github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

update checkpoint to openappsec

Browse Source
This commit is contained in:
davidga 2022-11-15 18:28:19 +02:00
parent d414de2014
commit 1026b1e1dc
3 changed files with 73 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
nodes/orchestration/package/cp-nano-cli.sh
View File

@ -5,7 +5,7 @@ LOG_FILE_PATH="/var/log"
INIT_D_PATH="/etc/init.d" INIT_D_PATH="/etc/init.d"
USR_LIB_PATH="/usr/lib" USR_LIB_PATH="/usr/lib"
USR_SBIN_PATH="/usr/sbin" USR_SBIN_PATH="/usr/sbin"
CP_NANO_CTL="cpnano" CP_NANO_CTL="open-appsec-ctl"
BIN_PATH="bin" BIN_PATH="bin"
CP_NANO_BASE64="cpnano_base64" CP_NANO_BASE64="cpnano_base64"
INSTALL_DIR_INDEX=1 INSTALL_DIR_INDEX=1
@ -27,7 +27,7 @@ var_default_fog_address="i2-agents.cloud.ngen.checkpoint.com/"
var_default_gem_fog_address="inext-agents.cloud.ngen.checkpoint.com" var_default_gem_fog_address="inext-agents.cloud.ngen.checkpoint.com"
var_default_us_fog_address="inext-agents-us.cloud.ngen.checkpoint.com" var_default_us_fog_address="inext-agents-us.cloud.ngen.checkpoint.com"
#NOTE: cpnano only supports nano services with name of the format cp-nano-<service> #NOTE: open-appsec-ctl only supports nano services with name of the format cp-nano-<service>
cp_nano_service_name_prefix="cp-nano" cp_nano_service_name_prefix="cp-nano"
cp_nano_conf_suffix="conf.json" cp_nano_conf_suffix="conf.json"
@ -264,7 +264,11 @@ usage()
set_public_key="-pk, --set-public-key <Public key file path>" set_public_key="-pk, --set-public-key <Public key file path>"
set_traffic_recording_policy_option="-tr, --traffic-recording-policy <off|req_hdr|req_body|resp_hdr|resp_body>" set_traffic_recording_policy_option="-tr, --traffic-recording-policy <off|req_hdr|req_body|resp_hdr|resp_body>"
print_metrics_option="-pm, --print-metrics <service>" print_metrics_option="-pm, --print-metrics <service>"
view_policy_option="-vp, --view-policy [policy-file]"
edit_policy_option="-ep, --edit-policy [policy-file]"
apply_policy_option="-ap, --apply-policy [policy-file]"
list_policy_option="-lp, --list-policies"
view_logs_option="-vl, --view-logs"
# Padding makes each comment to start a specific index, increase 'line_padding' when option length is bigger than pedding. # Padding makes each comment to start a specific index, increase 'line_padding' when option length is bigger than pedding.
line_padding=' ' line_padding=' '
echo "Options:" echo "Options:"
@ -275,16 +279,21 @@ usage()
printf "%s %s : Start a service previously stopped\n" "$start_service_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#start_service_option})))")" printf "%s %s : Start a service previously stopped\n" "$start_service_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#start_service_option})))")"
printf "%s %s : Stop service\n" "$stop_service_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#stop_service_option})))")" printf "%s %s : Stop service\n" "$stop_service_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#stop_service_option})))")"
printf "%s %s : Uninstall agent\n" "$uninstall_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#uninstall_option})))")" printf "%s %s : Uninstall agent\n" "$uninstall_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#uninstall_option})))")"
printf "%s %s : Load configuration\n" "$load_config_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#load_config_option})))")" printf "%s %s : Open a policy file as read only\n" "$view_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#view_policy_option})))")"
printf "%s %s : Set proxy\n" "$proxy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#proxy_option})))")" printf "%s %s : Open and edit a policy file\n" "$edit_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#edit_policy_option})))")"
printf "%s %s : Display configuration\n" "$display_config_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#display_config_option})))")" printf "%s %s : Apply a new policy file\n" "$apply_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#apply_policy_option})))")"
printf "%s %s : Create open-appsec agent info\n" "$cp_agent_info_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#cp_agent_info_option})))")" printf "%s %s : View list of used policy files\n" "$list_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#list_policy_option})))")"
