github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-11-17 09:45:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:1.1.25
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc
...
compare: github_mirrors:conf-collector-upload
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc

10 Commits
1.1.25 ... conf-colle

Author SHA1 Message Date
wiaamm
b4b70a71fc add conf collector 2025-06-12 15:40:32 +03:00
Daniel-Eisenberg
c4975497eb Update entry.sh 2025-06-12 12:55:27 +03:00
Daniel-Eisenberg
782dfeada6 Waf tag (#317) 
* add waf-tag to openappsec

* fix waf tag to openappsec

---------

Co-authored-by: wiaamm <wiaamm@checkpoint.com>
 2025-06-11 11:34:48 +03:00
wiaam96
bc1eac9d39 Fix Watchdog restarts (#319) 
* don't exit

* fix restarting agent

* fix watchdog restarts
 2025-06-09 16:11:45 +03:00
Daniel-Eisenberg
4dacd7d009 Prometheus support (#316) 
* Add prometheus support

* Add prometheus support

* Add prometheus support

* Add prometheus support

* Add prometheus support

---------

Co-authored-by: avigailo <avigailo@checkpoint.com>
 2025-06-05 16:28:57 +03:00
orianelou
3a34984def Merge pull request #293 from willseward/bugfix/fix-ipv6-cidr 
Fix IPv6 masking
 2025-05-27 13:43:59 +03:00
orianelou
5aaf787cfa Create schema_v1beta2.yaml 2025-05-13 16:21:13 +03:00
orianelou
2c7b5818e8 Update and rename schema_v1beta2.yaml to schema_v1beta1.yaml 2025-05-13 16:20:31 +03:00
orianelou
c8743d4d4b Create schema_v1beta2.yaml 2025-05-13 16:18:52 +03:00
Wills Ward
2678db9d2f fix IPv6 masking 2025-03-30 14:59:26 -05:00
32 changed files with 2243 additions and 28 deletions
Expand all files Collapse all files

35
build_system/docker/entry.sh
View File

@@ -6,6 +6,8 @@ HTTP_TRANSACTION_HANDLER_SERVICE="install-cp-nano-service-http-transaction-handl
ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh" ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh"
ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh" ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh"
CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh" CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh"
PROMETHEUS_INSTALLATION_SCRIPT="install-cp-nano-service-prometheus.sh"
NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT="install-cp-nano-central-nginx-manager.sh"
var_fog_address= var_fog_address=
var_proxy= var_proxy=
@@ -81,6 +83,14 @@ fi
/nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install /nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install
/nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install /nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install
if [ "$PROMETHEUS" == "true" ]; then
/nano-service-installers/$PROMETHEUS_INSTALLATION_SCRIPT --install
fi
if [ "$CENTRAL_NGINX_MANAGER" == "true" ]; then
/nano-service-installers/$NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT --install
fi
if [ "$CROWDSEC_ENABLED" == "true" ]; then if [ "$CROWDSEC_ENABLED" == "true" ]; then
/nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install /nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install
/nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install /nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install
@@ -93,25 +103,16 @@ if [ -f "$FILE" ]; then
fi fi
touch /etc/cp/watchdog/wd.startup touch /etc/cp/watchdog/wd.startup
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
active_watchdog_pid=$!
while true; do while true; do
if [ -z "$init" ]; then if [ -f /tmp/restart_watchdog ]; then
init=true
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
sleep 5
active_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
fi
current_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
if [ ! -f /tmp/restart_watchdog ] && [ "$current_watchdog_pid" != "$active_watchdog_pid" ]; then
echo "Error: Watchdog exited abnormally"
exit 1
elif [ -f /tmp/restart_watchdog ]; then
rm -f /tmp/restart_watchdog rm -f /tmp/restart_watchdog
kill -9 "$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")" kill -9 ${active_watchdog_pid}
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 & fi
sleep 5 if [ ! "$(ps -f | grep cp-nano-watchdog | grep ${active_watchdog_pid})" ]; then
active_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog") /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
active_watchdog_pid=$!
fi fi
sleep 5 sleep 5
done done

10
components/attachment-intakers/nginx_attachment/nginx_parser.cc
View File

@@ -28,6 +28,7 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT_PARSER);
Buffer NginxParser::tenant_header_key = Buffer(); Buffer NginxParser::tenant_header_key = Buffer();
static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC); static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC);
static const Buffer waf_tag_key("x-waf-tag", 9, Buffer::MemoryType::STATIC);
static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC); static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC);
bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr; bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
@@ -231,17 +232,20 @@ NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string>
static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n" static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"
); );
if (NginxParser::tenant_header_key == header.getKey()) { const auto &header_key = header.getKey();
if (NginxParser::tenant_header_key == header_key) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Identified active tenant header. Key: " << "Identified active tenant header. Key: "
<< dumpHex(header.getKey()) << dumpHex(header_key)
<< ", Value: " << ", Value: "
<< dumpHex(header.getValue()); << dumpHex(header.getValue());
auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue()); auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue());
opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]); opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]);
} else if (proxy_ip_header_key == header.getKey()) { } else if (proxy_ip_header_key == header_key) {
source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP); source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP);
} else if (waf_tag_key == header_key) {
source_identifiers.setWafTagValuesToOpaqueCtx(header);
} }
} }

18
components/attachment-intakers/nginx_attachment/user_identifiers_config.cc
View File

@@ -366,6 +366,24 @@ UsersAllIdentifiersConfig::setCustomHeaderToOpaqueCtx(const HttpHeader &header)
return; return;
} }
void
UsersAllIdentifiersConfig::setWafTagValuesToOpaqueCtx(const HttpHeader &header) const
{
auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
return;
}
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
opaque.setSavedData(HttpTransactionData::waf_tag_ctx, static_cast<string>(header.getValue()));
dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Added waf tag to context: "
<< static_cast<string>(header.getValue());
return;
}
Maybe<string> Maybe<string>
UsersAllIdentifiersConfig::parseCookieElement( UsersAllIdentifiersConfig::parseCookieElement(
const string::const_iterator &start, const string::const_iterator &start,

13
components/include/generic_rulebase/evaluators/http_transaction_data_eval.h
View File

@@ -45,6 +45,19 @@ private:
std::string host; std::string host;
}; };
class EqualWafTag : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
{
public:
EqualWafTag(const std::vector<std::string> &params);
static std::string getName() { return "EqualWafTag"; }
Maybe<bool, Context::Error> evalVariable() const override;
private:
std::string waf_tag;
};
class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment> class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
{ {
public: public:

1
components/include/http_transaction_data.h
View File

@@ -137,6 +137,7 @@ public:
static const std::string source_identifier; static const std::string source_identifier;
static const std::string proxy_ip_ctx; static const std::string proxy_ip_ctx;
static const std::string xff_vals_ctx; static const std::string xff_vals_ctx;
static const std::string waf_tag_ctx;
static const CompressionType default_response_content_encoding; static const CompressionType default_response_content_encoding;

30
components/include/prometheus_comp.h Executable file
View File

@@ -0,0 +1,30 @@
#ifndef __PROMETHEUS_COMP_H__
#define __PROMETHEUS_COMP_H__
#include <memory>
#include "component.h"
#include "singleton.h"
#include "i_rest_api.h"
#include "i_messaging.h"
#include "generic_metric.h"
class PrometheusComp
:
public Component,
Singleton::Consume<I_RestApi>,
Singleton::Consume<I_Messaging>
{
public:
PrometheusComp();
~PrometheusComp();
void init() override;
private:
class Impl;
std::unique_ptr<Impl> pimpl;
};
#endif // __PROMETHEUS_COMP_H__

1
components/include/user_identifiers_config.h
View File

@@ -30,6 +30,7 @@ public:
void parseRequestHeaders(const HttpHeader &header) const; void parseRequestHeaders(const HttpHeader &header) const;
std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const; std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const;
void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const; void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const;
void setWafTagValuesToOpaqueCtx(const HttpHeader &header) const;
private: private:
class UsersIdentifiersConfig class UsersIdentifiersConfig

