diff --git a/components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h b/components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h index 532b8af..84f4d07 100755 --- a/components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h +++ b/components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h @@ -50,7 +50,7 @@ checkIDP(shared_ptr file_stream) if (line.find("") != string::npos) { return string("false"); } - if (line.find("identity_provider") != string::npos) { + if (line.find("/dev/null") #endif // SHELL_CMD_OUTPUT diff --git a/components/security_apps/orchestration/manifest_controller/manifest_controller.cc b/components/security_apps/orchestration/manifest_controller/manifest_controller.cc index db93264..b0aee07 100755 --- a/components/security_apps/orchestration/manifest_controller/manifest_controller.cc +++ b/components/security_apps/orchestration/manifest_controller/manifest_controller.cc @@ -397,7 +397,7 @@ ManifestController::Impl::handlePackage( if (!package.isInstallable().ok()) { string report_msg = - "Skipping installation of " + package.getName() + ". Reason: " + package.isInstallable().getErr(); + "Skipping installation of package: " + package.getName() + ". Reason: " + package.isInstallable().getErr(); dbgWarning(D_ORCHESTRATOR) << report_msg; LogGen(report_msg, Audience::SECURITY, Severity::CRITICAL, Priority::HIGH, Tags::ORCHESTRATOR); current_packages.insert(make_pair(package.getName(), package)); diff --git a/components/security_apps/orchestration/orchestration_comp.cc b/components/security_apps/orchestration/orchestration_comp.cc index 6f734a4..10df2f4 100755 --- a/components/security_apps/orchestration/orchestration_comp.cc +++ b/components/security_apps/orchestration/orchestration_comp.cc 
@@ -1342,6 +1342,18 @@ private: << LogField("agentType", "Orchestration") << LogField("agentVersion", Version::get()); + auto email = getSettingWithDefault("", "email-address"); + if (email != "") { + dbgInfo(D_ORCHESTRATOR) << "Sending registration data"; + LogGen( + "Local Agent Data", + Audience::INTERNAL, + Severity::INFO, + Priority::LOW, + Tags::ORCHESTRATOR + ) << LogField("userDefinedId", email); + } + reportAgentDetailsMetaData(); if (!Singleton::Consume::by()->loadAfterSelfUpdate()) { @@ -1683,5 +1695,7 @@ OrchestrationComp::preload() registerExpectedSetting>("orchestration", "Orchestration status ignored policies"); registerExpectedSetting("agentType"); registerExpectedSetting("upgradeMode"); + registerExpectedSetting("email-address"); registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy); + registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy); } diff --git a/components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc b/components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc index e80dc65..a11a165 100755 --- a/components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc +++ b/components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc @@ -456,6 +456,25 @@ TEST_F(OrchestrationTest, register_config) env.fini(); } +TEST_F(OrchestrationTest, registertion_data_config) +{ + EXPECT_CALL(rest, mockRestCall(RestAction::ADD, "declare-boolean-variable", _)) + .WillOnce(WithArg<2>(Invoke(this, &OrchestrationTest::declareVariable))); + + preload(); + env.init(); + + string config_json = + "{\n" + " \"email-address\": \"fake@example.com\"\n" + "}"; + + istringstream ss(config_json); + Singleton::Consume::from(config_comp)->loadConfiguration(ss); + EXPECT_THAT(getSetting("email-address"), IsValue("fake@example.com")); + env.fini(); +} + TEST_F(OrchestrationTest, orchestrationPolicyUpdate) { waitForRestCall(); 
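Review bot: The `email-address` setting is forwarded in `LogField("userDefinedId", email)` exactly as configured, with no length or format check, so any string that ends up in the setting is sent in the "Local Agent Data" log. I would bound it where it is read, for example by skipping the report and emitting a `dbgWarning(D_ORCHESTRATOR)` when the value is longer than a sane limit or has no `@`, and write the test as `!email.empty()`. A one-line comment such as `// Operator-supplied contact address from installation; keep it out of wider-audience logs` would help later edits keep the `Audience::INTERNAL` choice. The enclosing function starts and ends outside the hunk, so how often this path runs is not visible here.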
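Review bot: The test name `registertion_data_config` is misspelled (`registration_data_config`), and the JSON it loads puts `email-address` at the top level, whereas the installer hunk in orchestration_package.sh writes it nested as `"registration-data": { "email-address": ... }` in policy.json. If those are two different loading paths that is fine, but then the nested form written at install time has no coverage here. A second case that loads the nested document and checks `getSetting` would pin down the shape the agent really receives.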
diff --git a/components/security_apps/waap/waap_clib/WaapAssetState.cc b/components/security_apps/waap/waap_clib/WaapAssetState.cc index bef3892..55dd107 100755 --- a/components/security_apps/waap/waap_clib/WaapAssetState.cc +++ b/components/security_apps/waap/waap_clib/WaapAssetState.cc @@ -102,6 +102,8 @@ static const boost::regex utf_evasion_for_dot_regex(utf_evasion_for_dot_helper); static const std::string sqli_comma_evasion_regex_helper = "\"\\s*,\\s*\""; static const boost::regex sqli_comma_evasion_regex(sqli_comma_evasion_regex_helper); +static const boost::regex space_evasion_regex("[[:space:]]{2,}"); + WaapAssetState::WaapAssetState(const std::shared_ptr& pWaapAssetState, const std::string& waapDataFileName, const std::string& id) : 
@@ -267,6 +269,76 @@ WaapAssetState::WaapAssetState(std::shared_ptr signatures, } #endif + void trimSpaces(std::string & text) { + size_t result_position = 0; + size_t position = 0; + space_stage state = NO_SPACES; + uint32_t code; + + if (text.empty()) { + return; + } + + boost::cmatch what; + if (!boost::regex_search(text.c_str(), what, space_evasion_regex)) + return; + dbgTrace(D_WAAP) << "Boost regex passed"; + for (;position < text.size(); position++) { + code = text[position]; + switch (code) { + case '\t': + case ' ': + case '\f': + case '\v': + if (state == NO_SPACES) { + state = SPACE_SYNBOL; + text[result_position++] = code; + } + break; + case '\r': + switch (state) { + case (SPACE_SYNBOL): + text[result_position - 1] = code; + state = BR_SYMBOL; + break; + case (NO_SPACES): + text[result_position++] = code; + state = BR_SYMBOL; + break; + case (BN_SYMBOL): + text[result_position++] = code; + state = BNR_SEQUENCE; + break; + default: + break; + } + break; + case '\n': + switch (state) { + case (SPACE_SYNBOL): + text[result_position - 1] = code; + state = BN_SYMBOL; + break; + case (NO_SPACES): + text[result_position++] = code; + state = BN_SYMBOL; + break; + case (BR_SYMBOL): + text[result_position++] = code; + state = BRN_SEQUENCE; + break; + default: + break; + } + break; + default: + text[result_position++] = code; + state = NO_SPACES; + } + } + text.erase(result_position, position - result_position); + } + // Python equivalent: text = re.sub(r'[^\x00-\x7F]+',' ', text) void replaceUnicodeSequence(std::string & text, const char repl) { std::string::iterator it = text.begin(); 
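Review bot: The guard `boost::regex_search(text.c_str(), what, space_evasion_regex)` searches a C string, so it stops at the first NUL byte; if `text` can hold an embedded NUL at this stage (not visible from the hunk), whitespace runs after it are not seen and the function returns without normalising them. Searching the whole string avoids that and drops the otherwise unused `what`: `if (!boost::regex_search(text, space_evasion_regex)) return;`. The function also has no comment, unlike `replaceUnicodeSequence` right below it; a short header saying that a run of blanks collapses to its first character and that line breaks inside a run are kept as a single `\r`, `\n`, `\r\n` or `\n\r` would spare readers from tracing the state machine. The trace text `"Boost regex passed"` could say what matched, e.g. `"Collapsing repeated whitespace"`.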
@@ -432,6 +504,8 @@ WaapAssetState::WaapAssetState(std::shared_ptr signatures, dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (11) '" << text << "'"; + trimSpaces(text); + // 12. finally, apply tolower() to all characters of a string // std::for_each(text.begin(), text.end(), [](char &c) { c = tolower(c); }); for (std::string::iterator pC = text.begin(); pC != text.end(); ++pC) { diff --git a/components/security_apps/waap/waap_clib/WaapAssetState.h b/components/security_apps/waap/waap_clib/WaapAssetState.h index 72231ad..d760dab 100755 --- a/components/security_apps/waap/waap_clib/WaapAssetState.h +++ b/components/security_apps/waap/waap_clib/WaapAssetState.h @@ -34,6 +34,8 @@ #include "ScanResult.h" #include "WaapSampleValue.h" +enum space_stage {SPACE_SYNBOL, BR_SYMBOL, BN_SYMBOL, BRN_SEQUENCE, BNR_SEQUENCE, NO_SPACES}; + class IWaf2Transaction; class WaapAssetState : public boost::noncopyable, public I_WaapAssetState @@ -155,6 +157,7 @@ inline std::size_t hash_value(WaapAssetState::CacheKey const &cacheKey) } void filterUnicode(std::string & text); +void trimSpaces(std::string & text); void replaceUnicodeSequence(std::string & text, const char repl); std::string unescape(const std::string & s); diff --git a/core/include/services_sdk/resources/debug_flags.h b/core/include/services_sdk/resources/debug_flags.h index 6641b28..b102f02 100755 --- a/core/include/services_sdk/resources/debug_flags.h +++ b/core/include/services_sdk/resources/debug_flags.h @@ -147,6 +147,7 @@ DEFINE_FLAG(D_COMPONENT, D_ALL) DEFINE_FLAG(D_IOT_ENFORCE_POLICY, D_IOT_ENFORCE) DEFINE_FLAG(D_IOT_ENFORCE_ASSETS, D_IOT_ENFORCE) DEFINE_FLAG(D_IOT_DOCTOR, D_IOT_NEXT) + DEFINE_FLAG(D_IOT_RISK, D_IOT_NEXT) DEFINE_FLAG(D_IOT_DISCOVERY, D_IOT_NEXT) DEFINE_FLAG(D_IOT_DISCOVERY_UTILS, D_IOT_DISCOVERY) DEFINE_FLAG(D_IOT_PROBE, D_IOT_DISCOVERY_UTILS) diff --git a/core/mainloop/mainloop.cc b/core/mainloop/mainloop.cc index b104e79..b058665 100644 --- a/core/mainloop/mainloop.cc 
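Review bot: The new `trimSpaces(text);` call is the only step in this sequence without a step comment or a trace of its result, while the surrounding code numbers its steps and logs `unescape: (11)` just before it. I would add `// 11.1 collapse repeated whitespace before lower-casing` above the call and `dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (11.1) '" << text << "'";` after it, so a sample can be followed through the normalisation when debugging a missed detection. The enclosing function starts and ends outside the hunk.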
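Review bot: `space_stage` is an unscoped enum at global scope in a header, so `NO_SPACES`, `BR_SYMBOL` and the other enumerators become global names in every file that includes WaapAssetState.h, and `SPACE_SYNBOL` carries a typo with it. In the visible hunks only `trimSpaces` in WaapAssetState.cc uses the type, so it could live in that file as `enum class SpaceStage { ... };` inside an anonymous namespace, with the enumerator spelled `SPACE_SYMBOL`. A one-line comment per enumerator (which character sequence has been seen so far) would document the state machine at the same time.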
+++ b/core/mainloop/mainloop.cc @@ -441,6 +441,7 @@ void MainloopComponent::Impl::yield(bool force) { dbgAssert(curr_iter != routines.end()) << "Calling 'yield' without a running current routine"; + if (do_stop) throw MainloopStop(); if (!force && getTimer()->getMonotonicTime() < stop_time) return; auto env = Singleton::Consume::by()->saveEnvironment(); diff --git a/core/report/tag_and_enum_management.cc b/core/report/tag_and_enum_management.cc index 95fe4be..0ca3a52 100755 --- a/core/report/tag_and_enum_management.cc +++ b/core/report/tag_and_enum_management.cc @@ -242,8 +242,8 @@ TagAndEnumManagement::convertToString(const Notification ¬ification) case Notification::SYNC_LEARNING: return "b9b9ab04-2e2a-4cd1-b7e5-2c956861fb69"; case Notification::SDWAN_POLICY_UPDATE: return "2b18f5a0-5503-4c6b-967f-aa71dbced1aa"; case Notification::SDWAN_POLICY_UPDATE_ERROR: return "8d2db6ea-30b7-11ec-8d3d-0242ac130003"; - case Notification::SDWAN_POLICY_UPDATE_LOG: return "f3a4fa06-2d91-41bc-84cd-7e9eaa9f4ce3"; - case Notification::SDWAN_POLICY_UPDATE_ERROR_LOG: return "5529d385-44ed-46d6-b8d0-1b8a99b4fbea"; + case Notification::SDWAN_POLICY_UPDATE_LOG: return "97cb79e1-e873-4f28-b123-5e19f8dd6f99"; + case Notification::SDWAN_POLICY_UPDATE_ERROR_LOG: return "44ca5755-07a2-483c-b756-b7df444e175c"; } dbgAssert(false) << "Reached impossible notification value of: " << static_cast(notification); diff --git a/core/tenant_manager/tenant_manager.cc b/core/tenant_manager/tenant_manager.cc index 862b52e..bda3fa7 100644 --- a/core/tenant_manager/tenant_manager.cc +++ b/core/tenant_manager/tenant_manager.cc 
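Review bot: `if (do_stop) throw MainloopStop();` turns every `yield()` call, including forced ones, into a possible throw site, and nothing at the call or in the hunk says so. I would add a comment such as `// Stop requested: unwind the calling routine instead of switching context` and note on the declaration that `yield` may throw `MainloopStop`, so routine authors keep cleanup in destructors and do not swallow it in a broad `catch (...)`. Where `MainloopStop` is caught is outside the hunk, so whether every routine entry point handles it cannot be confirmed from here.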
@@ -410,7 +410,13 @@ TenantManager::Impl::getProfileId(const string &tenant_id, const string ®ion, auto maybe_account_region_set = getSetting("accountRegionSet"); if (maybe_account_region_set.ok()) { - for (const AccountRegionPair &account : maybe_account_region_set.unpack().getAccoutRegionPairs()) { + auto account_region_set = maybe_account_region_set.unpack().getAccoutRegionPairs(); + if (account_region_set.empty()) { + dbgTrace(D_TENANT_MANAGER) << "Old profile with new hook. Resolving to profile ID: " << profile_id; + profiles_to_return.push_back(profile_id); + return profiles_to_return; + } + for (const AccountRegionPair &account : account_region_set) { if (region == account.getRegion() && (account_id.empty() || account_id == account.getAccountID())) { dbgTrace(D_TENANT_MANAGER) << "Found a corresponding profile ID: " << profile_id; profiles_to_return.push_back(profile_id); diff --git a/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc b/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc index 81d5ca0..b949e02 100755 --- a/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc +++ b/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc @@ -78,6 +78,7 @@ enum class Service { SDWAN_LOGGER, IOT_ENFORCE, IOT_DOCTOR, + IOT_RISK, IOT_GW_SENSOR, IOT_SNMP, IOT_MS_DHCP, @@ -152,6 +153,7 @@ getServiceString(const Service service) case (Service::CAPSULE8): return "capsule8"; case (Service::IOT_ENFORCE): return "iot-enforce"; case (Service::IOT_DOCTOR): return "iot-doctor"; + case (Service::IOT_RISK): return "iot-risk"; case (Service::IOT_GW_SENSOR): return "iot-gw-sensor"; case (Service::IOT_SNMP): return "iot-snmp"; case (Service::IOT_MS_DHCP): return "iot-ms-dhcp"; 
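Review bot: With the new early return, an empty `accountRegionSet` resolves to `profile_id` for any `region` and `account_id`, while the loop below still requires a region match, and the function returns at once so whatever follows this block is skipped. If that fallback is meant only for profiles created before the set existed, say so in a comment, e.g. `// Profiles without account/region pairs predate this lookup and match every region`, because it widens which callers are mapped to this profile. `account_region_set` is also declared with plain `auto`, which copies the container if `getAccoutRegionPairs()` returns a reference; `const auto &account_region_set = ...` would keep the previous copy-free iteration. The function body starts and ends outside the hunk, so where `profile_id` comes from is not visible here.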
@@ -267,6 +269,11 @@ getServiceConfig (const Service service) filesystem_path + "/conf/cp-nano-iot-doctor-debug-conf.json", log_files_path + "/nano_agent/cp-nano-iot-doctor.dbg" ); + case (Service::IOT_RISK): + return ServiceConfig( + filesystem_path + "/conf/cp-nano-iot-risk-debug-conf.json", + log_files_path + "/nano_agent/cp-nano-iot-risk.dbg" + ); case (Service::IOT_GW_SENSOR): return ServiceConfig( filesystem_path + "/conf/cp-nano-iot-gw-sensor-debug-conf.json", @@ -1246,6 +1253,8 @@ extractServices(const vector &args) services.push_back(Service::IOT_ENFORCE); } else if (getServiceString(Service::IOT_DOCTOR).find(maybe_service) == 0) { services.push_back(Service::IOT_DOCTOR); + } else if (getServiceString(Service::IOT_RISK).find(maybe_service) == 0) { + services.push_back(Service::IOT_RISK); } else if (getServiceString(Service::IOT_GW_SENSOR).find(maybe_service) == 0) { services.push_back(Service::IOT_GW_SENSOR); } else if (getServiceString(Service::IOT_SNMP).find(maybe_service) == 0) { diff --git a/nodes/orchestration/package/open-appsec-ctl.sh b/nodes/orchestration/package/open-appsec-ctl.sh index e0f6153..ef18776 100644 --- a/nodes/orchestration/package/open-appsec-ctl.sh +++ b/nodes/orchestration/package/open-appsec-ctl.sh 
@@ -1565,26 +1565,39 @@ stop_service() # Initials - stops exit 255 } +record_command() # Initials - rc +{ + touch /var/log/nano_agent/operations.log + echo "$(tail -99 /var/log/nano_agent/operations.log)" > /var/log/nano_agent/operations.log + echo $(date "+%Y.%m.%d-%H.%M.%S") ": " $0 $@ >> /var/log/nano_agent/operations.log +} + run() # Initials - r { r_deprecated_msg="Option ${1} is deprecated. Please use" if [ -z "$1" ]; then usage elif [ "--debug" = "$1" ] || [ "-d" = "$1" ]; then + record_command $@ run_cpnano_debug "cpnano" "$@" elif [ "--display-policy" = "$1" ] || [ "-dp" = "$1" ]; then + record_command $@ run_display_policy elif [ "--status" = "$1" ] || [ "-s" = "$1" ]; then + record_command $@ run_status if [ "--extended" = "$2" ]; then shift run_health_check "${@}" fi elif [ "--start-agent" = "$1" ] || [ "-r" = "$1" ]; then + record_command $@ run_start_agent elif [ "--stop-agent" = "$1" ] || [ "-q" = "$1" ]; then + record_command $@ run_stop_agent elif [ "--uninstall" = "$1" ] || [ "-u" = "$1" ]; then + record_command $@ uninstall_agent elif [ "--display-settings" = "$1" ]; then echo "${r_deprecated_msg} --display-config" 
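Review bot: `record_command` writes the full argument list to /var/log/nano_agent/operations.log, and `run()` calls it for options whose arguments can be sensitive (for example `--set-proxy` and `--set-public-key` in the next hunk), so those values land in a log file created with the default umask. `$0 $@` is also unquoted here and at every `record_command $@` call site in this and the following `run()` hunks, so arguments are word-split and glob-expanded before they are written. I would record only the option name, quote the expansions (`record_command "$@"` at the call sites), restrict the file mode, and return quietly when the log directory is not writable so that read-only commands such as `--status` do not print errors for unprivileged users.
```shell
record_command() # Initials - rc
{
    rc_log_file=/var/log/nano_agent/operations.log
    [ -w "$(dirname "${rc_log_file}")" ] || return 0
    rc_last_entries=$(tail -99 "${rc_log_file}" 2>/dev/null)
    printf '%s\n' "${rc_last_entries}" > "${rc_log_file}"
    chmod 600 "${rc_log_file}"
    # Log the option only; its arguments may carry credentials or paths
    printf '%s : %s %s\n' "$(date "+%Y.%m.%d-%H.%M.%S")" "$0" "$1" >> "${rc_log_file}"
}
```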
@@ -1595,42 +1608,56 @@ run() # Initials - r elif [ "-ls" = "$1" ]; then echo "${r_deprecated_msg} -lc" elif [ "--display-config" = "$1" ] || [ "-dc" = "$1" ]; then + record_command $@ shift run_display_settings "${@}" elif [ "--load-config" = "$1" ] || [ "-lc" = "$1" ]; then + record_command $@ shift run_load_settings "${@}" elif [ "--set-proxy" = "$1" ] || [ "-sp" = "$1" ]; then + record_command $@ shift set_proxy "${@}" elif [ "--set-gradual-policy" = "$1" ] || [ "-gp" = "$1" ]; then + record_command $@ shift run_update_gradual_policy "set" "${@}" elif [ "--delete-gradual-policy" = "$1" ] || [ "-dg" = "$1" ]; then + record_command $@ shift run_update_gradual_policy "delete" "${@}" elif [ "--set-traffic-recording-policy" = "$1" ] || [ "-tr" = "$1" ]; then + record_command $@ shift run_set_traffic_recording_policy "${@}" elif [ "--cp-agent-info" = "$1" ] || [ "-ai" = "$1" ]; then + record_command $@ shift run_ai "${@}" elif [ "--update-certs" = "$1" ] || [ "-uc" = "$1" ]; then + record_command $@ run_set_ca_directory "$2" elif [ "--set-public-key" = "$1" ] || [ "-pk" = "$1" ]; then + record_command $@ run_set_publick_key "$2" elif [ "--print-metrics" = "$1" ] || [ "-pm" = "$1" ]; then + record_command $@ run_print_metrics "$2" elif [ "--stop-service" = "$1" ] || [ "-qs" = "$1" ]; then + record_command $@ shift stop_service "${@}" elif [ "--start-service" = "$1" ] || [ "-rs" = "$1" ]; then + record_command $@ shift start_service "${@}" elif [ "--set-mode" = "$1" ] || [ "-sm" = "$1" ]; then + record_command $@ shift set_mode "${@}" elif [ "-vp" = "$1" ] || [ "--view-policy" = "$1" ]; then + record_command $@ shift var_policy_file=$1 if [ -z ${var_policy_file} ]; then @@ -1638,6 +1665,7 @@ run() # Initials - r fi less ${var_policy_file} elif [ "-ep" = "$1" ] || [ "--edit-policy" = "$1" ]; then + record_command $@ shift var_policy_file=$1 if [ -z ${var_policy_file} ]; then 
@@ -1645,6 +1673,7 @@ run() # Initials - r fi vi ${var_policy_file} elif [ "-ap" = "$1" ] || [ "--apply-policy" = "$1" ]; then + record_command $@ curl_apply_policy=$(${curl_cmd} -S -w "%{http_code}\n" -m 1 --noproxy "*" --header "Content-Type: application/json" \ --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/set-apply-policy 2>&1) while [ /etc/cp/conf/local_policy.yaml -nt /etc/cp/conf/policy.json ]; do @@ -1654,8 +1683,10 @@ run() # Initials - r echo "New policy applied." exit 1 elif [ "-lp" = "$1" ] || [ "--list-policies" = "$1" ]; then + record_command $@ echo "/etc/cp/conf/local_policy.yaml" elif [ "-vl" = "$1" ] || [ "--view-logs" = "$1" ]; then + record_command $@ less /var/log/nano_agent/cp-nano-http-transaction-handler.log? else usage diff --git a/nodes/orchestration/package/orchestration_package.sh b/nodes/orchestration/package/orchestration_package.sh index 58dd640..c24302f 100755 --- a/nodes/orchestration/package/orchestration_package.sh +++ b/nodes/orchestration/package/orchestration_package.sh @@ -50,6 +50,7 @@ var_sleep_interval=30 var_error_sleep_interval=30 var_upgrade_mode= var_token= +var_email= var_installation_debug_mode=false var_startup_service= var_arch_flag= @@ -132,6 +133,7 @@ usage() echo "--uninstall : Remove Nano Agent" echo "--token : Registration token" echo "--fog : Fog Address" + echo "--email : Contact Information" echo "--certs-dir : Path to the trusted CA directory" echo "--public-key : Path to the SSL certificate's public key file (PEM format)" echo "--ignore : List of ignored packages" @@ -222,6 +224,9 @@ while true; do elif [ "$1" = "--token" ]; then shift OTP_TOKEN=$1 + elif [ "$1" = "--email" ]; then + shift + var_email=$1 elif [ "$1" = "--offline_mode" ]; then var_offline_mode=true var_orchestration_mode="offline_mode" 
@@ -891,7 +896,8 @@ install_orchestration() cp_print "Building the default policy json" echo '{"'$ORCHESTRATION_NAME'": { "fog-address":"'$var_fog_address'", ' > ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json echo '"pulling-interval":'$var_sleep_interval', ' >> ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json - echo '"error-pulling-interval":'$var_error_sleep_interval'}}' >> ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json + echo '"error-pulling-interval":'$var_error_sleep_interval'},' >> ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json + echo '"registration-data": { "email-address": "'$var_email'"}}' >> ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json copy_orchestration_executable copy_k8s_executable
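Review bot: `$var_email` is pasted into policy.json unquoted and unescaped, so a value containing `"` or `\` yields invalid or structurally different JSON, and whitespace or glob characters in it are expanded by the shell before `echo` sees them. Validate the value before the file is written, for example `case "$var_email" in *[!A-Za-z0-9@._+-]*) echo "Invalid --email value"; exit 1;; esac`, and keep the expansion inside double quotes: `echo '"registration-data": { "email-address": "'"$var_email"'"}}' >> ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json`. The context lines use the same unquoted pattern for `$var_fog_address`, so this follows existing style, but the new field is free-form operator input and ends up in the agent's policy file. `install_orchestration` starts and ends outside the hunk.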