printf "%s %s : Display current policy\n" "$display_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#display_policy_option})))")" printf "%s %s : View security logs\n" "$view_logs_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#view_logs_option})))")"
printf "%s %s : Load gradual policy\n" "$set_gradual_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_gradual_policy_option})))")" # printf "%s %s : Load configuration\n" "$load_config_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#load_config_option})))")"
printf "%s %s : Remove gradual policy\n" "$delete_gradual_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#delete_gradual_policy_option})))")" # printf "%s %s : Set proxy\n" "$proxy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#proxy_option})))")"
printf "%s %s : Set the SSL certificate's public key file path (PEM format)\n" "$set_public_key" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_public_key})))")" # printf "%s %s : Display configuration\n" "$display_config_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#display_config_option})))")"
printf "%s %s : Set traffic recording policy\n" "$set_traffic_recording_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_traffic_recording_policy_option})))")" # printf "%s %s : Create open-appsec agent info\n" "$cp_agent_info_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#cp_agent_info_option})))")"
printf "%s %s : Print metrics report\n" "$print_metrics_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#print_metrics_option})))")" # printf "%s %s : Display current policy\n" "$display_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#display_policy_option})))")"
# printf "%s %s : Load gradual policy\n" "$set_gradual_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_gradual_policy_option})))")"
# printf "%s %s : Remove gradual policy\n" "$delete_gradual_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#delete_gradual_policy_option})))")"
# printf "%s %s : Set the SSL certificate's public key file path (PEM format)\n" "$set_public_key" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_public_key})))")"
# printf "%s %s : Set traffic recording policy\n" "$set_traffic_recording_policy_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#set_traffic_recording_policy_option})))")"
# printf "%s %s : Print metrics report\n" "$print_metrics_option" "$(printf "%s" "$line_padding" | cut -c 1-"$(max_num 1 $((${#line_padding} - ${#print_metrics_option})))")"
exit 255 exit 255
} }
@ -556,10 +565,10 @@ run_update_gradual_policy() # Initials - rugp
rugp_service_name=$1 rugp_service_name=$1
shift shift
rugp_gp_usage="Usage: cpnano -gp|--set-gradual-policy [access-control|http-manager] <ip-ranges>" rugp_gp_usage="Usage: open-appsec-ctl -gp|--set-gradual-policy [access-control|http-manager] <ip-ranges>"
rugp_success_message="Gradual policy for $rugp_service_name was set successfully" rugp_success_message="Gradual policy for $rugp_service_name was set successfully"
if [ "$rugp_mod" = "delete" ]; then if [ "$rugp_mod" = "delete" ]; then
rugp_gp_usage="Usage: cpnano -dg|--delete-gradual-policy [access-control|http-manager]" rugp_gp_usage="Usage: open-appsec-ctl -dg|--delete-gradual-policy [access-control|http-manager]"
rugp_success_message="Gradual policy for $rugp_service_name was deleted successfully" rugp_success_message="Gradual policy for $rugp_service_name was deleted successfully"
fi fi
@ -621,7 +630,7 @@ run_update_gradual_policy() # Initials - rugp
run_set_traffic_recording_policy() # Initials - rstrp run_set_traffic_recording_policy() # Initials - rstrp
{ {
if [ "$1" != "off" ] && [ "$1" != "req_hdr" ] && [ "$1" != "req_body" ] && [ "$1" != "resp_hdr" ] && [ "$1" != "resp_body" ]; then if [ "$1" != "off" ] && [ "$1" != "req_hdr" ] && [ "$1" != "req_body" ] && [ "$1" != "resp_hdr" ] && [ "$1" != "resp_body" ]; then
printf "Error: Could not set up traffic recording.\nUsage: cpnano <-tr|--traffic-recording> <off|req_hdr|req_body|resp_hdr|resp_body>\n" printf "Error: Could not set up traffic recording.\nUsage: open-appsec-ctl <-tr|--traffic-recording> <off|req_hdr|req_body|resp_hdr|resp_body>\n"
exit 1 exit 1
fi fi
@ -916,11 +925,30 @@ run_status() # Initials - rs
if echo "$rs_orch_status" | grep -q "update status"; then if echo "$rs_orch_status" | grep -q "update status"; then