1
components/security_apps/CMakeLists.txt
View File

@@ -3,6 +3,7 @@ add_subdirectory(ips)
add_subdirectory(layer_7_access_control) add_subdirectory(layer_7_access_control)
add_subdirectory(local_policy_mgmt_gen) add_subdirectory(local_policy_mgmt_gen)
add_subdirectory(orchestration) add_subdirectory(orchestration)
add_subdirectory(prometheus)
add_subdirectory(rate_limit) add_subdirectory(rate_limit)
add_subdirectory(waap) add_subdirectory(waap)
add_subdirectory(central_nginx_manager) add_subdirectory(central_nginx_manager)

2
components/security_apps/prometheus/CMakeLists.txt Executable file
View File

@@ -0,0 +1,2 @@
add_library(prometheus_comp prometheus_comp.cc)
add_subdirectory(prometheus_ut)

200
components/security_apps/prometheus/prometheus_comp.cc Executable file
View File

@@ -0,0 +1,200 @@
#include "prometheus_comp.h"
#include <string>
#include <map>
#include <vector>
#include <cereal/archives/json.hpp>
#include <cereal/types/map.hpp>
#include <cereal/types/vector.hpp>
#include <cereal/types/string.hpp>
#include <iostream>
#include <fstream>
#include "common.h"
#include "report/base_field.h"
#include "report/report_enums.h"
#include "log_generator.h"
#include "debug.h"
#include "rest.h"
#include "customized_cereal_map.h"
#include "i_messaging.h"
#include "prometheus_metric_names.h"
USE_DEBUG_FLAG(D_PROMETHEUS);
using namespace std;
using namespace ReportIS;
struct ServiceData
{
template <typename Archive>
void
serialize(Archive &ar)
{
ar(cereal::make_nvp("Service port", service_port));
}
int service_port;
};
class PrometheusMetricData
{
public:
PrometheusMetricData(const string &n, const string &t, const string &d) : name(n), type(t), description(d) {}
void
addElement(const string &labels, const string &value)
{
metric_labels_to_values[labels] = value;
}
ostream &
print(ostream &os)
{
if (metric_labels_to_values.empty()) return os;
string representative_name = "";
if (!name.empty()) {
auto metric_name = convertMetricName(name);
!metric_name.empty() ? representative_name = metric_name : representative_name = name;
}
if (!description.empty()) os << "# HELP " << representative_name << ' ' << description << '\n';
if (!name.empty()) os << "# TYPE " << representative_name << ' ' << type << '\n';
for (auto &entry : metric_labels_to_values) {
os << representative_name << entry.first << ' ' << entry.second << '\n';
}
os << '\n';
metric_labels_to_values.clear();
return os;
}
private:
string name;
string type;
string description;
map<string, string> metric_labels_to_values;
};
static ostream & operator<<(ostream &os, PrometheusMetricData &metric) { return metric.print(os); }
class PrometheusComp::Impl
{
public:
void
init()
{
Singleton::Consume<I_RestApi>::by<PrometheusComp>()->addGetCall(
"metrics",
[&] () { return getFormatedPrometheusMetrics(); }
);
}
void
addMetrics(const vector<PrometheusData> &metrics)
{
for(auto &metric : metrics) {
auto &metric_object = getDataObject(
metric.name,
metric.type,
metric.description
);
metric_object.addElement(metric.label, metric.value);
}
}
private:
PrometheusMetricData &
getDataObject(const string &name, const string &type, const string &description)
{
auto elem = prometheus_metrics.find(name);
if (elem == prometheus_metrics.end()) {
elem = prometheus_metrics.emplace(name, PrometheusMetricData(name, type, description)).first;
}
return elem->second;
}
map<string, ServiceData>
getServiceDetails()
{
map<string, ServiceData> registeredServices;
auto registered_services_file = getConfigurationWithDefault<string>(
getFilesystemPathConfig() + "/conf/orchestrations_registered_services.json",
"orchestration",
"Orchestration registered services"
);
ifstream file(registered_services_file);
if (!file.is_open()) {
dbgWarning(D_PROMETHEUS) << "Failed to open file: " << registered_services_file;
return registeredServices;
}
stringstream buffer;
buffer << file.rdbuf();
try {
cereal::JSONInputArchive archive(buffer);
archive(cereal::make_nvp("Registered Services", registeredServices));
} catch (const exception& e) {
dbgWarning(D_PROMETHEUS) << "Error parsing Registered Services JSON file: " << e.what();
}
return registeredServices;
}
void
getServicesMetrics()
{
dbgTrace(D_PROMETHEUS) << "Get all registered services metrics";
map<string, ServiceData> service_names_to_ports = getServiceDetails();
for (const auto &service : service_names_to_ports) {
I_Messaging *messaging = Singleton::Consume<I_Messaging>::by<PrometheusComp>();
MessageMetadata servie_metric_req_md("127.0.0.1", service.second.service_port);
servie_metric_req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN);
servie_metric_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
auto res = messaging->sendSyncMessage(
HTTPMethod::GET,
"/service-metrics",
string(""),
MessageCategory::GENERIC,
servie_metric_req_md
);
if (!res.ok()) {
dbgWarning(D_PROMETHEUS) << "Failed to get service metrics. Service: " << service.first;
continue;
}
stringstream buffer;
buffer << res.unpack().getBody();
cereal::JSONInputArchive archive(buffer);
vector<PrometheusData> metrics;
archive(cereal::make_nvp("metrics", metrics));
addMetrics(metrics);
}
}
string
getFormatedPrometheusMetrics()
{
MetricScrapeEvent().notify();
getServicesMetrics();
stringstream result;
for (auto &metric : prometheus_metrics) {
result << metric.second;
}
dbgTrace(D_PROMETHEUS) << "Prometheus metrics: " << result.str();
return result.str();
}
map<string, PrometheusMetricData> prometheus_metrics;
};
PrometheusComp::PrometheusComp() : Component("Prometheus"), pimpl(make_unique<Impl>()) {}
PrometheusComp::~PrometheusComp() {}
void
PrometheusComp::init()
{
pimpl->init();
}

143
components/security_apps/prometheus/prometheus_metric_names.h Executable file
View File

