Support local managment for embedded agent on nginx

2025-09-29 19:24:26 +03:00 · 2022-11-13 13:29:35 +02:00
parent 8b01396eca
commit 1b4b7d17e0
406 changed files with 37980 additions and 35 deletions
--- a/nodes/orchestration/CMakeLists.txt
+++ b/nodes/orchestration/CMakeLists.txt
@@ -27,7 +27,7 @@ target_link_libraries(
    update_communication
    orchestration_tools
    messaging_downloader_client
-    k8s_policy_gen
+    local_policy_mgmt_gen
    curl

    -Wl,--end-group
--- a/nodes/orchestration/main.cc
+++ b/nodes/orchestration/main.cc
@@ -53,7 +53,7 @@
 #include "health_check_manager.h"
 #include "generic_metric.h"
 #include "tenant_manager.h"
-#include "k8s_policy_gen.h"
+#include "local_policy_mgmt_gen.h"

 using namespace std;

@@ -78,7 +78,7 @@ main(int argc, char **argv)
        HealthChecker,
        HealthCheckManager,
        MessagingDownloaderClient,
-        K8sPolicyGenerator
+        LocalPolicyMgmtGenerator
    > comps;

    comps.registerGlobalValue<uint>("Nano service API Port Primary", 7777);
--- a/nodes/orchestration/package/CMakeLists.txt
+++ b/nodes/orchestration/package/CMakeLists.txt
@@ -25,3 +25,6 @@ install(FILES configuration/cp-nano-orchestration-debug-conf.json DESTINATION ./
 install(FILES watchdog/watchdog DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES watchdog/wait-for-networking-inspection-modules.sh DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES watchdog/access_pre_init DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
+
+install(FILES local-default-policy.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
+
--- a/nodes/orchestration/package/local-default-policy.yaml
+++ b/nodes/orchestration/package/local-default-policy.yaml
@@ -0,0 +1,85 @@
+policies:
+  default:
+    triggers:
+    - appsec-default-log-trigger
+    mode: detect-learn
+    practices:
+    - webapp-default-practice
+    source-identifiers:
+    trusted-sources:
+    custom-response: appsec-default-web-user-response
+    exceptions:
+  specific-rules:
+  - host: "*"
+    triggers:
+    - appsec-default-log-trigger
+    mode: detect-learn
+    practices:
+    - webapp-default-practice
+    source-identifiers:
+    trusted-sources:
+    custom-response: appsec-default-web-user-response
+    exceptions:
+
+practices:
+  - name: webapp-default-practice
+    openapi-schema-validation:
+      configmap: []
+      override-mode: detect-learn
+    snort-signatures:
+      configmap: []
+      override-mode: detect-learn
+    web-attacks:
+      max-body-size-kb: 1000000
+      max-header-size-bytes: 102400
+      max-object-depth: 40
+      max-url-size-bytes: 32768
+      minimum-confidence: Transparent
+      override-mode: detect-learn
+      protections:
+        csrf-protection: detect-learn
+        error-disclosure: detect-learn
+        non-valid-http-methods: true
+        open-redirect: detect-learn
+    anti-bot:
+      injected-URIs: []
+      validated-URIs: []
+      override-mode: detect-learn
+
+logtriggers:
+  - name: appsec-default-log-trigger
+    access-control-logging:
+      allow-events: false
+      drop-events: true
+    additional-suspicious-events-logging:
+      enabled: true
+      minimum-severity: high
+      response-body: false
+    appsec-logging:
+      all-web-requests: false
+      detect-events: true
+      prevent-events: true
+    extended-logging:
+      http-headers: false
+      request-body: false
+      url-path: false
+      url-query: false
+    log-destination:
+      cloud: false
+      file:
+      stdout:
+        format: json-formatted
+      syslog-service:
+      cef-service:
+
+customresponses:
+  - name: appsec-default-web-user-response
+    mode: response-code-only
+    http-response-code: 403
+    message-title: This is the best title ever
+    message-body: Look at this body
+
+exceptions:
+trustedsources:
+sourceidentifiers:
+
--- a/nodes/orchestration/package/orchestration_package.sh
+++ b/nodes/orchestration/package/orchestration_package.sh
@@ -324,6 +324,10 @@ if [ "$RUN_MODE" = "install" ] && [ $var_offline_mode = false ]; then
        fi
    fi

+    if [ $var_hybrid_mode = true ] && [ -z "$var_fog_address" ]; then
+        var_fog_address="$var_default_gem_fog_address"
+    fi
+
    if [ -n "$var_proxy" ]; then
        if [ "$var_proxy" = 'none' ]; then
            echo "Ignoring system proxy"
@@ -536,6 +540,8 @@ install_cp_nano_ctl()
    CP_NANO_CLI="cp-nano-cli.sh"
    CP_NANO_JSON="cpnano_json"
    CP_NANO_CTL="cpnano"
+    CP_NANO_YQ_LOCATION="./scripts/yq"
+    CP_NANO_YQ="yq"

    if [ -f $USR_SBIN_PATH/${CP_NANO_CTL_DEPRECATED} ]; then
        cp_exec "rm -rf $USR_SBIN_PATH/${CP_NANO_CTL_DEPRECATED}"
@@ -563,6 +569,9 @@ install_cp_nano_ctl()

    cp_exec "cp -f ${CP_NANO_BASE64} ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_BASE64}" ${FORCE_STDOUT}
    cp_exec "chmod 700 ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_BASE64}"
+
+    cp_exec "cp -f ${CP_NANO_YQ_LOCATION} ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_YQ}" ${FORCE_STDOUT}
+    cp_exec "chmod 700 ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_YQ}"
 }

 set_conf_temp_location()
@@ -645,6 +654,9 @@ copy_orchestration_executable()
    cp_print "Copying cp-nano-agent binary file to folder: ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}" $FORCE_STDOUT
    cp_copy "$ORCHESTRATION_EXE_SOURCE_PATH" ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}
    cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}"
+    if [ $var_hybrid_mode = true ]; then
+        cp_copy local-default-policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml
+    fi
 }

 copy_k8s_executable()