rs_line_count=$(echo "$rs_orch_status" | grep -c '^') rs_line_count=$(echo "$rs_orch_status" | grep -c '^')
echo "$rs_orch_status" | sed -r "${rs_line_count},${rs_line_count}d; "' 1,1d; s/^\s*//g; s/^\n//g; s/\"//g; s/\\n/\n/g; s/\,//g' rs_policy_load_time="$(echo "${rs_orch_status}" | grep "Last policy update"| sed "s|\"||g" | sed "s|,||g")"
rs_temp_old_status=$(echo "$rs_orch_status" | sed -r "${rs_line_count},${rs_line_count}d; "' 1,1d; s/^\s*//g; s/^\n//g; s/\"//g; s/\\n/\n/g; s/\,//g')
else else
sed 's/{//g' <${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestrations_status.json | sed 's/}//g' | sed 's/"//g' | sed 's/,//g' | sed -r '/^\s*$/d' | sed -r 's/^ //g' rs_temp_old_status=$(sed 's/{//g' <${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestrations_status.json | sed 's/}//g' | sed 's/"//g' | sed 's/,//g' | sed -r '/^\s*$/d' | sed -r 's/^ //g')
rs_policy_load_time="$(cat /etc/cp/conf/orchestrations_status.json | grep "Last policy update" | sed "s|\"||g" | sed "s|,||g")"
fi fi
if [ -n "$(cat /etc/cp/conf/agent_details.json | grep "hybrid_mode")" ]; then
rs_mgmt_mode_text="Local managment"
else
rs_mgmt_mode_text="Cloud managment"
fi
echo "Managment mode: ${rs_mgmt_mode_text}"
echo "Policy files: "
echo " /etc/cp/conf/local_policy.yaml"
if [ -n "$(echo ${rs_temp_old_status} | grep "Last update status" | grep "Fail")" ]; then
rs_policy_load_status="Error"
else
rs_policy_load_status="Success"
fi
echo "Policy load status: ${rs_policy_load_status}"
echo ${rs_policy_load_time}
echo "" echo ""
for service in $all_services; do for service in $all_services; do
@ -933,7 +961,7 @@ run_load_settings() # Initials - rls
rls_service_to_update=$1 rls_service_to_update=$1
if [ -z "$rls_service_to_update" ] || [ -z "$(get_nano_service_location_and_port "$rls_service_to_update")" ]; then if [ -z "$rls_service_to_update" ] || [ -z "$(get_nano_service_location_and_port "$rls_service_to_update")" ]; then
echo "Error: Could not load configuration" echo "Error: Could not load configuration"
printf "Usage: cpnano <-lc|--load-config> <%b>\n" "$(get_installed_services '|')" printf "Usage: open-appsec-ctl <-lc|--load-config> <%b>\n" "$(get_installed_services '|')"
exit 1 exit 1
fi fi
@ -956,7 +984,7 @@ set_proxy() # Initials - sp
if [ -z "$sp_proxy" ]; then if [ -z "$sp_proxy" ]; then
echo "Error: Proxy was not provided." echo "Error: Proxy was not provided."
ech "Usage: cpnano <-sp|--set-proxy> <proxy>" ech "Usage: open-appsec-ctl <-sp|--set-proxy> <proxy>"
exit 1 exit 1
fi fi
@ -1453,7 +1481,7 @@ set_mode()
start_service() # Initials - starts start_service() # Initials - starts
{ {
if [ -z "$1" ]; then if [ -z "$1" ]; then
printf "Usage: cpnano <-rs|--start-service> <%b>\n" "$(get_installed_services '|')" printf "Usage: open-appsec-ctl <-rs|--start-service> <%b>\n" "$(get_installed_services '|')"
exit 255 exit 255
fi fi
starts_persistance_arg="" starts_persistance_arg=""
@ -1490,7 +1518,7 @@ start_service() # Initials - starts
stop_service() # Initials - stops stop_service() # Initials - stops
{ {
if [ -z "$1" ]; then if [ -z "$1" ]; then
printf "Usage: cpnano <-qs|--stop-service> <%b>\n" "$(get_installed_services '|')" printf "Usage: open-appsec-ctl <-qs|--stop-service> <%b>\n" "$(get_installed_services '|')"
exit 255 exit 255
fi fi
stops_persistance_arg="" stops_persistance_arg=""
@ -1583,6 +1611,27 @@ run() # Initials - r
elif [ "--set-mode" = "$1" ] || [ "-sm" = "$1" ]; then elif [ "--set-mode" = "$1" ] || [ "-sm" = "$1" ]; then
shift shift
set_mode "${@}" set_mode "${@}"
elif [ "-vp" = "$1" ] || [ "--view-policy" = "$1" ]; then
shift
var_policy_file=$1
if [ -z ${var_policy_file} ]; then
var_policy_file="/etc/cp/conf/local_policy.yaml"
fi
less ${var_policy_file}
elif [ "-ep" = "$1" ] || [ "--edit-policy" = "$1" ]; then
shift
var_policy_file=$1
if [ -z ${var_policy_file} ]; then
var_policy_file="/etc/cp/conf/local_policy.yaml"
fi
vi ${var_policy_file}
elif [ "-ap" = "$1" ] || [ "--apply-policy" = "$1" ]; then
echo "Error: This option is not yet supported"
exit 1
elif [ "-lp" = "$1" ] || [ "--list-policies" = "$1" ]; then
echo "/etc/cp/conf/local_policy.yaml"
elif [ "-vl" = "$1" ] || [ "--view-logs" = "$1" ]; then
less /var/log/nano_agent/cp-nano-http-transaction-handler.log?
else else
usage usage
fi fi