@@ -0,0 +1,143 @@
#ifndef __PROMETHEUS_METRIC_NAMES_H__
#define __PROMETHEUS_METRIC_NAMES_H__
#include <string>
#include <unordered_map>
#include "debug.h"
USE_DEBUG_FLAG(D_PROMETHEUS);
std::string
convertMetricName(const std::string &original_metric_name)
{
static const std::unordered_map<std::string, std::string> original_to_representative_names = {
// HybridModeMetric
{"watchdogProcessStartupEventsSum", "nano_service_restarts_counter"},
// nginxAttachmentMetric
{"inspectVerdictSum", "traffic_inspection_verdict_inspect_counter"},
{"acceptVeridctSum", "traffic_inspection_verdict_accept_counter"},
{"dropVerdictSum", "traffic_inspection_verdict_drop_counter"},
{"injectVerdictSum", "traffic_inspection_verdict_inject_counter"},
{"irrelevantVerdictSum", "traffic_inspection_verdict_irrelevant_counter"},
{"irrelevantVerdictSum", "traffic_inspection_verdict_irrelevant_counter"},
{"reconfVerdictSum", "traffic_inspection_verdict_reconf_counter"},
{"responseInspection", "response_body_inspection_counter"},
// nginxIntakerMetric
{"successfullInspectionTransactionsSum", "successful_Inspection_counter"},
{"failopenTransactionsSum", "fail_open_Inspection_counter"},
{"failcloseTransactionsSum", "fail_close_Inspection_counter"},
{"transparentModeTransactionsSum", "transparent_mode_counter"},
{"totalTimeInTransparentModeSum", "total_time_in_transparent_mode_counter"},
{"reachInspectVerdictSum", "inspect_verdict_counter"},
{"reachAcceptVerdictSum", "accept_verdict_counter"},
{"reachDropVerdictSum", "drop_verdict_counter"},
{"reachInjectVerdictSum", "inject_verdict_counter"},
{"reachIrrelevantVerdictSum", "irrelevant_verdict_counter"},
{"reachReconfVerdictSum", "reconf_verdict_counter"},
{"requestCompressionFailureSum", "failed_requests_compression_counter"},
{"responseCompressionFailureSum", "failed_response_compression_counter"},
{"requestDecompressionFailureSum", "failed_requests_decompression_counter"},
{"responseDecompressionFailureSum", "failed_response_decompression_counter"},
{"requestCompressionSuccessSum", "successful_request_compression_counter"},
{"responseCompressionSuccessSum", "successful_response_compression_counter"},
{"requestDecompressionSuccessSum", "successful_request_decompression_counter"},
{"responseDecompressionSuccessSum", "successful_response_decompression_counter"},
{"skippedSessionsUponCorruptedZipSum", "corrupted_zip_skipped_session_counter"},
{"attachmentThreadReachedTimeoutSum", "thread_exceeded_processing_time_counter"},
{"registrationThreadReachedTimeoutSum", "failed_registration_thread_counter"},
{"requestHeaderThreadReachedTimeoutSum", "request_headers_processing_thread_timeouts_counter"},
{"requestBodyThreadReachedTimeoutSum", "request_body_processing_thread_timeouts_counter"},
{"respondHeaderThreadReachedTimeoutSum", "response_headers_processing_thread_timeouts_counter"},
{"respondBodyThreadReachedTimeoutSum", "response_body_processing_thread_timeouts_counter"},
{"attachmentThreadFailureSum", "thread_failures_counter"},
{"httpRequestProcessingReachedTimeoutSum", "request_processing_timeouts_counter"},
{"httpRequestsSizeSum", "requests_total_size_counter"},
{"httpResponsesSizeSum", "response_total_size_counter"},
{"httpRequestFailedToReachWebServerUpstreamSum", "requests_failed_reach_upstram_counter"},
{"overallSessionProcessTimeToVerdictAvgSample", "overall_processing_time_until_verdict_average"},
{"overallSessionProcessTimeToVerdictMaxSample", "overall_processing_time_until_verdict_max"},
{"overallSessionProcessTimeToVerdictMinSample", "overall_processing_time_until_verdict_min"},
{"requestProcessTimeToVerdictAvgSample", "requests_processing_time_until_verdict_average"},
{"requestProcessTimeToVerdictMaxSample", "requests_processing_time_until_verdict_max"},
{"requestProcessTimeToVerdictMinSample", "requests_processing_time_until_verdict_min"},
{"responseProcessTimeToVerdictAvgSample", "response_processing_time_until_verdict_average"},
{"responseProcessTimeToVerdictMaxSample", "response_processing_time_until_verdict_max"},
{"responseProcessTimeToVerdictMinSample", "response_processing_time_until_verdict_min"},
{"requestBodySizeUponTimeoutAvgSample", "request_body_size_average"},
{"requestBodySizeUponTimeoutMaxSample", "request_body_size_max"},
{"requestBodySizeUponTimeoutMinSample", "request_body_size_min"},
{"responseBodySizeUponTimeoutAvgSample", "response_body_size_average"},
{"responseBodySizeUponTimeoutMaxSample", "response_body_size_max"},
{"responseBodySizeUponTimeoutMinSample", "response_body_size_min"},
// WaapTelemetrics
{"reservedNgenA", "total_requests_counter"},
{"reservedNgenB", "unique_sources_counter"},
{"reservedNgenC", "requests_blocked_by_force_and_exception_counter"},
{"reservedNgenD", "requests_blocked_by_waf_counter"},
{"reservedNgenE", "requests_blocked_by_open_api_counter"},
{"reservedNgenF", "requests_blocked_by_bot_protection_counter"},
{"reservedNgenG", "requests_threat_level_info_and_no_threat_counter"},
{"reservedNgenH", "requests_threat_level_low_counter"},
{"reservedNgenI", "requests_threat_level_medium_counter"},
{"reservedNgenJ", "requests_threat_level_high_counter"},
// WaapTrafficTelemetrics
{"reservedNgenA", "post_requests_counter"},
{"reservedNgenB", "get_requests_counter"},
{"reservedNgenC", "put_requests_counter"},
{"reservedNgenD", "patch_requests_counter"},
{"reservedNgenE", "delete_requests_counter"},
{"reservedNgenF", "other_requests_counter"},
{"reservedNgenG", "2xx_status_code_responses_counter"},
{"reservedNgenH", "4xx_status_code_responses_counter"},
{"reservedNgenI", "5xx_status_code_responses_counter"},
{"reservedNgenJ", "requests_time_latency_average"},
// WaapAttackTypesMetrics
{"reservedNgenA", "sql_injection_attacks_type_counter"},
{"reservedNgenB", "vulnerability_scanning_attacks_type_counter"},
{"reservedNgenC", "path_traversal_attacks_type_counter"},
{"reservedNgenD", "ldap_injection_attacks_type_counter"},
{"reservedNgenE", "evasion_techniques_attacks_type_counter"},
{"reservedNgenF", "remote_code_execution_attacks_type_counter"},
{"reservedNgenG", "xml_extern_entity_attacks_type_counter"},
{"reservedNgenH", "cross_site_scripting_attacks_type_counter"},
{"reservedNgenI", "general_attacks_type_counter"},
// AssetsMetric
{"numberOfProtectedApiAssetsSample", "api_assets_counter"},
{"numberOfProtectedWebAppAssetsSample", "web_api_assets_counter"},
{"numberOfProtectedAssetsSample", "all_assets_counter"},
// IPSMetric
{"preventEngineMatchesSample", "prevent_action_matches_counter"},
{"detectEngineMatchesSample", "detect_action_matches_counter"},
{"ignoreEngineMatchesSample", "ignore_action_matches_counter"},
// CPUMetric
{"cpuMaxSample", "cpu_usage_percentage_max"},
{"cpuAvgSample", "cpu_usage_percentage_average"},
{"cpuSample", "cpu_usage_percentage_last_value"},
// LogMetric
{"logQueueMaxSizeSample", "logs_queue_size_max"},
{"logQueueAvgSizeSample", "logs_queue_size_average"},
{"logQueueCurrentSizeSample", "logs_queue_size_last_value"},
{"sentLogsSum", "logs_sent_counter"},
{"sentLogsBulksSum", "bulk_logs_sent_counter"},
// MemoryMetric
{"serviceVirtualMemorySizeMaxSample", "service_virtual_memory_size_kb_max"},
{"serviceVirtualMemorySizeMinSample", "service_virtual_memory_size_kb_min"},
{"serviceVirtualMemorySizeAvgSample", "service_virtual_memory_size_kb_average"},
{"serviceRssMemorySizeMaxSample", "service_physical_memory_size_kb_max"},
{"serviceRssMemorySizeMinSample", "service_physical_memory_size_kb_min"},
{"serviceRssMemorySizeAvgSample", "service_physical_memory_size_kb_average"},
{"generalTotalMemorySizeMaxSample", "general_total_used_memory_max"},
{"generalTotalMemorySizeMinSample", "general_total_used_memory_min"},
{"generalTotalMemorySizeAvgSample", "general_total_used_memory_average"},
};
auto metric_names = original_to_representative_names.find(original_metric_name);
if (metric_names != original_to_representative_names.end()) return metric_names->second;
dbgDebug(D_PROMETHEUS)
<< "Metric don't have a representative name, originl name: "
<< original_metric_name;
return "";
}
#endif // __PROMETHEUS_METRIC_NAMES_H__

8
components/security_apps/prometheus/prometheus_ut/CMakeLists.txt Executable file
View File

@@ -0,0 +1,8 @@
link_directories(${BOOST_ROOT}/lib)
link_directories(${BOOST_ROOT}/lib ${CMAKE_BINARY_DIR}/core/shmem_ipc)
add_unit_test(
prometheus_ut
"prometheus_ut.cc"
"prometheus_comp;logging;agent_details;waap_clib;table;singleton;time_proxy;metric;event_is;connkey;http_transaction_data;generic_rulebase;generic_rulebase_evaluators;ip_utilities;intelligence_is_v2;-lboost_regex;messaging;"
)

79
components/security_apps/prometheus/prometheus_ut/prometheus_ut.cc Executable file
View File

