tcell_agent 0.2.2

data/lib/tcell_agent/policies/dataloss_policy.rb

@@ -0,0 +1,175 @@
+require 'set'
+
+module TCellAgent
+    module Policies
+        class DataLossPolicy
+            class FilterActions
+                attr_accessor :body_event
+                attr_accessor :body_redact
+                attr_accessor :body_hash
+
+                attr_accessor :log_event
+                attr_accessor :log_redact
+                attr_accessor :log_hash
+            end
+
+            attr_accessor :session_id_filter_actions
+            attr_accessor :request_filter_actions
+            attr_accessor :database_filter_actions
+
+            # {
+            #    {"context":[]}
+            # }
+
+            attr_accessor :policy_id
+
+            attr_accessor :table_field_actions
+            attr_accessor :session_id_actions
+
+            attr_accessor :field_redact_body
+            attr_accessor :field_alerts
+
+            def initialize
+                self.init_options
+            end
+            def init_options
+                @policy_id = nil
+
+                @table_field_actions = {}
+                @session_id_actions = []
+
+                @field_redact_body = Set.new #["work_infos.SSN"].to_set #
+                @field_alerts = Set.new
+
+                @session_id_filter_actions = nil
+                @request_filter_actions = {
+                    "form"=>Hash.new{|h,k| h[k] = FilterActions.new},
+                    "cookie"=>Hash.new{|h,k| h[k] = FilterActions.new},
+                    "header"=>Hash.new{|h,k| h[k] = FilterActions.new}
+                }
+                @log_actions = nil
+            end
+            def get_actions_for_session_id(route_id=nil)
+                return @session_id_filter_actions
+            end 
+            def get_actions_for_request(context, route_id=nil)
+                return @request_filter_actions.fetch(context)
+            end
+            def get_actions_for(table, field)
+                actions = Set.new
+                key = "#{table}.#{field}"
+                actions.merge(@table_field_actions.fetch(key,[].to_set))
+                #if (@field_redact_body.include?(key))
+                #    actions += ["body_redact"]
+                #end
+                #if (@field_redact_log.include?(key))
+                #    actions += ["log_redact"]
+                #end
+                return actions
+            end 
+            def self.fromJson(policy_json)
+                if (!policy_json)
+                    return nil
+                end
+                policy = DataLossPolicy.new
+                if policy_json.has_key?("policy_id")
+                    policy.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+                if policy_json.has_key?("data")
+                    data_json = policy_json["data"]
+                    if data_json.has_key?("session_id_protection")
+                        session_id_protection = data_json["session_id_protection"]
+                        if session_id_protection.fetch("body",nil)
+                            if (session_id_protection["body"].include? "redact")
+                                policy.session_id_filter_actions ||= FilterActions.new
+                                policy.session_id_filter_actions.body_redact = true
+                            end
+                            if (session_id_protection["body"].include? "event")
+                                policy.session_id_filter_actions ||= FilterActions.new
+                                policy.session_id_filter_actions.body_event = true
+                            end
+                            if (session_id_protection["body"].include? "hash")
+                                policy.session_id_filter_actions ||= FilterActions.new
+                                policy.session_id_filter_actions.body_hash = true
+                            end
+                        end
+                        if session_id_protection.fetch("log",nil)
+                            if (session_id_protection["log"].include? "redact")
+                                policy.session_id_filter_actions ||= FilterActions.new
+                                policy.session_id_filter_actions.log_redact = true
+                            end
+                            if (session_id_protection["log"].include? "event")
+                                policy.session_id_filter_actions ||= FilterActions.new
+                                policy.session_id_filter_actions.log_event = true
+                            end
+                            if (session_id_protection["log"].include? "hash")
+                                policy.session_id_filter_actions ||= FilterActions.new
+                                policy.session_id_filter_actions.log_hash = true
+                            end
+                        end
+                    end
+                    if data_json.has_key?("request_protections")
+                        data_json["request_protections"].each do |protection|
+                            context = protection.fetch('context', nil)
+                            variable = protection.fetch('variable', nil)
+                            scope = protection.fetch('scope', "global")
+                            options = protection.fetch('options', nil)
+                            if scope != "global"
+                                next
+                            end
+                            if context && policy.request_filter_actions.has_key?(context) && variable && options
+                                if options.has_key?("log")
+                                    if (options["log"].include? "redact")
+                                        policy.request_filter_actions[context][variable].log_redact = true
+                                    end
+                                    if (options["log"].include? "event")
+                                        policy.request_filter_actions[context][variable].log_event = true
+                                    end
+                                    if (options["log"].include? "hash")
+                                        policy.request_filter_actions[context][variable].log_hash = true
+                                    end
+                                end
+                                if options.has_key?("body")
+                                    if (options["body"].include? "redact")
+                                        policy.request_filter_actions[context][variable].body_redact = true
+                                    end
+                                    if (options["body"].include? "event")
+                                        policy.request_filter_actions[context][variable].body_event = true
+                                    end
+                                    if (options["body"].include? "hash")
+                                        policy.request_filter_actions[context][variable].body_hash = true
+                                    end
+                                end
+                            end
+                        end
+                    end
+                    if data_json.has_key?("protections")
+                        protections_json = data_json["protections"]
+                        protections_json.each do |protection| 
+                            _table = protection.fetch("table", nil)
+                            _field = protection.fetch("field", nil)
+                            actions = protection.fetch("actions", {})
+                            if actions.fetch("body",nil)
+                                if (actions["body"].include? "redact")
+                                    if (_table && _field)
+                                        (policy.table_field_actions["#{_table}.#{_field}"] ||= []) << "body_redact"
+                                    end
+                                end
+                            end
+                            if actions.fetch("log",nil)
+                                if (actions["log"].include? "redact")
+                                    if (_table && _field)
+                                        (policy.table_field_actions["#{_table}.#{_field}"] ||= []) << "log_redact"
+                                    end
+                                end
+                            end
+                        end
+                    end
+                end
+                return policy
+            end
+        end
+    end
+end