6
nodes/orchestration/package/local-default-policy.yaml
View File

@ -5,10 +5,7 @@ policies:
mode: detect-learn mode: detect-learn
practices: practices:
- webapp-default-practice - webapp-default-practice
source-identifiers:
trusted-sources:
custom-response: appsec-default-web-user-response custom-response: appsec-default-web-user-response
exceptions:
specific-rules: specific-rules:
- host: "*" - host: "*"
triggers: triggers:
@ -16,10 +13,7 @@ policies:
mode: detect-learn mode: detect-learn
practices: practices:
- webapp-default-practice - webapp-default-practice
source-identifiers:
trusted-sources:
custom-response: appsec-default-web-user-response custom-response: appsec-default-web-user-response
exceptions:
practices: practices:
- name: webapp-default-practice - name: webapp-default-practice

1
nodes/orchestration/package/orchestration_package.sh
View File

@ -559,6 +559,7 @@ install_cp_nano_ctl()
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL" cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL"
if ! [ -f $USR_SBIN_PATH/${CP_NANO_CTL} ]; then if ! [ -f $USR_SBIN_PATH/${CP_NANO_CTL} ]; then
cp_exec "ln -s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL $USR_SBIN_PATH/${CP_NANO_CTL}" cp_exec "ln -s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL $USR_SBIN_PATH/${CP_NANO_CTL}"
cp_exec "ln -s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL $USR_SBIN_PATH/open-appsec-ctl"
fi fi
cp_exec "cp -f ${CP_NANO_DEBUG} ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_DEBUG}" cp_exec "cp -f ${CP_NANO_DEBUG} ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_DEBUG}"