github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:main
Branches Tags
github_mirrors:main
github_mirrors:nginx_message_reader_improvements
github_mirrors:conf-collector-upload
github_mirrors:waf-tag
github_mirrors:watchdog
github_mirrors:prometheus_support
github_mirrors:exception-fix
github_mirrors:orianelou-patch-8
github_mirrors:orianelou-issue-tamplates
github_mirrors:Mar_17_2025-Dev
github_mirrors:docker-upgrade-issue
github_mirrors:namspace-crds
github_mirrors:Feb_27_2025-Dev
github_mirrors:Feb_10_2025-Dev
github_mirrors:oriane-23.12.24-adding-new-composes
github_mirrors:Jan_12_2025-Dev
github_mirrors:orianelou-patch-7
github_mirrors:Dec_29_2024-Dev
github_mirrors:Nov_28_2024-Dev
github_mirrors:Oct_14_2024-Dev
github_mirrors:Sep_17_2024-Dev
github_mirrors:Sep_15_2024-Dev
github_mirrors:Sep_13_2024-Dev
github_mirrors:Sep_11_2024-Dev
github_mirrors:Aug_20_2024-Dev
github_mirrors:orianelou-patch-6
github_mirrors:orianelou-patch-5
github_mirrors:orianelou-patch-4
github_mirrors:Jul_31_2024-Dev
github_mirrors:danielei-hotifx-candidate
github_mirrors:orianelou-crds
github_mirrors:or
github_mirrors:Jul_23_2024-Dev
github_mirrors:Jul_04_2024-Dev
github_mirrors:Jun_26_2024-Dev
github_mirrors:orianelou-new-policy-files
github_mirrors:Jun_09_2024-Dev
github_mirrors:May_27_2024-Dev
github_mirrors:Apr_21_2024-Dev
github_mirrors:Apr_14_2024-Dev
github_mirrors:Mar_21_2024-Dev
github_mirrors:orianelou-patch-3
github_mirrors:WrightNed-patch-1
github_mirrors:Feb_28_2024
github_mirrors:orianelou-patch-apisix
github_mirrors:Feb_13_2024
github_mirrors:Feb_06_2024-Dev
github_mirrors:Jan_31_2024-Dev
github_mirrors:Dec-24-2023
github_mirrors:Dec-12th-2023
github_mirrors:Nov_12_2023-Dev
github_mirrors:open_appsec_add_agent_cache_for_rate_limit
github_mirrors:orianelou-patch-2
github_mirrors:Sep_24_2023-Dev
github_mirrors:Aug_23_2023-Dev
github_mirrors:changing_socket_readiness_testing
github_mirrors:support-advance-model
github_mirrors:Jul_24_23_chart_update
github_mirrors:Jul_06_2023-Dev
github_mirrors:orianelou-patch-1
github_mirrors:workflow-08_05
github_mirrors:May_11_2023-Dev
github_mirrors:crowdsec
github_mirrors:Apr_27_2023-Dev
github_mirrors:Mar_26_2023-Dev
github_mirrors:Mar_13_2023-Dev
github_mirrors:Mar_02_2023-Dev
github_mirrors:Feb_22_2023-Dev
github_mirrors:Feb_15_2023-Dev
github_mirrors:Jan_22_2023-Dev
github_mirrors:Jan_18_2023-Dev
github_mirrors:Jan_16_2023
github_mirrors:1.1.26
github_mirrors:1.1.25
github_mirrors:1.1.24
github_mirrors:1.1.23
github_mirrors:1.1.22
github_mirrors:1.1.21
github_mirrors:1.1.20
github_mirrors:1.1.19
github_mirrors:1.1.18
github_mirrors:1.1.17
github_mirrors:1.1.16
github_mirrors:1.1.15
github_mirrors:1.1.14
github_mirrors:v1.1.3
github_mirrors:1.1.12
github_mirrors:1.1.11
github_mirrors:1.1.10
github_mirrors:1.1.9
github_mirrors:1.1.8
github_mirrors:1.1.7
github_mirrors:1.1.6
github_mirrors:1.1.5
github_mirrors:1.1.4
github_mirrors:1.1.3
github_mirrors:1.1.2
github_mirrors:1.1.0
github_mirrors:1.0.1
github_mirrors:1.0.0
github_mirrors:0.9.1-rc
github_mirrors:0.9.0-rc
github_mirrors:0.8.0-rc
..
compare: github_mirrors:1.1.25
Branches Tags
github_mirrors:nginx_message_reader_improvements
github_mirrors:main
github_mirrors:conf-collector-upload
github_mirrors:waf-tag
github_mirrors:watchdog
github_mirrors:prometheus_support
github_mirrors:exception-fix
github_mirrors:orianelou-patch-8
github_mirrors:orianelou-issue-tamplates
github_mirrors:Mar_17_2025-Dev
github_mirrors:docker-upgrade-issue
github_mirrors:namspace-crds
github_mirrors:Feb_27_2025-Dev
github_mirrors:Feb_10_2025-Dev
github_mirrors:oriane-23.12.24-adding-new-composes
github_mirrors:Jan_12_2025-Dev
github_mirrors:orianelou-patch-7
github_mirrors:Dec_29_2024-Dev
github_mirrors:Nov_28_2024-Dev
github_mirrors:Oct_14_2024-Dev
github_mirrors:Sep_17_2024-Dev
github_mirrors:Sep_15_2024-Dev
github_mirrors:Sep_13_2024-Dev
github_mirrors:Sep_11_2024-Dev
github_mirrors:Aug_20_2024-Dev
github_mirrors:orianelou-patch-6
github_mirrors:orianelou-patch-5
github_mirrors:orianelou-patch-4
github_mirrors:Jul_31_2024-Dev
github_mirrors:danielei-hotifx-candidate
github_mirrors:orianelou-crds
github_mirrors:or
github_mirrors:Jul_23_2024-Dev
github_mirrors:Jul_04_2024-Dev
github_mirrors:Jun_26_2024-Dev
github_mirrors:orianelou-new-policy-files
github_mirrors:Jun_09_2024-Dev
github_mirrors:May_27_2024-Dev
github_mirrors:Apr_21_2024-Dev
github_mirrors:Apr_14_2024-Dev
github_mirrors:Mar_21_2024-Dev
github_mirrors:orianelou-patch-3
github_mirrors:WrightNed-patch-1
github_mirrors:Feb_28_2024
github_mirrors:orianelou-patch-apisix
github_mirrors:Feb_13_2024
github_mirrors:Feb_06_2024-Dev
github_mirrors:Jan_31_2024-Dev
github_mirrors:Dec-24-2023
github_mirrors:Dec-12th-2023
github_mirrors:Nov_12_2023-Dev
github_mirrors:open_appsec_add_agent_cache_for_rate_limit
github_mirrors:orianelou-patch-2
github_mirrors:Sep_24_2023-Dev
github_mirrors:Aug_23_2023-Dev
github_mirrors:changing_socket_readiness_testing
github_mirrors:support-advance-model
github_mirrors:Jul_24_23_chart_update
github_mirrors:Jul_06_2023-Dev
github_mirrors:orianelou-patch-1
github_mirrors:workflow-08_05
github_mirrors:May_11_2023-Dev
github_mirrors:crowdsec
github_mirrors:Apr_27_2023-Dev
github_mirrors:Mar_26_2023-Dev
github_mirrors:Mar_13_2023-Dev
github_mirrors:Mar_02_2023-Dev
github_mirrors:Feb_22_2023-Dev
github_mirrors:Feb_15_2023-Dev
github_mirrors:Jan_22_2023-Dev
github_mirrors:Jan_18_2023-Dev
github_mirrors:Jan_16_2023
github_mirrors:1.1.26
github_mirrors:1.1.25
github_mirrors:1.1.24
github_mirrors:1.1.23
github_mirrors:1.1.22
github_mirrors:1.1.21
github_mirrors:1.1.20
github_mirrors:1.1.19
github_mirrors:1.1.18
github_mirrors:1.1.17
github_mirrors:1.1.16
github_mirrors:1.1.15
github_mirrors:1.1.14
github_mirrors:v1.1.3
github_mirrors:1.1.12
github_mirrors:1.1.11
github_mirrors:1.1.10
github_mirrors:1.1.9
github_mirrors:1.1.8
github_mirrors:1.1.7
github_mirrors:1.1.6
github_mirrors:1.1.5
github_mirrors:1.1.4
github_mirrors:1.1.3
github_mirrors:1.1.2
github_mirrors:1.1.0
github_mirrors:1.0.1
github_mirrors:1.0.0
github_mirrors:0.9.1-rc
github_mirrors:0.9.0-rc
github_mirrors:0.8.0-rc

