github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

update embedded nginx support for openappsec and bug fixes and schema changes

Browse Source
This commit is contained in:
dgambarin 2022-11-16 17:56:41 +02:00
parent 03949a3cb7
commit 8bbd856d92
13 changed files with 90 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h
View File

@ -119,9 +119,9 @@ public:
load(cereal::JSONInputArchive &archive_in) load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_K8S_POLICY) << "Loading AppSec Web Attack Protections"; dbgTrace(D_K8S_POLICY) << "Loading AppSec Web Attack Protections";
parseAppsecJSONKey<std::string>("csrf-protection", csrf_protection, archive_in, "Inactive"); parseAppsecJSONKey<std::string>("csrf-enabled", csrf_protection, archive_in, "inactive");
parseAppsecJSONKey<std::string>("error-disclosure", error_disclosure, archive_in, "Inactive"); parseAppsecJSONKey<std::string>("error-disclosure-enabled", error_disclosure, archive_in, "inactive");
parseAppsecJSONKey<std::string>("open-redirect", open_redirect, archive_in, "Inactive"); parseAppsecJSONKey<std::string>("open-redirect-enabled", open_redirect, archive_in, "inactive");
parseAppsecJSONKey<bool>("non-valid-http-methods", non_valid_http_methods, archive_in, false); parseAppsecJSONKey<bool>("non-valid-http-methods", non_valid_http_methods, archive_in, false);
} }
@ -253,7 +253,7 @@ public:
{ {
dbgTrace(D_K8S_POLICY) << "Loading AppSec Snort Signatures practice"; dbgTrace(D_K8S_POLICY) << "Loading AppSec Snort Signatures practice";
parseAppsecJSONKey<std::string>("override-mode", override_mode, archive_in, "Inactive"); parseAppsecJSONKey<std::string>("override-mode", override_mode, archive_in, "Inactive");
parseAppsecJSONKey<std::vector<std::string>>("configmap", config_map, archive_in); parseAppsecJSONKey<std::vector<std::string>>("files", config_map, archive_in);
} }
const std::string & getOverrideMode() const { return override_mode; } const std::string & getOverrideMode() const { return override_mode; }
@ -285,7 +285,7 @@ public:
{ {
dbgTrace(D_K8S_POLICY) << "Loading AppSecPracticeOpenSchemaAPI practice"; dbgTrace(D_K8S_POLICY) << "Loading AppSecPracticeOpenSchemaAPI practice";
parseAppsecJSONKey<std::string>("override-mode", override_mode, archive_in, "Inactive"); parseAppsecJSONKey<std::string>("override-mode", override_mode, archive_in, "Inactive");
parseAppsecJSONKey<std::vector<std::string>>("configmap", config_map, archive_in); parseAppsecJSONKey<std::vector<std::string>>("files", config_map, archive_in);
} }
const std::string & getOverrideMode() const { return override_mode; } const std::string & getOverrideMode() const { return override_mode; }
@ -777,12 +777,12 @@ public:
dbgTrace(D_K8S_POLICY) << "Loading AppSec policy spec"; dbgTrace(D_K8S_POLICY) << "Loading AppSec policy spec";
parseAppsecJSONKey<AppsecPolicySpec>("policies", policies, archive_in); parseAppsecJSONKey<AppsecPolicySpec>("policies", policies, archive_in);
parseAppsecJSONKey<std::vector<AppSecPracticeSpec>>("practices", practices, archive_in); parseAppsecJSONKey<std::vector<AppSecPracticeSpec>>("practices", practices, archive_in);
parseAppsecJSONKey<std::vector<AppsecTriggerSpec>>("logtriggers", log_triggers, archive_in); parseAppsecJSONKey<std::vector<AppsecTriggerSpec>>("log-triggers", log_triggers, archive_in);
parseAppsecJSONKey<std::vector<AppSecCustomResponseSpec>>("customresponses", custom_responses, archive_in); parseAppsecJSONKey<std::vector<AppSecCustomResponseSpec>>("custom-responses", custom_responses, archive_in);
parseAppsecJSONKey<std::vector<AppsecExceptionSpec>>("exceptions", exceptions, archive_in); parseAppsecJSONKey<std::vector<AppsecExceptionSpec>>("exceptions", exceptions, archive_in);
parseAppsecJSONKey<std::vector<TrustedSourcesSpec>>("trustedsources", trusted_sources, archive_in); parseAppsecJSONKey<std::vector<TrustedSourcesSpec>>("trusted-sources", trusted_sources, archive_in);
parseAppsecJSONKey<std::vector<SourceIdentifierSpecWrapper>>( parseAppsecJSONKey<std::vector<SourceIdentifierSpecWrapper>>(
"sourceidentifiers", "source-identifier",
sources_identifier, sources_identifier,
archive_in archive_in
); );