@@ -0,0 +1,79 @@
#include "prometheus_comp.h"
#include <sstream>
#include <fstream>
#include <vector>
#include "cmock.h"
#include "cptest.h"
#include "maybe_res.h"
#include "debug.h"
#include "config.h"
#include "environment.h"
#include "config_component.h"
#include "agent_details.h"
#include "time_proxy.h"
#include "mock/mock_mainloop.h"
#include "mock/mock_rest_api.h"
#include "mock/mock_messaging.h"
using namespace std;
using namespace testing;
USE_DEBUG_FLAG(D_PROMETHEUS);
class PrometheusCompTest : public Test
{
public:
PrometheusCompTest()
{
EXPECT_CALL(mock_rest, mockRestCall(_, "declare-boolean-variable", _)).WillOnce(Return(false));
env.preload();
config.preload();
env.init();
EXPECT_CALL(
mock_rest,
addGetCall("metrics", _)
).WillOnce(DoAll(SaveArg<1>(&get_metrics_func), Return(true)));
prometheus_comp.init();
}
::Environment env;
ConfigComponent config;
PrometheusComp prometheus_comp;
StrictMock<MockRestApi> mock_rest;
StrictMock<MockMainLoop> mock_ml;
NiceMock<MockMessaging> mock_messaging;
unique_ptr<ServerRest> agent_uninstall;
function<string()> get_metrics_func;
CPTestTempfile status_file;
string registered_services_file_path;
};
TEST_F(PrometheusCompTest, checkAddingMetric)
{
registered_services_file_path = cptestFnameInSrcDir(string("registered_services.json"));
setConfiguration(registered_services_file_path, "orchestration", "Orchestration registered services");
string metric_body = "{\n"
" \"metrics\": [\n"
" {\n"
" \"metric_name\": \"watchdogProcessStartupEventsSum\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{method=\\\"post\\\",code=\\\"200\\\"}\",\n"
" \"value\": \"1534\"\n"
" }\n"
" ]\n"
"}";
string message_body;
EXPECT_CALL(mock_messaging, sendSyncMessage(_, "/service-metrics", _, _, _))
.Times(2).WillRepeatedly(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, metric_body)));
string metric_str = "# TYPE nano_service_restarts_counter counter\n"
"nano_service_restarts_counter{method=\"post\",code=\"200\"} 1534\n\n";
EXPECT_EQ(metric_str, get_metrics_func());
}

32
components/security_apps/prometheus/prometheus_ut/registered_services.json Executable file
View File

@@ -0,0 +1,32 @@
{
"Registered Services": {
"cp-nano-orchestration": {
"Service name": "cp-nano-orchestration",
"Service ID": "cp-nano-orchestration",
"Service port": 7777,
"Relevant configs": [
"zones",
"triggers",
"rules",
"registration-data",
"parameters",
"orchestration",
"exceptions",
"agent-intelligence"
]
},
"cp-nano-prometheus": {
"Service name": "cp-nano-prometheus",
"Service ID": "cp-nano-prometheus",
"Service port": 7465,
"Relevant configs": [
"zones",
"triggers",
"rules",
"parameters",
"exceptions",
"agent-intelligence"
]
}
}
}

3
components/security_apps/waap/waap_clib/CidrMatch.cc
View File

@@ -41,6 +41,7 @@ static in6_addr applyMaskV6(const in6_addr& addr, uint8_t prefixLength) {
in6_addr maskedAddr = addr; in6_addr maskedAddr = addr;
int fullBytes = prefixLength / 8; int fullBytes = prefixLength / 8;
int remainingBits = prefixLength % 8; int remainingBits = prefixLength % 8;
uint8_t partialByte = maskedAddr.s6_addr[fullBytes];
// Mask full bytes // Mask full bytes
for (int i = fullBytes; i < 16; ++i) { for (int i = fullBytes; i < 16; ++i) {
@@ -50,7 +51,7 @@ static in6_addr applyMaskV6(const in6_addr& addr, uint8_t prefixLength) {
// Mask remaining bits // Mask remaining bits
if (remainingBits > 0) { if (remainingBits > 0) {
uint8_t mask = ~((1 << (8 - remainingBits)) - 1); uint8_t mask = ~((1 << (8 - remainingBits)) - 1);
maskedAddr.s6_addr[fullBytes] &= mask; maskedAddr.s6_addr[fullBytes] = partialByte & mask;
} }
return maskedAddr; return maskedAddr;

29
components/utils/generic_rulebase/evaluators/http_transaction_data_eval.cc
View File

@@ -103,6 +103,35 @@ WildcardHost::evalVariable() const
return lower_host_ctx == lower_host; return lower_host_ctx == lower_host;
} }
EqualWafTag::EqualWafTag(const vector<string> &params)
{
if (params.size() != 1) reportWrongNumberOfParams("EqualWafTag", params.size(), 1, 1);
waf_tag = params[0];
}
Maybe<bool, Context::Error>
EqualWafTag::evalVariable() const
{
I_Environment *env = Singleton::Consume<I_Environment>::by<EqualWafTag>();
auto maybe_waf_tag_ctx = env->get<string>(HttpTransactionData::waf_tag_ctx);
if (!maybe_waf_tag_ctx.ok())
{
dbgTrace(D_RULEBASE_CONFIG) << "didnt find waf tag in current context";
return false;
}
auto waf_tag_ctx = maybe_waf_tag_ctx.unpack();
dbgTrace(D_RULEBASE_CONFIG)
<< "trying to match waf tag context with its corresponding waf tag: "
<< waf_tag_ctx
<< ". Matcher waf tag: "
<< waf_tag;
return waf_tag_ctx == waf_tag;
}
EqualListeningIP::EqualListeningIP(const vector<string> &params) EqualListeningIP::EqualListeningIP(const vector<string> &params)
{ {
if (params.size() != 1) reportWrongNumberOfParams("EqualListeningIP", params.size(), 1, 1); if (params.size() != 1) reportWrongNumberOfParams("EqualListeningIP", params.size(), 1, 1);

1
components/utils/generic_rulebase/generic_rulebase.cc
View File

@@ -80,6 +80,7 @@ GenericRulebase::Impl::preload()
addMatcher<IpProtocolMatcher>(); addMatcher<IpProtocolMatcher>();
addMatcher<UrlMatcher>(); addMatcher<UrlMatcher>();
addMatcher<EqualHost>(); addMatcher<EqualHost>();
addMatcher<EqualWafTag>();
addMatcher<WildcardHost>(); addMatcher<WildcardHost>();
addMatcher<EqualListeningIP>(); addMatcher<EqualListeningIP>();
addMatcher<EqualListeningPort>(); addMatcher<EqualListeningPort>();

1
components/utils/http_transaction_data/http_transaction_data.cc
View File

@@ -53,6 +53,7 @@ const string HttpTransactionData::req_body = "transaction_request_body
const string HttpTransactionData::source_identifier = "sourceIdentifiers"; const string HttpTransactionData::source_identifier = "sourceIdentifiers";
const string HttpTransactionData::proxy_ip_ctx = "proxy_ip"; const string HttpTransactionData::proxy_ip_ctx = "proxy_ip";
const string HttpTransactionData::xff_vals_ctx = "xff_vals"; const string HttpTransactionData::xff_vals_ctx = "xff_vals";
const string HttpTransactionData::waf_tag_ctx = "waf_tag";
const CompressionType HttpTransactionData::default_response_content_encoding = CompressionType::NO_COMPRESSION; const CompressionType HttpTransactionData::default_response_content_encoding = CompressionType::NO_COMPRESSION;

216
components/utils/utilities/nginx_conf_collector/nginx_conf_collector.cc
View File