No commits in common. "main" and "1.1.25" have entirely different histories.
main ... 1.1.25

39 changed files with 45 additions and 2056 deletions
Show Stats Expand all files Collapse all files

35
build_system/docker/entry.sh
View File

@ -6,8 +6,6 @@ HTTP_TRANSACTION_HANDLER_SERVICE="install-cp-nano-service-http-transaction-handl
ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh" ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh"
ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh" ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh"
CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh" CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh"
PROMETHEUS_INSTALLATION_SCRIPT="install-cp-nano-service-prometheus.sh"
NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT="install-cp-nano-central-nginx-manager.sh"
var_fog_address= var_fog_address=
var_proxy= var_proxy=
@ -83,14 +81,6 @@ fi
/nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install /nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install
/nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install /nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install
if [ "$PROMETHEUS" == "true" ]; then
/nano-service-installers/$PROMETHEUS_INSTALLATION_SCRIPT --install
fi
if [ "$CENTRAL_NGINX_MANAGER" == "true" ]; then
/nano-service-installers/$NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT --install
fi
if [ "$CROWDSEC_ENABLED" == "true" ]; then if [ "$CROWDSEC_ENABLED" == "true" ]; then
/nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install /nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install
/nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install /nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install
@ -103,16 +93,25 @@ if [ -f "$FILE" ]; then
fi fi
touch /etc/cp/watchdog/wd.startup touch /etc/cp/watchdog/wd.startup
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
active_watchdog_pid=$!
while true; do while true; do
if [ -f /tmp/restart_watchdog ]; then if [ -z "$init" ]; then
rm -f /tmp/restart_watchdog init=true
kill -9 ${active_watchdog_pid}
fi
if [ ! "$(ps -f | grep cp-nano-watchdog | grep ${active_watchdog_pid})" ]; then
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 & /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
active_watchdog_pid=$! sleep 5
active_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
fi fi
current_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
if [ ! -f /tmp/restart_watchdog ] && [ "$current_watchdog_pid" != "$active_watchdog_pid" ]; then
echo "Error: Watchdog exited abnormally"
exit 1
elif [ -f /tmp/restart_watchdog ]; then
rm -f /tmp/restart_watchdog
kill -9 "$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")"
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
sleep 5
active_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
fi
sleep 5 sleep 5
done done

10
components/attachment-intakers/nginx_attachment/nginx_parser.cc
View File

@ -28,7 +28,6 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT_PARSER);
Buffer NginxParser::tenant_header_key = Buffer(); Buffer NginxParser::tenant_header_key = Buffer();
static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC); static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC);
static const Buffer waf_tag_key("x-waf-tag", 9, Buffer::MemoryType::STATIC);
static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC); static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC);
bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr; bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
@ -232,20 +231,17 @@ NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string>
static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n" static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"
); );
const auto &header_key = header.getKey(); if (NginxParser::tenant_header_key == header.getKey()) {
if (NginxParser::tenant_header_key == header_key) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Identified active tenant header. Key: " << "Identified active tenant header. Key: "
<< dumpHex(header_key) << dumpHex(header.getKey())
<< ", Value: " << ", Value: "
<< dumpHex(header.getValue()); << dumpHex(header.getValue());
auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue()); auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue());
opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]); opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]);
} else if (proxy_ip_header_key == header_key) { } else if (proxy_ip_header_key == header.getKey()) {
source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP); source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP);
} else if (waf_tag_key == header_key) {
source_identifiers.setWafTagValuesToOpaqueCtx(header);
} }
} }

18
components/attachment-intakers/nginx_attachment/user_identifiers_config.cc
View File

@ -366,24 +366,6 @@ UsersAllIdentifiersConfig::setCustomHeaderToOpaqueCtx(const HttpHeader &header)
return; return;
} }
void
UsersAllIdentifiersConfig::setWafTagValuesToOpaqueCtx(const HttpHeader &header) const
{
auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
return;
}
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
opaque.setSavedData(HttpTransactionData::waf_tag_ctx, static_cast<string>(header.getValue()));
dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Added waf tag to context: "
<< static_cast<string>(header.getValue());
return;
}
Maybe<string> Maybe<string>
UsersAllIdentifiersConfig::parseCookieElement( UsersAllIdentifiersConfig::parseCookieElement(
const string::const_iterator &start, const string::const_iterator &start,

13
components/include/generic_rulebase/evaluators/http_transaction_data_eval.h
View File

@ -45,19 +45,6 @@ private:
std::string host; std::string host;
}; };
class EqualWafTag : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
{
public:
EqualWafTag(const std::vector<std::string> &params);
static std::string getName() { return "EqualWafTag"; }
Maybe<bool, Context::Error> evalVariable() const override;
private:
std::string waf_tag;
};
class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment> class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
{ {
public: public:

1
components/include/http_transaction_data.h
View File

@ -137,7 +137,6 @@ public:
static const std::string source_identifier; static const std::string source_identifier;
static const std::string proxy_ip_ctx; static const std::string proxy_ip_ctx;
static const std::string xff_vals_ctx; static const std::string xff_vals_ctx;
static const std::string waf_tag_ctx;
static const CompressionType default_response_content_encoding; static const CompressionType default_response_content_encoding;

30
components/include/prometheus_comp.h
View File

@ -1,30 +0,0 @@
#ifndef __PROMETHEUS_COMP_H__
#define __PROMETHEUS_COMP_H__
#include <memory>
#include "component.h"
#include "singleton.h"
#include "i_rest_api.h"
#include "i_messaging.h"
#include "generic_metric.h"
class PrometheusComp
:
public Component,
Singleton::Consume<I_RestApi>,
Singleton::Consume<I_Messaging>
{
public:
PrometheusComp();
~PrometheusComp();
void init() override;
private:
class Impl;
std::unique_ptr<Impl> pimpl;
};
#endif // __PROMETHEUS_COMP_H__

1
components/include/user_identifiers_config.h
View File

@ -30,7 +30,6 @@ public:
void parseRequestHeaders(const HttpHeader &header) const; void parseRequestHeaders(const HttpHeader &header) const;
std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const; std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const;
void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const; void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const;
void setWafTagValuesToOpaqueCtx(const HttpHeader &header) const;
private: private:
class UsersIdentifiersConfig class UsersIdentifiersConfig

1
components/security_apps/CMakeLists.txt
View File

@ -3,7 +3,6 @@ add_subdirectory(ips)
add_subdirectory(layer_7_access_control) add_subdirectory(layer_7_access_control)
add_subdirectory(local_policy_mgmt_gen) add_subdirectory(local_policy_mgmt_gen)
add_subdirectory(orchestration) add_subdirectory(orchestration)
add_subdirectory(prometheus)
add_subdirectory(rate_limit) add_subdirectory(rate_limit)
add_subdirectory(waap) add_subdirectory(waap)
add_subdirectory(central_nginx_manager) add_subdirectory(central_nginx_manager)

2
components/security_apps/prometheus/CMakeLists.txt
View File

@ -1,2 +0,0 @@
add_library(prometheus_comp prometheus_comp.cc)
add_subdirectory(prometheus_ut)