4
components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h
View File

@ -34,7 +34,7 @@ public:
{ {
dbgTrace(D_K8S_POLICY) << "Loading trusted sources spec"; dbgTrace(D_K8S_POLICY) << "Loading trusted sources spec";
parseAppsecJSONKey<int>("minNumOfSources", min_num_of_sources, archive_in, 3); parseAppsecJSONKey<int>("minNumOfSources", min_num_of_sources, archive_in, 3);
parseAppsecJSONKey<std::vector<std::string>>("sourcesIdentifiers", sources_identifiers, archive_in); parseAppsecJSONKey<std::vector<std::string>>("sources-identifiers", sources_identifiers, archive_in);
parseAppsecJSONKey<std::string>("name", name, archive_in); parseAppsecJSONKey<std::string>("name", name, archive_in);
} }
@ -110,7 +110,7 @@ public:
load(cereal::JSONInputArchive &archive_in) load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_K8S_POLICY) << "Loading trusted sources spec"; dbgTrace(D_K8S_POLICY) << "Loading trusted sources spec";
parseAppsecJSONKey<std::string>("sourceIdentifier", source_identifier, archive_in); parseAppsecJSONKey<std::string>("source-identifier", source_identifier, archive_in);
parseAppsecJSONKey<std::vector<std::string>>("value", value, archive_in); parseAppsecJSONKey<std::vector<std::string>>("value", value, archive_in);
} }

20
components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc
View File

@ -28,6 +28,7 @@
#include <boost/uuid/uuid_generators.hpp> #include <boost/uuid/uuid_generators.hpp>
#include "rest.h" #include "rest.h"
#include "report/report.h"
#include "debug.h" #include "debug.h"
#include "config.h" #include "config.h"
#include "connkey.h" #include "connkey.h"
@ -1218,27 +1219,10 @@ private:
LocalPolicyEnv env_type; LocalPolicyEnv env_type;
map<string, string> practice_name_to_id_map; map<string, string> practice_name_to_id_map;
bool
isPlaygroundEnv()
{
string playground_variable = "PLAYGROUND";
const char* env_string = getenv(playground_variable.c_str());
if (env_string)
{
string env_value = env_string;
std::transform(env_value.begin(), env_value.end(), env_value.begin(),
[](unsigned char c){ return std::tolower(c); });
return env_value == "true";
}
return false;
}
bool bool
getClusterId() getClusterId()
{ {
string playground_uid = isPlaygroundEnv() ? "playground-" : ""; string playground_uid = Report::isPlaygroundEnv() ? "playground-" : "";
dbgTrace(D_K8S_POLICY) << "Getting cluster UID"; dbgTrace(D_K8S_POLICY) << "Getting cluster UID";
auto maybe_namespaces_data = getObjectFromCluster<NamespaceData>("/api/v1/namespaces/"); auto maybe_namespaces_data = getObjectFromCluster<NamespaceData>("/api/v1/namespaces/");

6
components/security_apps/orchestration/orchestration_comp.cc
View File

@ -596,6 +596,10 @@ private:
auto team = i_env->get<AudienceTeam>("Audience Team"); auto team = i_env->get<AudienceTeam>("Audience Team");
if (team.ok()) audience_team = *team; if (team.ok()) audience_team = *team;
string agent_uid =
(Report::isPlaygroundEnv() ? "playground-" : "") +
Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getAgentId();
Report policy_update_message( Report policy_update_message(
"Agent's policy has been updated", "Agent's policy has been updated",
curr_time, curr_time,
@ -607,7 +611,7 @@ private:
Severity::INFO, Severity::INFO,
Priority::LOW, Priority::LOW,
chrono::seconds(0), chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getAgentId()), LogField("agentId", agent_uid),
Tags::ORCHESTRATOR Tags::ORCHESTRATOR
); );
policy_update_message.addToOrigin(LogField("policyVersion", new_policy_version)); policy_update_message.addToOrigin(LogField("policyVersion", new_policy_version));

5
components/signal_handler/signal_handler.cc
View File

@ -207,6 +207,9 @@ private:
} }
set<ReportIS::Tags> tags; set<ReportIS::Tags> tags;
string agent_uid =
(Report::isPlaygroundEnv() ? "playground-" : "") +
Singleton::Consume<I_AgentDetails>::by<SignalHandler>()->getAgentId();
Report message_to_fog( Report message_to_fog(
"Nano service startup after crash", "Nano service startup after crash",
curr_time, curr_time,
@ -218,7 +221,7 @@ private:
Severity::HIGH, Severity::HIGH,
Priority::HIGH, Priority::HIGH,
chrono::seconds(0), chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<SignalHandler>()->getAgentId()), LogField("agentId", agent_uid),
tags, tags,
Tags::INFORMATIONAL Tags::INFORMATIONAL
); );