data/lib/tcell_agent/policies/honeytokens_policy.rb

@@ -0,0 +1,67 @@
+# See the file "LICENSE" for the full license governing this code.
+
+#String sh_policy_string = ""
+#+"{"
+#+"\"policy_id\":\"00a1\","
+#+"\"token_salt\":\"salt123\","
+#+"\"tokens\": ["
+#+"              {\"type\":\"cred\", \"id\":\"deny\", \"token\":\"abcdefgh\"}"
+#+"             ]"
+#+"}";
+require 'pbkdf2'
+require 'openssl'
+
+module TCellAgent
+    module Policies
+        class HoneytokensPolicy
+            attr_accessor :policy_id
+            attr_accessor :token_salt
+            attr_accessor :cred_tokens
+
+            def id_for_credentialstring(credential_string)
+                if cred_tokens
+                    credential_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha512'), token_salt, credential_string)
+                    if cred_tokens.has_key?(credential_hmac)
+                        return cred_tokens[credential_hmac]
+                    end
+                end
+                return nil
+            end
+
+            def self.fromJson(policy_json)
+                if (!policy_json) 
+                    return nil
+                end
+
+                honeytokens_policy = HoneytokensPolicy.new
+                if policy_json.has_key?("policy_id")
+                    honeytokens_policy.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+
+                if policy_json.has_key?("token_salt")
+                    honeytokens_policy.token_salt = policy_json["token_salt"]
+                else
+                    raise "Token Salt missing"
+                end
+
+                if policy_json.has_key?("tokens")
+                    tokens = policy_json["tokens"]
+                    tokens.each do |token|
+                        if (token.has_key?("type") && token.has_key?("id") && token.has_key?("token"))
+                            if (token["type"] == "cred")
+                                if honeytokens_policy.cred_tokens == nil
+                                    honeytokens_policy.cred_tokens = {}
+                                end
+                                honeytokens_policy.cred_tokens[token["token"]] = token["id"]
+                            end
+                        end
+                    end
+                end
+
+                return honeytokens_policy
+            end
+        end
+    end
+end