200
components/security_apps/prometheus/prometheus_comp.cc
View File

@ -1,200 +0,0 @@
#include "prometheus_comp.h"
#include <string>
#include <map>
#include <vector>
#include <cereal/archives/json.hpp>
#include <cereal/types/map.hpp>
#include <cereal/types/vector.hpp>
#include <cereal/types/string.hpp>
#include <iostream>
#include <fstream>
#include "common.h"
#include "report/base_field.h"
#include "report/report_enums.h"
#include "log_generator.h"
#include "debug.h"
#include "rest.h"
#include "customized_cereal_map.h"
#include "i_messaging.h"
#include "prometheus_metric_names.h"
USE_DEBUG_FLAG(D_PROMETHEUS);
using namespace std;
using namespace ReportIS;
struct ServiceData
{
template <typename Archive>
void
serialize(Archive &ar)
{
ar(cereal::make_nvp("Service port", service_port));
}
int service_port;
};
class PrometheusMetricData
{
public:
PrometheusMetricData(const string &n, const string &t, const string &d) : name(n), type(t), description(d) {}
void
addElement(const string &labels, const string &value)
{
metric_labels_to_values[labels] = value;
}
ostream &
print(ostream &os)
{
if (metric_labels_to_values.empty()) return os;
string representative_name = "";
if (!name.empty()) {
auto metric_name = convertMetricName(name);
!metric_name.empty() ? representative_name = metric_name : representative_name = name;
}
if (!description.empty()) os << "# HELP " << representative_name << ' ' << description << '\n';
if (!name.empty()) os << "# TYPE " << representative_name << ' ' << type << '\n';
for (auto &entry : metric_labels_to_values) {
os << representative_name << entry.first << ' ' << entry.second << '\n';
}
os << '\n';
metric_labels_to_values.clear();
return os;
}
private:
string name;
string type;
string description;
map<string, string> metric_labels_to_values;
};
static ostream & operator<<(ostream &os, PrometheusMetricData &metric) { return metric.print(os); }
class PrometheusComp::Impl
{
public:
void
init()
{
Singleton::Consume<I_RestApi>::by<PrometheusComp>()->addGetCall(
"metrics",
[&] () { return getFormatedPrometheusMetrics(); }
);
}
void
addMetrics(const vector<PrometheusData> &metrics)
{
for(auto &metric : metrics) {
auto &metric_object = getDataObject(
metric.name,
metric.type,
metric.description
);
metric_object.addElement(metric.label, metric.value);
}
}
private:
PrometheusMetricData &
getDataObject(const string &name, const string &type, const string &description)
{
auto elem = prometheus_metrics.find(name);
if (elem == prometheus_metrics.end()) {
elem = prometheus_metrics.emplace(name, PrometheusMetricData(name, type, description)).first;
}
return elem->second;
}
map<string, ServiceData>
getServiceDetails()
{
map<string, ServiceData> registeredServices;
auto registered_services_file = getConfigurationWithDefault<string>(
getFilesystemPathConfig() + "/conf/orchestrations_registered_services.json",
"orchestration",
"Orchestration registered services"
);
ifstream file(registered_services_file);
if (!file.is_open()) {
dbgWarning(D_PROMETHEUS) << "Failed to open file: " << registered_services_file;
return registeredServices;
}
stringstream buffer;
buffer << file.rdbuf();
try {
cereal::JSONInputArchive archive(buffer);
archive(cereal::make_nvp("Registered Services", registeredServices));
} catch (const exception& e) {
dbgWarning(D_PROMETHEUS) << "Error parsing Registered Services JSON file: " << e.what();
}
return registeredServices;
}
void
getServicesMetrics()
{
dbgTrace(D_PROMETHEUS) << "Get all registered services metrics";
map<string, ServiceData> service_names_to_ports = getServiceDetails();
for (const auto &service : service_names_to_ports) {
I_Messaging *messaging = Singleton::Consume<I_Messaging>::by<PrometheusComp>();
MessageMetadata servie_metric_req_md("127.0.0.1", service.second.service_port);
servie_metric_req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN);
servie_metric_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
auto res = messaging->sendSyncMessage(
HTTPMethod::GET,
"/service-metrics",
string(""),
MessageCategory::GENERIC,
servie_metric_req_md
);
if (!res.ok()) {
dbgWarning(D_PROMETHEUS) << "Failed to get service metrics. Service: " << service.first;
continue;
}
stringstream buffer;
buffer << res.unpack().getBody();
cereal::JSONInputArchive archive(buffer);
vector<PrometheusData> metrics;
archive(cereal::make_nvp("metrics", metrics));
addMetrics(metrics);
}
}
string
getFormatedPrometheusMetrics()
{
MetricScrapeEvent().notify();
getServicesMetrics();
stringstream result;
for (auto &metric : prometheus_metrics) {
result << metric.second;
}
dbgTrace(D_PROMETHEUS) << "Prometheus metrics: " << result.str();
return result.str();
}
map<string, PrometheusMetricData> prometheus_metrics;
};
PrometheusComp::PrometheusComp() : Component("Prometheus"), pimpl(make_unique<Impl>()) {}
PrometheusComp::~PrometheusComp() {}
void
PrometheusComp::init()
{
pimpl->init();
}