@@ -1,5 +1,5 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. // Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at // You may obtain a copy of the License at
// //
@@ -13,9 +13,11 @@
#include <iostream> #include <iostream>
#include <unistd.h> #include <unistd.h>
#include <sstream>
#include "agent_core_utilities.h" #include "agent_core_utilities.h"
#include "debug.h" #include "debug.h"
#include "getopt.h"
#include "internal/shell_cmd.h" #include "internal/shell_cmd.h"
#include "mainloop.h" #include "mainloop.h"
#include "nginx_utils.h" #include "nginx_utils.h"
@@ -43,6 +45,7 @@ public:
environment.fini(); environment.fini();
time_proxy.fini(); time_proxy.fini();
} }
private: private:
ShellCmd shell_cmd; ShellCmd shell_cmd;
MainloopComponent mainloop; MainloopComponent mainloop;
@@ -50,6 +53,153 @@ private:
TimeProxyComponent time_proxy; TimeProxyComponent time_proxy;
}; };
class FogConnection
{
public:
FogConnection(const std::string& token, const std::string& fog)
: var_token(token), var_fog(fog) {}
bool registerAgent() {
std::string curl_cmd = "curl -s --noproxy \"*\" "
"--header \"User-Agent: Infinity Next (a7030abf93a4c13)\" "
"--header \"Content-Type: application/json\" "
"--request POST "
"--data '{\"authenticationData\": [{\"authenticationMethod\": \"token\", \"data\": \""
+ var_token + "\"}], "
"\"metaData\": {\"agentName\": \"ConfCollector\", \"agentType\":"
"\"Embedded\", \"platform\": \"linux\", "
"\"architecture\": \"x86\", \"additionalMetaData\": {\"agentVendor\": \"python\"}}}' "
+ var_fog + "/agents";
std::string response = executeCommand(curl_cmd);
std::string error_check = "echo '" + response + "' | grep referenceId";
std::string error_result = executeCommand(error_check);
if (!error_result.empty()) {
std::cerr << "Couldn't register to the FOG" << std::endl;
return false;
}
agent_id = extractJsonValue(response, "agentId");
clientId = extractJsonValue(response, "clientId");
clientSecret = extractJsonValue(response, "clientSecret");
tenant_id = extractJsonValue(response, "tenantId");
profile_id = extractJsonValue(response, "profileId");
removeNewlines(agent_id);
removeNewlines(clientId);
removeNewlines(clientSecret);
removeNewlines(tenant_id);
removeNewlines(profile_id);
return true;
}
bool getJWT() {
std::string curl_cmd = "curl -s --noproxy \"*\" "
"--header \"User-Agent: Infinity Next (a7030abf93a4c13)\" "
"--header \"Content-Type: application/json\" "
"-d '{\"login\":\"" + clientId + "\", \"password\":\"" + clientSecret + "\"}' "
"--user \"" + clientId + ":" + clientSecret + "\" "
"--request POST "
"--data '{}' "
+ var_fog + "/oauth/token?grant_type=client_credentials";
std::string response = executeCommand(curl_cmd);
std::string error_check = "echo '" + response + "' | grep referenceId";
std::string error_result = executeCommand(error_check);
if (!error_result.empty()) {
std::cerr << "Couldn't receive JWT" << std::endl;
return false;
}
ra_token = extractJsonValue(response, "access_token");
removeNewlines(ra_token);
return true;
}
bool uploadNginxConfig(const std::string& config_file_path)
{
if (tenant_id.empty() || profile_id.empty() || ra_token.empty()) {
std::cerr << "Missing required data for upload (tenant_id, profile_id, or JWT token)" << std::endl;
return false;
}
std::ifstream file_check(config_file_path);
if (!file_check.is_open()) {
std::cerr << "Cannot open config file for upload: " << config_file_path << std::endl;
return false;
}
file_check.close();
std::string upload_url = var_fog + "/agents-core/storage/" + tenant_id + "/" + "nginx/" + profile_id +
"/1/nginx.conf";
std::string curl_cmd = "curl -s --noproxy \"*\" "
"--header \"User-Agent: Infinity Next (a7030abf93a4c13)\" "
"--header \"Authorization: Bearer " + ra_token + "\" "
"--header \"Content-Type: text/plain\" "
"--request PUT "
"--data-binary @" + config_file_path + " "
"-w \"%{http_code}\" "
+ upload_url;
std::string response = executeCommand(curl_cmd);
std::string status_code = "";
if (response.length() >= 3) {
status_code = response.substr(response.length() - 3);
response = response.substr(0, response.length() - 3);
}
if (status_code.empty() || status_code[0] != '2') {
std::cerr << "Upload failed with HTTP status code: " << status_code << std::endl;
return false;
}
std::cout << "Successfully uploaded nginx config to: " << upload_url << " (HTTP " << status_code << ")"
<< std::endl;
return true;
}
private:
std::string var_token;
std::string var_fog;
std::string agent_id;
std::string tenant_id;
std::string profile_id;
std::string ra_token;
std::string clientId;
std::string clientSecret;
std::string executeCommand(const std::string& command) {
std::string result;
FILE* pipe = popen(command.c_str(), "r");
if (!pipe) {
throw std::runtime_error("popen() failed!");
}
char buffer[128];
while (fgets(buffer, sizeof(buffer), pipe) != nullptr) {
result += buffer;
}
pclose(pipe);
return result;
}
std::string extractJsonValue(const std::string& response, const std::string& key) {
std::string command = "echo '" + response + "' | grep -o '\"" + key + "\":\"[^\"]*' | grep -o '[^\"]*$'";
return executeCommand(command);
}
void removeNewlines(std::string& str) {
str.erase(std::remove(str.begin(), str.end(), '\n'), str.end());
str.erase(std::remove(str.begin(), str.end(), '\r'), str.end());
}
};
void void
printVersion() printVersion()
{ {
@@ -63,12 +213,16 @@ printVersion()
void void
printUsage(const char *prog_name) printUsage(const char *prog_name)
{ {
cout << "Usage: " << prog_name << " [-v] [-i /path/to/nginx.conf] [-o /path/to/output.conf]" << '\n'; cout << "Usage: " << prog_name << " [-v] [-i /path/to/nginx.conf] [-o /path/to/output.conf]" <<
"[--upload --token <token> [--fog <address>]]" << '\n';
cout << " -V Print version" << '\n'; cout << " -V Print version" << '\n';
cout << " -v Enable verbose output" << '\n'; cout << " -v Enable verbose output" << '\n';
cout << " -i input_file Specify input file (default is /etc/nginx/nginx.conf)" << '\n'; cout << " -i input_file Specify input file (default is /etc/nginx/nginx.conf)" << '\n';
cout << " -o output_file Specify output file (default is ./full_nginx.conf)" << '\n'; cout << " -o output_file Specify output file (default is ./full_nginx.conf)" << '\n';
cout << " -h Print this help message" << '\n'; cout << " -h Print this help message" << '\n';
cout << " --upload Upload configuration to FOG (requires --token)" << '\n';
cout << " --token <token> profile token for FOG upload" << '\n';
cout << " --fog <address> FOG server address (default: inext-agents.cloud.ngen.checkpoint.com)" << '\n';
} }
int int
@@ -76,9 +230,19 @@ main(int argc, char *argv[])
{ {
string nginx_input_file = "/etc/nginx/nginx.conf"; string nginx_input_file = "/etc/nginx/nginx.conf";
string nginx_output_file = "full_nginx.conf"; string nginx_output_file = "full_nginx.conf";
string fog_address = "inext-agents.cloud.ngen.checkpoint.com";
string token;
bool upload_flag = false;
int opt; int opt;
while ((opt = getopt(argc, argv, "Vvhi:o:h")) != -1) {
static struct option long_options[] = {
{"upload", no_argument, 0, 'u'},
{"token", required_argument, 0, 1001},
{"fog", required_argument, 0, 1002},
{0, 0, 0, 0}
};
while ((opt = getopt_long(argc, argv, "Vvhi:o:", long_options, nullptr)) != -1) {
switch (opt) { switch (opt) {
case 'V': case 'V':
printVersion(); printVersion();
@@ -95,18 +259,33 @@ main(int argc, char *argv[])
case 'h': case 'h':
printUsage(argv[0]); printUsage(argv[0]);
return 0; return 0;
case 'u':
upload_flag = true;
break;
case 1001: // --token
token = optarg;
break;
case 1002: // --fog
fog_address = optarg;
break;
default: default:
printUsage(argv[0]); printUsage(argv[0]);
return 1; return 1;
} }
} }
for (int i = optind; i < argc;) { for (int i = optind; i < argc; i++) {
cerr << "Unknown argument: " << argv[i] << '\n'; cerr << "Unknown argument: " << argv[i] << '\n';
printUsage(argv[0]); printUsage(argv[0]);
return 1; return 1;
} }
if (upload_flag && token.empty()) {
cerr << "Error: --upload requires --token to be specified" << '\n';
printUsage(argv[0]);
return 1;
}
dbgTrace(D_NGINX_MANAGER) << "Starting nginx configuration collector"; dbgTrace(D_NGINX_MANAGER) << "Starting nginx configuration collector";
MainComponent main_component; MainComponent main_component;
@@ -144,5 +323,30 @@ main(int argc, char *argv[])
cout << "Full nginx configuration file was successfully generated: " << result.unpack() << '\n'; cout << "Full nginx configuration file was successfully generated: " << result.unpack() << '\n';
if (upload_flag) {
cout << "Uploading configuration to FOG server: " << fog_address << '\n';
string full_fog_url = fog_address;
if (fog_address.find("http://") != 0 && fog_address.find("https://") != 0) {
full_fog_url = "https://" + fog_address;
}
FogConnection fog_connection(token, full_fog_url);
if (!fog_connection.registerAgent()) {
cerr << "Failed to register agent with the FOG." << '\n';
return 1;
}
if (!fog_connection.getJWT()) {
cerr << "Failed to get JWT token." << '\n';
return 1;
}
if (!fog_connection.uploadNginxConfig(result.unpack())) {
cerr << "Failed to upload nginx config file to FOG." << '\n';
return 1;
}
}
return 0; return 0;
} }

