From 3084641737bf3e4b4779e9488c19281e79e54e95 Mon Sep 17 00:00:00 2001 From: Ned Wright Date: Mon, 25 Dec 2023 16:45:45 +0000 Subject: [PATCH 1/6] Change declarative policy initialization --- .../orchestration/include/declarative_policy_utils.h | 1 + .../orchestration/include/i_declarative_policy.h | 1 + .../security_apps/orchestration/orchestration_comp.cc | 6 ++---- .../update_communication/declarative_policy_utils.cc | 6 ++++++ 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/components/security_apps/orchestration/include/declarative_policy_utils.h b/components/security_apps/orchestration/include/declarative_policy_utils.h index 1db30ce..73861c7 100644 --- a/components/security_apps/orchestration/include/declarative_policy_utils.h +++ b/components/security_apps/orchestration/include/declarative_policy_utils.h @@ -80,6 +80,7 @@ public: std::string getUpdate(CheckUpdateRequest &request) override; bool shouldApplyPolicy() override; void turnOffApplyPolicyFlag() override; + void turnOnApplyPolicyFlag() override; std::string getCurrPolicy() override { return curr_policy; } diff --git a/components/security_apps/orchestration/include/i_declarative_policy.h b/components/security_apps/orchestration/include/i_declarative_policy.h index 1390766..0401463 100644 --- a/components/security_apps/orchestration/include/i_declarative_policy.h +++ b/components/security_apps/orchestration/include/i_declarative_policy.h @@ -23,6 +23,7 @@ public: virtual std::string getCurrPolicy() = 0; virtual void turnOffApplyPolicyFlag() = 0; + virtual void turnOnApplyPolicyFlag() = 0; protected: virtual ~I_DeclarativePolicy() {} diff --git a/components/security_apps/orchestration/orchestration_comp.cc b/components/security_apps/orchestration/orchestration_comp.cc index 9b7863b..e3dfb81 100755 --- a/components/security_apps/orchestration/orchestration_comp.cc +++ b/components/security_apps/orchestration/orchestration_comp.cc 
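Review bot: `turnOnApplyPolicyFlag()` is added to `I_DeclarativePolicy` as a pure virtual with no comment saying who may raise the flag or when. Every other implementer of the interface (test mocks included) stops compiling until it adds the override, and only `DeclarativePolicyUtils` is updated in this series. I would document the pair on the interface, e.g. `// Marks the local policy as pending application; cleared by turnOffApplyPolicyFlag().` The wording should be checked against how `shouldApplyPolicy()` is consumed, which is not visible here.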
@@ -221,10 +221,7 @@ private: auto update_communication = Singleton::Consume::by(); auto agent_mode = getOrchestrationMode(); auto policy_mgmt_mode = getSettingWithDefault("management", "profileManagedMode"); - if (agent_mode == OrchestrationMode::HYBRID || policy_mgmt_mode == "declarative") { - update_communication->authenticateAgent(); - return Maybe(); - } + bool declarative = agent_mode == OrchestrationMode::HYBRID || policy_mgmt_mode == "declarative"; bool enforce_policy_flag = false; Maybe maybe_policy = genError("Empty policy"); @@ -274,6 +271,7 @@ private: if (enforce_policy_flag) { // Trying to create the Orchestration policy from the general policy file maybe_policy = enforceOrchestrationPolicy(); + if (declarative) Singleton::Consume::from()->turnOnApplyPolicyFlag(); if (!maybe_policy.ok()) { return genError(maybe_policy.getErr()); } diff --git a/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc b/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc index 1d85a0d..00e8a49 100644 --- a/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc +++ b/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc @@ -57,6 +57,12 @@ DeclarativePolicyUtils::turnOffApplyPolicyFlag() should_apply_policy = false; } +void +DeclarativePolicyUtils::turnOnApplyPolicyFlag() +{ + should_apply_policy = true; +} + Maybe DeclarativePolicyUtils::getLocalPolicyChecksum() { From eb1bc9227bd19c63dad592adeb93973219b9421d Mon Sep 17 00:00:00 2001 From: Ned Wright Date: Tue, 26 Dec 2023 11:36:21 +0000 Subject: [PATCH 2/6] Minor cpnano_debug fix --- nodes/orchestration/package/cpnano_debug/cpnano_debug.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc b/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc index 1461b71..70789ac 100755 
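Review bot: In the `@@ -221,10 +221,7 @@` hunk, hybrid and declarative agents no longer take the early `authenticateAgent()` return, so they now run the whole policy load/enforce path. They depend on whatever produces `authentication_res` further down, outside the hunk. Please confirm that path still authenticates the agent in declarative mode. `declarative` is never reassigned in the visible lines, so `const bool declarative = ...;` with a comment such as `// true when policy is managed locally (hybrid agent or declarative profile)` would state the intent. The enclosing method starts and ends outside the hunk.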
--- a/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc +++ b/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc @@ -577,6 +577,7 @@ public: { try { cereal::load(ar, streams); + if (streams["Output"].empty()) streams["Output"] = "STDOUT"; if (streams["Output"] != "FOG" && streams["Output"] != "STDOUT" && streams["Output"].front() != '/') { streams["Output"] = log_files_path + "/" + streams["Output"]; } From 596033391bdc7dc38788d4858a8606bb33f9337a Mon Sep 17 00:00:00 2001 From: Ned Wright Date: Tue, 26 Dec 2023 12:50:52 +0000 Subject: [PATCH 3/6] Turning on local policy after initial orcherstation load --- components/security_apps/orchestration/orchestration_comp.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/components/security_apps/orchestration/orchestration_comp.cc b/components/security_apps/orchestration/orchestration_comp.cc index e3dfb81..4a7e0c4 100755 --- a/components/security_apps/orchestration/orchestration_comp.cc +++ b/components/security_apps/orchestration/orchestration_comp.cc @@ -231,6 +231,7 @@ private: auto orchestration_tools = Singleton::Consume::by(); if (orchestration_tools->doesFileExist(orchestration_policy_file)) { maybe_policy = loadOrchestrationPolicy(); + if (declarative) Singleton::Consume::from()->turnOnApplyPolicyFlag(); if (!maybe_policy.ok()) { dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration policy. Error: " << maybe_policy.getErr(); enforce_policy_flag = true; From d91a1c4ca5501a76c643e29db92bd18430f34b35 Mon Sep 17 00:00:00 2001 From: Ned Wright Date: Tue, 26 Dec 2023 13:10:04 +0000 Subject: [PATCH 4/6] Fix rate limit string handling --- components/security_apps/rate_limit/rate_limit.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/components/security_apps/rate_limit/rate_limit.cc b/components/security_apps/rate_limit/rate_limit.cc index 5ef7aed..2025c9b 100755 --- a/components/security_apps/rate_limit/rate_limit.cc +++ b/components/security_apps/rate_limit/rate_limit.cc 
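Review bot: In the `cpnano_debug.cc` hunk the new empty-string guard makes the `.front()` call safe, but the relative branch still builds `log_files_path + "/" + streams["Output"]` without inspecting the value. A name containing `..` components therefore resolves outside the log directory. If this configuration can be written by anything less trusted than the tool's operator (not visible here), reject such names, or canonicalise the path and check that it stays under `log_files_path`. Separately, `streams["Output"]` is looked up repeatedly and inserts the key when absent; binding it once, `auto &output = streams["Output"];`, makes that explicit. The `try` block continues outside the hunk.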
@@ -114,7 +114,7 @@ public: } string application_uri = maybe_uri.unpack(); - if (application_uri.back() == '/') application_uri.pop_back(); + if (!application_uri.empty() && application_uri.back() == '/') application_uri.pop_back(); for (const auto &rule : rate_limit_config.getRateLimitRules()) { string full_rule_uri = application_uri + rule.getRateLimitUri(); @@ -227,7 +227,7 @@ public: << " seconds"; string unique_key = asset_id + ":" + source_identifier + ":" + uri; - if (unique_key.back() == '/') unique_key.pop_back(); + if (!unique_key.empty() && unique_key.back() == '/') unique_key.pop_back(); auto verdict = decide(unique_key); if (verdict == RateLimitVedict::ACCEPT) { From 1eee88cba55cf19b336f1accd5944a97c702fd0a Mon Sep 17 00:00:00 2001 From: root Date: Tue, 26 Dec 2023 14:53:59 +0000 Subject: [PATCH 5/6] Moving checking for declarative --- components/security_apps/orchestration/orchestration_comp.cc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/components/security_apps/orchestration/orchestration_comp.cc b/components/security_apps/orchestration/orchestration_comp.cc index 4a7e0c4..33af4f5 100755 --- a/components/security_apps/orchestration/orchestration_comp.cc +++ b/components/security_apps/orchestration/orchestration_comp.cc @@ -231,7 +231,6 @@ private: auto orchestration_tools = Singleton::Consume::by(); if (orchestration_tools->doesFileExist(orchestration_policy_file)) { maybe_policy = loadOrchestrationPolicy(); - if (declarative) Singleton::Consume::from()->turnOnApplyPolicyFlag(); if (!maybe_policy.ok()) { dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration policy. Error: " << maybe_policy.getErr(); enforce_policy_flag = true; 
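Review bot: In the `@@ -227,7 +227,7 @@` hunk `unique_key` is built as `asset_id + ":" + source_identifier + ":" + uri`, so it always contains the two separators and `!unique_key.empty()` can never be false. The value that can be empty is `uri`, so normalise it before concatenation: `if (!uri.empty() && uri.back() == '/') uri.pop_back();` (on a local copy if `uri` is const). The `':'` delimiter is also ambiguous if `source_identifier` can itself contain a colon, an IPv6 address for instance, which would let two different (source, URI) pairs share one counter; whether it can is not visible here. The guard on `application_uri` in the first hunk is effective as written.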
@@ -272,7 +271,6 @@ private: if (enforce_policy_flag) { // Trying to create the Orchestration policy from the general policy file maybe_policy = enforceOrchestrationPolicy(); - if (declarative) Singleton::Consume::from()->turnOnApplyPolicyFlag(); if (!maybe_policy.ok()) { return genError(maybe_policy.getErr()); } @@ -298,6 +296,7 @@ private: } } + if (declarative) Singleton::Consume::from()->turnOnApplyPolicyFlag(); return authentication_res; } From c4d7ab54a6b8f14fbc8e23d7ccea2d3012bc774e Mon Sep 17 00:00:00 2001 From: Ned Wright Date: Tue, 26 Dec 2023 20:46:23 +0000 Subject: [PATCH 6/6] Logging changes --- components/security_apps/waap/waap_clib/Waf2Engine.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/components/security_apps/waap/waap_clib/Waf2Engine.cc b/components/security_apps/waap/waap_clib/Waf2Engine.cc index 8922fc0..188a264 100755 --- a/components/security_apps/waap/waap_clib/Waf2Engine.cc +++ b/components/security_apps/waap/waap_clib/Waf2Engine.cc @@ -1741,7 +1741,7 @@ Waf2Transaction::sendLog() static int cur_grace_logs = 0; bool grace_period = is_hybrid_mode && cur_grace_logs < max_grace_logs; - bool send_extended_log = grace_period || shouldSendExtendedLog(triggerLog); + bool send_extended_log = shouldSendExtendedLog(triggerLog); if (grace_period) { dbgTrace(D_WAAP) << "Waf2Transaction::sendLog: current grace log index: " @@ -2339,7 +2339,7 @@ bool Waf2Transaction::shouldSendExtendedLog(const std::shared_ptrgetThreatLevel()); - if (trigger_log->extendLoggingMinSeverity == "Critical") + if (trigger_log->extendLoggingMinSeverity == "Critical" || trigger_log->extendLoggingMinSeverity == "critical") { if (severity == ReportIS::Severity::CRITICAL) { 
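Review bot: In the `@@ -298,6 +296,7 @@` hunk `turnOnApplyPolicyFlag()` runs unconditionally before `return authentication_res;`, so the apply flag is raised even when `authentication_res` carries an error, while the earlier `return genError(...)` paths leave it off. If applying the local policy after a failed agent authentication is intended, say so in a comment, e.g. `// local policy is applied even when agent authentication failed`. Otherwise gate it with `if (declarative && authentication_res.ok())`, assuming `authentication_res` is a `Maybe` like `maybe_policy`. The enclosing method starts outside the hunk.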
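Review bot: After the change in `Waf2Transaction::sendLog()`, `grace_period` no longer affects `send_extended_log`; in the visible lines it only feeds the `dbgTrace`. The function-local `static int cur_grace_logs` and `max_grace_logs` therefore look like leftover state. Either remove the grace bookkeeping or add a comment saying why it is kept, e.g. `// grace counter kept for tracing only; extended logs now follow the trigger configuration`. If code below the hunk still increments `cur_grace_logs` and `sendLog()` can run on more than one thread, a plain `static int` is not safe for that. The function body continues outside the hunk.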
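Review bot: Accepting exactly `"Critical"`/`"critical"` in the `@@ -2339,7 +2339,7 @@` hunk and `"High"`/`"high"` in the `@@ -2349,7 +2349,7 @@` hunk still leaves spellings such as `"CRITICAL"` unmatched. What an unmatched value does is decided outside these hunks; if it falls through to "no extended log", a mis-cased setting silently reduces logging. Normalise once at the top of `shouldSendExtendedLog()` and compare against lower-case literals: `std::string min_sev = trigger_log->extendLoggingMinSeverity;` followed by `std::transform(min_sev.begin(), min_sev.end(), min_sev.begin(), [](unsigned char c) { return std::tolower(c); });`. The function body starts and ends outside both hunks.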
@@ -2349,7 +2349,7 @@ bool Waf2Transaction::shouldSendExtendedLog(const std::shared_ptrextendLoggingMinSeverity == "High") + else if (trigger_log->extendLoggingMinSeverity == "High" || trigger_log->extendLoggingMinSeverity == "high") { if (severity == ReportIS::Severity::CRITICAL || severity == ReportIS::Severity::HIGH) {