143
components/security_apps/prometheus/prometheus_metric_names.h
View File

@ -1,143 +0,0 @@
#ifndef __PROMETHEUS_METRIC_NAMES_H__
#define __PROMETHEUS_METRIC_NAMES_H__
#include <string>
#include <unordered_map>
#include "debug.h"
USE_DEBUG_FLAG(D_PROMETHEUS);
std::string
convertMetricName(const std::string &original_metric_name)
{
static const std::unordered_map<std::string, std::string> original_to_representative_names = {
// HybridModeMetric
{"watchdogProcessStartupEventsSum", "nano_service_restarts_counter"},
// nginxAttachmentMetric
{"inspectVerdictSum", "traffic_inspection_verdict_inspect_counter"},
{"acceptVeridctSum", "traffic_inspection_verdict_accept_counter"},
{"dropVerdictSum", "traffic_inspection_verdict_drop_counter"},
{"injectVerdictSum", "traffic_inspection_verdict_inject_counter"},
{"irrelevantVerdictSum", "traffic_inspection_verdict_irrelevant_counter"},
{"irrelevantVerdictSum", "traffic_inspection_verdict_irrelevant_counter"},
{"reconfVerdictSum", "traffic_inspection_verdict_reconf_counter"},
{"responseInspection", "response_body_inspection_counter"},
// nginxIntakerMetric
{"successfullInspectionTransactionsSum", "successful_Inspection_counter"},
{"failopenTransactionsSum", "fail_open_Inspection_counter"},
{"failcloseTransactionsSum", "fail_close_Inspection_counter"},
{"transparentModeTransactionsSum", "transparent_mode_counter"},
{"totalTimeInTransparentModeSum", "total_time_in_transparent_mode_counter"},
{"reachInspectVerdictSum", "inspect_verdict_counter"},
{"reachAcceptVerdictSum", "accept_verdict_counter"},
{"reachDropVerdictSum", "drop_verdict_counter"},
{"reachInjectVerdictSum", "inject_verdict_counter"},
{"reachIrrelevantVerdictSum", "irrelevant_verdict_counter"},
{"reachReconfVerdictSum", "reconf_verdict_counter"},
{"requestCompressionFailureSum", "failed_requests_compression_counter"},
{"responseCompressionFailureSum", "failed_response_compression_counter"},
{"requestDecompressionFailureSum", "failed_requests_decompression_counter"},
{"responseDecompressionFailureSum", "failed_response_decompression_counter"},
{"requestCompressionSuccessSum", "successful_request_compression_counter"},
{"responseCompressionSuccessSum", "successful_response_compression_counter"},
{"requestDecompressionSuccessSum", "successful_request_decompression_counter"},
{"responseDecompressionSuccessSum", "successful_response_decompression_counter"},
{"skippedSessionsUponCorruptedZipSum", "corrupted_zip_skipped_session_counter"},
{"attachmentThreadReachedTimeoutSum", "thread_exceeded_processing_time_counter"},
{"registrationThreadReachedTimeoutSum", "failed_registration_thread_counter"},
{"requestHeaderThreadReachedTimeoutSum", "request_headers_processing_thread_timeouts_counter"},
{"requestBodyThreadReachedTimeoutSum", "request_body_processing_thread_timeouts_counter"},
{"respondHeaderThreadReachedTimeoutSum", "response_headers_processing_thread_timeouts_counter"},
{"respondBodyThreadReachedTimeoutSum", "response_body_processing_thread_timeouts_counter"},
{"attachmentThreadFailureSum", "thread_failures_counter"},
{"httpRequestProcessingReachedTimeoutSum", "request_processing_timeouts_counter"},
{"httpRequestsSizeSum", "requests_total_size_counter"},
{"httpResponsesSizeSum", "response_total_size_counter"},
{"httpRequestFailedToReachWebServerUpstreamSum", "requests_failed_reach_upstram_counter"},
{"overallSessionProcessTimeToVerdictAvgSample", "overall_processing_time_until_verdict_average"},
{"overallSessionProcessTimeToVerdictMaxSample", "overall_processing_time_until_verdict_max"},
{"overallSessionProcessTimeToVerdictMinSample", "overall_processing_time_until_verdict_min"},
{"requestProcessTimeToVerdictAvgSample", "requests_processing_time_until_verdict_average"},
{"requestProcessTimeToVerdictMaxSample", "requests_processing_time_until_verdict_max"},
{"requestProcessTimeToVerdictMinSample", "requests_processing_time_until_verdict_min"},
{"responseProcessTimeToVerdictAvgSample", "response_processing_time_until_verdict_average"},
{"responseProcessTimeToVerdictMaxSample", "response_processing_time_until_verdict_max"},
{"responseProcessTimeToVerdictMinSample", "response_processing_time_until_verdict_min"},
{"requestBodySizeUponTimeoutAvgSample", "request_body_size_average"},
{"requestBodySizeUponTimeoutMaxSample", "request_body_size_max"},
{"requestBodySizeUponTimeoutMinSample", "request_body_size_min"},
{"responseBodySizeUponTimeoutAvgSample", "response_body_size_average"},
{"responseBodySizeUponTimeoutMaxSample", "response_body_size_max"},
{"responseBodySizeUponTimeoutMinSample", "response_body_size_min"},
// WaapTelemetrics
{"reservedNgenA", "total_requests_counter"},
{"reservedNgenB", "unique_sources_counter"},
{"reservedNgenC", "requests_blocked_by_force_and_exception_counter"},
{"reservedNgenD", "requests_blocked_by_waf_counter"},
{"reservedNgenE", "requests_blocked_by_open_api_counter"},
{"reservedNgenF", "requests_blocked_by_bot_protection_counter"},
{"reservedNgenG", "requests_threat_level_info_and_no_threat_counter"},
{"reservedNgenH", "requests_threat_level_low_counter"},
{"reservedNgenI", "requests_threat_level_medium_counter"},
{"reservedNgenJ", "requests_threat_level_high_counter"},
// WaapTrafficTelemetrics
{"reservedNgenA", "post_requests_counter"},
{"reservedNgenB", "get_requests_counter"},
{"reservedNgenC", "put_requests_counter"},
{"reservedNgenD", "patch_requests_counter"},
{"reservedNgenE", "delete_requests_counter"},
{"reservedNgenF", "other_requests_counter"},
{"reservedNgenG", "2xx_status_code_responses_counter"},
{"reservedNgenH", "4xx_status_code_responses_counter"},
{"reservedNgenI", "5xx_status_code_responses_counter"},
{"reservedNgenJ", "requests_time_latency_average"},
// WaapAttackTypesMetrics
{"reservedNgenA", "sql_injection_attacks_type_counter"},
{"reservedNgenB", "vulnerability_scanning_attacks_type_counter"},
{"reservedNgenC", "path_traversal_attacks_type_counter"},
{"reservedNgenD", "ldap_injection_attacks_type_counter"},
{"reservedNgenE", "evasion_techniques_attacks_type_counter"},
{"reservedNgenF", "remote_code_execution_attacks_type_counter"},
{"reservedNgenG", "xml_extern_entity_attacks_type_counter"},
{"reservedNgenH", "cross_site_scripting_attacks_type_counter"},
{"reservedNgenI", "general_attacks_type_counter"},
// AssetsMetric
{"numberOfProtectedApiAssetsSample", "api_assets_counter"},
{"numberOfProtectedWebAppAssetsSample", "web_api_assets_counter"},
{"numberOfProtectedAssetsSample", "all_assets_counter"},
// IPSMetric
{"preventEngineMatchesSample", "prevent_action_matches_counter"},
{"detectEngineMatchesSample", "detect_action_matches_counter"},
{"ignoreEngineMatchesSample", "ignore_action_matches_counter"},
// CPUMetric
{"cpuMaxSample", "cpu_usage_percentage_max"},
{"cpuAvgSample", "cpu_usage_percentage_average"},
{"cpuSample", "cpu_usage_percentage_last_value"},
// LogMetric
{"logQueueMaxSizeSample", "logs_queue_size_max"},
{"logQueueAvgSizeSample", "logs_queue_size_average"},
{"logQueueCurrentSizeSample", "logs_queue_size_last_value"},
{"sentLogsSum", "logs_sent_counter"},
{"sentLogsBulksSum", "bulk_logs_sent_counter"},
// MemoryMetric
{"serviceVirtualMemorySizeMaxSample", "service_virtual_memory_size_kb_max"},
{"serviceVirtualMemorySizeMinSample", "service_virtual_memory_size_kb_min"},
{"serviceVirtualMemorySizeAvgSample", "service_virtual_memory_size_kb_average"},
{"serviceRssMemorySizeMaxSample", "service_physical_memory_size_kb_max"},
{"serviceRssMemorySizeMinSample", "service_physical_memory_size_kb_min"},
{"serviceRssMemorySizeAvgSample", "service_physical_memory_size_kb_average"},
{"generalTotalMemorySizeMaxSample", "general_total_used_memory_max"},
{"generalTotalMemorySizeMinSample", "general_total_used_memory_min"},
{"generalTotalMemorySizeAvgSample", "general_total_used_memory_average"},
};
auto metric_names = original_to_representative_names.find(original_metric_name);
if (metric_names != original_to_representative_names.end()) return metric_names->second;
dbgDebug(D_PROMETHEUS)
<< "Metric don't have a representative name, originl name: "
<< original_metric_name;
return "";
}
#endif // __PROMETHEUS_METRIC_NAMES_H__

8
components/security_apps/prometheus/prometheus_ut/CMakeLists.txt
View File

@ -1,8 +0,0 @@
link_directories(${BOOST_ROOT}/lib)
link_directories(${BOOST_ROOT}/lib ${CMAKE_BINARY_DIR}/core/shmem_ipc)
add_unit_test(
prometheus_ut
"prometheus_ut.cc"
"prometheus_comp;logging;agent_details;waap_clib;table;singleton;time_proxy;metric;event_is;connkey;http_transaction_data;generic_rulebase;generic_rulebase_evaluators;ip_utilities;intelligence_is_v2;-lboost_regex;messaging;"
)

79
components/security_apps/prometheus/prometheus_ut/prometheus_ut.cc
View File

@ -1,79 +0,0 @@
#include "prometheus_comp.h"
#include <sstream>
#include <fstream>
#include <vector>
#include "cmock.h"
#include "cptest.h"
#include "maybe_res.h"
#include "debug.h"
#include "config.h"
#include "environment.h"
#include "config_component.h"
#include "agent_details.h"
#include "time_proxy.h"
#include "mock/mock_mainloop.h"
#include "mock/mock_rest_api.h"
#include "mock/mock_messaging.h"
using namespace std;
using namespace testing;
USE_DEBUG_FLAG(D_PROMETHEUS);
class PrometheusCompTest : public Test
{
public:
PrometheusCompTest()
{
EXPECT_CALL(mock_rest, mockRestCall(_, "declare-boolean-variable", _)).WillOnce(Return(false));
env.preload();
config.preload();
env.init();
EXPECT_CALL(
mock_rest,
addGetCall("metrics", _)
).WillOnce(DoAll(SaveArg<1>(&get_metrics_func), Return(true)));
prometheus_comp.init();
}
::Environment env;
ConfigComponent config;
PrometheusComp prometheus_comp;
StrictMock<MockRestApi> mock_rest;
StrictMock<MockMainLoop> mock_ml;
NiceMock<MockMessaging> mock_messaging;
unique_ptr<ServerRest> agent_uninstall;
function<string()> get_metrics_func;
CPTestTempfile status_file;
string registered_services_file_path;
};
TEST_F(PrometheusCompTest, checkAddingMetric)
{
registered_services_file_path = cptestFnameInSrcDir(string("registered_services.json"));
setConfiguration(registered_services_file_path, "orchestration", "Orchestration registered services");
string metric_body = "{\n"
" \"metrics\": [\n"
" {\n"
" \"metric_name\": \"watchdogProcessStartupEventsSum\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{method=\\\"post\\\",code=\\\"200\\\"}\",\n"
" \"value\": \"1534\"\n"
" }\n"
" ]\n"
"}";
string message_body;
EXPECT_CALL(mock_messaging, sendSyncMessage(_, "/service-metrics", _, _, _))
.Times(2).WillRepeatedly(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, metric_body)));
string metric_str = "# TYPE nano_service_restarts_counter counter\n"
"nano_service_restarts_counter{method=\"post\",code=\"200\"} 1534\n\n";
EXPECT_EQ(metric_str, get_metrics_func());
}

32
components/security_apps/prometheus/prometheus_ut/registered_services.json
View File

