diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h index 39a429b..8aa7d58 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h @@ -119,9 +119,9 @@ public: load(cereal::JSONInputArchive &archive_in) { dbgTrace(D_K8S_POLICY) << "Loading AppSec Web Attack Protections"; - parseAppsecJSONKey("csrf-protection", csrf_protection, archive_in, "Inactive"); - parseAppsecJSONKey("error-disclosure", error_disclosure, archive_in, "Inactive"); - parseAppsecJSONKey("open-redirect", open_redirect, archive_in, "Inactive"); + parseAppsecJSONKey("csrf-enabled", csrf_protection, archive_in, "inactive"); + parseAppsecJSONKey("error-disclosure-enabled", error_disclosure, archive_in, "inactive"); + parseAppsecJSONKey("open-redirect-enabled", open_redirect, archive_in, "inactive"); parseAppsecJSONKey("non-valid-http-methods", non_valid_http_methods, archive_in, false); } @@ -253,7 +253,7 @@ public: { dbgTrace(D_K8S_POLICY) << "Loading AppSec Snort Signatures practice"; parseAppsecJSONKey("override-mode", override_mode, archive_in, "Inactive"); - parseAppsecJSONKey>("configmap", config_map, archive_in); + parseAppsecJSONKey>("files", config_map, archive_in); } const std::string & getOverrideMode() const { return override_mode; } @@ -285,7 +285,7 @@ public: { dbgTrace(D_K8S_POLICY) << "Loading AppSecPracticeOpenSchemaAPI practice"; parseAppsecJSONKey("override-mode", override_mode, archive_in, "Inactive"); - parseAppsecJSONKey>("configmap", config_map, archive_in); + parseAppsecJSONKey>("files", config_map, archive_in); } const std::string & getOverrideMode() const { return override_mode; } 
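Review bot: The renamed keys in the first hunk (`csrf-enabled`, `error-disclosure-enabled`, `open-redirect-enabled`) are read with a default of `"inactive"`, so a policy file that still uses `csrf-protection`, `error-disclosure` or `open-redirect` would presumably load without error and leave those protections switched off. parseAppsecJSONKey is not visible here, so whether it reports a missing or unrecognised key needs confirming; if it does not, read the old key as a fallback or log a warning when it is present. The same concern applies to the `configmap` to `files` rename in the next two hunks and to the top-level key renames in the `@@ -777` hunk. The default also changes case to `"inactive"` while `override-mode` in the neighbouring classes still defaults to `"Inactive"`; a comment such as `// mode strings are compared case-insensitively` (if that is true) would settle it for the reader. The enclosing classes start outside these hunks.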
@@ -777,12 +777,12 @@ public: dbgTrace(D_K8S_POLICY) << "Loading AppSec policy spec"; parseAppsecJSONKey("policies", policies, archive_in); parseAppsecJSONKey>("practices", practices, archive_in); - parseAppsecJSONKey>("logtriggers", log_triggers, archive_in); - parseAppsecJSONKey>("customresponses", custom_responses, archive_in); + parseAppsecJSONKey>("log-triggers", log_triggers, archive_in); + parseAppsecJSONKey>("custom-responses", custom_responses, archive_in); parseAppsecJSONKey>("exceptions", exceptions, archive_in); - parseAppsecJSONKey>("trustedsources", trusted_sources, archive_in); + parseAppsecJSONKey>("trusted-sources", trusted_sources, archive_in); parseAppsecJSONKey>( - "sourceidentifiers", + "source-identifier", sources_identifier, archive_in ); diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h index aca3b57..a152bf6 100755 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h @@ -34,7 +34,7 @@ public: { dbgTrace(D_K8S_POLICY) << "Loading trusted sources spec"; parseAppsecJSONKey("minNumOfSources", min_num_of_sources, archive_in, 3); - parseAppsecJSONKey>("sourcesIdentifiers", sources_identifiers, archive_in); + parseAppsecJSONKey>("sources-identifiers", sources_identifiers, archive_in); parseAppsecJSONKey("name", name, archive_in); } @@ -110,7 +110,7 @@ public: load(cereal::JSONInputArchive &archive_in) { dbgTrace(D_K8S_POLICY) << "Loading trusted sources spec"; - parseAppsecJSONKey("sourceIdentifier", source_identifier, archive_in); + parseAppsecJSONKey("source-identifier", source_identifier, archive_in); parseAppsecJSONKey>("value", value, archive_in); } 
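Review bot: In the `@@ -34` hunk of trusted_sources_section.h the new kebab-case key `sources-identifiers` sits directly below `minNumOfSources`, which keeps its camelCase spelling, so one object now mixes two key conventions. The list key also differs in number between files: the policy spec in appsec_practice_section.h reads `source-identifier` (singular) into a vector, while this class reads `sources-identifiers`. If the schema permits, align the spellings; otherwise add a comment above the calls, for example `// key names follow the local policy schema; minNumOfSources is camelCase by design`. Both load() bodies start outside their hunks.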
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc index fef5779..3925e30 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc @@ -28,6 +28,7 @@ #include #include "rest.h" +#include "report/report.h" #include "debug.h" #include "config.h" #include "connkey.h" @@ -1218,27 +1219,10 @@ private: LocalPolicyEnv env_type; map practice_name_to_id_map; - bool - isPlaygroundEnv() - { - string playground_variable = "PLAYGROUND"; - const char* env_string = getenv(playground_variable.c_str()); - - if (env_string) - { - string env_value = env_string; - std::transform(env_value.begin(), env_value.end(), env_value.begin(), - [](unsigned char c){ return std::tolower(c); }); - return env_value == "true"; - } - - return false; - } - bool getClusterId() { - string playground_uid = isPlaygroundEnv() ? "playground-" : ""; + string playground_uid = Report::isPlaygroundEnv() ? "playground-" : ""; dbgTrace(D_K8S_POLICY) << "Getting cluster UID"; auto maybe_namespaces_data = getObjectFromCluster("/api/v1/namespaces/"); diff --git a/components/security_apps/orchestration/orchestration_comp.cc b/components/security_apps/orchestration/orchestration_comp.cc index 7cea246..944412c 100755 --- a/components/security_apps/orchestration/orchestration_comp.cc +++ b/components/security_apps/orchestration/orchestration_comp.cc @@ -596,6 +596,10 @@ private: auto team = i_env->get("Audience Team"); if (team.ok()) audience_team = *team; + string agent_uid = + (Report::isPlaygroundEnv() ? "playground-" : "") + + Singleton::Consume::by()->getAgentId(); + Report policy_update_message( "Agent's policy has been updated", curr_time, 
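Review bot: The `agent_uid` expression added in the orchestration_comp.cc hunk is repeated verbatim in signal_handler.cc, in debug_streams.cc (twice), in mainloop.cc and generic_metric.cc, and inline in log_generator.h, so the prefix rule now lives in seven places. One helper next to `Report::isPlaygroundEnv()` that returns the prefixed id would stop the copies drifting apart. The `agentId` field of every report now depends on the `PLAYGROUND` environment variable, so anything that can set the process environment changes how the agent is attributed in logs. That deserves a comment at the definition, for example `// agentId carries a "playground-" prefix when PLAYGROUND=true (see Report::isPlaygroundEnv)`. The enclosing function starts and ends outside the hunk.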
@@ -607,7 +611,7 @@ private: Severity::INFO, Priority::LOW, chrono::seconds(0), - LogField("agentId", Singleton::Consume::by()->getAgentId()), + LogField("agentId", agent_uid), Tags::ORCHESTRATOR ); policy_update_message.addToOrigin(LogField("policyVersion", new_policy_version)); diff --git a/components/signal_handler/signal_handler.cc b/components/signal_handler/signal_handler.cc index ab1f2b3..0175d57 100755 --- a/components/signal_handler/signal_handler.cc +++ b/components/signal_handler/signal_handler.cc @@ -207,6 +207,9 @@ private: } set tags; + string agent_uid = + (Report::isPlaygroundEnv() ? "playground-" : "") + + Singleton::Consume::by()->getAgentId(); Report message_to_fog( "Nano service startup after crash", curr_time, @@ -218,7 +221,7 @@ private: Severity::HIGH, Priority::HIGH, chrono::seconds(0), - LogField("agentId", Singleton::Consume::by()->getAgentId()), + LogField("agentId", agent_uid), tags, Tags::INFORMATIONAL ); diff --git a/core/debug_is/debug_streams.cc b/core/debug_is/debug_streams.cc index a9fa83c..3cc0567 100644 --- a/core/debug_is/debug_streams.cc +++ b/core/debug_is/debug_streams.cc @@ -245,6 +245,9 @@ DebugFogStream::finishMessage() if (team.ok()) audience_team = *team; } + string agent_uid = + (Report::isPlaygroundEnv() ? "playground-" : "") + + Singleton::Consume::by()->getAgentId(); Report message_to_fog( "Debug message", curr_time, @@ -256,7 +259,7 @@ DebugFogStream::finishMessage() getSeverity(), Priority::LOW, chrono::seconds(0), - LogField("agentId", Singleton::Consume::by()->getAgentId()), + LogField("agentId", agent_uid), LogField("issuingFunction", func_name), LogField("issuingFile", file_name), LogField("issuingLine", line), @@ -328,6 +331,9 @@ DebugFogStream::handleThresholdReach() if (team.ok()) audience_team = *team; } + string agent_uid = + (Report::isPlaygroundEnv() ? "playground-" : "") + + Singleton::Consume::by()->getAgentId(); Report message_to_fog( "Debug message", curr_time, 
@@ -339,7 +345,7 @@ DebugFogStream::handleThresholdReach() Severity::MEDIUM, Priority::LOW, chrono::seconds(0), - LogField("agentId", Singleton::Consume::by()->getAgentId()), + LogField("agentId", agent_uid), LogField("issuingFunction", __FUNCTION__), LogField("issuingFile", "debug_streams.cc"), LogField("issuingLine", __LINE__), diff --git a/core/include/services_sdk/resources/log_generator.h b/core/include/services_sdk/resources/log_generator.h index 32f996f..fbf082d 100755 --- a/core/include/services_sdk/resources/log_generator.h +++ b/core/include/services_sdk/resources/log_generator.h @@ -80,7 +80,11 @@ public: _severity, _priority, std::chrono::seconds(0), - LogField("agentId", Singleton::Consume::by()->getAgentId()), + LogField( + "agentId", + (Report::isPlaygroundEnv() ? "playground-" : "") + + Singleton::Consume::by()->getAgentId() + ), std::forward(args)... ) { diff --git a/core/include/services_sdk/resources/report/report.h b/core/include/services_sdk/resources/report/report.h index 53fb85c..bff2a66 100755 --- a/core/include/services_sdk/resources/report/report.h +++ b/core/include/services_sdk/resources/report/report.h @@ -16,6 +16,10 @@ #include #include +#include +#include +#include +#include #include "report/base_field.h" #include "report/report_enums.h" @@ -71,6 +75,26 @@ public: setInstanceAwareness(); } + static bool + isPlaygroundEnv() + { + std::string playground_variable = "PLAYGROUND"; + const char *env_string = getenv(playground_variable.c_str()); + + if (env_string) { + std::string env_value = env_string; + std::transform( + env_value.begin(), + env_value.end(), + env_value.begin(), + [](unsigned char c){ return std::tolower(c); } + ); + return env_value == "true"; + } + + return false; + } + void serialize(cereal::JSONOutputArchive &ar) const; std::string getSyslog() const; std::string getCef() const; diff --git a/core/mainloop/mainloop.cc b/core/mainloop/mainloop.cc index 4ffc588..32ee1f2 100644 --- a/core/mainloop/mainloop.cc 
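Review bot: `Report::isPlaygroundEnv()` in the report.h `@@ -71` hunk calls `getenv`, copies the value into a `std::string` and lower-cases it on every call, and the log_generator.h hunk calls it from the constructor, so this work is repeated for each log. Caching the answer in a function-local static does the lookup once and also avoids repeated `getenv` calls from several threads. This assumes the variable is not expected to change after startup, which should be confirmed. The function has no comment saying what `PLAYGROUND` controls, and `std::tolower` needs `<cctype>`; the header names in the `@@ -16` hunk are not legible here, so check that it is among them.

```cpp
static bool
isPlaygroundEnv()
{
    // Evaluated once: PLAYGROUND is read at first use and the answer is reused for every report.
    static const bool is_playground = []() {
        const char *env_string = getenv("PLAYGROUND");
        if (env_string == nullptr) return false;

        std::string env_value = env_string;
        std::transform(
            env_value.begin(),
            env_value.end(),
            env_value.begin(),
            [](unsigned char c) { return std::tolower(c); }
        );
        return env_value == "true";
    }();
    return is_playground;
}
```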
+++ b/core/mainloop/mainloop.cc @@ -174,6 +174,9 @@ MainloopComponent::Impl::reportStartupEvent() auto team = i_env->get("Audience Team"); if (team.ok()) audience_team = *team; + string agent_uid = + (Report::isPlaygroundEnv() ? "playground-" : "") + + Singleton::Consume::by()->getAgentId(); Report startup_message( "Nano service successfully started", curr_time, @@ -185,7 +188,7 @@ MainloopComponent::Impl::reportStartupEvent() ReportIS::Severity::INFO, ReportIS::Priority::HIGH, chrono::seconds(0), - LogField("agentId", Singleton::Consume::by()->getAgentId()), + LogField("agentId", agent_uid), ReportIS::Tags::INFORMATIONAL ); diff --git a/core/metric/generic_metric.cc b/core/metric/generic_metric.cc index 51d4f9d..42b0674 100755 --- a/core/metric/generic_metric.cc +++ b/core/metric/generic_metric.cc @@ -170,6 +170,9 @@ string GenericMetric::getListenerName() const { return metric_name; } void GenericMetric::generateLog() { + string agent_uid = + (Report::isPlaygroundEnv() ? "playground-" : "") + + Singleton::Consume::by()->getAgentId(); set tags; Report metric_to_fog( metric_name, @@ -182,7 +185,7 @@ GenericMetric::generateLog() Severity::INFO, Priority::LOW, report_interval, - LogField("agentId", Singleton::Consume::by()->getAgentId()), + LogField("agentId", agent_uid), tags, Tags::INFORMATIONAL, issuing_engine diff --git a/nodes/orchestration/package/cp-nano-cli.sh b/nodes/orchestration/package/cp-nano-cli.sh index 2e33f2b..c9c88b1 100755 --- a/nodes/orchestration/package/cp-nano-cli.sh +++ b/nodes/orchestration/package/cp-nano-cli.sh 
@@ -899,6 +899,25 @@ print_single_service_status() # Initials - psss fi } +get_status_content() +{ + if [ "${remove_curl_ld_path}" = "true" ]; then + gsc_orch_status=$(LD_LIBRARY_PATH="" ${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/show-orchestration-status 2>&1) + else + gsc_orch_status=$(${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/show-orchestration-status 2>&1) + fi + + if echo "$gsc_orch_status" | grep -q "update status"; then + gsc_line_count=$(echo "$gsc_orch_status" | grep -c '^') + + gsc_temp_old_status=$(echo "$gsc_orch_status" | sed -r "${gsc_line_count},${gsc_line_count}d; "' 1,1d; s/^\s*//g; s/^\n//g; s/\"//g; s/\\n/\n/g; s/\,//g') + else + gsc_temp_old_status=$(sed 's/{//g' <${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestrations_status.json | sed 's/}//g' | sed 's/"//g' | sed 's/,//g' | sed -r '/^\s*$/d' | sed -r 's/^ //g') + fi + + echo ${gsc_temp_old_status} +} + run_status() # Initials - rs { rs_orch_service_full_path=$(get_nano_service_path 'orchestration') @@ -1463,7 +1482,7 @@ set_mode() time_sleep=2 time_out=60 echo "Registering open-appsec Nano Agent to Fog.." - until $USR_SBIN_PATH/${CP_NANO_CTL} -s 2> /dev/null | grep -q "Registration status: Succeeded"; do + until get_status_content | grep -q "Registration status: Succeeded"; do time_out=$(( time_out - time_sleep )) if [ $time_out -le 0 ]; then echo "open-appsec Nano Agent registration failed. Failed to register to Fog: $fog_address" diff --git a/nodes/orchestration/package/local-default-policy.yaml b/nodes/orchestration/package/local-default-policy.yaml index e9845f6..efc0223 100644 --- a/nodes/orchestration/package/local-default-policy.yaml +++ b/nodes/orchestration/package/local-default-policy.yaml 
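Review bot: The fallback branch of get_status_content reads `orchestrations_status.json` whenever the REST reply lacks "update status", so a "Registration status: Succeeded" left on disk by an earlier run could presumably end the set_mode wait loop early; confirm the file is reset before registration starts. The path is unquoted and not checked for existence, and the loop no longer has the `2> /dev/null` that the old `${CP_NANO_CTL} -s` call had, so a missing file would print a shell error on every poll. Guard and quote the read, for example `[ -f "${FILESYSTEM_PATH}/${cp_nano_conf_location}/orchestrations_status.json" ] || return 1` ahead of the sed pipeline. Quote the output as `echo "${gsc_temp_old_status}"` so the multi-line status is not folded onto one line, and quote the request body as `--data '{}'`.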
@@ -6,7 +6,7 @@ policies: practices: - webapp-default-practice custom-response: appsec-default-web-user-response - specific-rules: + specific-rules: [] practices: - name: webapp-default-practice @@ -33,7 +33,7 @@ practices: validated-URIs: [] override-mode: detect-learn -logtriggers: +log-triggers: - name: appsec-default-log-trigger access-control-logging: allow-events: false @@ -53,18 +53,11 @@ logtriggers: url-query: false log-destination: cloud: false - file: stdout: format: json - syslog-service: - cef-service: -customresponses: +custom-responses: - name: appsec-default-web-user-response mode: response-code-only http-response-code: 403 -exceptions: -trustedsources: -sourceidentifiers: - diff --git a/nodes/orchestration/package/watchdog/watchdog b/nodes/orchestration/package/watchdog/watchdog index afbc424..ef6ef47 100755 --- a/nodes/orchestration/package/watchdog/watchdog +++ b/nodes/orchestration/package/watchdog/watchdog @@ -63,7 +63,6 @@ load_paths() if [ -z "${MAX_ROTATION}" ]; then MAX_ROTATION=$DEFAULT_MAX_ROTATION fi - } load_paths