434
config/linux/v1beta1/schema/schema_v1beta1.yaml Normal file
View File

@@ -0,0 +1,434 @@
ype: object
properties:
policies:
type: object
properties:
default:
type: object
properties:
custom-response:
type: string
exceptions:
items:
type: string
type: array
mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
practices:
items:
type: string
type: array
source-identifiers:
type: string
triggers:
items:
type: string
type: array
trusted-sources:
type: string
required:
- mode
- practices
- triggers
specific-rules:
type: array
items:
properties:
host:
type: string
custom-response:
type: string
exceptions:
items:
type: string
type: array
mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
practices:
items:
type: string
type: array
source-identifiers:
type: string
triggers:
items:
type: string
type: array
trusted-sources:
type: string
required:
- mode
- host
- practices
- triggers
type: object
practices:
type: array
items:
properties:
name:
type: string
anti-bot:
properties:
injected-URIs:
items:
properties:
uri:
type: string
type: object
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
default: "inactive"
validated-URIs:
items:
properties:
uri:
type: string
type: object
type: array
type: object
openapi-schema-validation:
properties:
files:
items:
type: string
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
type: object
snort-signatures:
properties:
files:
items:
type: string
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
type: object
web-attacks:
properties:
max-body-size-kb:
type: integer
max-header-size-bytes:
type: integer
max-object-depth:
type: integer
max-url-size-bytes:
type: integer
minimum-confidence:
enum:
- medium
- high
- critical
type: string
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
protections:
properties:
csrf-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
error-disclosure-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
non-valid-http-methods:
type: boolean
open-redirect-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
type: object
type: object
required:
- name
custom-responses:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
http-response-code:
maximum: 599
minimum: 100
default: 403
type: integer
message-body:
type: string
default: "Attack blocked by web application protection"
message-title:
type: string
default: "Openappsec's <b>Application Security</b> has detected an attack and blocked it."
mode:
enum:
- block-page
- response-code-only
type: string
required:
- name
log-triggers:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
access-control-logging:
properties:
allow-events:
type: boolean
default: false
drop-events:
type: boolean
default: false
type: object
additional-suspicious-events-logging:
properties:
enabled:
type: boolean
default true:
minimum-severity:
enum:
- high
- critical
type: string
default: "high"
response-body:
type: boolean
default: false
response-code:
type: boolean
default: true
type: object
appsec-logging:
properties:
all-web-requests:
type: boolean
default: false
detect-events:
type: boolean
default: false
prevent-events:
type: boolean
default: true
type: object
extended-logging:
properties:
http-headers:
type: boolean
default: false
request-body:
type: boolean
default: false
url-path:
type: boolean
default: false
url-query:
type: boolean
default: false
type: object
log-destination:
properties:
cef-service:
minItems: 0
items:
properties:
address:
type: string
port:
type: integer
proto:
enum:
- tcp
- udp
type: string
type: object
type: array
cloud:
type: boolean
default: false
stdout:
properties:
format:
enum:
- json
- json-formatted
type: string
default: json
type: object
syslog-service:
minItems: 0
items:
properties:
address:
type: string
port:
type: integer
type: object
type: array
type: object
required:
- name
exceptions:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
action:
enum:
- skip
- accept
- drop
- suppressLog
type: string
comment:
type: string
countryCode:
items:
type: string
type: array
countryName:
items:
type: string
type: array
hostName:
items:
type: string
type: array
paramName:
items:
type: string
type: array
paramValue:
items:
type: string
type: array
protectionName:
items:
type: string
type: array
sourceIdentifier:
items:
type: string
type: array
sourceIp:
items:
type: string
type: array
url:
items:
type: string
type: array
required:
- name
- action
trusted-sources:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
minNumOfSources:
type: integer
minimum: 1
default: 3
sources-identifiers:
items:
type: string
type: array
required:
- name
- sources-identifiers
source-identifiers:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
identifiers:
type: array
minItems: 1
items:
type: object
source-identifier:
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
type: string
value:
items:
type: string
type: array
required:
- source-identifier
required:
- name
- identifiers
additionalProperties: false

