diff --git a/nodes/orchestration/package/CMakeLists.txt b/nodes/orchestration/package/CMakeLists.txt
index f1558dd..0ac350c 100755
--- a/nodes/orchestration/package/CMakeLists.txt
+++ b/nodes/orchestration/package/CMakeLists.txt
@@ -8,6 +8,7 @@ install(FILES orchestration_package.sh DESTINATION ./orchestration/ PERMISSIONS
 install(FILES cp-agent-info.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES k8s-check-update-listener.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES k8s-check-update-trigger.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
+install(FILES local-default-policy-v1beta2.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES get-cloud-metadata.sh DESTINATION ./orchestration/scripts/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES cp-agent-uninstall.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
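Review bot: The added `install(FILES local-default-policy-v1beta2.yaml ...)` line gives a YAML policy file `OWNER_EXECUTE` and `GROUP_EXECUTE`, copied from the script entries around it; a data file needs no execute bit, and the file itself is also added with mode 100755 further down in this commit. I would install it as `install(FILES local-default-policy-v1beta2.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)`. The second hunk drops the `local-default-policy.yaml` entry, so any installer script that still copies the old name (none is visible here) would need to follow the rename.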
@@ -28,7 +29,6 @@ install(FILES watchdog/wait-for-networking-inspection-modules.sh DESTINATION ./o
 install(FILES watchdog/access_pre_init DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES watchdog/revert_orchestrator_version.sh DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
-install(FILES local-default-policy.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES open-appsec-cloud-mgmt DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES open-appsec-cloud-mgmt-k8s DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
diff --git a/nodes/orchestration/package/cp-nano-cli.sh b/nodes/orchestration/package/cp-nano-cli.sh
index 5173a0a..b98650e 100755
--- a/nodes/orchestration/package/cp-nano-cli.sh
+++ b/nodes/orchestration/package/cp-nano-cli.sh
@@ -256,7 +256,7 @@ usage()
 uninstall_option="-u, --uninstall"
 load_config_option="-lc, --load-config <$(get_installed_services '|')>"
 display_config_option="-dc, --display-config [$(get_installed_services '|')]"
- cp_agent_info_option="--info [-wd|--with_dump|-u|--upload|-fms|--file_max_size|-an|--additional_name]"
+ cp_agent_info_option="--info [-wd|--with_dump|-fms|--file_max_size|-an|--additional_name]"
 display_policy_option="-dp, --display-policy"
 set_gradual_policy_option="-gp, --set-gradual-policy [access-control|http-manager] "
 delete_gradual_policy_option="-dg, --delete-gradual-policy [access-control|http-manager]"
@@ -1198,7 +1198,6 @@ run_ai() # Initials - ra
 for arg; do
 if [ "$arg" = "--upload" ] || [ "$arg" = "-u" ]; then
- ra_upload_to_fog=true
 shift
 continue
 elif [ "$arg" = "--verbose" ] || [ "$arg" = "-v" ]; then
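Review bot: In `run_ai` of cp-nano-cli.sh, the `--upload`/`-u` branch now only does `shift` and `continue`, so as far as this hunk shows the flag is still accepted and silently discarded, while the usage text in this commit stops listing it. An operator or script that passes `-u` gets no signal that nothing was uploaded. A one-line notice before the `shift` would make the removal visible, e.g. `echo "Warning: --upload is no longer supported and is ignored" >&2`. The same applies to the matching `run_ai` hunk in open-appsec-ctl.sh; the loop and the function body continue outside the hunk.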
@@ -1210,14 +1209,6 @@ run_ai() # Initials - ra shift done - if [ "$ra_upload_to_fog" = "false" ]; then - printf "Would you like to upload the file to be inspected by the product support team? [y/n] " && read -r ra_should_upload - case $ra_should_upload in - [Yy] | [Yy][Ee][Ss]) ra_upload_to_fog=true ;; - *) ;; - esac - fi - ra_https_prefix="https://" ra_agent_details=$(cat ${FILESYSTEM_PATH}/$cp_nano_conf_location/agent_details.json) if echo "$ra_agent_details" | grep -q "Fog domain"; then diff --git a/nodes/orchestration/package/local-default-policy-v1beta2.yaml b/nodes/orchestration/package/local-default-policy-v1beta2.yaml new file mode 100755 index 0000000..04f95a5 --- /dev/null +++ b/nodes/orchestration/package/local-default-policy-v1beta2.yaml 
@@ -0,0 +1,101 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: v1beta2
+
+policies:
+ default:
+ # start in detect-learn and move to prevent-learn based on learning progress
+ mode: detect-learn
+ threatPreventionPractices: [default-threat-prevention-practice]
+ accessControlPractices: [default-access-control-practice]
+ customResponses: default-web-user-response
+ triggers: [default-log-trigger]
+ sourceIdentifiers: ""
+ trustedSources: ""
+ exceptions: []
+ specificRules: []
+
+threatPreventionPractices:
+ - name: default-threat-prevention-practice
+ practiceMode: inherited
+ webAttacks:
+ overrideMode: inherited
+ minimumConfidence: high
+ intrusionPrevention:
+ # intrusion prevention (IPS) requires "Premium Edition"
+ overrideMode: inherited
+ maxPerformanceImpact: medium
+ minSeverityLevel: medium
+ minCveYear: 2016
+ highConfidenceEventAction: inherited
+ mediumConfidenceEventAction: inherited
+ lowConfidenceEventAction: detect
+ fileSecurity:
+ # file security requires "Premium Edition"
+ overrideMode: inherited
+ minSeverityLevel: medium
+ highConfidenceEventAction: inherited
+ mediumConfidenceEventAction: inherited
+ lowConfidenceEventAction: detect
+ snortSignatures:
+ # you must specify snort signatures in configmap or file to activate snort inspection
+ overrideMode: inherited
+ configmap: []
+ # relevant for deployments on kubernetes
+ # 0 or 1 configmaps supported in array
+ files: []
+ # relevant for docker and linux embedded deployments
+ # 0 or 1 files supported in array
+ schemaValidation: # schema validation requires "Premium Edition"
+ overrideMode: inherited
+ configmap: []
+ # relevant for deployments on kubernetes
+ # 0 or 1 configmaps supported in array
+ files: []
+ # relevant for docker and linux embedded deployments
+ # 0 or 1 files supported in array
+ antiBot: # antibot requires "Premium Edition"
+ overrideMode: inherited
+ injectedUris: []
+ validatedUris: []
+
+accessControlPractices:
+ - name: default-access-control-practice
+ practiceMode: inherited
+ rateLimit:
+ # specify one or more rules below to use rate limiting
+ overrideMode: inherited
+ rules: []
+
+logTriggers:
+ - name: default-log-trigger
+ accessControlLogging:
+ allowEvents: false
+ dropEvents: true
+ appsecLogging:
+ detectEvents: true
+ preventEvents: true
+ allWebRequests: false
+ extendedLogging:
+ urlPath: true
+ urlQuery: true
+ httpHeaders: false
+ requestBody: false
+ additionalSuspiciousEventsLogging:
+ enabled: true
+ minSeverity: high
+ responseBody: false
+ responseCode: true
+
+ logDestination:
+ cloud: true
+ logToAgent: false
+ stdout:
+ format: json
+
+customResponses:
+ - name: default-web-user-response
+ mode: response-code-only
+ httpResponseCode: 403
diff --git a/nodes/orchestration/package/open-appsec-ctl.sh b/nodes/orchestration/package/open-appsec-ctl.sh
index f0d8f2f..3449613 100644
--- a/nodes/orchestration/package/open-appsec-ctl.sh
+++ b/nodes/orchestration/package/open-appsec-ctl.sh
@@ -281,7 +281,7 @@ usage()
 uninstall_option="-u, --uninstall"
 load_config_option="-lc, --load-config <$(get_installed_services '|')>"
 display_config_option="-dc, --display-config [$(get_installed_services '|')]"
- cp_agent_info_option="--info [-wd|--with_dump|-u|--upload|-fms|--file_max_size|-an|--additional_name]"
+ cp_agent_info_option="--info [-wd|--with_dump|-fms|--file_max_size|-an|--additional_name]"
 display_policy_option="-dp, --display-policy"
 set_gradual_policy_option="-gp, --set-gradual-policy [access-control|http-manager] "
 delete_gradual_policy_option="-dg, --delete-gradual-policy [access-control|http-manager]"
@@ -1318,7 +1318,6 @@ run_ai() # Initials - ra
 for arg; do
 if [ "$arg" = "--upload" ] || [ "$arg" = "-u" ]; then
- ra_upload_to_fog=true
 shift
 continue
 elif [ "$arg" = "--verbose" ] || [ "$arg" = "-v" ]; then
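Review bot: In local-default-policy-v1beta2.yaml, `default-log-trigger` enables `urlQuery: true` under `extendedLogging` while `logDestination` has `cloud: true`, so on an agent connected to cloud management the query strings of logged requests would presumably leave the host by default. Query strings often carry session tokens, password-reset links or personal data. If this default is intended, a comment beside the key would make the trade-off visible, e.g. `# query strings can contain secrets; set to false if logs are shipped off-host`; otherwise default it to `false`.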
@@ -1330,14 +1329,6 @@ run_ai() # Initials - ra shift done - if [ "$ra_upload_to_fog" = "false" ]; then - printf "Would you like to upload the file to be inspected by the product support team? [y/n] " && read -r ra_should_upload - case $ra_should_upload in - [Yy] | [Yy][Ee][Ss]) ra_upload_to_fog=true ;; - *) ;; - esac - fi - ra_https_prefix="https://" ra_agent_details=$(cat ${FILESYSTEM_PATH}/$cp_nano_conf_location/agent_details.json) if echo "$ra_agent_details" | grep -q "Fog domain"; then