Jan_31_2024-Dev

This commit is contained in:
Ned Wright
2024-01-31 17:34:53 +00:00
parent 752a5785f0
commit 6d67818a94
376 changed files with 8101 additions and 7064 deletions


@@ -133,11 +133,12 @@ AccessControlRateLimiteRules::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limite rules";
parseAppsecJSONKey<int>("limit", limit, archive_in);
parseAppsecJSONKey<string>("uri", uri, archive_in);
parseAppsecJSONKey<string>("unit", unit, archive_in);
parseAppsecJSONKey<string>("unit", unit, archive_in, "minute");
if (valid_units.count(unit) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "Access control rate limite rules units invalid: "
<< unit;
throw PolicyGenException("Access control rate limite rules units invalid: " + unit);
}
parseAppsecJSONKey<string>("comment", comment, archive_in);
parseAppsecJSONKey<vector<string>>("triggers", triggers, archive_in);
@@ -177,10 +178,10 @@ AccessControlRateLimit::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limit";
string in_mode;
parseAppsecJSONKey<string>("overrideMode", in_mode, archive_in, "inactive");
parseAppsecJSONKey<string>("overrideMode", in_mode, archive_in, "detect");
if (valid_modes_to_key.find(in_mode) == valid_modes_to_key.end()) {
dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << in_mode;
mode = "Inactive";
throw PolicyGenException("AppSec access control rate limit override mode invalid: " + in_mode);
} else {
mode = valid_modes_to_key.at(in_mode);
}
@@ -216,7 +217,7 @@ AccessControlPracticeSpec::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("name", practice_name, archive_in);
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in);
parseMandatoryAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in);
}
void
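Review bot: The new exception message in `AccessControlRateLimiteRules::load` repeats the `limite` typo of the log line above it (`Access control rate limite rules units invalid: `); now that this text is what a user sees when a policy is rejected, it should read `rate limit` in both the dbgWarning and the throw. The same message is also spelled out twice, once for the warning and once for the exception — building it once, `const string err = "Access control rate limit rules units invalid: " + unit; dbgWarning(D_LOCAL_POLICY) << err; throw PolicyGenException(err);`, keeps the two from drifting; the same warn-then-throw duplication recurs in the later hunks that add `PolicyGenException` throws to the trigger, practice and intrusion-prevention loaders. The `overrideMode` default in `AccessControlRateLimit::load` appears to move from `inactive` to `detect`, which changes what a policy that omits the key does; a short comment there, or a line in the commit message, should record that omitted rate-limit modes are now active. Both `load` bodies start or end outside the hunks shown.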


@@ -111,7 +111,6 @@ private:
I_EnvDetails* env_details = nullptr;
I_Messaging* messaging = nullptr;
EnvType env_type;
Flags<MessageConnConfig> conn_flags;
std::string token;
};


@@ -17,6 +17,7 @@
#include <map>
#include <set>
#include <string>
#include <exception>
#include <cereal/archives/json.hpp>
#include "config.h"
@@ -66,27 +67,57 @@ static const std::unordered_map<std::string, std::string> key_to_practices_val2
static const std::string default_appsec_url = "http://*:*";
class PolicyGenException : public std::exception
{
public:
PolicyGenException(const std::string& msg="") noexcept : m_msg(msg) {}
const char* what() const noexcept override
{
return m_msg.c_str();
}
private:
std::string m_msg;
};
template <typename T>
void
parseAppsecJSONKey(
const std::string &key_name,
T &value,
cereal::JSONInputArchive &archive_in,
const T &default_value = T())
const T &default_value = T(),
bool mandatory = false)
{
try {
archive_in(cereal::make_nvp(key_name, value));
} catch (const cereal::Exception &e) {
archive_in.setNextName(nullptr);
value = default_value;
dbgDebug(D_LOCAL_POLICY)
<< "Could not parse the required key. Key: \""
<< key_name
<< "\", Error: "
<< e.what();
if (!mandatory) {
dbgDebug(D_LOCAL_POLICY)
<< "Could not parse the required key. Key: \""<< key_name
<< "\", Error: " << e.what();
} else {
throw PolicyGenException(
"Could not parse a mandatory key: \"" + key_name + "\", Error: " + std::string(e.what())
);
}
}
}
template <typename T>
void
parseMandatoryAppsecJSONKey(
const std::string &key_name,
T &value,
cereal::JSONInputArchive &archive_in,
const T &default_value = T())
{
parseAppsecJSONKey(key_name, value, archive_in, default_value, true);
}
class AppsecSpecParserMetaData
{
public:
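Review bot: The `default_value` parameter of `parseMandatoryAppsecJSONKey` can never take effect: on a missing key `parseAppsecJSONKey` assigns `value = default_value` and then, because `mandatory` is true, throws `PolicyGenException`, so the assignment is discarded with the object being loaded. Several call sites in this commit nevertheless pass a default to the mandatory variant (`"mode"` with `"response-code-only"`, `"action"` with `"accept"`, `"minimumConfidence"` with `"critical"`, `"minSeverityLevel"` with `"low"`, `"identifier"` with `"sourceip"`, `"minNumOfSources"` with `3`), which reads as if a fallback were intended; either remove the parameter from the mandatory wrapper or switch those callers to the optional parser. The optional branch still logs `Could not parse the required key` for a key that is by construction not required — `"Could not parse optional key: \""` describes what actually happened. `PolicyGenException(const std::string& msg="") noexcept` copies `msg` into `m_msg`, which can throw `std::bad_alloc`; under `noexcept` that becomes `std::terminate`, so drop the `noexcept` from the constructor (or take `std::string msg` by value and move it) and mark the single-argument constructor `explicit`.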


@@ -43,8 +43,6 @@ K8sPolicyUtils::init()
if (env_type == EnvType::K8S) {
token = env_details->getToken();
messaging = Singleton::Consume<I_Messaging>::by<K8sPolicyUtils>();
conn_flags.setFlag(MessageConnConfig::SECURE_CONN);
conn_flags.setFlag(MessageConnConfig::IGNORE_SSL_VALIDATION);
}
}
@@ -79,17 +77,19 @@ Maybe<T, string>
K8sPolicyUtils::getObjectFromCluster(const string &path) const
{
T object;
bool res = messaging->sendObject(
object,
I_Messaging::Method::GET,
"kubernetes.default.svc",
443,
conn_flags,
MessageMetadata k8s_md("kubernetes.default.svc", 443);
k8s_md.insertHeader("Authorization", "Bearer " + token);
k8s_md.insertHeader("Connection", "close");
k8s_md.setConnectioFlag(MessageConnectionConfig::IGNORE_SSL_VALIDATION);
auto res = messaging->sendSyncMessage(
HTTPMethod::GET,
path,
"Authorization: Bearer " + token + "\nConnection: close"
object,
MessageCategory::GENERIC,
k8s_md
);
if (res) return object;
if (res.ok()) return object;
return genError(string("Was not able to get object form k8s cluser in path: " + path));
}
@@ -488,23 +488,33 @@ K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &i
if (!maybe_appsec_policy_spec.ok() ||
!doesVersionExist(maybe_appsec_policy_spec.unpack().getMetaData().getAnnotations(), "v1beta1")
) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2";
auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>(
"/apis/openappsec.io/v1beta2/policies/" + policy_name
);
if(!maybe_v1beta2_appsec_policy_spec.ok()) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve AppSec policy. Error: "
<< maybe_v1beta2_appsec_policy_spec.getErr();
try {
dbgWarning(D_LOCAL_POLICY
) << "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2";
auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>(
"/apis/openappsec.io/v1beta2/policies/" + policy_name
);
if (!maybe_v1beta2_appsec_policy_spec.ok()) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve AppSec policy. Error: " << maybe_v1beta2_appsec_policy_spec.getErr();
return std::make_tuple(
genError("Failed to retrieve AppSec v1beta1 policy. Error: " + maybe_appsec_policy_spec.getErr()),
genError(
"Failed to retrieve AppSec v1beta2 policy. Error: " + maybe_v1beta2_appsec_policy_spec.getErr()
)
);
}
return std::make_tuple(
genError("Failed to retrieve AppSec v1beta1 policy. Error: " + maybe_appsec_policy_spec.getErr()),
genError(
"Failed to retrieve AppSec v1beta2 policy. Error: " + maybe_v1beta2_appsec_policy_spec.getErr()));
genError("There is no v1beta1 policy"),
createAppsecPolicyK8sFromV1beta2Crds(maybe_v1beta2_appsec_policy_spec.unpack(), ingress_mode)
);
} catch (const PolicyGenException &e) {
dbgDebug(D_LOCAL_POLICY) << "Failed in policy generation. Error: " << e.what();
return std::make_tuple(
genError("There is no v1beta1 policy"),
genError("Failed to retrieve AppSec v1beta2 policy. Error: " + string(e.what()))
);
}
return std::make_tuple(
genError("There is no v1beta1 policy"),
createAppsecPolicyK8sFromV1beta2Crds(maybe_v1beta2_appsec_policy_spec.unpack(), ingress_mode));
}
return std::make_tuple(
@@ -521,22 +531,22 @@ K8sPolicyUtils::createPolicy(
const SingleIngressData &item) const
{
for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
string url = rule.getHost();
for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(url + uri.getPath())) {
dbgTrace(D_LOCAL_POLICY)
<< "Inserting Host data to the specific asset set:"
<< "URL: '"
<< url
<< "' uri: '"
<< uri.getPath()
<< "'";
K ingress_rule = K(url + uri.getPath());
appsec_policy.addSpecificRule(ingress_rule);
}
string url = rule.getHost();
for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(url + uri.getPath())) {
dbgTrace(D_LOCAL_POLICY)
<< "Inserting Host data to the specific asset set:"
<< "URL: '"
<< url
<< "' uri: '"
<< uri.getPath()
<< "'";
K ingress_rule = K(url + uri.getPath());
appsec_policy.addSpecificRule(ingress_rule);
}
}
policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
}
policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
}
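Review bot: `k8s_md.setConnectioFlag(MessageConnectionConfig::IGNORE_SSL_VALIDATION)` in `getObjectFromCluster` sends the service-account bearer token (`"Authorization", "Bearer " + token`) to `kubernetes.default.svc:443` over a TLS connection whose server certificate is not verified, so anything that can redirect in-cluster traffic for that name can read the token; the flag carries over from the removed `conn_flags` setup, but the new `MessageMetadata` API is the natural place to fix it. Kubernetes mounts the cluster CA bundle alongside the service-account token, so if the messaging layer can be given a CA to validate against, the flag can be dropped; if it cannot, a comment on that line stating why validation is disabled makes the decision visible to the next reader instead of looking like an oversight. The error message `Was not able to get object form k8s cluser in path: ` is left with two typos (`from`, `cluster`). The `dbgWarning(D_LOCAL_POLICY\n)` break in `createAppsecPolicyK8s` splits the macro's argument list across lines; keeping `dbgWarning(D_LOCAL_POLICY)` whole and breaking before `<<` matches the rest of the file. `createAppsecPolicyK8s` and `createPolicy` both start or end outside the hunks shown.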


@@ -26,13 +26,16 @@ NewParsedRule::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec NewParsedRule";
parseAppsecJSONKey<vector<string>>("exceptions", exceptions, archive_in);
parseAppsecJSONKey<vector<string>>("triggers", log_triggers, archive_in);
parseAppsecJSONKey<vector<string>>("threatPreventionPractices", threat_prevention_practices, archive_in);
parseAppsecJSONKey<vector<string>>("accessControlPractices", access_control_practices, archive_in);
parseMandatoryAppsecJSONKey<vector<string>>(
"threatPreventionPractices",
threat_prevention_practices,
archive_in);
parseMandatoryAppsecJSONKey<vector<string>>("accessControlPractices", access_control_practices, archive_in);
parseAppsecJSONKey<string>("mode", mode, archive_in);
if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec New Parsed Rule mode invalid: " << mode;
throw PolicyGenException("AppSec New Parsed Rule mode invalid: " + mode);
}
parseAppsecJSONKey<string>("customResponse", custom_response, archive_in);
parseAppsecJSONKey<string>("customResponse", custom_response, archive_in, "403");
parseAppsecJSONKey<string>("sourceIdentifiers", source_identifiers, archive_in);
parseAppsecJSONKey<string>("trustedSources", trusted_sources, archive_in);
parseAppsecJSONKey<string>("autoUpgrade", upgrade_settings, archive_in);
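Review bot: The new `throw PolicyGenException("AppSec New Parsed Rule mode invalid: " + mode)` in `NewParsedRule::load` also fires when the `mode` key is simply absent, because `parseAppsecJSONKey<string>("mode", mode, archive_in)` leaves `mode` as the empty string on a missing key and `valid_modes.count("")` is zero; the resulting message then ends in `mode invalid: ` with nothing after it. If `mode` is meant to be required, `parseMandatoryAppsecJSONKey<string>("mode", mode, archive_in)` yields the clearer `Could not parse a mandatory key` error; if a fallback is meant, pass a default the way `customResponse` now does with `"403"`. The `load` body continues past the hunk.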


@@ -21,7 +21,11 @@ using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
// LCOV_EXCL_START Reason: no test exist
static const set<string> valid_modes = {"block-page", "response-code-only", "redirect"};
static const map<string, string> mode_to_appsec_mode_val = {
{"block-page", "Redirect"},
{"response-code-only", "Response Code"},
{"redirect", "Redirect"}
};
void
NewAppSecCustomResponse::load(cereal::JSONInputArchive &archive_in)
@@ -32,13 +36,10 @@ NewAppSecCustomResponse::load(cereal::JSONInputArchive &archive_in)
if (http_response_code < MIN_RESPONSE_CODE || http_response_code > MAX_RESPOMSE_CODE) {
dbgWarning(D_LOCAL_POLICY) << "AppSec web user response code invalid: " << http_response_code;
}
parseAppsecJSONKey<string>("mode", mode, archive_in, "block-page");
if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec web user response mode invalid: " << mode;
}
parseMandatoryAppsecJSONKey<string>("mode", mode, archive_in, "response-code-only");
parseAppsecJSONKey<string>("name", name, archive_in);
parseAppsecJSONKey<string>("redirectUrl", redirect_url, archive_in);
parseAppsecJSONKey<bool>("redirectAddXEventId", redirect_add_x_event_id, archive_in);
parseAppsecJSONKey<bool>("redirectAddXEventId", redirect_add_x_event_id, archive_in, false);
if (mode == "block-page") {
parseAppsecJSONKey<string>(
"messageBody",
@@ -53,6 +54,12 @@ NewAppSecCustomResponse::load(cereal::JSONInputArchive &archive_in)
"Attack blocked by web application protection"
);
}
if (mode_to_appsec_mode_val.find(mode) == mode_to_appsec_mode_val.end()) {
dbgWarning(D_LOCAL_POLICY) << "AppSec web user response mode invalid: " << mode;
mode = "Response Code";
} else {
mode = mode_to_appsec_mode_val.at(mode);
}
}
void
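Review bot: An unrecognized `mode` is silently coerced to `"Response Code"` by the block added at the end of `NewAppSecCustomResponse::load` (`mode = "Response Code";` after the dbgWarning), whereas the other loaders touched in this commit throw `PolicyGenException` for an invalid enumerated value; a typo in a custom response's mode would therefore pass policy generation and change what the client receives, so `throw PolicyGenException("AppSec web user response mode invalid: " + mode);` in place of the reset would be consistent. The check also runs after the `if (mode == "block-page")` branch, so a misspelled `block-page` skips the `messageBody` parsing before the problem is reported; moving the lookup directly after the `mode` parse fixes the order. `mode_to_appsec_mode_val` maps both `block-page` and `redirect` to `"Redirect"`, so the two are indistinguishable after this function — presumably intended, but a one-line comment on the map saying so would help. The `"response-code-only"` default on the mandatory parse of `mode` is never applied, since a missing mandatory key throws first.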


@@ -23,9 +23,9 @@ static const set<string> valid_actions = {"skip", "accept", "drop", "suppressLog
void
NewAppsecExceptionCondition::load(cereal::JSONInputArchive &archive_in)
{
parseAppsecJSONKey<string>("key", key, archive_in);
parseAppsecJSONKey<string>("value", value, archive_in);
dbgTrace(D_LOCAL_POLICY) << "Key: " << key << " Value: " << value;
parseMandatoryAppsecJSONKey<string>("key", key, archive_in);
parseMandatoryAppsecJSONKey<string>("value", value, archive_in);
dbgTrace(D_LOCAL_POLICY) << "Parsed exception condition: Key: " << key << " Value: " << value;
}
const string &
@@ -45,12 +45,17 @@ NewAppsecException::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading New AppSec exception";
parseAppsecJSONKey<string>("name", name, archive_in, "exception");
parseAppsecJSONKey<string>("action", action, archive_in);
parseMandatoryAppsecJSONKey<string>("action", action, archive_in, "accept");
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
if (valid_actions.count(action) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec exception action invalid: " << action;
action = "accept";
}
parseMandatoryAppsecJSONKey<vector<NewAppsecExceptionCondition>>("condition", conditions, archive_in);
if (conditions.empty()) {
dbgWarning(D_LOCAL_POLICY) << "AppSec exception conditions empty";
throw PolicyGenException("AppSec exception conditions empty");
}
parseAppsecJSONKey<vector<NewAppsecExceptionCondition>>("condition", conditions, archive_in);
}
void
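Review bot: In `NewAppsecException::load`, an `action` that is not in `valid_actions` is still downgraded to `"accept"` after a warning (`action = "accept";`), while the same function now throws `PolicyGenException` when `conditions` is empty; if `accept` means the matching request is allowed through, as its name suggests, a misspelled `drop` or `suppressLog` silently becomes an allow rule. Throwing here as well, `throw PolicyGenException("AppSec exception action invalid: " + action);`, matches the new handling of `conditions` and fails closed rather than open. The `"accept"` default passed to `parseMandatoryAppsecJSONKey` is never used, because a missing mandatory key throws before the assignment matters. `NewAppsecException::load` continues past the hunk.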


@@ -43,6 +43,10 @@ NewAppsecTriggerAdditionalSuspiciousEventsLogging::load(cereal::JSONInputArchive
dbgWarning(D_LOCAL_POLICY)
<< "AppSec AppSec Trigger - Additional Suspicious Events Logging minimum severity invalid: "
<< minimum_severity;
throw PolicyGenException(
"AppSec AppSec Trigger - Additional Suspicious Events Logging minimum severity invalid: "
+ minimum_severity
);
}
}
@@ -132,6 +136,7 @@ NewLoggingService::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("proto", proto, archive_in);
if (valid_protocols.count(proto) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Logging Service - proto invalid: " << proto;
throw PolicyGenException("AppSec Logging Service - proto invalid: " + proto);
}
parseAppsecJSONKey<int>("port", port, archive_in, 514);
@@ -156,6 +161,7 @@ NewStdoutLogging::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("format", format, archive_in, "json");
if (valid_formats.count(format) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Stdout Logging - format invalid: " << format;
throw PolicyGenException("AppSec Stdout Logging - format invalid: " + format);
}
}
@@ -261,19 +267,19 @@ NewAppsecLogTrigger::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec log trigger";
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseAppsecJSONKey<NewAppsecTriggerAccessControlLogging>(
parseMandatoryAppsecJSONKey<NewAppsecTriggerAccessControlLogging>(
"accessControlLogging",
access_control_logging,
archive_in
);
parseAppsecJSONKey<NewAppsecTriggerAdditionalSuspiciousEventsLogging>(
parseMandatoryAppsecJSONKey<NewAppsecTriggerAdditionalSuspiciousEventsLogging>(
"additionalSuspiciousEventsLogging",
additional_suspicious_events_logging,
archive_in
);
parseAppsecJSONKey<NewAppsecTriggerLogging>("appsecLogging", appsec_logging, archive_in);
parseAppsecJSONKey<NewAppsecTriggerExtendedLogging>("extendedLogging", extended_logging, archive_in);
parseAppsecJSONKey<NewAppsecTriggerLogDestination>("logDestination", log_destination, archive_in);
parseMandatoryAppsecJSONKey<NewAppsecTriggerLogging>("appsecLogging", appsec_logging, archive_in);
parseMandatoryAppsecJSONKey<NewAppsecTriggerExtendedLogging>("extendedLogging", extended_logging, archive_in);
parseMandatoryAppsecJSONKey<NewAppsecTriggerLogDestination>("logDestination", log_destination, archive_in);
parseAppsecJSONKey<string>("name", name, archive_in);
}


@@ -162,11 +162,12 @@ NewAppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in)
}
if (getMode() == "Prevent") {
parseAppsecJSONKey<string>("minimumConfidence", minimum_confidence, archive_in, "critical");
parseMandatoryAppsecJSONKey<string>("minimumConfidence", minimum_confidence, archive_in, "critical");
if (valid_confidences.count(minimum_confidence) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec practice override minimum confidence invalid: "
<< minimum_confidence;
throw PolicyGenException("AppSec practice override minimum confidence invalid: " + minimum_confidence);
}
} else {
minimum_confidence = "Transparent";
@@ -440,11 +441,12 @@ NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice";
parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
parseMandatoryAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
parseAppsecJSONKey<vector<string>>("files", files, archive_in);
is_temporary = false;
if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
throw PolicyGenException("AppSec Snort Signatures override mode invalid: " + override_mode);
}
}
@@ -567,12 +569,16 @@ NewIntrusionPrevention::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Intrusion Prevention override mode invalid: " << override_mode;
throw PolicyGenException("AppSec Intrusion Prevention override mode invalid: " + override_mode);
}
parseAppsecJSONKey<string>("maxPerformanceImpact", max_performance_impact, archive_in, "low");
parseAppsecJSONKey<string>("maxPerformanceImpact", max_performance_impact, archive_in, "medium");
if (performance_impacts.count(max_performance_impact) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec Intrusion Prevention max performance impact invalid: "
<< max_performance_impact;
throw PolicyGenException(
"AppSec Intrusion Prevention max performance impact invalid: " + max_performance_impact
);
}
parseAppsecJSONKey<string>("minSeverityLevel", min_severity_level, archive_in, "low");
if (severity_levels.count(min_severity_level) == 0) {
@@ -580,23 +586,32 @@ NewIntrusionPrevention::load(cereal::JSONInputArchive &archive_in)
<< "AppSec Intrusion Prevention min severity level invalid: "
<< min_severity_level;
}
parseAppsecJSONKey<string>("highConfidenceEventAction", high_confidence_event_action, archive_in, "inactive");
parseAppsecJSONKey<string>("highConfidenceEventAction", high_confidence_event_action, archive_in, "prevent");
if (confidences_actions.count(high_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec Intrusion Prevention high confidence event invalid: "
<< high_confidence_event_action;
throw PolicyGenException(
"AppSec Intrusion Prevention high confidence event invalid: " + high_confidence_event_action
);
}
parseAppsecJSONKey<string>("mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "inactive");
parseAppsecJSONKey<string>("mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "prevent");
if (confidences_actions.count(medium_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec Intrusion Prevention medium confidence event invalid: "
<< medium_confidence_event_action;
throw PolicyGenException(
"AppSec Intrusion Prevention medium confidence event invalid: " + medium_confidence_event_action
);
}
parseAppsecJSONKey<string>("lowConfidenceEventAction", low_confidence_event_action, archive_in, "inactive");
parseAppsecJSONKey<string>("lowConfidenceEventAction", low_confidence_event_action, archive_in, "detect");
if (confidences_actions.count(low_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec Intrusion Prevention low confidence event action invalid: "
<< low_confidence_event_action;
throw PolicyGenException(
"AppSec Intrusion Prevention low confidence event action invalid: " + low_confidence_event_action
);
}
parseAppsecJSONKey<int>("minCveYear", min_cve_Year, archive_in);
}
@@ -733,29 +748,36 @@ void
NewFileSecurityArchiveInspection::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security Archive Inspection practice";
parseAppsecJSONKey<bool>("extractArchiveFiles", extract_archive_files, archive_in);
parseAppsecJSONKey<uint64_t>("scanMaxFileSize", scan_max_file_size, archive_in, 0);
parseAppsecJSONKey<string>("scanMaxFileSizeUnit", scan_max_file_size_unit, archive_in, "bytes");
parseAppsecJSONKey<bool>("extractArchiveFiles", extract_archive_files, archive_in, true);
parseAppsecJSONKey<uint64_t>("scanMaxFileSize", scan_max_file_size, archive_in, 10);
parseAppsecJSONKey<string>("scanMaxFileSizeUnit", scan_max_file_size_unit, archive_in, "MB");
if (size_unit.count(scan_max_file_size_unit) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security Archive Inspection scan max file size unit invalid: "
<< scan_max_file_size_unit;
throw PolicyGenException(
"AppSec File Security Archive Inspection scan max file size unit invalid: " + scan_max_file_size_unit
);
}
parseAppsecJSONKey<string>(
"archivedFilesWithinArchivedFiles",
archived_files_within_archived_files,
archive_in,
"inactive");
"prevent");
if (confidences_actions.count(archived_files_within_archived_files) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security Archive Inspection archived files within archived files invalid: "
<< archived_files_within_archived_files;
throw PolicyGenException(
"AppSec File Security Archive Inspection archived files within archived files invalid: "
+ archived_files_within_archived_files
);
}
parseAppsecJSONKey<string>(
"archivedFilesWhereContentExtractionFailed",
archived_files_where_content_extraction_failed,
archive_in,
"inactive");
"prevent");
if (confidences_actions.count(archived_files_where_content_extraction_failed) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security Archive Inspection archived files within archived file invalid: "
@@ -798,22 +820,29 @@ void
NewFileSecurityLargeFileInspection::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security large File Inspection practice";
parseAppsecJSONKey<uint64_t>("fileSizeLimit", file_size_limit, archive_in);
parseAppsecJSONKey<string>("fileSizeLimitUnit", file_size_limit_unit, archive_in, "bytes");
parseAppsecJSONKey<uint64_t>("fileSizeLimit", file_size_limit, archive_in, 10);
parseAppsecJSONKey<string>("fileSizeLimitUnit", file_size_limit_unit, archive_in, "MB");
if (size_unit.count(file_size_limit_unit) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security large File Inspection file size limit unit invalid: "
<< file_size_limit_unit;
throw PolicyGenException(
"AppSec File Security large File Inspection file size limit unit invalid: " + file_size_limit_unit
);
}
parseAppsecJSONKey<string>(
"filesExceedingSizeLimitAction",
files_exceeding_size_limit_action,
archive_in,
"inactive");
"prevent");
if (confidences_actions.count(files_exceeding_size_limit_action) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security Archive Inspection archived files within archived files invalid: "
<< files_exceeding_size_limit_action;
throw PolicyGenException(
"AppSec File Security Archive Inspection archived files within archived files invalid: "
+ files_exceeding_size_limit_action
);
}
}
@@ -843,38 +872,52 @@ NewFileSecurity::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec File Security override mode invalid: " << override_mode;
throw PolicyGenException("AppSec File Security override mode invalid: " + override_mode);
}
parseAppsecJSONKey<string>("minSeverityLevel", min_severity_level, archive_in, "low");
parseMandatoryAppsecJSONKey<string>("minSeverityLevel", min_severity_level, archive_in, "low");
if (severity_levels.count(min_severity_level) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec File Security min severity level invalid: " << min_severity_level;
min_severity_level = "low";
}
parseAppsecJSONKey<string>("highConfidenceEventAction", high_confidence_event_action, archive_in, "inactive");
parseMandatoryAppsecJSONKey<string>(
"highConfidenceEventAction", high_confidence_event_action, archive_in, "inactive"
);
if (confidences_actions.count(high_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security high confidence event invalid: "
<< high_confidence_event_action;
high_confidence_event_action = "inactive";
}
parseAppsecJSONKey<string>("mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "inactive");
parseMandatoryAppsecJSONKey<string>(
"mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "inactive"
);
if (confidences_actions.count(medium_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security medium confidence event invalid: "
<< medium_confidence_event_action;
medium_confidence_event_action = "inactive";
}
parseAppsecJSONKey<string>("lowConfidenceEventAction", low_confidence_event_action, archive_in, "inactive");
parseMandatoryAppsecJSONKey<string>(
"lowConfidenceEventAction", low_confidence_event_action, archive_in, "inactive"
);
if (confidences_actions.count(low_confidence_event_action) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security low confidence event action invalid: "
<< low_confidence_event_action;
low_confidence_event_action = "inactive";
}
parseAppsecJSONKey<string>("unnamedFilesAction", unnamed_files_action, archive_in, "inactive");
parseMandatoryAppsecJSONKey<string>("unnamedFilesAction", unnamed_files_action, archive_in, "inactive");
if (confidences_actions.count(unnamed_files_action) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec File Security low unnamed files action invalid: "
<< unnamed_files_action;
unnamed_files_action = "inactive";
}
parseAppsecJSONKey<bool>("threatEmulationEnabled", threat_emulation_enabled, archive_in);
parseAppsecJSONKey<NewFileSecurityArchiveInspection>("archiveInspection", archive_inspection, archive_in);
parseAppsecJSONKey<NewFileSecurityLargeFileInspection>("largeFileInspection", large_file_inspection, archive_in);
parseMandatoryAppsecJSONKey<NewFileSecurityArchiveInspection>("archiveInspection", archive_inspection, archive_in);
parseMandatoryAppsecJSONKey<NewFileSecurityLargeFileInspection>(
"largeFileInspection", large_file_inspection, archive_in
);
}
const string &
@@ -939,7 +982,7 @@ NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<NewFileSecurity>("fileSecurity", file_security, archive_in);
parseAppsecJSONKey<NewIntrusionPrevention>("intrusionPrevention", intrusion_prevention, archive_in);
parseAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>("snortSignatures", snort_signatures, archive_in);
parseAppsecJSONKey<NewAppSecPracticeWebAttacks>("webAttacks", web_attacks, archive_in);
parseMandatoryAppsecJSONKey<NewAppSecPracticeWebAttacks>("webAttacks", web_attacks, archive_in);
parseAppsecJSONKey<NewAppSecPracticeAntiBot>("antiBot", anti_bot, archive_in);
parseAppsecJSONKey<string>("name", practice_name, archive_in);
}
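Review bot: `NewFileSecurity::load` and `NewIntrusionPrevention::load` now treat the same kind of value differently: an invalid `highConfidenceEventAction` (and medium/low, `minSeverityLevel`) in intrusion prevention throws `PolicyGenException`, but in file security it is only logged and then reset to `"inactive"` (`high_confidence_event_action = "inactive";`, likewise `unnamedFilesAction`), so a typo in a file-security action disables that enforcement while the policy still loads. Replacing each reset with the corresponding throw, e.g. `throw PolicyGenException("AppSec File Security high confidence event invalid: " + high_confidence_event_action);`, gives both practices one failure mode. The changed defaults (`prevent` for the high/medium confidence and archive/large-file actions, `detect` for low confidence, `medium` for `maxPerformanceImpact`, `10`/`MB` for the size limits, `true` for `extractArchiveFiles`) alter what a policy that omits these keys does, so a comment next to those parses, or a line in the commit message, should record that omitted keys now enforce instead of staying inactive. Several of the affected `load` bodies start or end outside the hunks shown.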


@@ -25,8 +25,8 @@ NewTrustedSourcesSpec::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading trusted sources spec";
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseAppsecJSONKey<int>("minNumOfSources", min_num_of_sources, archive_in, 3);
parseAppsecJSONKey<vector<string>>("sourcesIdentifiers", sources_identifiers, archive_in);
parseMandatoryAppsecJSONKey<int>("minNumOfSources", min_num_of_sources, archive_in, 3);
parseMandatoryAppsecJSONKey<vector<string>>("sourcesIdentifiers", sources_identifiers, archive_in);
parseAppsecJSONKey<string>("name", name, archive_in);
}
@@ -64,11 +64,12 @@ void
Identifier::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading source identifiers spec";
parseAppsecJSONKey<string>("identifier", identifier, archive_in);
parseMandatoryAppsecJSONKey<string>("identifier", identifier, archive_in, "sourceip");
if (valid_identifiers.count(identifier) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec identifier invalid: " << identifier;
identifier = "sourceip";
}
parseAppsecJSONKey<vector<string>>("value", value, archive_in);
parseMandatoryAppsecJSONKey<vector<string>>("value", value, archive_in);
}
const string &
@@ -88,7 +89,11 @@ NewSourcesIdentifiers::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading Sources Identifiers";
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseAppsecJSONKey<vector<Identifier>>("sourcesIdentifiers", sources_identifiers, archive_in);
parseMandatoryAppsecJSONKey<vector<Identifier>>("sourcesIdentifiers", sources_identifiers, archive_in);
if (sources_identifiers.empty()) {
dbgWarning(D_LOCAL_POLICY) << "AppSec sources identifiers empty";
throw PolicyGenException("AppSec sources identifiers empty");
}
parseAppsecJSONKey<string>("name", name, archive_in);
}


@@ -1649,36 +1649,39 @@ PolicyMakerUtils::proccesSingleAppsecPolicy(
const string &local_appsec_policy_path)
{
Maybe<V1beta2AppsecLinuxPolicy> maybe_policy_v1beta2 = openFileAsJson<V1beta2AppsecLinuxPolicy>(policy_path);
if (maybe_policy_v1beta2.ok()) {
policy_version_name = "v1beta2";
createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, NewParsedRule>(
getPolicyName(policy_path),
maybe_policy_v1beta2.unpack()
);
} else {
policy_version_name = "v1beta1";
dbgInfo(D_LOCAL_POLICY)
<< "Failed to retrieve AppSec local policy with version: v1beta2, Trying version: v1beta1";
try {
Maybe<V1beta2AppsecLinuxPolicy> maybe_policy_v1beta2 = openFileAsJson<V1beta2AppsecLinuxPolicy>(policy_path);
if (maybe_policy_v1beta2.ok()) {
policy_version_name = "v1beta2";
createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, NewParsedRule>(
getPolicyName(policy_path), maybe_policy_v1beta2.unpack()
);
} else {
policy_version_name = "v1beta1";
dbgInfo(D_LOCAL_POLICY
) << "Failed to retrieve AppSec local policy with version: v1beta2, Trying version: v1beta1";
Maybe<AppsecLinuxPolicy> maybe_policy_v1beta1 = openFileAsJson<AppsecLinuxPolicy>(policy_path);
if (!maybe_policy_v1beta1.ok()){
dbgWarning(D_LOCAL_POLICY) << maybe_policy_v1beta1.getErr();
return "";
Maybe<AppsecLinuxPolicy> maybe_policy_v1beta1 = openFileAsJson<AppsecLinuxPolicy>(policy_path);
if (!maybe_policy_v1beta1.ok()) {
dbgWarning(D_LOCAL_POLICY) << maybe_policy_v1beta1.getErr();
return "";
}
createAgentPolicyFromAppsecPolicy<AppsecLinuxPolicy, ParsedRule>(
getPolicyName(policy_path), maybe_policy_v1beta1.unpack()
);
if (getenv("OPENAPPSEC_STANDALONE")) rpmBuildNginxServers(maybe_policy_v1beta1.unpack());
}
createAgentPolicyFromAppsecPolicy<AppsecLinuxPolicy, ParsedRule>(
getPolicyName(policy_path),
maybe_policy_v1beta1.unpack()
PolicyWrapper policy_wrapper = combineElementsToPolicy(policy_version);
return dumpPolicyToFile(
policy_wrapper,
local_appsec_policy_path
);
if (getenv("OPENAPPSEC_STANDALONE")) rpmBuildNginxServers(maybe_policy_v1beta1.unpack());
} catch (const PolicyGenException &e) {
dbgDebug(D_LOCAL_POLICY) << "Policy generation failed. Error: " << e.what();
return "";
}
PolicyWrapper policy_wrapper = combineElementsToPolicy(policy_version);
return dumpPolicyToFile(
policy_wrapper,
local_appsec_policy_path
);
}
void
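Review bot: The new `catch (const PolicyGenException &e)` in `proccesSingleAppsecPolicy` logs a failed policy generation at `dbgDebug` and returns `""`, while the neighbouring failure to open the v1beta1 file is logged at `dbgWarning`; a policy rejected for an invalid value is an operator-visible event that will be missed at debug level, so `dbgWarning(D_LOCAL_POLICY) << "Policy generation failed. Error: " << e.what();` is the level to use, and the same applies to the `Failed in policy generation` catch in `K8sPolicyUtils::createAppsecPolicyK8s`. `policy_version_name` has already been set to `v1beta2` or `v1beta1` by the time the exception propagates, so if it is read after a failed call it describes a policy that was never produced; clearing it in the catch, or assigning it only after `createAgentPolicyFromAppsecPolicy` returns, avoids that. The `dbgInfo(D_LOCAL_POLICY\n)` split leaves the macro's closing parenthesis on the next line; `dbgInfo(D_LOCAL_POLICY)` followed by the `<<` on a continuation line reads as the rest of the file does. The function's signature begins before the hunk.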


@@ -174,8 +174,12 @@ RulesConfigRulebase::RulesConfigRulebase(
context ="All()";
return;
}
string host_check = "Any(EqualHost(" + _url + ")),";
string uri_check = (_uri.empty() || _uri == "/" ) ? "" : ",BeginWithUri(" + _uri + ")";
bool uri_regex = false;
if (std::find(_uri.begin(), _uri.end(), '*') != _uri.end()) {
uri_regex = true;
}
string host_check = (_url.empty() || _url == "/") ? "" : "Any(EqualHost(" + _url + ")),";
string uri_check = (_uri.empty() || _uri == "/" || uri_regex ) ? "" : ",BeginWithUri(" + _uri + ")";
auto ports = _port.empty() ? vector<string>({"80", "443"}) : vector<string>({_port});
context = "Any(";
for (auto &port : ports) {
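Review bot: `bool uri_regex = false; if (std::find(_uri.begin(), _uri.end(), '*') != _uri.end()) { uri_regex = true; }` spends four lines on a single predicate; `const bool uri_regex = _uri.find('*') != string::npos;` says the same. More importantly, any `*` in the URI now makes `uri_check` empty, so the generated context constrains only the host — or nothing, when `_url` is empty or `/` — and if that broadening is the intended way to express a wildcard path, a comment such as `// a wildcard URI is matched at host level; no BeginWithUri clause is emitted` would stop the next reader from treating it as a dropped check. `_url` and `_uri` are still spliced verbatim into the expression, so a value containing `)` or `,` would yield a malformed context; validating those fields where the rule is parsed would be the place to guard it. The constructor continues past the hunk.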


@@ -52,15 +52,14 @@ void
SettingsRulebase::save(cereal::JSONOutputArchive &out_ar) const
{
string profile_type = "Kubernetes";
string upgrade_mode = "automatic";
out_ar(
cereal::make_nvp("agentSettings", agentSettings),
cereal::make_nvp("agentType", profile_type),
cereal::make_nvp("allowOnlyDefinedApplications", false),
cereal::make_nvp("anyFog", true),
cereal::make_nvp("maxNumberOfAgents", 10),
cereal::make_nvp("upgradeMode", upgrade_mode)
cereal::make_nvp("maxNumberOfAgents", 10)
);
upgrade_settings.save(out_ar);
}
SettingsWrapper::SettingsWrapper(SettingsRulebase _agent) : agent(_agent)