data/lib/tcell_agent/policies/http_redirect_policy.rb

@@ -0,0 +1,84 @@
+# See the file "LICENSE" for the full license governing this code.
+require 'uri'
+require 'tcell_agent/logger'
+require 'tcell_agent/sensor_events/util/redirect_utils'
+# See the file "LICENSE" for the full license governing this code.
+
+#{}"http-tx": {
+#        "policy_id":"afh023",
+#        "types": {
+#               "firehose": { enabled: true },
+#{}"auth_framework_only": {enabled: true},
+#{}"{}structure": {enabled: true },
+#{}"fingerprint": {enabled: true }
+#}
+#},
+
+module TCellAgent
+  module Policies
+    class HttpRedirectPolicy
+      attr_accessor :policy_id
+      attr_accessor :enabled
+      attr_accessor :whitelist
+      attr_accessor :block
+      def initialize
+        @policy_id = nil
+        @enabled = false
+        @whitelist = []
+        @block = false
+      end
+      def check(host, current_host)
+        if (!(host) || host == "" || host == current_host)
+          # local redirect
+          return false
+        end
+        if (whitelist)
+          whitelist.each do |domain|
+            if (TCellAgent::SensorEvents::Util.wildcardMatch(host, domain))
+              return false
+            end
+          end
+        end
+        return true
+      end
+      def enforce(target_url, current_host, current_path, method, status_code, remote_addr)
+        if @enabled == false
+          return nil
+        end
+        uri = URI.parse(target_url)
+        host = uri.host
+        if self.check(host, current_host) == false
+          return nil
+        end
+        begin
+          event = TCellAgent::SensorEvents::TCellRedirectSensorEvent.new(host, current_host, current_path, method, status_code, remote_addr)
+          TCellAgent.send_event(event)
+        rescue Exception => ie
+          TCellAgent.logger.error("uncaught exception while creating redirect event: #{ie.message}")
+        end
+        if @block == true
+          return "/"
+        end
+        return nil
+      end
+      def self.fromJson(policy_json)
+        if (!policy_json) 
+          return nil
+        end
+        http_redirect_policy = HttpRedirectPolicy.new
+        if policy_json.has_key?("policy_id")
+          http_redirect_policy.policy_id = policy_json["policy_id"]
+        else
+          raise "Policy ID missing"
+        end
+        if policy_json.has_key?("data")
+          policy_data_json = policy_json["data"]
+          http_redirect_policy.enabled = policy_data_json.fetch("enabled", false)
+          http_redirect_policy.whitelist = policy_data_json.fetch("whitelist", [])
+          http_redirect_policy.block = policy_data_json.fetch("block", false)
+        end
+        return http_redirect_policy
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/http_tx_policy.rb

@@ -0,0 +1,60 @@
+#{}"http-tx": {
+#        "policy_id":"afh023",
+#        "types": {
+#               "firehose": { enabled: true },
+#{}"auth_framework_only": {enabled: true},
+#{}"{}structure": {enabled: true },
+#{}"fingerprint": {enabled: true }
+#}
+#},
+
+module TCellAgent
+    module Policies
+        class HttpTxPolicy
+            attr_accessor :policy_id
+            attr_accessor :firehose
+            attr_accessor :auth_framework
+            attr_accessor :profile
+            attr_accessor :fingerprint
+
+            def initialize()
+                @firehose = {"enabled"=>false, "lite"=>false }
+                @auth_framework = {"enabled"=>false, "lite"=>false }
+                @profile = {"enabled"=>false }
+                @fingerprint = {"enabled"=>false, "hmacUserAgent"=>false, "hmacUserId"=>false, "sampling"=>nil }
+            end
+            def self.fromJson(policy_json)
+                if (!policy_json) 
+                    return nil
+                end
+                http_tx_policy = HttpTxPolicy.new
+                if policy_json.has_key?("policy_id")
+                    http_tx_policy.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+                if policy_json.has_key?("types")
+                    types = policy_json["types"]
+                    if types.has_key?("firehose")
+                        http_tx_policy.firehose["enabled"] = types["firehose"].fetch("enabled", false)
+                        http_tx_policy.firehose["lite"] = types["firehose"].fetch("lite", false)
+                    end
+                    if types.has_key?("auth_framework")
+                        http_tx_policy.auth_framework["enabled"] = types["auth_framework"].fetch("enabled", false)
+                        http_tx_policy.auth_framework["lite"] = types["auth_framework"].fetch("lite", false)
+                    end
+                    if types.has_key?("profile")
+                        http_tx_policy.profile["enabled"] = types["profile"].fetch("enabled", false)
+                    end
+                    if types.has_key?("fingerprint")
+                        http_tx_policy.fingerprint["enabled"] = types["fingerprint"].fetch("enabled", false)
+                        http_tx_policy.fingerprint["hmacUserAgent"] = types["fingerprint"].fetch("hmacUserAgent", false)
+                        http_tx_policy.fingerprint["hmacUserId"] = types["fingerprint"].fetch("hmacUserId", false)
+                        http_tx_policy.fingerprint["sampling"] = types["fingerprint"].fetch("sampling", 0)
+                    end
+                end
+                return http_tx_policy
+            end
+        end
+    end
+end