@ -1,32 +0,0 @@
{
"Registered Services": {
"cp-nano-orchestration": {
"Service name": "cp-nano-orchestration",
"Service ID": "cp-nano-orchestration",
"Service port": 7777,
"Relevant configs": [
"zones",
"triggers",
"rules",
"registration-data",
"parameters",
"orchestration",
"exceptions",
"agent-intelligence"
]
},
"cp-nano-prometheus": {
"Service name": "cp-nano-prometheus",
"Service ID": "cp-nano-prometheus",
"Service port": 7465,
"Relevant configs": [
"zones",
"triggers",
"rules",
"parameters",
"exceptions",
"agent-intelligence"
]
}
}
}

3
components/security_apps/waap/waap_clib/CidrMatch.cc
View File

@ -41,7 +41,6 @@ static in6_addr applyMaskV6(const in6_addr& addr, uint8_t prefixLength) {
in6_addr maskedAddr = addr; in6_addr maskedAddr = addr;
int fullBytes = prefixLength / 8; int fullBytes = prefixLength / 8;
int remainingBits = prefixLength % 8; int remainingBits = prefixLength % 8;
uint8_t partialByte = maskedAddr.s6_addr[fullBytes];
// Mask full bytes // Mask full bytes
for (int i = fullBytes; i < 16; ++i) { for (int i = fullBytes; i < 16; ++i) {
@ -51,7 +50,7 @@ static in6_addr applyMaskV6(const in6_addr& addr, uint8_t prefixLength) {
// Mask remaining bits // Mask remaining bits
if (remainingBits > 0) { if (remainingBits > 0) {
uint8_t mask = ~((1 << (8 - remainingBits)) - 1); uint8_t mask = ~((1 << (8 - remainingBits)) - 1);
maskedAddr.s6_addr[fullBytes] = partialByte & mask; maskedAddr.s6_addr[fullBytes] &= mask;
} }
return maskedAddr; return maskedAddr;

29
components/utils/generic_rulebase/evaluators/http_transaction_data_eval.cc
View File

@ -103,35 +103,6 @@ WildcardHost::evalVariable() const
return lower_host_ctx == lower_host; return lower_host_ctx == lower_host;
} }
EqualWafTag::EqualWafTag(const vector<string> &params)
{
if (params.size() != 1) reportWrongNumberOfParams("EqualWafTag", params.size(), 1, 1);
waf_tag = params[0];
}
Maybe<bool, Context::Error>
EqualWafTag::evalVariable() const
{
I_Environment *env = Singleton::Consume<I_Environment>::by<EqualWafTag>();
auto maybe_waf_tag_ctx = env->get<string>(HttpTransactionData::waf_tag_ctx);
if (!maybe_waf_tag_ctx.ok())
{
dbgTrace(D_RULEBASE_CONFIG) << "didnt find waf tag in current context";
return false;
}
auto waf_tag_ctx = maybe_waf_tag_ctx.unpack();
dbgTrace(D_RULEBASE_CONFIG)
<< "trying to match waf tag context with its corresponding waf tag: "
<< waf_tag_ctx
<< ". Matcher waf tag: "
<< waf_tag;
return waf_tag_ctx == waf_tag;
}
EqualListeningIP::EqualListeningIP(const vector<string> &params) EqualListeningIP::EqualListeningIP(const vector<string> &params)
{ {
if (params.size() != 1) reportWrongNumberOfParams("EqualListeningIP", params.size(), 1, 1); if (params.size() != 1) reportWrongNumberOfParams("EqualListeningIP", params.size(), 1, 1);

1
components/utils/generic_rulebase/generic_rulebase.cc
View File

@ -80,7 +80,6 @@ GenericRulebase::Impl::preload()
addMatcher<IpProtocolMatcher>(); addMatcher<IpProtocolMatcher>();
addMatcher<UrlMatcher>(); addMatcher<UrlMatcher>();
addMatcher<EqualHost>(); addMatcher<EqualHost>();
addMatcher<EqualWafTag>();
addMatcher<WildcardHost>(); addMatcher<WildcardHost>();
addMatcher<EqualListeningIP>(); addMatcher<EqualListeningIP>();
addMatcher<EqualListeningPort>(); addMatcher<EqualListeningPort>();

1
components/utils/http_transaction_data/http_transaction_data.cc
View File

@ -53,7 +53,6 @@ const string HttpTransactionData::req_body = "transaction_request_body
const string HttpTransactionData::source_identifier = "sourceIdentifiers"; const string HttpTransactionData::source_identifier = "sourceIdentifiers";
const string HttpTransactionData::proxy_ip_ctx = "proxy_ip"; const string HttpTransactionData::proxy_ip_ctx = "proxy_ip";
const string HttpTransactionData::xff_vals_ctx = "xff_vals"; const string HttpTransactionData::xff_vals_ctx = "xff_vals";
const string HttpTransactionData::waf_tag_ctx = "waf_tag";
const CompressionType HttpTransactionData::default_response_content_encoding = CompressionType::NO_COMPRESSION; const CompressionType HttpTransactionData::default_response_content_encoding = CompressionType::NO_COMPRESSION;

434
config/linux/v1beta1/schema/schema_v1beta1.yaml
View File

@ -1,434 +0,0 @@
ype: object
properties:
policies:
type: object
properties:
default:
type: object
properties:
custom-response:
type: string
exceptions:
items:
type: string
type: array
mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
practices:
items:
type: string
type: array
source-identifiers:
type: string
triggers:
items:
type: string
type: array
trusted-sources:
type: string
required:
- mode
- practices
- triggers
specific-rules:
type: array
items:
properties:
host:
type: string
custom-response:
type: string
exceptions:
items:
type: string
type: array
mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
practices:
items:
type: string
type: array
source-identifiers:
type: string
triggers:
items:
type: string
type: array
trusted-sources:
type: string
required:
- mode
- host
- practices
- triggers
type: object
practices:
type: array
items:
properties:
name:
type: string
anti-bot:
properties:
injected-URIs:
items:
properties:
uri:
type: string
type: object
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
default: "inactive"
validated-URIs:
items:
properties:
uri:
type: string
type: object
type: array
type: object
openapi-schema-validation:
properties:
files:
items:
type: string
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
type: object
snort-signatures:
properties:
files:
items:
type: string
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
type: object
web-attacks:
properties:
max-body-size-kb:
type: integer
max-header-size-bytes:
type: integer
max-object-depth:
type: integer
max-url-size-bytes:
type: integer
minimum-confidence:
enum:
- medium
- high
- critical
type: string
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
protections:
properties:
csrf-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
error-disclosure-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
non-valid-http-methods:
type: boolean
open-redirect-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
type: object
type: object
required:
- name
custom-responses:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
http-response-code:
maximum: 599
minimum: 100
default: 403
type: integer
message-body:
type: string
default: "Attack blocked by web application protection"
message-title:
type: string
default: "Openappsec's <b>Application Security</b> has detected an attack and blocked it."
mode:
enum:
- block-page
- response-code-only
type: string
required:
- name
log-triggers:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
access-control-logging:
properties:
allow-events:
type: boolean
default: false
drop-events:
type: boolean
default: false
type: object
additional-suspicious-events-logging:
properties:
enabled:
type: boolean
default true:
minimum-severity:
enum:
- high
- critical
type: string
default: "high"
response-body:
type: boolean
default: false
response-code:
type: boolean
default: true
type: object
appsec-logging:
properties:
all-web-requests:
type: boolean
default: false
detect-events:
type: boolean
default: false
prevent-events:
type: boolean
default: true
type: object
extended-logging:
properties:
http-headers:
type: boolean
default: false
request-body:
type: boolean
default: false
url-path:
type: boolean
default: false
url-query:
type: boolean
default: false
type: object
log-destination:
properties:
cef-service:
minItems: 0
items:
properties:
address:
type: string
port:
type: integer
proto:
enum:
- tcp
- udp
type: string
type: object
type: array
cloud:
type: boolean
default: false
stdout:
properties:
format:
enum:
- json
- json-formatted
type: string
default: json
type: object
syslog-service:
minItems: 0
items:
properties:
address:
type: string
port:
type: integer
type: object
type: array
type: object
required:
- name
exceptions:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
action:
enum:
- skip
- accept
- drop
- suppressLog
type: string
comment:
type: string
countryCode:
items:
type: string
type: array
countryName:
items:
type: string
type: array
hostName:
items:
type: string
type: array
paramName:
items:
type: string
type: array
paramValue:
items:
type: string
type: array
protectionName:
items:
type: string
type: array
sourceIdentifier:
items:
type: string
type: array
sourceIp:
items:
type: string
type: array
url:
items:
type: string
type: array
required:
- name
- action
trusted-sources:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
minNumOfSources:
type: integer
minimum: 1
default: 3
sources-identifiers:
items:
type: string
type: array
required:
- name
- sources-identifiers
source-identifiers:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
identifiers:
type: array
minItems: 1
items:
type: object
source-identifier:
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
type: string
value:
items:
type: string
type: array
required:
- source-identifier
required:
- name
- identifiers
additionalProperties: false

