Update open-appsec-k8s-full-example-config-v1beta2.yaml

Update .env

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,7 +7,9 @@ labels: [bug]
 **Checklist**
 - Have you checked the open-appsec troubleshooting guides - https://docs.openappsec.io/troubleshooting/troubleshooting
   - Yes / No
-- Have you checked the existing issues and discussions in github for the same issue.
+- Have you checked the existing issues and discussions in github for the same issue 
+  - Yes / No
+- Have you checked the knwon limitations same issue - https://docs.openappsec.io/release-notes#limitations
   - Yes / No
 
 **Describe the bug**

build_system/docker/CMakeLists.txt

@@ -1,4 +1,4 @@
-install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh DESTINATION .)
+install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh self_managed_openappsec_manifest.json DESTINATION .)
 
 add_custom_command(
     OUTPUT ${CMAKE_INSTALL_PREFIX}/agent-docker.img

build_system/docker/Dockerfile

@@ -1,5 +1,7 @@
 FROM alpine
 
+ENV OPENAPPSEC_NANO_AGENT=TRUE
+
 RUN apk add --no-cache -u busybox
 RUN apk add --no-cache -u zlib
 RUN apk add --no-cache bash
@@ -13,6 +15,8 @@ RUN apk add --no-cache libxml2
 RUN apk add --no-cache pcre2
 RUN apk add --update coreutils
 
+COPY self_managed_openappsec_manifest.json /tmp/self_managed_openappsec_manifest.json
+
 COPY install*.sh /nano-service-installers/
 COPY entry.sh /entry.sh
 

config/k8s/v1beta2/open-appsec-k8s-full-example-config-v1beta2.yaml

@@ -39,10 +39,10 @@ kind: Exception
 metadata:
   name: exception-example
 spec:
-  action: accept
+  action: drop
   condition:
-    - key: countryCode
+    - key: sourceIP
-      value: US
+      value: 127.0.0.1
 
 ---
 apiVersion: openappsec.io/v1beta2

deployment/docker-compose/envoy/.env

@@ -56,7 +56,7 @@ COMPOSE_PROFILES=
 ## Make sure to also adjust the envoy.yaml file in ENVOY_CONFIG path
 ## to add a routing configuration for forwarding external traffic on e.g. port 80 to the juiceshop-backend container
 ## you can use the example file available here:
-## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/envoy/envoy.yamll
+## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/envoy/envoy.yaml
 ## place the file above in ENVOY_CONFIG path
 ## note that juiceshop container listens on HTTP port 3000 by default
 

deployment/docker-compose/nginx/docker-compose.yaml

@@ -36,6 +36,7 @@ services:
       - ${APPSEC_DATA}:/etc/cp/data
       - ${APPSEC_LOGS}:/var/log/nano_agent
       - ${APPSEC_LOCALCONFIG}:/ext/appsec
+      - shm-volume:/dev/shm/check-point
     command: /cp-nano-agent
     
   appsec-nginx:
@@ -45,7 +46,7 @@ services:
     restart: unless-stopped
     volumes:
       - ${NGINX_CONFIG}:/etc/nginx/conf.d
-
+      - shm-volume:/dev/shm/check-point
 ## advanced configuration - volume mount for nginx.conf file:
 ## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below
 ## then specify a desired local folder for NGINX_CONF_FILE in the .env file.
@@ -123,6 +124,13 @@ services:
     profiles:
       - juiceshop
 
+volumes:
+  shm-volume:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+
 ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
 ##
 ## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)

nodes/orchestration/package/orchestration_package.sh

@@ -359,7 +359,7 @@ done
 # VS ID argument is available only on install, for other actions, extract it from the package location
 if [ -z "$VS_ID" ]; then
     parent_pid=$PPID
-    parent_cmdline=$(ps -o cmd= -p "$parent_pid")
+    parent_cmdline=$(cat /proc/"$parent_pid"/cmdline | tr '\0' ' ')
     parent_dir=$(dirname "$parent_cmdline")
     packages_folder=$(dirname "$parent_dir")
     vs_folder=$(dirname "$packages_folder")
@@ -500,26 +500,26 @@ cp_copy() # Initials - cc
     cp_print "Destination md5, after the copy:\n$DEST_AFTER_COPY"
 }
 
-update_cloudguard_appsec_manifest()
+update_openappsec_manifest()
 {
-    if [ -z ${INFINITY_NEXT_NANO_AGENT} ] && { [ -z ${CLOUDGUARD_APPSEC_STANDALONE} ] || [ -z ${DOCKER_RPM_ENABLED} ]; }; then
+    if [ -z ${OPENAPPSEC_NANO_AGENT} ] && { [ -z ${CLOUDGUARD_APPSEC_STANDALONE} ] || [ -z ${DOCKER_RPM_ENABLED} ]; }; then
         return
     fi
 
