32,5 +35,3 @@ include::linux-file-monitoring.asciidoc[leveloffset=+2]
 include::create-defend-policy-api.asciidoc[leveloffset=+2]
 include::threat-intel-integrations.asciidoc[leveloffset=+1]
 include::advanced-setting.asciidoc[leveloffset=+1]
-include::uninstall-agent.asciidoc[leveloffset=+1]
-include::uninstall-endpoint.asciidoc[leveloffset=+1]
diff --git a/docs/getting-started/uninstall-agent.asciidoc b/docs/getting-started/uninstall-agent.asciidoc
@@ -1,4 +1,13 @@
 [[uninstall-agent]]
 = Uninstall {agent}
 
-This page is a placeholder for future documentation.
+To uninstall {agent} from a host, run the `uninstall` command from the directory where it's running. Refer to the {fleet-guide}/uninstall-elastic-agent.html[{fleet} and {agent} documentation] for more information.
+
+If <<agent-tamper-protection,Agent tamper protection>> is enabled on the Agent policy for the host, you'll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can <<fleet-uninstall-tokens,find the uninstall token>> on the Agent policy or at *{fleet}* -> *Uninstall tokens*.
+
+For example, to uninstall {agent} on a macOS or Linux host:
+
+[source,shell]
+----------------------------------
+sudo elastic-agent uninstall --uninstall-token 12345678901234567890123456789012
+----------------------------------
diff --git a/docs/getting-started/uninstall-endpoint.asciidoc b/docs/getting-started/uninstall-endpoint.asciidoc
@@ -1,7 +1,7 @@
 [[uninstall-endpoint]]
-= Uninstall an endpoint
+= Uninstall {elastic-endpoint}
 
-Use these commands to uninstall an endpoint **ONLY** if {fleet-guide}/uninstall-elastic-agent.html[uninstalling an {agent}] is unsuccessful.
+Use these commands to uninstall {elastic-endpoint} from a host **ONLY** if {fleet-guide}/uninstall-elastic-agent.html[uninstalling an {agent}] is unsuccessful.
 
 Windows
 

diff --git a/docs/release-notes/8.11.asciidoc b/docs/release-notes/8.11.asciidoc
@@ -38,6 +38,7 @@
 * Introduces full support for {elastic-endpoint} on macOS Sonoma (https://github.com/elastic/endpoint-dev/issues/13058[#13058]).
 * Updates {elastic-defend} to support AlmaLinux 9 and Rocky Linux 9 (https://github.com/elastic/endpoint-dev/pull/13613[#13613]).
 * Adds a new optional parameter to {elastic-endpoint}'s `top` command. The `--limit` parameter specifies how many times to refresh the command's output before a graceful exit (https://github.com/elastic/endpoint-dev/pull/13608[#13608]).
+* Adds Agent tamper protection for {elastic-defend}, which prevents unauthorized attempts to uninstall {agent} and {elastic-endpoint} from a host (https://github.com/elastic/endpoint-dev/pull/12997[#12997]).
 
 [discrete]
 [[enhancements-8.11.0]]

diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc
@@ -93,4 +93,15 @@ The page where you create and manage case connectors has been renamed to Setting
 [role="screenshot"]
 image::whats-new/images/8.11/cases-settings.png[The case settings page]
 
+[float]
+== Agent tamper protection with {elastic-defend}
+
+For hosts enrolled in {elastic-defend}, you can prevent unauthorized attempts to uninstall {agent} and {elastic-endpoint} by enabling *Agent tamper protection* on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling {elastic-defend}'s endpoint protections. 
+
+When enabled, {agent} and {elastic-endpoint} can only be uninstalled on the host by including the policy's generated uninstall token in the uninstall CLI command.
+
+[role="screenshot"]
+image::whats-new/images/8.11/agent-tamper-protection.png[Agent tamper protection setting highlighted on Agent policy settings page]
+
+
 // end::notable-highlights[]
diff --git a/docs/whats-new/images/8.11/agent-tamper-protection.png b/docs/whats-new/images/8.11/agent-tamper-protection.png