752
config/linux/v1beta2/schema/schema_v1beta2.yaml Normal file
View File

@@ -0,0 +1,752 @@
type: object
properties:
apiVersion:
type: string
enum:
- v1beta1
- v1beta2
policies:
type: object
properties:
appsecClassName:
type: string
default:
type: object
required:
- mode
- threatPreventionPractices
- accessControlPractices
properties:
mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
default: detect-learn
threatPreventionPractices:
type: array
items:
type: string
accessControlPractices:
type: array
items:
type: string
customResponse:
type: string
default: "403"
triggers:
type: array
items:
type: string
sourceIdentifiers:
type: string
trustedSources:
type: string
exceptions:
type: array
items:
type: string
specificRules:
type: array
items:
type: object
properties:
name:
type: string
host:
type: string
mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
default: detect-learn
threatPreventionPractices:
type: array
items:
type: string
accessControlPractices:
type: array
items:
type: string
triggers:
type: array
items:
type: string
customResponse:
type: string
sourceIdentifiers:
type: string
trustedSources:
type: string
exceptions:
type: array
items:
type: string
logTriggers:
type: array
items:
type: object
required:
- accessControlLogging
- appsecLogging
- additionalSuspiciousEventsLogging
- extendedLogging
- logDestination
properties:
appsecClassName:
type: string
name:
type: string
accessControlLogging:
type: object
properties:
allowEvents:
type: boolean
default: false
dropEvents:
type: boolean
default: true
appsecLogging:
type: object
properties:
detectEvents:
type: boolean
default: true
preventEvents:
type: boolean
default: true
allWebRequests:
type: boolean
default: false
additionalSuspiciousEventsLogging:
type: object
properties:
enabled:
type: boolean
default: true
minSeverity:
type: string
enum:
- high
- critical
default: high
responseBody:
type: boolean
default: false
responseCode:
type: boolean
default: true
extendedLogging:
type: object
properties:
urlPath:
type: boolean
default: false
urlQuery:
type: boolean
default: false
httpHeaders:
type: boolean
default: false
requestBody:
type: boolean
default: false
logDestination:
type: object
properties:
cloud:
type: boolean
default: false
local-tuning:
type: boolean
default: false
syslogService:
type: array
items:
type: object
properties:
address:
type: string
port:
type: integer
logToAgent:
type: boolean
default: true
stdout:
type: object
properties:
format:
type: string
enum:
- json
- json-formatted
default: json
cefService:
type: array
items:
type: object
properties:
address:
type: string
port:
type: integer
proto:
type: string
enum:
- tcp
- udp
threatPreventionPractices:
type: array
items:
type: object
required:
- webAttacks
- intrusionPrevention
- fileSecurity
- snortSignatures
properties:
appsecClassName:
type: string
name:
type: string
practiceMode:
type: string
enum:
- inherited
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
default: inherited
webAttacks:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
minimumConfidence:
type: string
enum:
- medium
- high
- critical
default: high
maxUrlSizeBytes:
type: integer
default: 32768
maxObjectDepth:
type: integer
default: 40
maxBodySizeKb:
type: integer
default: 1000000
maxHeaderSizeBytes:
type: integer
default: 102400
protections:
type: object
properties:
csrfProtection:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
errorDisclosure:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
openRedirect:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
nonValidHttpMethods:
type: boolean
default: false
antiBot:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
injectedUris:
type: array
items:
type: object
properties:
uri:
type: string
validatedUris:
type: array
items:
type: object
properties:
uri:
type: string
snortSignatures:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
configmap:
type: array
items:
type: string
files:
type: array
items:
type: string
schemaValidation:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
enforcementLevel:
type: string
configmap:
type: array
items:
type: string
files:
type: array
items:
type: string
intrusionPrevention:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
maxPerformanceImpact:
type: string
enum:
- low
- medium
- high
default: medium
minSeverityLevel:
type: string
enum:
- low
- medium
- high
- critical
default: medium
minCveYear:
type: integer
default: 2016
highConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inherited
mediumConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inherited
lowConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: detect
fileSecurity:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
minSeverityLevel:
type: string
enum:
- low
- medium
- high
- critical
default: medium
highConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inherited
mediumConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inherited
lowConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: detect
archiveInspection:
type: object
properties:
extractArchiveFiles:
type: boolean
default: false
scanMaxFileSize:
type: integer
default: 10
scanMaxFileSizeUnit:
type: string
enum:
- bytes
- KB
- MB
- GB
default: MB
archivedFilesWithinArchivedFiles:
type: string
enum:
- prevent
- detect
- inactive
- inherited #as set in overrideMode for fileSecurity
default: inherited
archivedFilesWhereContentExtractionFailed:
type: string
enum:
- prevent
- detect
- inactive
- inherited #as set in overrideMode for fileSecurity
default: inherited
largeFileInspection:
type: object
properties:
fileSizeLimit:
type: integer
default: 10
fileSizeLimitUnit:
type: string
enum:
- bytes
- KB
- MB
- GB
default: MB
filesExceedingSizeLimitAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited #as set in overrideMode for fileSecurity
default: inherited
unnamedFilesAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited #as set in overrideMode for fileSecurity
default: inherited
threatEmulationEnabled:
type: boolean
default: false
accessControlPractices:
type: array
items:
type: object
required:
- rateLimit
properties:
appsecClassName:
type: string
name:
type: string
practiceMode:
type: string
enum:
- inherited #inherited from mode set in policy
- prevent
- detect
- inactive
default: inherited
rateLimit:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inactive
rules:
type: array
items:
type: object
properties:
action: # currently not supported
type: string
enum:
- inherited
- prevent
- detect
default: inherited
condition: # currently not supported
type: array
items:
type: object
required:
- key
- value
properties:
key:
type: string
value:
type: string
uri:
type: string
limit:
type: integer
unit:
type: string
enum:
- minute
- second
default: minute
triggers:
type: array
items:
type: string
comment:
type: string
customResponses:
type: array
items:
type: object
required:
- mode
properties:
appsecClassName:
type: string
name:
type: string
mode:
type: string
enum:
- block-page
- redirect
- response-code-only
default: response-code-only
messageTitle:
type: string
messageBody:
type: string
httpResponseCode:
type: integer
minimum: 100
maximum: 599
default: 403
redirectUrl:
type: string
redirectAddXEventId:
type: boolean
default: false
sourcesIdentifiers:
type: array
items:
type: object
required:
- sourcesIdentifiers
properties:
name:
type: string
sourcesIdentifiers:
type: array
items:
type: object
required:
- identifier
properties:
identifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
default: sourceip
value:
type: array
items:
type: string
exceptions:
type: array
items:
type: object
required:
- action
- condition
properties:
appsecClassName:
type: string
name:
type: string
action:
type: string
enum:
- skip
- accept
- drop
- suppressLog
default: accept
condition:
type: array
items:
type: object
required:
- key
- value
properties:
key:
type: string
value:
type: string
trustedSources:
type: array
items:
type: object
required:
- minNumOfSources
- sourcesIdentifiers
properties:
appsecClassName:
type: string
name:
type: string
minNumOfSources:
type: integer
default: 3
sourcesIdentifiers:
type: array
items:
type: string
policyActivations:
type: array
items:
type: object
properties:
appsecClassName:
type: string
enabledPolicies:
type: array
items:
type: object
properties:
name:
type: string
hosts:
type: array
items:
type: string
required:
- hosts
required:
- enabledPolicies
additionalProperties: false

12
core/metric/generic_metric.cc
View File

@@ -332,7 +332,17 @@ vector<PrometheusData>
GenericMetric::getPromMetricsData() GenericMetric::getPromMetricsData()
{ {
vector<PrometheusData> all_metrics; vector<PrometheusData> all_metrics;
if (!getProfileAgentSettingWithDefault(false, "prometheus")) return all_metrics; bool enable_prometheus = false;
auto prometheus_settings = getProfileAgentSetting<bool>("prometheus");
if (prometheus_settings.ok()) {
enable_prometheus = prometheus_settings.unpack();
} else {
const char *prometheus_env = getenv("PROMETHEUS");
if (prometheus_env != nullptr) {
enable_prometheus = string(prometheus_env) == "true";
}
}
if (!enable_prometheus) return all_metrics;
dbgTrace(D_METRICS) << "Get prometheus metrics"; dbgTrace(D_METRICS) << "Get prometheus metrics";
for (auto &calc : prometheus_calcs) { for (auto &calc : prometheus_calcs) {

1
nodes/CMakeLists.txt
View File

@@ -11,6 +11,7 @@ set(COMMON_LIBRARIES "-lngen_core;-lcompression_utils;-lssl;-lcrypto;-lz;-lboost
include(packaging.cmake) include(packaging.cmake)
add_subdirectory(orchestration) add_subdirectory(orchestration)
add_subdirectory(prometheus)
add_subdirectory(agent_cache) add_subdirectory(agent_cache)
add_subdirectory(http_transaction_handler) add_subdirectory(http_transaction_handler)
add_subdirectory(attachment_registration_manager) add_subdirectory(attachment_registration_manager)

1
nodes/orchestration/package/cp-nano-package-list
View File

@@ -29,4 +29,5 @@ cpview_metric_provider="cpviewMetricProvider 8282"
hello_world="hello_world" hello_world="hello_world"
crowdsec_aux="crowdsecAux 8081" crowdsec_aux="crowdsecAux 8081"
central_nginx_manager="centralNginxManager 7555" central_nginx_manager="centralNginxManager 7555"
prometheus="prometheus 7465"
# ## Please do not remove this comment - newline at end of file required. # ## Please do not remove this comment - newline at end of file required.

3
nodes/orchestration/package/orchestration_package.sh
View File

@@ -647,6 +647,9 @@ install_watchdog()
echo "ExecStart=ip netns exec CTX0000${VS_ID} ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE} echo "ExecStart=ip netns exec CTX0000${VS_ID} ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
fi fi
echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE} echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
if [ -n "${PROMETHEUS}" ] ; then
echo "Environment=\"PROMETHEUS=${PROMETHEUS}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
fi
cp_exec "systemctl daemon-reload" cp_exec "systemctl daemon-reload"
cp_exec "systemctl enable nano_agent" cp_exec "systemctl enable nano_agent"

30
nodes/prometheus/CMakeLists.txt Executable file
View File

@@ -0,0 +1,30 @@
add_subdirectory(package)
add_executable(prometheus main.cc)
target_link_libraries(prometheus
-Wl,--start-group
${COMMON_LIBRARIES}
generic_rulebase
generic_rulebase_evaluators
ip_utilities
version
signal_handler
prometheus_comp
http_transaction_data
-Wl,--end-group
)
add_dependencies(prometheus ngen_core)
install(TARGETS prometheus DESTINATION bin)
install(TARGETS prometheus DESTINATION prometheus_service/bin)
gen_package(
install-cp-nano-service-prometheus.sh
prometheus_service
./install-cp-nano-prometheus.sh
Check Point Prometheus Agent Version ${PACKAGE_VERSION} Install Package
)