10
core/debug_is/debug_streams.cc
View File

@ -245,6 +245,9 @@ DebugFogStream::finishMessage()
if (team.ok()) audience_team = *team; if (team.ok()) audience_team = *team;
} }
string agent_uid =
(Report::isPlaygroundEnv() ? "playground-" : "") +
Singleton::Consume<I_AgentDetails>::by<DebugFogStream>()->getAgentId();
Report message_to_fog( Report message_to_fog(
"Debug message", "Debug message",
curr_time, curr_time,
@ -256,7 +259,7 @@ DebugFogStream::finishMessage()
getSeverity(), getSeverity(),
Priority::LOW, Priority::LOW,
chrono::seconds(0), chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<DebugFogStream>()->getAgentId()), LogField("agentId", agent_uid),
LogField("issuingFunction", func_name), LogField("issuingFunction", func_name),
LogField("issuingFile", file_name), LogField("issuingFile", file_name),
LogField("issuingLine", line), LogField("issuingLine", line),
@ -328,6 +331,9 @@ DebugFogStream::handleThresholdReach()
if (team.ok()) audience_team = *team; if (team.ok()) audience_team = *team;
} }
string agent_uid =
(Report::isPlaygroundEnv() ? "playground-" : "") +
Singleton::Consume<I_AgentDetails>::by<DebugFogStream>()->getAgentId();
Report message_to_fog( Report message_to_fog(
"Debug message", "Debug message",
curr_time, curr_time,
@ -339,7 +345,7 @@ DebugFogStream::handleThresholdReach()
Severity::MEDIUM, Severity::MEDIUM,
Priority::LOW, Priority::LOW,
chrono::seconds(0), chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<DebugFogStream>()->getAgentId()), LogField("agentId", agent_uid),
LogField("issuingFunction", __FUNCTION__), LogField("issuingFunction", __FUNCTION__),
LogField("issuingFile", "debug_streams.cc"), LogField("issuingFile", "debug_streams.cc"),
LogField("issuingLine", __LINE__), LogField("issuingLine", __LINE__),

6
core/include/services_sdk/resources/log_generator.h
View File

@ -80,7 +80,11 @@ public:
_severity, _severity,
_priority, _priority,
std::chrono::seconds(0), std::chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<LogGen>()->getAgentId()), LogField(
"agentId",
(Report::isPlaygroundEnv() ? "playground-" : "") +
Singleton::Consume<I_AgentDetails>::by<LogGen>()->getAgentId()
),
std::forward<Args>(args)... std::forward<Args>(args)...
) )
{ {

24
core/include/services_sdk/resources/report/report.h
View File

@ -16,6 +16,10 @@
#include <set> #include <set>
#include <chrono> #include <chrono>
#include <stdlib.h>
#include <algorithm>
#include <cctype>
#include <iostream>
#include "report/base_field.h" #include "report/base_field.h"
#include "report/report_enums.h" #include "report/report_enums.h"
@ -71,6 +75,26 @@ public:
setInstanceAwareness(); setInstanceAwareness();
} }
static bool
isPlaygroundEnv()
{
std::string playground_variable = "PLAYGROUND";
const char *env_string = getenv(playground_variable.c_str());
if (env_string) {
std::string env_value = env_string;
std::transform(
env_value.begin(),
env_value.end(),
env_value.begin(),
[](unsigned char c){ return std::tolower(c); }
);
return env_value == "true";
}
return false;
}
void serialize(cereal::JSONOutputArchive &ar) const; void serialize(cereal::JSONOutputArchive &ar) const;
std::string getSyslog() const; std::string getSyslog() const;
std::string getCef() const; std::string getCef() const;

5
core/mainloop/mainloop.cc
View File

@ -174,6 +174,9 @@ MainloopComponent::Impl::reportStartupEvent()
auto team = i_env->get<ReportIS::AudienceTeam>("Audience Team"); auto team = i_env->get<ReportIS::AudienceTeam>("Audience Team");
if (team.ok()) audience_team = *team; if (team.ok()) audience_team = *team;
string agent_uid =
(Report::isPlaygroundEnv() ? "playground-" : "") +
Singleton::Consume<I_AgentDetails>::by<MainloopComponent>()->getAgentId();
Report startup_message( Report startup_message(
"Nano service successfully started", "Nano service successfully started",
curr_time, curr_time,
@ -185,7 +188,7 @@ MainloopComponent::Impl::reportStartupEvent()
ReportIS::Severity::INFO, ReportIS::Severity::INFO,
ReportIS::Priority::HIGH, ReportIS::Priority::HIGH,
chrono::seconds(0), chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<MainloopComponent>()->getAgentId()), LogField("agentId", agent_uid),
ReportIS::Tags::INFORMATIONAL ReportIS::Tags::INFORMATIONAL
); );