752
config/linux/v1beta2/schema/schema_v1beta2.yaml
View File

@ -1,752 +0,0 @@
type: object
properties:
apiVersion:
type: string
enum:
- v1beta1
- v1beta2
policies:
type: object
properties:
appsecClassName:
type: string
default:
type: object
required:
- mode
- threatPreventionPractices
- accessControlPractices
properties:
mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
default: detect-learn
threatPreventionPractices:
type: array
items:
type: string
accessControlPractices:
type: array
items:
type: string
customResponse:
type: string
default: "403"
triggers:
type: array
items:
type: string
sourceIdentifiers:
type: string
trustedSources:
type: string
exceptions:
type: array
items:
type: string
specificRules:
type: array
items:
type: object
properties:
name:
type: string
host:
type: string
mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
default: detect-learn
threatPreventionPractices:
type: array
items:
type: string
accessControlPractices:
type: array
items:
type: string
triggers:
type: array
items:
type: string
customResponse:
type: string
sourceIdentifiers:
type: string
trustedSources:
type: string
exceptions:
type: array
items:
type: string
logTriggers:
type: array
items:
type: object
required:
- accessControlLogging
- appsecLogging
- additionalSuspiciousEventsLogging
- extendedLogging
- logDestination
properties:
appsecClassName:
type: string
name:
type: string
accessControlLogging:
type: object
properties:
allowEvents:
type: boolean
default: false
dropEvents:
type: boolean
default: true
appsecLogging:
type: object
properties:
detectEvents:
type: boolean
default: true
preventEvents:
type: boolean
default: true
allWebRequests:
type: boolean
default: false
additionalSuspiciousEventsLogging:
type: object
properties:
enabled:
type: boolean
default: true
minSeverity:
type: string
enum:
- high
- critical
default: high
responseBody:
type: boolean
default: false
responseCode:
type: boolean
default: true
extendedLogging:
type: object
properties:
urlPath:
type: boolean
default: false
urlQuery:
type: boolean
default: false
httpHeaders:
type: boolean
default: false
requestBody:
type: boolean
default: false
logDestination:
type: object
properties:
cloud:
type: boolean
default: false
local-tuning:
type: boolean
default: false
syslogService:
type: array
items:
type: object
properties:
address:
type: string
port:
type: integer
logToAgent:
type: boolean
default: true
stdout:
type: object
properties:
format:
type: string
enum:
- json
- json-formatted
default: json
cefService:
type: array
items:
type: object
properties:
address:
type: string
port:
type: integer
proto:
type: string
enum:
- tcp
- udp
threatPreventionPractices:
type: array
items:
type: object
required:
- webAttacks
- intrusionPrevention
- fileSecurity
- snortSignatures
properties:
appsecClassName:
type: string
name:
type: string
practiceMode:
type: string
enum:
- inherited
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
default: inherited
webAttacks:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
minimumConfidence:
type: string
enum:
- medium
- high
- critical
default: high
maxUrlSizeBytes:
type: integer
default: 32768
maxObjectDepth:
type: integer
default: 40
maxBodySizeKb:
type: integer
default: 1000000
maxHeaderSizeBytes:
type: integer
default: 102400
protections:
type: object
properties:
csrfProtection:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
errorDisclosure:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
openRedirect:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
nonValidHttpMethods:
type: boolean
default: false
antiBot:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
injectedUris:
type: array
items:
type: object
properties:
uri:
type: string
validatedUris:
type: array
items:
type: object
properties:
uri:
type: string
snortSignatures:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
configmap:
type: array
items:
type: string
files:
type: array
items:
type: string
schemaValidation:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
enforcementLevel:
type: string
configmap:
type: array
items:
type: string
files:
type: array
items:
type: string
intrusionPrevention:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
maxPerformanceImpact:
type: string
enum:
- low
- medium
- high
default: medium
minSeverityLevel:
type: string
enum:
- low
- medium
- high
- critical
default: medium
minCveYear:
type: integer
default: 2016
highConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inherited
mediumConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inherited
lowConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: detect
fileSecurity:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- inherited
default: inactive
minSeverityLevel:
type: string
enum:
- low
- medium
- high
- critical
default: medium
highConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inherited
mediumConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inherited
lowConfidenceEventAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: detect
archiveInspection:
type: object
properties:
extractArchiveFiles:
type: boolean
default: false
scanMaxFileSize:
type: integer
default: 10
scanMaxFileSizeUnit:
type: string
enum:
- bytes
- KB
- MB
- GB
default: MB
archivedFilesWithinArchivedFiles:
type: string
enum:
- prevent
- detect
- inactive
- inherited #as set in overrideMode for fileSecurity
default: inherited
archivedFilesWhereContentExtractionFailed:
type: string
enum:
- prevent
- detect
- inactive
- inherited #as set in overrideMode for fileSecurity
default: inherited
largeFileInspection:
type: object
properties:
fileSizeLimit:
type: integer
default: 10
fileSizeLimitUnit:
type: string
enum:
- bytes
- KB
- MB
- GB
default: MB
filesExceedingSizeLimitAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited #as set in overrideMode for fileSecurity
default: inherited
unnamedFilesAction:
type: string
enum:
- prevent
- detect
- inactive
- inherited #as set in overrideMode for fileSecurity
default: inherited
threatEmulationEnabled:
type: boolean
default: false
accessControlPractices:
type: array
items:
type: object
required:
- rateLimit
properties:
appsecClassName:
type: string
name:
type: string
practiceMode:
type: string
enum:
- inherited #inherited from mode set in policy
- prevent
- detect
- inactive
default: inherited
rateLimit:
type: object
required:
- overrideMode
properties:
overrideMode:
type: string
enum:
- prevent
- detect
- inactive
- inherited
default: inactive
rules:
type: array
items:
type: object
properties:
action: # currently not supported
type: string
enum:
- inherited
- prevent
- detect
default: inherited
condition: # currently not supported
type: array
items:
type: object
required:
- key
- value
properties:
key:
type: string
value:
type: string
uri:
type: string
limit:
type: integer
unit:
type: string
enum:
- minute
- second
default: minute
triggers:
type: array
items:
type: string
comment:
type: string
customResponses:
type: array
items:
type: object
required:
- mode
properties:
appsecClassName:
type: string
name:
type: string
mode:
type: string
enum:
- block-page
- redirect
- response-code-only
default: response-code-only
messageTitle:
type: string
messageBody:
type: string
httpResponseCode:
type: integer
minimum: 100
maximum: 599
default: 403
redirectUrl:
type: string
redirectAddXEventId:
type: boolean
default: false
sourcesIdentifiers:
type: array
items:
type: object
required:
- sourcesIdentifiers
properties:
name:
type: string
sourcesIdentifiers:
type: array
items:
type: object
required:
- identifier
properties:
identifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
default: sourceip
value:
type: array
items:
type: string
exceptions:
type: array
items:
type: object
required:
- action
- condition
properties:
appsecClassName:
type: string
name:
type: string
action:
type: string
enum:
- skip
- accept
- drop
- suppressLog
default: accept
condition:
type: array
items:
type: object
required:
- key
- value
properties:
key:
type: string
value:
type: string
trustedSources:
type: array
items:
type: object
required:
- minNumOfSources
- sourcesIdentifiers
properties:
appsecClassName:
type: string
name:
type: string
minNumOfSources:
type: integer
default: 3
sourcesIdentifiers:
type: array
items:
type: string
policyActivations:
type: array
items:
type: object
properties:
appsecClassName:
type: string
enabledPolicies:
type: array
items:
type: object
properties:
name:
type: string
hosts:
type: array
items:
type: string
required:
- hosts
required:
- enabledPolicies
additionalProperties: false

