mirror of
https://github.com/openappsec/openappsec.git
synced 2025-11-16 01:12:18 +03:00
Compare commits
8 Commits
Jul_31_202
...
orianelou-
| Author | SHA1 | Date | |
|---|---|---|---|
|
92885cf2cd | ||
|
84327e0b19 | ||
|
|
b9723ba6ce | ||
|
|
00e183b8c6 | ||
|
|
e859c167ed | ||
|
|
805e958cb9 | ||
|
|
5bcd7cfcf1 | ||
|
|
ae6f2faeec |
1321
config/crds/open-appsec-crd-latest.yaml
Normal file
1321
config/crds/open-appsec-crd-latest.yaml
Normal file
File diff suppressed because it is too large
Load Diff
525
config/crds/open-appsec-crd-v1beta1.yaml
Normal file
525
config/crds/open-appsec-crd-v1beta1.yaml
Normal file
@@ -0,0 +1,525 @@
|
||||
Enter file contents hereapiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata :
|
||||
name : customresponses.openappsec.io
|
||||
|
||||
spec:
|
||||
group: openappsec.io
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
mode:
|
||||
type: string
|
||||
enum:
|
||||
- block-page
|
||||
#- redirect
|
||||
- response-code-only
|
||||
message-title:
|
||||
type: string
|
||||
message-body:
|
||||
type: string
|
||||
http-response-code:
|
||||
type: integer
|
||||
minimum: 100
|
||||
maximum: 599
|
||||
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: customresponses
|
||||
singular: customresponse
|
||||
kind: CustomResponse
|
||||
shortNames:
|
||||
- customresponse
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: exceptions.openappsec.io
|
||||
|
||||
spec:
|
||||
group: openappsec.io
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
required:
|
||||
- action
|
||||
properties:
|
||||
action:
|
||||
type: string
|
||||
enum:
|
||||
- skip
|
||||
- accept
|
||||
- drop
|
||||
- suppressLog
|
||||
sourceIp:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
url:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
sourceIdentifier:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
protectionName:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
paramValue:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
paramName:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
hostName:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
countryCode:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
countryName:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
comment:
|
||||
type: string
|
||||
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: exceptions
|
||||
singular: exception
|
||||
kind: Exception
|
||||
shortNames:
|
||||
- exception
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata :
|
||||
name : logtriggers.openappsec.io
|
||||
|
||||
spec:
|
||||
group: openappsec.io
|
||||
versions:
|
||||
- name: v1beta1
|
||||
# Each version can be enabled/disabled by Served flag.
|
||||
served: true
|
||||
# One and only one version must be marked as the storage version.
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
access-control-logging:
|
||||
type: object
|
||||
properties:
|
||||
allow-events:
|
||||
type: boolean
|
||||
drop-events:
|
||||
type: boolean
|
||||
appsec-logging:
|
||||
type: object
|
||||
properties:
|
||||
detect-events:
|
||||
type: boolean
|
||||
prevent-events:
|
||||
type: boolean
|
||||
all-web-requests:
|
||||
type: boolean
|
||||
additional-suspicious-events-logging:
|
||||
type: object
|
||||
properties:
|
||||
enabled:
|
||||
type: boolean
|
||||
minimum-severity:
|
||||
type: string
|
||||
enum:
|
||||
- high
|
||||
- critical
|
||||
response-body:
|
||||
type: boolean
|
||||
response-code:
|
||||
type: boolean
|
||||
extended-logging:
|
||||
type: object
|
||||
properties:
|
||||
url-path:
|
||||
type: boolean
|
||||
url-query:
|
||||
type: boolean
|
||||
http-headers:
|
||||
type: boolean
|
||||
request-body:
|
||||
type: boolean
|
||||
log-destination:
|
||||
type: object
|
||||
properties:
|
||||
cloud:
|
||||
type: boolean
|
||||
syslog-service: #change to object array
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
address:
|
||||
type: string
|
||||
port:
|
||||
type: integer
|
||||
file:
|
||||
type: string
|
||||
stdout:
|
||||
type: object
|
||||
properties:
|
||||
format:
|
||||
type: string
|
||||
enum:
|
||||
- json
|
||||
- json-formatted
|
||||
cef-service:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
address:
|
||||
type: string
|
||||
port:
|
||||
type: integer
|
||||
proto:
|
||||
type: string
|
||||
enum:
|
||||
- tcp
|
||||
- udp
|
||||
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: logtriggers
|
||||
singular: logtrigger
|
||||
kind: LogTrigger
|
||||
shortNames:
|
||||
- logtrigger
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata :
|
||||
name : policies.openappsec.io
|
||||
|
||||
spec:
|
||||
group: openappsec.io
|
||||
versions:
|
||||
- name: v1beta1
|
||||
# Each version can be enabled/disabled by Served flag.
|
||||
served: true
|
||||
# One and only one version must be marked as the storage version.
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
default:
|
||||
type: object
|
||||
properties:
|
||||
mode:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
practices:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
triggers:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
custom-response:
|
||||
type: string
|
||||
source-identifiers:
|
||||
type: string
|
||||
trusted-sources:
|
||||
type: string
|
||||
exceptions:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
specific-rules:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
host:
|
||||
type: string
|
||||
mode:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
practices:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
triggers:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
custom-response:
|
||||
type: string
|
||||
source-identifiers:
|
||||
type: string
|
||||
trusted-sources:
|
||||
type: string
|
||||
exceptions:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: policies
|
||||
singular: policy
|
||||
kind: Policy
|
||||
shortNames:
|
||||
- policy
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata :
|
||||
name : practices.openappsec.io
|
||||
|
||||
spec:
|
||||
group: openappsec.io
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
web-attacks:
|
||||
type: object
|
||||
properties:
|
||||
override-mode:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
minimum-confidence:
|
||||
type: string
|
||||
enum:
|
||||
- medium
|
||||
- high
|
||||
- critical
|
||||
max-url-size-bytes:
|
||||
type: integer
|
||||
max-object-depth:
|
||||
type: integer
|
||||
max-body-size-kb:
|
||||
type: integer
|
||||
max-header-size-bytes:
|
||||
type: integer
|
||||
protections:
|
||||
type: object
|
||||
properties:
|
||||
csrf-enabled:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
error-disclosure-enabled:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
open-redirect-enabled:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
non-valid-http-methods:
|
||||
type: boolean
|
||||
anti-bot:
|
||||
type: object
|
||||
properties:
|
||||
override-mode:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
injected-URIs:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
uri:
|
||||
type: string
|
||||
validated-URIs:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
uri:
|
||||
type: string
|
||||
snort-signatures:
|
||||
type: object
|
||||
properties:
|
||||
override-mode:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
configmap:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
openapi-schema-validation:
|
||||
type: object
|
||||
properties:
|
||||
override-mode:
|
||||
type: string
|
||||
enum:
|
||||
- prevent-learn
|
||||
- detect-learn
|
||||
- prevent
|
||||
- detect
|
||||
- inactive
|
||||
configmap:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: practices
|
||||
singular: practice
|
||||
kind: Practice
|
||||
shortNames:
|
||||
- practice
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata :
|
||||
name : sourcesidentifiers.openappsec.io
|
||||
|
||||
spec:
|
||||
group: openappsec.io
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
sourceIdentifier:
|
||||
type: string
|
||||
enum:
|
||||
- headerkey
|
||||
- JWTKey
|
||||
- cookie
|
||||
- sourceip
|
||||
- x-forwarded-for
|
||||
value:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: sourcesidentifiers
|
||||
singular: sourcesidentifier
|
||||
kind: SourcesIdentifier
|
||||
shortNames:
|
||||
- sourcesidentifier
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata :
|
||||
name : trustedsources.openappsec.io
|
||||
|
||||
spec:
|
||||
group: openappsec.io
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
minNumOfSources:
|
||||
type: integer
|
||||
sourcesIdentifiers:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: trustedsources
|
||||
singular: trustedsource
|
||||
kind: TrustedSource
|
||||
shortNames:
|
||||
- trustedsource
|
||||
1321
config/crds/open-appsec-crd-v1beta2.yaml
Normal file
1321
config/crds/open-appsec-crd-v1beta2.yaml
Normal file
File diff suppressed because it is too large
Load Diff
48
deployment/swag/docker-compose.yaml
Normal file
48
deployment/swag/docker-compose.yaml
Normal file
@@ -0,0 +1,48 @@
|
||||
services:
|
||||
swag-attachment:
|
||||
image: ghcr.io/openappsec/swag-attachment:latest
|
||||
ipc: host
|
||||
restart: unless-stopped
|
||||
container_name: swag-attachment
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
environment:
|
||||
- PUID=1000
|
||||
- PGID=1000
|
||||
- TZ=Etc/UTC
|
||||
- URL=yourdomain.url # replace yourdomain.url with your own domain
|
||||
# make sure your domain's public IP resolves to
|
||||
# the docker host for Let's Encrypt cert generation to succeed
|
||||
- VALIDATION=http
|
||||
# see https://docs.linuxserver.io/images/docker-swag/ for
|
||||
# more cert generation/validation options
|
||||
- STAGING=true # switch to 'false' after successful testing
|
||||
volumes:
|
||||
- ./swag-config:/config
|
||||
ports:
|
||||
- 443:443
|
||||
- 80:80 #optional
|
||||
|
||||
appsec-agent:
|
||||
container_name: appsec-agent
|
||||
image: ghcr.io/openappsec/agent:latest
|
||||
network_mode: service:swag-attachment
|
||||
ipc: host
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- user_email=user@email.com # adjust with your own email
|
||||
- registered_server='SWAG'
|
||||
# if autoPolicyLoad is set to true, open-appsec will apply
|
||||
# changes in local_policy.yaml automatically
|
||||
- autoPolicyLoad=true
|
||||
# To connect to open-appsec central management WebUI
|
||||
## create your WebUI profile at https://my.openappsec.io,
|
||||
## enforce policy, copy the profile token from WebUI and add it below
|
||||
- AGENT_TOKEN=
|
||||
|
||||
volumes:
|
||||
- ./appsec-config:/etc/cp/conf
|
||||
- ./appsec-data:/etc/cp/data
|
||||
- ./appsec-logs:/var/log/nano_agent
|
||||
- ./appsec-localconfig:/ext/appsec
|
||||
command: /cp-nano-agent
|
||||
Reference in New Issue
Block a user