data/lib/tcell_agent/policies/login_fraud_policy.rb

@@ -0,0 +1,42 @@
+module TCellAgent
+    module Policies
+        class LoginFraudPolicy
+            attr_accessor :policy_id            
+
+            attr_accessor :login_success_enabled
+            attr_accessor :login_failed_enabled
+
+            def initialize
+                self.init_options
+            end
+            def init_options
+                @policy_id = nil
+                @login_success_enabled = false
+                @login_failed_enabled = false
+            end
+            def enabled
+                @login_success_enabled || @login_failed_enabled
+            end
+            def self.fromJson(policy_json)
+                if (!policy_json)
+                    return nil
+                end
+                sensor_policy = LoginFraudPolicy.new
+                if policy_json.has_key?("policy_id")
+                    sensor_policy.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+                if policy_json.has_key?("data")
+                    data_json = policy_json["data"]
+                    if data_json.has_key?("options")
+                        options_json = data_json["options"]
+                        sensor_policy.login_failed_enabled = options_json.fetch("login_failed_enabled", false)
+                        sensor_policy.login_success_enabled = options_json.fetch("login_success_enabled", false)
+                    end
+                end
+                return sensor_policy
+            end
+        end
+    end
+end

data/lib/tcell_agent/policies/secure_headers_policy.rb

@@ -0,0 +1,64 @@
+# encoding: utf-8
+# See the file "LICENSE" for the full license governing this code.
+module TCellAgent
+    module Policies
+        class SecureHeadersPolicy
+            class SecurityHeader
+                @@approved_headers = [
+                    "strict-transport-security",
+                    "x-frame-options",
+                    "x-xss-protection",
+                    "x-content-type-options",
+                    "x-permitted-cross-domain-policies",
+                    "x-download-options"
+                ]
+                attr_accessor :name
+                attr_accessor :value
+                def initialize(name, value)
+                    if !(name && value)
+                        raise "Name and value were not set"
+                    end
+                    if not @@approved_headers.include?(name.downcase)
+                        raise "Name was not included in approved_headers"
+                    end
+                    if value != value.gsub(/[^\p{L}\w\d\-_\ :\/,;.'\*"%?@#=$]/,'')
+                        raise "Value is not valid"
+                    end
+                    self.name = name
+                    self.value = value
+                end
+            end
+
+            attr_accessor :headers
+            attr_accessor :policy_id
+
+            def self.fromJson(policy_json)
+                if (!policy_json) 
+                    return nil
+                end
+                security_headers_policy = SecureHeadersPolicy.new
+                if policy_json.has_key?("policy_id")
+                    security_headers_policy.policy_id = policy_json["policy_id"]
+                else
+                    raise "Policy ID missing"
+                end
+                security_headers = []
+                if policy_json.has_key?("headers")
+                    headers = policy_json["headers"]
+                    headers.each do |header|
+                        if header.has_key?("name") && header.has_key?("value")
+                            begin
+                                security_header = SecurityHeader.new(header["name"], header["value"])
+                                security_headers.push(security_header)
+                            rescue Exception => secure_header_exception
+                                TCellAgent.logger.debug("Could not load secure header:" + secure_header_exception.message)
+                            end
+                        end
+                    end
+                end
+                security_headers_policy.headers = security_headers
+                return security_headers_policy
+            end
+        end
+    end
+end