12
core/metric/generic_metric.cc
View File

@ -332,17 +332,7 @@ vector<PrometheusData>
GenericMetric::getPromMetricsData() GenericMetric::getPromMetricsData()
{ {
vector<PrometheusData> all_metrics; vector<PrometheusData> all_metrics;
bool enable_prometheus = false; if (!getProfileAgentSettingWithDefault(false, "prometheus")) return all_metrics;
auto prometheus_settings = getProfileAgentSetting<bool>("prometheus");
if (prometheus_settings.ok()) {
enable_prometheus = prometheus_settings.unpack();
} else {
const char *prometheus_env = getenv("PROMETHEUS");
if (prometheus_env != nullptr) {
enable_prometheus = string(prometheus_env) == "true";
}
}
if (!enable_prometheus) return all_metrics;
dbgTrace(D_METRICS) << "Get prometheus metrics"; dbgTrace(D_METRICS) << "Get prometheus metrics";
for (auto &calc : prometheus_calcs) { for (auto &calc : prometheus_calcs) {

6
deployment/docker-compose/apisix/docker-compose.yaml
View File

@ -29,7 +29,7 @@ services:
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=APISIX - registered_server=APISIX
ipc: host ipc: shareable
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_CONFIG}:/etc/cp/conf
@ -41,7 +41,7 @@ services:
appsec-apisix: appsec-apisix:
image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION} image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION}
container_name: appsec-apisix container_name: appsec-apisix
ipc: host ipc: service:appsec-agent
restart: always restart: always
environment: environment:
- APISIX_STAND_ALONE=true - APISIX_STAND_ALONE=true
@ -69,7 +69,7 @@ services:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: host ipc: service:appsec-agent
restart: always restart: always
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

6
deployment/docker-compose/envoy/docker-compose.yaml
View File

@ -29,7 +29,7 @@ services:
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="Envoy" - registered_server="Envoy"
ipc: host ipc: shareable
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_CONFIG}:/etc/cp/conf
@ -41,7 +41,7 @@ services:
appsec-envoy: appsec-envoy:
image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION} image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}
container_name: appsec-envoy container_name: appsec-envoy
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
environment: environment:
- ENVOY_UID=0 - ENVOY_UID=0
@ -75,7 +75,7 @@ services:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

6
deployment/docker-compose/kong/docker-compose.yaml
View File

@ -29,7 +29,7 @@ services:
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=Kong - registered_server=Kong
ipc: host ipc: shareable
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_CONFIG}:/etc/cp/conf
@ -41,7 +41,7 @@ services:
appsec-kong: appsec-kong:
image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION} image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
container_name: appsec-kong container_name: appsec-kong
ipc: host ipc: service:appsec-agent
## This docker compose deploys Kong in DB-less mode with declarative Kong configuration ## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
## please make sure to have a valid config present in {KONG_CONFIG}: ## please make sure to have a valid config present in {KONG_CONFIG}:
environment: environment:
@ -72,7 +72,7 @@ services:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

6
deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml
View File

@ -22,7 +22,7 @@ services:
appsec-agent: appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION} image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent container_name: appsec-agent
ipc: host ipc: shareable
restart: unless-stopped restart: unless-stopped
environment: environment:
- SHARED_STORAGE_HOST=appsec-shared-storage - SHARED_STORAGE_HOST=appsec-shared-storage
@ -43,7 +43,7 @@ services:
appsec-nginx-proxy-manager: appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION} image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
ports: ports:
- 80:80 # Public HTTP Port - 80:80 # Public HTTP Port
@ -69,7 +69,7 @@ services:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

6
deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml
View File

@ -22,7 +22,7 @@ services:
appsec-agent: appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION} image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent container_name: appsec-agent
ipc: host ipc: service:appsec-nginx-proxy-manager
network_mode: service:appsec-nginx-proxy-manager network_mode: service:appsec-nginx-proxy-manager
restart: unless-stopped restart: unless-stopped
environment: environment:
@ -44,7 +44,7 @@ services:
appsec-nginx-proxy-manager: appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION} image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION}
ipc: host ipc: shareable
restart: unless-stopped restart: unless-stopped
ports: ports:
- 80:80 # Public HTTP Port - 80:80 # Public HTTP Port
@ -72,7 +72,7 @@ services:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

4
deployment/docker-compose/nginx-unified/docker-compose.yaml
View File

@ -29,7 +29,7 @@ services:
- user_email=${APPSEC_USER_EMAIL} - user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
ipc: host ipc: shareable
volumes: volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data - ${APPSEC_DATA}:/etc/cp/data
@ -62,7 +62,7 @@ services:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: host ipc: service:appsec-agent-nginx-unified
restart: unless-stopped restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

6
deployment/docker-compose/nginx/docker-compose.yaml
View File

@ -29,7 +29,7 @@ services:
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="NGINX" - registered_server="NGINX"
ipc: host ipc: shareable
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_CONFIG}:/etc/cp/conf
@ -42,7 +42,7 @@ services:
appsec-nginx: appsec-nginx:
image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION} image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
container_name: appsec-nginx container_name: appsec-nginx
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ${NGINX_CONFIG}:/etc/nginx/conf.d - ${NGINX_CONFIG}:/etc/nginx/conf.d
@ -74,7 +74,7 @@ services:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

6
deployment/docker-compose/swag/docker-compose.yaml
View File

@ -30,7 +30,7 @@ services:
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN} - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD} - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=SWAG - registered_server=SWAG
ipc: host ipc: shareable
volumes: volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf - ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data - ${APPSEC_DATA}:/etc/cp/data
@ -41,7 +41,7 @@ services:
appsec-swag: appsec-swag:
image: ghcr.io/openappsec/swag-attachment:latest image: ghcr.io/openappsec/swag-attachment:latest
container_name: appsec-swag container_name: appsec-swag
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
@ -83,7 +83,7 @@ services:
- standalone - standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION} image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage container_name: appsec-shared-storage
ipc: host ipc: service:appsec-agent
restart: unless-stopped restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

1
nodes/CMakeLists.txt
View File

@ -11,7 +11,6 @@ set(COMMON_LIBRARIES "-lngen_core;-lcompression_utils;-lssl;-lcrypto;-lz;-lboost
include(packaging.cmake) include(packaging.cmake)
add_subdirectory(orchestration) add_subdirectory(orchestration)
add_subdirectory(prometheus)
add_subdirectory(agent_cache) add_subdirectory(agent_cache)
add_subdirectory(http_transaction_handler) add_subdirectory(http_transaction_handler)
add_subdirectory(attachment_registration_manager) add_subdirectory(attachment_registration_manager)

1
nodes/orchestration/package/cp-nano-package-list
View File

@ -29,5 +29,4 @@ cpview_metric_provider="cpviewMetricProvider 8282"
hello_world="hello_world" hello_world="hello_world"
crowdsec_aux="crowdsecAux 8081" crowdsec_aux="crowdsecAux 8081"
central_nginx_manager="centralNginxManager 7555" central_nginx_manager="centralNginxManager 7555"
prometheus="prometheus 7465"
# ## Please do not remove this comment - newline at end of file required. # ## Please do not remove this comment - newline at end of file required.

3
nodes/orchestration/package/orchestration_package.sh
View File

@ -647,9 +647,6 @@ install_watchdog()
echo "ExecStart=ip netns exec CTX0000${VS_ID} ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE} echo "ExecStart=ip netns exec CTX0000${VS_ID} ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
fi fi
echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE} echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
if [ -n "${PROMETHEUS}" ] ; then
echo "Environment=\"PROMETHEUS=${PROMETHEUS}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
fi
cp_exec "systemctl daemon-reload" cp_exec "systemctl daemon-reload"
cp_exec "systemctl enable nano_agent" cp_exec "systemctl enable nano_agent"

30
nodes/prometheus/CMakeLists.txt
View File

@ -1,30 +0,0 @@
add_subdirectory(package)
add_executable(prometheus main.cc)
target_link_libraries(prometheus
-Wl,--start-group
${COMMON_LIBRARIES}
generic_rulebase
generic_rulebase_evaluators
ip_utilities
version
signal_handler
prometheus_comp
http_transaction_data
-Wl,--end-group
)
add_dependencies(prometheus ngen_core)
install(TARGETS prometheus DESTINATION bin)
install(TARGETS prometheus DESTINATION prometheus_service/bin)
gen_package(
install-cp-nano-service-prometheus.sh
prometheus_service
./install-cp-nano-prometheus.sh
Check Point Prometheus Agent Version ${PACKAGE_VERSION} Install Package
)

