github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2026-01-17 16:00:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

sync code

Browse Source
This commit is contained in:
Daniel Eisenberg
2026-01-12 16:46:35 +02:00
parent 823e8bac0f
commit 6607c6a24f
4 changed files with 104 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nodes/orchestration/package/CMakeLists.txt
View File

@@ -8,6 +8,7 @@ install(FILES orchestration_package.sh DESTINATION ./orchestration/ PERMISSIONS
install(FILES cp-agent-info.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES k8s-check-update-listener.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES k8s-check-update-trigger.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES local-default-policy-v1beta2.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES get-cloud-metadata.sh DESTINATION ./orchestration/scripts/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-agent-uninstall.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
@@ -28,7 +29,6 @@ install(FILES watchdog/wait-for-networking-inspection-modules.sh DESTINATION ./o
install(FILES watchdog/access_pre_init DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES watchdog/revert_orchestrator_version.sh DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES local-default-policy.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES open-appsec-cloud-mgmt DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES open-appsec-cloud-mgmt-k8s DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)

11
nodes/orchestration/package/cp-nano-cli.sh
View File

@@ -256,7 +256,7 @@ usage()
uninstall_option="-u, --uninstall"
load_config_option="-lc, --load-config <$(get_installed_services '|')>"
display_config_option="-dc, --display-config [$(get_installed_services '|')]"
cp_agent_info_option="--info [-wd|--with_dump|-u|--upload|-fms|--file_max_size|-an|--additional_name]"
cp_agent_info_option="--info [-wd|--with_dump|-fms|--file_max_size|-an|--additional_name]"
display_policy_option="-dp, --display-policy"
set_gradual_policy_option="-gp, --set-gradual-policy [access-control|http-manager] <ip-ranges>"
delete_gradual_policy_option="-dg, --delete-gradual-policy [access-control|http-manager]"
@@ -1198,7 +1198,6 @@ run_ai() # Initials - ra
for arg; do
if [ "$arg" = "--upload" ] || [ "$arg" = "-u" ]; then
ra_upload_to_fog=true
shift
continue
elif [ "$arg" = "--verbose" ] || [ "$arg" = "-v" ]; then
@@ -1210,14 +1209,6 @@ run_ai() # Initials - ra
shift
done
if [ "$ra_upload_to_fog" = "false" ]; then
printf "Would you like to upload the file to be inspected by the product support team? [y/n] " && read -r ra_should_upload
case $ra_should_upload in
[Yy] | [Yy][Ee][Ss]) ra_upload_to_fog=true ;;
*) ;;
esac
fi
ra_https_prefix="https://"
ra_agent_details=$(cat ${FILESYSTEM_PATH}/$cp_nano_conf_location/agent_details.json)
if echo "$ra_agent_details" | grep -q "Fog domain"; then

101
nodes/orchestration/package/local-default-policy-v1beta2.yaml Executable file
View File

@@ -0,0 +1,101 @@
# open-appsec default declarative configuration file
# based on schema version: "v1beta2"
# more information on declarative configuration: https://docs.openappsec.io
apiVersion: v1beta2
policies:
default:
# start in detect-learn and move to prevent-learn based on learning progress
mode: detect-learn
threatPreventionPractices: [default-threat-prevention-practice]
accessControlPractices: [default-access-control-practice]
customResponses: default-web-user-response
triggers: [default-log-trigger]
sourceIdentifiers: ""
trustedSources: ""
exceptions: []
specificRules: []
threatPreventionPractices:
- name: default-threat-prevention-practice
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
schemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []
accessControlPractices:
- name: default-access-control-practice
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []
logTriggers:
- name: default-log-trigger
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: false
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: true
logToAgent: false
stdout:
format: json
customResponses:
- name: default-web-user-response
mode: response-code-only
httpResponseCode: 403

11
nodes/orchestration/package/open-appsec-ctl.sh
View File

@@ -281,7 +281,7 @@ usage()
uninstall_option="-u, --uninstall"
load_config_option="-lc, --load-config <$(get_installed_services '|')>"
display_config_option="-dc, --display-config [$(get_installed_services '|')]"
cp_agent_info_option="--info [-wd|--with_dump|-u|--upload|-fms|--file_max_size|-an|--additional_name]"
cp_agent_info_option="--info [-wd|--with_dump|-fms|--file_max_size|-an|--additional_name]"
display_policy_option="-dp, --display-policy"
set_gradual_policy_option="-gp, --set-gradual-policy [access-control|http-manager] <ip-ranges>"
delete_gradual_policy_option="-dg, --delete-gradual-policy [access-control|http-manager]"
@@ -1318,7 +1318,6 @@ run_ai() # Initials - ra
for arg; do
if [ "$arg" = "--upload" ] || [ "$arg" = "-u" ]; then
ra_upload_to_fog=true
shift
continue
elif [ "$arg" = "--verbose" ] || [ "$arg" = "-v" ]; then
@@ -1330,14 +1329,6 @@ run_ai() # Initials - ra
shift
done
if [ "$ra_upload_to_fog" = "false" ]; then
printf "Would you like to upload the file to be inspected by the product support team? [y/n] " && read -r ra_should_upload
case $ra_should_upload in
[Yy] | [Yy][Ee][Ss]) ra_upload_to_fog=true ;;
*) ;;
esac
fi
ra_https_prefix="https://"
ra_agent_details=$(cat ${FILESYSTEM_PATH}/$cp_nano_conf_location/agent_details.json)
if echo "$ra_agent_details" | grep -q "Fog domain"; then