From 1026b1e1dccedff18132e6b522faa2f5eeadff5c Mon Sep 17 00:00:00 2001 From: davidga Date: Tue, 15 Nov 2022 18:28:19 +0200 Subject: [PATCH] update checkpoint to openappsec --- nodes/orchestration/package/cp-nano-cli.sh | 93 ++++++++++++++----- .../package/local-default-policy.yaml | 6 -- .../package/orchestration_package.sh | 3 +- 3 files changed, 73 insertions(+), 29 deletions(-) diff --git a/nodes/orchestration/package/cp-nano-cli.sh b/nodes/orchestration/package/cp-nano-cli.sh index d590a02..e854e0c 100755 --- a/nodes/orchestration/package/cp-nano-cli.sh +++ b/nodes/orchestration/package/cp-nano-cli.sh @@ -5,7 +5,7 @@ LOG_FILE_PATH="/var/log" INIT_D_PATH="/etc/init.d" USR_LIB_PATH="/usr/lib" USR_SBIN_PATH="/usr/sbin" -CP_NANO_CTL="cpnano" +CP_NANO_CTL="open-appsec-ctl" BIN_PATH="bin" CP_NANO_BASE64="cpnano_base64" INSTALL_DIR_INDEX=1 @@ -27,7 +27,7 @@ var_default_fog_address="i2-agents.cloud.ngen.checkpoint.com/" var_default_gem_fog_address="inext-agents.cloud.ngen.checkpoint.com" var_default_us_fog_address="inext-agents-us.cloud.ngen.checkpoint.com" -#NOTE: cpnano only supports nano services with name of the format cp-nano- +#NOTE: open-appsec-ctl only supports nano services with name of the format cp-nano- cp_nano_service_name_prefix="cp-nano" cp_nano_conf_suffix="conf.json" @@ -264,7 +264,11 @@ usage() set_public_key="-pk, --set-public-key " set_traffic_recording_policy_option="-tr, --traffic-recording-policy " print_metrics_option="-pm, --print-metrics " - + view_policy_option="-vp, --view-policy [policy-file]" + edit_policy_option="-ep, --edit-policy [policy-file]" + apply_policy_option="-ap, --apply-policy [policy-file]" + list_policy_option="-lp, --list-policies" + view_logs_option="-vl, --view-logs" # Padding makes each comment to start a specific index, increase 'line_padding' when option length is bigger than pedding. line_padding=' ' echo "Options:" 
@@ -275,16 +279,21 @@ usage() printf "%s %s : Start a service previously stopped\n" "$start_service_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#start_service_option})))")" printf "%s %s : Stop service\n" "$stop_service_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#stop_service_option})))")" printf "%s %s : Uninstall agent\n" "$uninstall_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#uninstall_option})))")" - printf "%s %s : Load configuration\n" "$load_config_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#load_config_option})))")" - printf "%s %s : Set proxy\n" "$proxy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#proxy_option})))")" - printf "%s %s : Display configuration\n" "$display_config_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#display_config_option})))")" - printf "%s %s : Create open-appsec agent info\n" "$cp_agent_info_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#cp_agent_info_option})))")" - printf "%s %s : Display current policy\n" "$display_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#display_policy_option})))")" - printf "%s %s : Load gradual policy\n" "$set_gradual_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_gradual_policy_option})))")" - printf "%s %s : Remove gradual policy\n" "$delete_gradual_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#delete_gradual_policy_option})))")" - printf "%s %s : Set the SSL certificate's public key file path (PEM format)\n" "$set_public_key" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_public_key})))")" - printf "%s %s : Set traffic 
recording policy\n" "$set_traffic_recording_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_traffic_recording_policy_option})))")" - printf "%s %s : Print metrics report\n" "$print_metrics_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#print_metrics_option})))")" + printf "%s %s : Open a policy file as read only\n" "$view_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#view_policy_option})))")" + printf "%s %s : Open and edit a policy file\n" "$edit_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#edit_policy_option})))")" + printf "%s %s : Apply a new policy file\n" "$apply_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#apply_policy_option})))")" + printf "%s %s : View list of used policy files\n" "$list_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#list_policy_option})))")" + printf "%s %s : View security logs\n" "$view_logs_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#view_logs_option})))")" + # printf "%s %s : Load configuration\n" "$load_config_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#load_config_option})))")" + # printf "%s %s : Set proxy\n" "$proxy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#proxy_option})))")" + # printf "%s %s : Display configuration\n" "$display_config_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#display_config_option})))")" + # printf "%s %s : Create open-appsec agent info\n" "$cp_agent_info_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#cp_agent_info_option})))")" + # printf "%s %s : Display current policy\n" "$display_policy_option" "$(printf 
"%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#display_policy_option})))")" + # printf "%s %s : Load gradual policy\n" "$set_gradual_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_gradual_policy_option})))")" + # printf "%s %s : Remove gradual policy\n" "$delete_gradual_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#delete_gradual_policy_option})))")" + # printf "%s %s : Set the SSL certificate's public key file path (PEM format)\n" "$set_public_key" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_public_key})))")" + # printf "%s %s : Set traffic recording policy\n" "$set_traffic_recording_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_traffic_recording_policy_option})))")" + # printf "%s %s : Print metrics report\n" "$print_metrics_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#print_metrics_option})))")" exit 255 } @@ -556,10 +565,10 @@ run_update_gradual_policy() # Initials - rugp rugp_service_name=$1 shift - rugp_gp_usage="Usage: cpnano -gp|--set-gradual-policy [access-control|http-manager] " + rugp_gp_usage="Usage: open-appsec-ctl -gp|--set-gradual-policy [access-control|http-manager] " rugp_success_message="Gradual policy for $rugp_service_name was set successfully" if [ "$rugp_mod" = "delete" ]; then - rugp_gp_usage="Usage: cpnano -dg|--delete-gradual-policy [access-control|http-manager]" + rugp_gp_usage="Usage: open-appsec-ctl -dg|--delete-gradual-policy [access-control|http-manager]" rugp_success_message="Gradual policy for $rugp_service_name was deleted successfully" fi 
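Review bot: The new help text in usage() presents `-ap, --apply-policy` as "Apply a new policy file", but the run() hunk of this same patch answers that option with "Error: This option is not yet supported" and exits 1. Either leave the line out of the help until the option works or say so in the text, e.g. `: Apply a new policy file (not yet supported)`. The older options are commented out of the help rather than removed; if their handlers in run() are still live (not visible in this hunk) they become undocumented switches on a control script that is installed with mode 700. A one-line comment above them such as `# hidden from help, handlers still active` (or deleting the lines if the options are gone) would make the intent clear. usage() starts outside the hunk.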
@@ -621,7 +630,7 @@ run_update_gradual_policy() # Initials - rugp run_set_traffic_recording_policy() # Initials - rstrp { if [ "$1" != "off" ] && [ "$1" != "req_hdr" ] && [ "$1" != "req_body" ] && [ "$1" != "resp_hdr" ] && [ "$1" != "resp_body" ]; then - printf "Error: Could not set up traffic recording.\nUsage: cpnano <-tr|--traffic-recording> \n" + printf "Error: Could not set up traffic recording.\nUsage: open-appsec-ctl <-tr|--traffic-recording> \n" exit 1 fi 
@@ -916,11 +925,30 @@ run_status() # Initials - rs if echo "$rs_orch_status" | grep -q "update status"; then rs_line_count=$(echo "$rs_orch_status" | grep -c '^') - echo "$rs_orch_status" | sed -r "${rs_line_count},${rs_line_count}d; "' 1,1d; s/^\s*//g; s/^\n//g; s/\"//g; s/\\n/\n/g; s/\,//g' + rs_policy_load_time="$(echo "${rs_orch_status}" | grep "Last policy update"| sed "s|\"||g" | sed "s|,||g")" + + rs_temp_old_status=$(echo "$rs_orch_status" | sed -r "${rs_line_count},${rs_line_count}d; "' 1,1d; s/^\s*//g; s/^\n//g; s/\"//g; s/\\n/\n/g; s/\,//g') else - sed 's/{//g' <${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestrations_status.json | sed 's/}//g' | sed 's/"//g' | sed 's/,//g' | sed -r '/^\s*$/d' | sed -r 's/^ //g' + rs_temp_old_status=$(sed 's/{//g' <${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestrations_status.json | sed 's/}//g' | sed 's/"//g' | sed 's/,//g' | sed -r '/^\s*$/d' | sed -r 's/^ //g') + rs_policy_load_time="$(cat /etc/cp/conf/orchestrations_status.json | grep "Last policy update" | sed "s|\"||g" | sed "s|,||g")" fi + if [ -n "$(cat /etc/cp/conf/agent_details.json | grep "hybrid_mode")" ]; then + rs_mgmt_mode_text="Local managment" + else + rs_mgmt_mode_text="Cloud managment" + fi + echo "Managment mode: ${rs_mgmt_mode_text}" + echo "Policy files: " + echo " /etc/cp/conf/local_policy.yaml" + + if [ -n "$(echo ${rs_temp_old_status} | grep "Last update status" | grep "Fail")" ]; then + rs_policy_load_status="Error" + else + rs_policy_load_status="Success" + fi + echo "Policy load status: ${rs_policy_load_status}" + echo ${rs_policy_load_time} echo "" for service in $all_services; do 
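Review bot: The added block in run_status() prints `Policy load status: Success` whenever no "Last update status" line containing "Fail" is found, so an empty, missing or unreadable status file is reported as a successful policy load. The same block reads `/etc/cp/conf/orchestrations_status.json` and `/etc/cp/conf/agent_details.json` directly, while the else-branch just above uses `${FILESYSTEM_PATH}/$cp_nano_conf_location`; on an install under another prefix the checks would read the wrong files (assuming the default prefix resolves to /etc/cp). I would resolve the directory once, report an explicit "Unknown" state when no status line is present, and quote the expansions passed to echo, as sketched below. Within this hunk the status text that used to be printed is now only captured in `rs_temp_old_status`; confirm it is still shown to the operator, since run_status() continues outside the hunk.

```shell
rs_conf_dir="${FILESYSTEM_PATH}/${cp_nano_conf_location}"
# … unchanged: rs_temp_old_status and rs_policy_load_time are filled in above …
if grep -q "hybrid_mode" "${rs_conf_dir}/agent_details.json" 2>/dev/null; then
# … unchanged: management mode and policy file output …
rs_last_update_line=$(printf '%s\n' "$rs_temp_old_status" | grep "Last update status")
if [ -z "$rs_last_update_line" ]; then
    # No status line at all: do not claim the policy loaded.
    rs_policy_load_status="Unknown"
elif printf '%s\n' "$rs_last_update_line" | grep -q "Fail"; then
    rs_policy_load_status="Error"
else
    rs_policy_load_status="Success"
fi
echo "Policy load status: ${rs_policy_load_status}"
echo "${rs_policy_load_time}"
```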
@@ -933,7 +961,7 @@ run_load_settings() # Initials - rls rls_service_to_update=$1 if [ -z "$rls_service_to_update" ] || [ -z "$(get_nano_service_location_and_port "$rls_service_to_update")" ]; then echo "Error: Could not load configuration" - printf "Usage: cpnano <-lc|--load-config> <%b>\n" "$(get_installed_services '|')" + printf "Usage: open-appsec-ctl <-lc|--load-config> <%b>\n" "$(get_installed_services '|')" exit 1 fi @@ -956,7 +984,7 @@ set_proxy() # Initials - sp if [ -z "$sp_proxy" ]; then echo "Error: Proxy was not provided." - ech "Usage: cpnano <-sp|--set-proxy> " + ech "Usage: open-appsec-ctl <-sp|--set-proxy> " exit 1 fi @@ -1453,7 +1481,7 @@ set_mode() start_service() # Initials - starts { if [ -z "$1" ]; then - printf "Usage: cpnano <-rs|--start-service> <%b>\n" "$(get_installed_services '|')" + printf "Usage: open-appsec-ctl <-rs|--start-service> <%b>\n" "$(get_installed_services '|')" exit 255 fi starts_persistance_arg="" @@ -1490,7 +1518,7 @@ start_service() # Initials - starts stop_service() # Initials - stops { if [ -z "$1" ]; then - printf "Usage: cpnano <-qs|--stop-service> <%b>\n" "$(get_installed_services '|')" + printf "Usage: open-appsec-ctl <-qs|--stop-service> <%b>\n" "$(get_installed_services '|')" exit 255 fi stops_persistance_arg="" 
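Review bot: The rewritten usage line in set_proxy() still calls `ech`, which is not a command, so a caller who omits the proxy gets "Error: Proxy was not provided." followed by a command-not-found message instead of the usage text. Since the line is being edited anyway, change `ech "Usage: open-appsec-ctl` to `echo "Usage: open-appsec-ctl`. The other three hunks on this line (run_load_settings, start_service, stop_service) only rename the command in their usage strings. set_proxy() starts and ends outside the hunk.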
@@ -1583,6 +1611,27 @@ run() # Initials - r elif [ "--set-mode" = "$1" ] || [ "-sm" = "$1" ]; then shift set_mode "${@}" + elif [ "-vp" = "$1" ] || [ "--view-policy" = "$1" ]; then + shift + var_policy_file=$1 + if [ -z ${var_policy_file} ]; then + var_policy_file="/etc/cp/conf/local_policy.yaml" + fi + less ${var_policy_file} + elif [ "-ep" = "$1" ] || [ "--edit-policy" = "$1" ]; then + shift + var_policy_file=$1 + if [ -z ${var_policy_file} ]; then + var_policy_file="/etc/cp/conf/local_policy.yaml" + fi + vi ${var_policy_file} + elif [ "-ap" = "$1" ] || [ "--apply-policy" = "$1" ]; then + echo "Error: This option is not yet supported" + exit 1 + elif [ "-lp" = "$1" ] || [ "--list-policies" = "$1" ]; then + echo "/etc/cp/conf/local_policy.yaml" + elif [ "-vl" = "$1" ] || [ "--view-logs" = "$1" ]; then + less /var/log/nano_agent/cp-nano-http-transaction-handler.log? else usage fi diff --git a/nodes/orchestration/package/local-default-policy.yaml b/nodes/orchestration/package/local-default-policy.yaml index 9c1eabb..1720ff0 100644 --- a/nodes/orchestration/package/local-default-policy.yaml +++ b/nodes/orchestration/package/local-default-policy.yaml @@ -5,10 +5,7 @@ policies: mode: detect-learn practices: - webapp-default-practice - source-identifiers: - trusted-sources: custom-response: appsec-default-web-user-response - exceptions: specific-rules: - host: "*" triggers: @@ -16,10 +13,7 @@ policies: mode: detect-learn practices: - webapp-default-practice - source-identifiers: - trusted-sources: custom-response: appsec-default-web-user-response - exceptions: practices: - name: webapp-default-practice diff --git a/nodes/orchestration/package/orchestration_package.sh b/nodes/orchestration/package/orchestration_package.sh index 253dad8..7bde5bf 100755 --- a/nodes/orchestration/package/orchestration_package.sh +++ b/nodes/orchestration/package/orchestration_package.sh 
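Review bot: The new `-vp` and `-ep` branches in run() hand a caller-supplied path to the pager and the editor unquoted (`[ -z ${var_policy_file} ]`, `less ${var_policy_file}`, `vi ${var_policy_file}`), so a path containing spaces or glob characters is split or expanded, and a value beginning with `-` is read as an option. Quote the expansion and end option parsing: `[ -z "${var_policy_file}" ]`, `less -- "${var_policy_file}"`, `vi -- "${var_policy_file}"`. The help text calls `--view-policy` "read only", but plain `less` can start an editor or a shell command from inside the pager; if this script is ever delegated through sudo or a similar wrapper, run the pager as `LESSSECURE=1 less` and treat `--edit-policy` as equivalent to handing out a shell. In the `-vl` branch the trailing `?` in `cp-nano-http-transaction-handler.log?` matches exactly one extra character, so the current `.log` file is never opened and an unmatched pattern is passed to `less` literally; `.log*` may be what was meant. run() begins and ends outside the hunk.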
@@ -558,7 +558,8 @@ install_cp_nano_ctl() cp_exec "cp -f $CP_NANO_CLI ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL" cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL" if ! [ -f $USR_SBIN_PATH/${CP_NANO_CTL} ]; then - cp_exec "ln -s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL $USR_SBIN_PATH/${CP_NANO_CTL}" + cp_exec "ln -s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL $USR_SBIN_PATH/${CP_NANO_CTL}" + cp_exec "ln -s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL $USR_SBIN_PATH/open-appsec-ctl" fi cp_exec "cp -f ${CP_NANO_DEBUG} ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_DEBUG}"
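Review bot: The added `ln -s` for `open-appsec-ctl` sits under the existing `if ! [ -f $USR_SBIN_PATH/${CP_NANO_CTL} ]` guard, so on a host where the first link already exists (presumably any upgrade) the new name is never created, although the usage strings in this patch now tell users to run `open-appsec-ctl`. Give the new link its own test, for example wrap the added line in `if ! [ -e "$USR_SBIN_PATH/open-appsec-ctl" ]; then` … `fi`. The value of `CP_NANO_CTL` in this file is not visible here; if it is also `open-appsec-ctl`, the second `ln -s` would fail because the name was just created. install_cp_nano_ctl() starts and ends outside the hunk.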