5
core/metric/generic_metric.cc
View File

@ -170,6 +170,9 @@ string GenericMetric::getListenerName() const { return metric_name; }
void void
GenericMetric::generateLog() GenericMetric::generateLog()
{ {
string agent_uid =
(Report::isPlaygroundEnv() ? "playground-" : "") +
Singleton::Consume<I_AgentDetails>::by<GenericMetric>()->getAgentId();
set<ReportIS::Tags> tags; set<ReportIS::Tags> tags;
Report metric_to_fog( Report metric_to_fog(
metric_name, metric_name,
@ -182,7 +185,7 @@ GenericMetric::generateLog()
Severity::INFO, Severity::INFO,
Priority::LOW, Priority::LOW,
report_interval, report_interval,
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<GenericMetric>()->getAgentId()), LogField("agentId", agent_uid),
tags, tags,
Tags::INFORMATIONAL, Tags::INFORMATIONAL,
issuing_engine issuing_engine

21
nodes/orchestration/package/cp-nano-cli.sh
View File

@ -899,6 +899,25 @@ print_single_service_status() # Initials - psss
fi fi
} }
get_status_content()
{
if [ "${remove_curl_ld_path}" = "true" ]; then
gsc_orch_status=$(LD_LIBRARY_PATH="" ${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/show-orchestration-status 2>&1)
else
gsc_orch_status=$(${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/show-orchestration-status 2>&1)
fi
if echo "$gsc_orch_status" | grep -q "update status"; then
gsc_line_count=$(echo "$gsc_orch_status" | grep -c '^')
gsc_temp_old_status=$(echo "$gsc_orch_status" | sed -r "${gsc_line_count},${gsc_line_count}d; "' 1,1d; s/^\s*//g; s/^\n//g; s/\"//g; s/\\n/\n/g; s/\,//g')
else
gsc_temp_old_status=$(sed 's/{//g' <${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestrations_status.json | sed 's/}//g' | sed 's/"//g' | sed 's/,//g' | sed -r '/^\s*$/d' | sed -r 's/^ //g')
fi
echo ${gsc_temp_old_status}
}
run_status() # Initials - rs run_status() # Initials - rs
{ {
rs_orch_service_full_path=$(get_nano_service_path 'orchestration') rs_orch_service_full_path=$(get_nano_service_path 'orchestration')
@ -1463,7 +1482,7 @@ set_mode()
time_sleep=2 time_sleep=2
time_out=60 time_out=60
echo "Registering open-appsec Nano Agent to Fog.." echo "Registering open-appsec Nano Agent to Fog.."
until $USR_SBIN_PATH/${CP_NANO_CTL} -s 2> /dev/null | grep -q "Registration status: Succeeded"; do until get_status_content | grep -q "Registration status: Succeeded"; do
time_out=$(( time_out - time_sleep )) time_out=$(( time_out - time_sleep ))
if [ $time_out -le 0 ]; then if [ $time_out -le 0 ]; then
echo "open-appsec Nano Agent registration failed. Failed to register to Fog: $fog_address" echo "open-appsec Nano Agent registration failed. Failed to register to Fog: $fog_address"

13
nodes/orchestration/package/local-default-policy.yaml
View File

@ -6,7 +6,7 @@ policies:
practices: practices:
- webapp-default-practice - webapp-default-practice
custom-response: appsec-default-web-user-response custom-response: appsec-default-web-user-response
specific-rules: specific-rules: []
practices: practices:
- name: webapp-default-practice - name: webapp-default-practice
@ -33,7 +33,7 @@ practices:
validated-URIs: [] validated-URIs: []
override-mode: detect-learn override-mode: detect-learn
logtriggers: log-triggers:
- name: appsec-default-log-trigger - name: appsec-default-log-trigger
access-control-logging: access-control-logging:
allow-events: false allow-events: false
@ -53,18 +53,11 @@ logtriggers:
url-query: false url-query: false
log-destination: log-destination:
cloud: false cloud: false
file:
stdout: stdout:
format: json format: json
syslog-service:
cef-service:
customresponses: custom-responses:
- name: appsec-default-web-user-response - name: appsec-default-web-user-response
mode: response-code-only mode: response-code-only
http-response-code: 403 http-response-code: 403
exceptions:
trustedsources:
sourceidentifiers:

1
nodes/orchestration/package/watchdog/watchdog
View File

@ -63,7 +63,6 @@ load_paths()
if [ -z "${MAX_ROTATION}" ]; then if [ -z "${MAX_ROTATION}" ]; then
MAX_ROTATION=$DEFAULT_MAX_ROTATION MAX_ROTATION=$DEFAULT_MAX_ROTATION
fi fi
} }
load_paths load_paths