-    selected_cloudguard_appsec_manifest_path="${TMP_FOLDER}/cloudguard_appsec_manifest.json"
+    selected_openappsec_manifest_path="${TMP_FOLDER}/openappsec_manifest.json"
-    if [ "${DOCKER_RPM_ENABLED}" = "false" ] || [ "${INFINITY_NEXT_NANO_AGENT}" = "TRUE" ]; then
+    if [ "${DOCKER_RPM_ENABLED}" = "false" ] || [ "${OPENAPPSEC_NANO_AGENT}" = "TRUE" ]; then
-        selected_cloudguard_appsec_manifest_path="${TMP_FOLDER}/self_managed_cloudguard_appsec_manifest.json"
+        selected_openappsec_manifest_path="${TMP_FOLDER}/self_managed_openappsec_manifest.json"
     fi
 
-    if [ ! -f "$selected_cloudguard_appsec_manifest_path" ]; then
+    if [ ! -f "$selected_openappsec_manifest_path" ]; then
         return
     fi
 
-    cloudguard_appsec_manifest_path="${selected_cloudguard_appsec_manifest_path}.used"
+    openappsec_manifest_path="${selected_openappsec_manifest_path}.used"
-    mv "$selected_cloudguard_appsec_manifest_path" "$cloudguard_appsec_manifest_path"
+    mv "$selected_openappsec_manifest_path" "$openappsec_manifest_path"
     fog_host=$(echo "$var_fog_address" | sed 's/https\?:\/\///')
     fog_host=${fog_host%/}
-    sed "s/namespace/${fog_host}/g" ${cloudguard_appsec_manifest_path} > "${FILESYSTEM_PATH}/${CONF_PATH}/manifest.json"
+    sed "s/namespace/${fog_host}/g" ${openappsec_manifest_path} > "${FILESYSTEM_PATH}/${CONF_PATH}/manifest.json"
 }
 
 set_cloud_storage()
@@ -785,8 +785,9 @@ upgrade_conf_if_needed()
 
         [ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
 
-        previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
+        [ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && \
- 		if ! [ -z "$previous_mode" ]; then
+	previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
+	if ! [ -z "$previous_mode" ]; then
             var_orchestration_mode=${previous_mode}
         fi
 
@@ -1020,7 +1021,9 @@ install_orchestration()
         fi
 
         [ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
-        previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
+
+	[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && \
+	previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
 
         if ! [ -z "$previous_mode" ]; then
             var_orchestration_mode=${previous_mode}
@@ -1044,7 +1047,8 @@ install_orchestration()
             rm -f "${FILESYSTEM_PATH}/${CONF_PATH}/default_orchestration_flags"
         fi
 
-        upgrade_conf_if_needed
+        update_openappsec_manifest
+	upgrade_conf_if_needed
 
         cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --un-register ${FILESYSTEM_PATH}/${SERVICE_PATH}/cp-nano-orchestration $var_arch_flag"
         if [ "$IS_K8S_ENV" = "true" ]; then
@@ -1100,7 +1104,7 @@ install_orchestration()
     cp_exec "mkdir -p ${LOG_FILE_PATH}/${LOG_PATH}"
     cp_exec "mkdir -p ${FILESYSTEM_PATH}/${DATA_PATH}"
 
-    update_cloudguard_appsec_manifest
+    update_openappsec_manifest
 
     if [ ! -f ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH} ]; then
         echo "{\"agentSettings\": []}" >  ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH}

nodes/orchestration/package/watchdog/watchdog

@@ -53,7 +53,12 @@ var_upgarde=false
 get_profile_agent_setting_with_default() {
     key="$1"
     default_value="$2"
-    value=$(grep -oP "\"key\":\s*\"$key\".*?\"value\":\s*\"[^\"]+\"" $SETTINGS_FILE | sed -E 's/.*"value":\s*"([^"]+)".*/\1/')
+
+    value=$(grep -o "\"key\":\s*\"$key\".*?\"value\":\s*\"[^\"]*\"" $SETTINGS_FILE | sed -E 's/.*"value":\s*"([^"]*)".*/\1/')
+    if [ -z "$value" ]; then
+        value=$(grep -o "\"$key\":\s*\"[^\"]*\"" $SETTINGS_FILE | sed -E 's/.*"'"$key"'":\s*"([^"]*)".*/\1/')
+    fi
+
     if [ "$value" = "null" ] || [ -z "$value" ]; then
         echo "$default_value"
     else