15
nodes/prometheus/main.cc
View File

@ -1,15 +0,0 @@
#include "components_list.h"
#include "prometheus_comp.h"
int
main(int argc, char **argv)
{
NodeComponents<PrometheusComp> comps;
comps.registerGlobalValue<bool>("Is Rest primary routine", true);
comps.registerGlobalValue<uint>("Nano service API Port Primary", 7465);
comps.registerGlobalValue<uint>("Nano service API Port Alternative", 7466);
comps.registerGlobalValue<bool>("Nano service API Allow Get From External IP", true);
return comps.run("Prometheus Service", argc, argv);
}

4
nodes/prometheus/package/CMakeLists.txt
View File

@ -1,4 +0,0 @@
install(FILES install-cp-nano-prometheus.sh DESTINATION prometheus_service/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus.cfg DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus-conf.json DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus-debug-conf.json DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)

21
nodes/prometheus/package/cp-nano-prometheus-conf.json
View File

@ -1,21 +0,0 @@
{
"connection": {
"Nano service API Port Primary": [
{
"value": 7465
}
],
"Nano service API Port Alternative": [
{
"value": 7466
}
]
},
"message": {
"Connection timeout": [
{
"value": 10000000
}
]
}
}

11
nodes/prometheus/package/cp-nano-prometheus-debug-conf.json
View File

@ -1,11 +0,0 @@
{
"Debug": [
{
"Streams": [
{
"Output": "nano_agent/cp-nano-prometheus.dbg"
}
]
}
]
}

0
nodes/prometheus/package/cp-nano-prometheus.cfg
View File

164
nodes/prometheus/package/install-cp-nano-prometheus.sh
View File

@ -1,164 +0,0 @@
#!/bin/sh
#Nano Service Details
NANO_SERVICE_NAME="prometheus"
NANO_SERVICE_BIN_NAME="cp-nano-prometheus"
NANO_SERVICE_INSTALLATION_FOLDER="prometheus"
ATTACHMENT_BIN_NAME="cp-nano-prometheus"
#Installable Names
CFG_FILE_NAME="cp-nano-prometheus.cfg"
DBG_CONF_FILE_NAME="cp-nano-prometheus-debug-conf.json"
SERVICE_CONF_FILE_NAME="cp-nano-prometheus-conf.json"
NANO_SERVICE_BIN="prometheus"
ATTACHMENT_BIN="prometheus_attachment"
#Const variables
FORCE_STDOUT=true
INSTALLATION_TIME=$(date)
CP_NANO_LOG_PATH="/var/log/nano_agent"
CP_NANO_CONF_PATH="/etc/cp/conf"
NANO_SERVICE_INSTALLATION_PATH="/etc/cp/${NANO_SERVICE_INSTALLATION_FOLDER}"
NANO_SERVICE_BIN_PATH=${NANO_SERVICE_INSTALLATION_PATH}/${NANO_SERVICE_BIN_NAME}
NANO_SERVICE_CFG_PATH=${NANO_SERVICE_BIN_PATH}.cfg
ATTACHMENT_BIN_PATH=${NANO_SERVICE_INSTALLATION_PATH}/${ATTACHMENT_BIN_NAME}
DBG_CONF_PATH=${CP_NANO_CONF_PATH}/${NANO_SERVICE_BIN_NAME}-debug-conf.json
SERVICE_CONF_PATH=${CP_NANO_CONF_PATH}/${NANO_SERVICE_BIN_NAME}-conf.json
DBG_FILE_PATH=${CP_NANO_LOG_PATH}/${NANO_SERVICE_BIN_NAME}.dbg
INSTALLATION_LOG_FILE=${CP_NANO_LOG_PATH}/${NANO_SERVICE_BIN_NAME}-install.log
mkdir -p ${CP_NANO_LOG_PATH}
touch ${DBG_FILE_PATH}
cp_print()
{
var_text=$1
var_std_out=$2
touch $INSTALLATION_LOG_FILE
if [ -n "$var_std_out" ]; then
if [ "$var_std_out" = "true" ]; then
printf "%b\n" "$var_text"
fi
fi
printf "%b\n" "$var_text" >> $INSTALLATION_LOG_FILE
}
cp_exec()
{
var_cmd=$1
var_std_out=$2
# Send exec output to RES
RES=$($var_cmd 2>&1)
if [ -n "$RES" ]; then
cp_print "$RES" "$var_std_out"
fi
}
set_configuration()
{
cp_exec "cp -n conf/${DBG_CONF_FILE_NAME} $DBG_CONF_PATH"
cp_exec "/etc/cp/scripts/cpnano_debug --default --service prometheus"
cp_exec "cp -n conf/${SERVICE_CONF_FILE_NAME} $SERVICE_CONF_PATH"
}
run_installation()
{
cp_print "Starting installation of Check Point ${NANO_SERVICE_NAME} Nano service [$INSTALLATION_TIME]\n" $FORCE_STDOUT
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${ATTACHMENT_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${NANO_SERVICE_BIN_PATH}"
att_path=$ATTACHMENT_BIN_PATH
cmd_pid_att=$(ps -eo pid,cmd,args | awk -v srv=${att_path} '{if($2 ~ srv || $3 ~ srv) print $1}')
srv_path=$NANO_SERVICE_BIN_NAME
cmd_pid_srv=$(ps -eo pid,cmd,args | awk -v srv=${srv_path} '{if($2 ~ srv || $3 ~ srv) print $1}')
if [ -n "$cmd_pid_att" ]; then
cp_print "Killing running instance(pid=$cmd_pid_att) of the prometheus attachment on installation"
kill -9 "$cmd_pid_att"
fi
if [ -n "$cmd_pid_srv" ]; then
cp_print "Killing running instance(pid=$cmd_pid_srv) of the prometheus service on installation"
kill -9 "$cmd_pid_srv"
fi
cp_exec "mkdir -p ${NANO_SERVICE_INSTALLATION_PATH}"
cp_exec "cp -f bin/${NANO_SERVICE_BIN} ${NANO_SERVICE_BIN_PATH}"
cp_exec "chmod +x ${NANO_SERVICE_BIN_PATH}"
cp_exec "cp -f conf/${CFG_FILE_NAME} ${NANO_SERVICE_CFG_PATH}"
cp_exec "chmod 600 ${NANO_SERVICE_CFG_PATH}"
set_configuration
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --register ${NANO_SERVICE_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --register ${ATTACHMENT_BIN_PATH}"
cp_print "Installation completed successfully." $FORCE_STDOUT
}
usage()
{
echo "Check Point: available flags are"
echo "--install : install ${NANO_SERVICE_NAME} Nano Service"
echo "--uninstall : remove ${NANO_SERVICE_NAME} Nano Service"
echo "--pre_install_test : run Pre-installation test for ${NANO_SERVICE_NAME} Nano Service install package"
echo "--post_install_test : run Post-installation test for ${NANO_SERVICE_NAME} Nano Service install package"
exit 255
}
run_uninstall()
{
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${ATTACHMENT_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${NANO_SERVICE_BIN_PATH}"
cp_exec "rm -rf ${NANO_SERVICE_INSTALLATION_PATH}"
cp_exec "rm -rf ${NANO_SERVICE_CONF_DIR}"
}
run_pre_install_test()
{
cp_print "Starting Pre-installation test of Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
cp_print "Successfully finished pre-installation test for Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
exit 0
}
run_post_install_test()
{
cp_print "Starting Post-installation test of Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
if ! cat /etc/cp/watchdog/wd.services | grep -q ${NANO_SERVICE_BIN_PATH}; then
cp_print "Failed to register ${NANO_SERVICE_NAME} Nano service to the watchdog\n" $FORCE_STDOUT
exit 255
fi
cp_print "Successfully finished post-installation test for Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
exit 0
}
run()
{
if [ '--install' = "$1" ]; then
run_installation "${@}"
elif [ '--uninstall' = "$1" ]; then
run_uninstall
elif [ '--pre_install_test' = "$1" ]; then
run_pre_install_test
elif [ '--post_install_test' = "$1" ]; then
run_post_install_test
else
usage
exit 1
fi
}
if [ "$(id -u)" != "0" ]; then
echo "Administrative privileges required for this Package (use su or sudo)"
exit 1
fi
shift
run "${@}"
exit 0