2024 April 14th update

components/security_apps/local_policy_mgmt_gen/access_control_practice.cc

@@ -228,6 +228,7 @@ AccessControlPracticeSpec::load(cereal::JSONInputArchive &archive_in)
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
 
     parseAppsecJSONKey<string>("name", practice_name, archive_in);
+    parseAppsecJSONKey<string>("practiceMode", mode, archive_in);
     parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
     parseMandatoryAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in);
 }
@@ -255,4 +256,10 @@ AccessControlPracticeSpec::getName() const
 {
     return practice_name;
 }
+
+const string &
+AccessControlPracticeSpec::getMode(const std::string &default_mode) const
+{
+    return isModeInherited(mode) ? default_mode : mode;
+}
 // LCOV_EXCL_STOP

components/security_apps/local_policy_mgmt_gen/include/access_control_practice.h

@@ -181,12 +181,14 @@ public:
     const AccessControlRateLimit &getRateLimit() const;
     const std::string & getAppSecClassName() const;
     const std::string & getName() const;
+    const std::string & getMode(const std::string &default_mode = "inactive") const;
     void setName(const std::string &_name);
 
 private:
     AccessControlRateLimit      rate_limit;
     std::string                 appsec_class_name;
     std::string                 practice_name;
+    std::string                 mode;
 };
 
 #endif // __ACCESS_CONTROL_PRACTICE_H__

components/security_apps/local_policy_mgmt_gen/include/new_practice.h

@@ -587,6 +587,7 @@ public:
     const NewFileSecurity & getFileSecurity() const;
     const std::string & getAppSecClassName() const;
     const std::string & getName() const;
+    const std::string & getMode(const std::string &default_mode = "inactive") const;
     void setName(const std::string &_name);
 
 private:
@@ -598,6 +599,7 @@ private:
     NewAppSecPracticeAntiBot                    anti_bot;
     std::string                                 appsec_class_name;
     std::string                                 practice_name;
+    std::string                                 mode;
 };
 
 #endif // __NEW_PRACTICE_H__

components/security_apps/local_policy_mgmt_gen/new_practice.cc

@@ -1025,6 +1025,7 @@ NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
     parseMandatoryAppsecJSONKey<NewAppSecPracticeWebAttacks>("webAttacks", web_attacks, archive_in);
     parseAppsecJSONKey<NewAppSecPracticeAntiBot>("antiBot", anti_bot, archive_in);
     parseAppsecJSONKey<string>("name", practice_name, archive_in);
+    parseAppsecJSONKey<string>("practiceMode", mode, archive_in, "inherited");
 }
 
 void
@@ -1080,4 +1081,11 @@ NewAppSecPracticeSpec::getName() const
 {
     return practice_name;
 }
+
+const string &
+NewAppSecPracticeSpec::getMode(const string &default_mode) const
+{
+    return isModeInherited(mode) ? default_mode : mode;
+}
+
 // LCOV_EXCL_STOP

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -1002,8 +1002,9 @@ PolicyMakerUtils::createIpsSections(
     auto apssec_practice = getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>(
         rule_annotations[AnnotationTypes::PRACTICE],
         policy);
+    const string &override_mode =
+        apssec_practice.getIntrusionPrevention().getMode(apssec_practice.getMode(default_mode));
 
-    const string &override_mode = apssec_practice.getIntrusionPrevention().getMode(default_mode);
     if (override_mode == "Inactive" || override_mode == "Disabled") return;
 
     IpsProtectionsSection ips_section = IpsProtectionsSection(
@@ -1076,8 +1077,9 @@ PolicyMakerUtils::createSnortSections(
     auto apssec_practice = getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>(
         rule_annotations[AnnotationTypes::PRACTICE],
         policy);
+    const string &override_mode =
+        apssec_practice.getSnortSignatures().getOverrideMode(apssec_practice.getMode(default_mode));
 
-    const string &override_mode = apssec_practice.getSnortSignatures().getOverrideMode(default_mode);
     if (override_mode == "Inactive" ||
         override_mode == "Disabled" ||
         apssec_practice.getSnortSignatures().getFiles().size() == 0) {
@@ -1129,7 +1131,7 @@ PolicyMakerUtils::createFileSecuritySections(
         asset_id,
         practice_name,
         practice_id,
-        default_mode
+        apssec_practice.getMode(default_mode)
     );
 
     file_security[asset_name] = file_security_section;
@@ -1171,7 +1173,7 @@ PolicyMakerUtils::createRateLimitSection(
         asset_name,
         url,
         uri,
-        access_control_practice.getRateLimit().getMode(default_mode),
+        access_control_practice.getRateLimit().getMode(access_control_practice.getMode(default_mode)),
         practice_id,
         rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE],
         rules
@@ -1191,6 +1193,8 @@ PolicyMakerUtils::createWebAppSection(
             rule_annotations[AnnotationTypes::PRACTICE],
             policy
         );
+    const string &practice_mode = apssec_practice.getMode(default_mode);
+
     PracticeAdvancedConfig practice_advance_config(
         apssec_practice.getWebAttacks().getMaxHeaderSizeBytes(),
         apssec_practice.getWebAttacks().getMaxBodySizeKb(),
@@ -1206,8 +1210,8 @@ PolicyMakerUtils::createWebAppSection(
         practice_id,
         rule_annotations[AnnotationTypes::PRACTICE],
         rule_config.getContext(),
-        apssec_practice.getWebAttacks().getMinimumConfidence(default_mode),
-        apssec_practice.getWebAttacks().getMode(default_mode),
+        apssec_practice.getWebAttacks().getMinimumConfidence(practice_mode),
+        apssec_practice.getWebAttacks().getMode(practice_mode),
         practice_advance_config,
         apssec_practice.getAntiBot(),
         log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],