15
nodes/prometheus/main.cc Executable file
View File

@@ -0,0 +1,15 @@
#include "components_list.h"
#include "prometheus_comp.h"
int
main(int argc, char **argv)
{
NodeComponents<PrometheusComp> comps;
comps.registerGlobalValue<bool>("Is Rest primary routine", true);
comps.registerGlobalValue<uint>("Nano service API Port Primary", 7465);
comps.registerGlobalValue<uint>("Nano service API Port Alternative", 7466);
comps.registerGlobalValue<bool>("Nano service API Allow Get From External IP", true);
return comps.run("Prometheus Service", argc, argv);
}

4
nodes/prometheus/package/CMakeLists.txt Executable file
View File

@@ -0,0 +1,4 @@
install(FILES install-cp-nano-prometheus.sh DESTINATION prometheus_service/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus.cfg DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus-conf.json DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus-debug-conf.json DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)

21
nodes/prometheus/package/cp-nano-prometheus-conf.json Executable file
View File

@@ -0,0 +1,21 @@
{
"connection": {
"Nano service API Port Primary": [
{
"value": 7465
}
],
"Nano service API Port Alternative": [
{
"value": 7466
}
]
},
"message": {
"Connection timeout": [
{
"value": 10000000
}
]
}
}

11
nodes/prometheus/package/cp-nano-prometheus-debug-conf.json Executable file
View File

@@ -0,0 +1,11 @@
{
"Debug": [
{
"Streams": [
{
"Output": "nano_agent/cp-nano-prometheus.dbg"
}
]
}
]
}

0
nodes/prometheus/package/cp-nano-prometheus.cfg Executable file
View File

164
nodes/prometheus/package/install-cp-nano-prometheus.sh Executable file
View File

@@ -0,0 +1,164 @@
#!/bin/sh
#Nano Service Details
NANO_SERVICE_NAME="prometheus"
NANO_SERVICE_BIN_NAME="cp-nano-prometheus"
NANO_SERVICE_INSTALLATION_FOLDER="prometheus"
ATTACHMENT_BIN_NAME="cp-nano-prometheus"
#Installable Names
CFG_FILE_NAME="cp-nano-prometheus.cfg"
DBG_CONF_FILE_NAME="cp-nano-prometheus-debug-conf.json"
SERVICE_CONF_FILE_NAME="cp-nano-prometheus-conf.json"
NANO_SERVICE_BIN="prometheus"
ATTACHMENT_BIN="prometheus_attachment"
#Const variables
FORCE_STDOUT=true
INSTALLATION_TIME=$(date)
CP_NANO_LOG_PATH="/var/log/nano_agent"
CP_NANO_CONF_PATH="/etc/cp/conf"
NANO_SERVICE_INSTALLATION_PATH="/etc/cp/${NANO_SERVICE_INSTALLATION_FOLDER}"
NANO_SERVICE_BIN_PATH=${NANO_SERVICE_INSTALLATION_PATH}/${NANO_SERVICE_BIN_NAME}
NANO_SERVICE_CFG_PATH=${NANO_SERVICE_BIN_PATH}.cfg
ATTACHMENT_BIN_PATH=${NANO_SERVICE_INSTALLATION_PATH}/${ATTACHMENT_BIN_NAME}
DBG_CONF_PATH=${CP_NANO_CONF_PATH}/${NANO_SERVICE_BIN_NAME}-debug-conf.json
SERVICE_CONF_PATH=${CP_NANO_CONF_PATH}/${NANO_SERVICE_BIN_NAME}-conf.json
DBG_FILE_PATH=${CP_NANO_LOG_PATH}/${NANO_SERVICE_BIN_NAME}.dbg
INSTALLATION_LOG_FILE=${CP_NANO_LOG_PATH}/${NANO_SERVICE_BIN_NAME}-install.log
mkdir -p ${CP_NANO_LOG_PATH}
touch ${DBG_FILE_PATH}
cp_print()
{
var_text=$1
var_std_out=$2
touch $INSTALLATION_LOG_FILE
if [ -n "$var_std_out" ]; then
if [ "$var_std_out" = "true" ]; then
printf "%b\n" "$var_text"
fi
fi
printf "%b\n" "$var_text" >> $INSTALLATION_LOG_FILE
}
cp_exec()
{
var_cmd=$1
var_std_out=$2
# Send exec output to RES
RES=$($var_cmd 2>&1)
if [ -n "$RES" ]; then
cp_print "$RES" "$var_std_out"
fi
}
set_configuration()
{
cp_exec "cp -n conf/${DBG_CONF_FILE_NAME} $DBG_CONF_PATH"
cp_exec "/etc/cp/scripts/cpnano_debug --default --service prometheus"
cp_exec "cp -n conf/${SERVICE_CONF_FILE_NAME} $SERVICE_CONF_PATH"
}
run_installation()
{
cp_print "Starting installation of Check Point ${NANO_SERVICE_NAME} Nano service [$INSTALLATION_TIME]\n" $FORCE_STDOUT
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${ATTACHMENT_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${NANO_SERVICE_BIN_PATH}"
att_path=$ATTACHMENT_BIN_PATH
cmd_pid_att=$(ps -eo pid,cmd,args | awk -v srv=${att_path} '{if($2 ~ srv || $3 ~ srv) print $1}')
srv_path=$NANO_SERVICE_BIN_NAME
cmd_pid_srv=$(ps -eo pid,cmd,args | awk -v srv=${srv_path} '{if($2 ~ srv || $3 ~ srv) print $1}')
if [ -n "$cmd_pid_att" ]; then
cp_print "Killing running instance(pid=$cmd_pid_att) of the prometheus attachment on installation"
kill -9 "$cmd_pid_att"
fi
if [ -n "$cmd_pid_srv" ]; then
cp_print "Killing running instance(pid=$cmd_pid_srv) of the prometheus service on installation"
kill -9 "$cmd_pid_srv"
fi
cp_exec "mkdir -p ${NANO_SERVICE_INSTALLATION_PATH}"
cp_exec "cp -f bin/${NANO_SERVICE_BIN} ${NANO_SERVICE_BIN_PATH}"
cp_exec "chmod +x ${NANO_SERVICE_BIN_PATH}"
cp_exec "cp -f conf/${CFG_FILE_NAME} ${NANO_SERVICE_CFG_PATH}"
cp_exec "chmod 600 ${NANO_SERVICE_CFG_PATH}"
set_configuration
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --register ${NANO_SERVICE_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --register ${ATTACHMENT_BIN_PATH}"
cp_print "Installation completed successfully." $FORCE_STDOUT
}
usage()
{
echo "Check Point: available flags are"
echo "--install : install ${NANO_SERVICE_NAME} Nano Service"
echo "--uninstall : remove ${NANO_SERVICE_NAME} Nano Service"
echo "--pre_install_test : run Pre-installation test for ${NANO_SERVICE_NAME} Nano Service install package"
echo "--post_install_test : run Post-installation test for ${NANO_SERVICE_NAME} Nano Service install package"
exit 255
}
run_uninstall()
{
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${ATTACHMENT_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${NANO_SERVICE_BIN_PATH}"
cp_exec "rm -rf ${NANO_SERVICE_INSTALLATION_PATH}"
cp_exec "rm -rf ${NANO_SERVICE_CONF_DIR}"
}
run_pre_install_test()
{
cp_print "Starting Pre-installation test of Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
cp_print "Successfully finished pre-installation test for Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
exit 0
}
run_post_install_test()
{
cp_print "Starting Post-installation test of Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
if ! cat /etc/cp/watchdog/wd.services | grep -q ${NANO_SERVICE_BIN_PATH}; then
cp_print "Failed to register ${NANO_SERVICE_NAME} Nano service to the watchdog\n" $FORCE_STDOUT
exit 255
fi
cp_print "Successfully finished post-installation test for Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
exit 0
}
run()
{
if [ '--install' = "$1" ]; then
run_installation "${@}"
elif [ '--uninstall' = "$1" ]; then
run_uninstall
elif [ '--pre_install_test' = "$1" ]; then
run_pre_install_test
elif [ '--post_install_test' = "$1" ]; then
run_post_install_test
else
usage
exit 1
fi
}
if [ "$(id -u)" != "0" ]; then
echo "Administrative privileges required for this Package (use su or sudo)"
exit 1
fi
shift
run "${@}"
exit 0