sync code

nodes/orchestration/package/CMakeLists.txt

@@ -8,6 +8,7 @@ install(FILES orchestration_package.sh DESTINATION ./orchestration/ PERMISSIONS
 install(FILES cp-agent-info.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES k8s-check-update-listener.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES k8s-check-update-trigger.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
+install(FILES local-default-policy-v1beta2.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES get-cloud-metadata.sh DESTINATION ./orchestration/scripts/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 
 install(FILES cp-agent-uninstall.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
@@ -28,7 +29,6 @@ install(FILES watchdog/wait-for-networking-inspection-modules.sh DESTINATION ./o
 install(FILES watchdog/access_pre_init DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES watchdog/revert_orchestrator_version.sh DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 
-install(FILES local-default-policy.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES open-appsec-cloud-mgmt DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 install(FILES open-appsec-cloud-mgmt-k8s DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
 

nodes/orchestration/package/cp-nano-cli.sh

@@ -256,7 +256,7 @@ usage()
     uninstall_option="-u,  --uninstall"
     load_config_option="-lc, --load-config <$(get_installed_services '|')>"
     display_config_option="-dc, --display-config [$(get_installed_services '|')]"
-    cp_agent_info_option="--info [-wd|--with_dump|-u|--upload|-fms|--file_max_size|-an|--additional_name]"
+    cp_agent_info_option="--info [-wd|--with_dump|-fms|--file_max_size|-an|--additional_name]"
     display_policy_option="-dp, --display-policy"
     set_gradual_policy_option="-gp, --set-gradual-policy [access-control|http-manager] <ip-ranges>"
     delete_gradual_policy_option="-dg, --delete-gradual-policy [access-control|http-manager]"
@@ -1198,7 +1198,6 @@ run_ai() # Initials - ra
 
     for arg; do
         if [ "$arg" = "--upload" ] || [ "$arg" = "-u" ]; then
-            ra_upload_to_fog=true
             shift
             continue
         elif [ "$arg" = "--verbose" ] || [ "$arg" = "-v" ]; then
@@ -1210,14 +1209,6 @@ run_ai() # Initials - ra
         shift
     done
 
-    if [ "$ra_upload_to_fog" = "false" ]; then
-        printf "Would you like to upload the file to be inspected by the product support team? [y/n] " && read -r ra_should_upload
-        case $ra_should_upload in
-        [Yy] | [Yy][Ee][Ss]) ra_upload_to_fog=true ;;
-        *) ;;
-        esac
-    fi
-
     ra_https_prefix="https://"
     ra_agent_details=$(cat ${FILESYSTEM_PATH}/$cp_nano_conf_location/agent_details.json)
     if echo "$ra_agent_details" | grep -q "Fog domain"; then

nodes/orchestration/package/local-default-policy-v1beta2.yaml

@@ -0,0 +1,101 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: v1beta2
+
+policies:
+  default:
+    # start in detect-learn and move to prevent-learn based on learning progress
+    mode: detect-learn
+    threatPreventionPractices: [default-threat-prevention-practice]
+    accessControlPractices: [default-access-control-practice]
+    customResponses: default-web-user-response
+    triggers: [default-log-trigger]
+    sourceIdentifiers: ""
+    trustedSources: ""
+    exceptions: []
+  specificRules: []
+
+threatPreventionPractices:
+  - name: default-threat-prevention-practice
+    practiceMode: inherited
+    webAttacks:
+      overrideMode: inherited
+      minimumConfidence: high
+    intrusionPrevention:
+    # intrusion prevention (IPS) requires "Premium Edition"
+      overrideMode: inherited
+      maxPerformanceImpact: medium
+      minSeverityLevel: medium
+      minCveYear: 2016
+      highConfidenceEventAction: inherited
+      mediumConfidenceEventAction: inherited
+      lowConfidenceEventAction: detect
+    fileSecurity:
+    # file security requires "Premium Edition"
+      overrideMode: inherited
+      minSeverityLevel: medium
+      highConfidenceEventAction: inherited
+      mediumConfidenceEventAction: inherited
+      lowConfidenceEventAction: detect
+    snortSignatures:
+      # you must specify snort signatures in configmap or file to activate snort inspection
+      overrideMode: inherited
+      configmap: []
+      # relevant for deployments on kubernetes
+      # 0 or 1 configmaps supported in array
+      files: []
+      # relevant for docker and linux embedded deployments
+      # 0 or 1 files supported in array
+    schemaValidation: # schema validation requires "Premium Edition" 
+      overrideMode: inherited
+      configmap: []
+      # relevant for deployments on kubernetes
+      # 0 or 1 configmaps supported in array
+      files: []
+      # relevant for docker and linux embedded deployments
+      # 0 or 1 files supported in array
+    antiBot: # antibot requires "Premium Edition" 
+      overrideMode: inherited
+      injectedUris: []
+      validatedUris: []
+
+accessControlPractices:
+  - name: default-access-control-practice
+    practiceMode: inherited
+    rateLimit:
+    # specify one or more rules below to use rate limiting
+      overrideMode: inherited
+      rules: []
+
+logTriggers:
+  - name: default-log-trigger
+    accessControlLogging:
+      allowEvents: false
+      dropEvents: true
+    appsecLogging:
+      detectEvents: true
+      preventEvents: true
+      allWebRequests: false
+    extendedLogging:
+      urlPath: true
+      urlQuery: true
+      httpHeaders: false
+      requestBody: false
+    additionalSuspiciousEventsLogging:
+      enabled: true
+      minSeverity: high
+      responseBody: false
+      responseCode: true
+
+    logDestination:
+      cloud: true
+      logToAgent: false
+      stdout:
+        format: json
+
+customResponses:
+  - name: default-web-user-response
+    mode: response-code-only
+    httpResponseCode: 403

nodes/orchestration/package/open-appsec-ctl.sh

@@ -281,7 +281,7 @@ usage()
     uninstall_option="-u,  --uninstall"
     load_config_option="-lc, --load-config <$(get_installed_services '|')>"
     display_config_option="-dc, --display-config [$(get_installed_services '|')]"
-    cp_agent_info_option="--info [-wd|--with_dump|-u|--upload|-fms|--file_max_size|-an|--additional_name]"
+    cp_agent_info_option="--info [-wd|--with_dump|-fms|--file_max_size|-an|--additional_name]"
     display_policy_option="-dp, --display-policy"
     set_gradual_policy_option="-gp, --set-gradual-policy [access-control|http-manager] <ip-ranges>"
     delete_gradual_policy_option="-dg, --delete-gradual-policy [access-control|http-manager]"
@@ -1318,7 +1318,6 @@ run_ai() # Initials - ra
 
     for arg; do
         if [ "$arg" = "--upload" ] || [ "$arg" = "-u" ]; then
-            ra_upload_to_fog=true
             shift
             continue
         elif [ "$arg" = "--verbose" ] || [ "$arg" = "-v" ]; then
@@ -1330,14 +1329,6 @@ run_ai() # Initials - ra
         shift
     done
 
-    if [ "$ra_upload_to_fog" = "false" ]; then
-        printf "Would you like to upload the file to be inspected by the product support team? [y/n] " && read -r ra_should_upload
-        case $ra_should_upload in
-        [Yy] | [Yy][Ee][Ss]) ra_upload_to_fog=true ;;
-        *) ;;
-        esac
-    fi
-
     ra_https_prefix="https://"
     ra_agent_details=$(cat ${FILESYSTEM_PATH}/$cp_nano_conf_location/agent_details.json)
     if echo "$ra_agent_details" | grep -q "Fog domain"; then