tcell_agent 1.1.12 → 2.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/bin/tcell_agent +45 -137
- data/lib/tcell_agent.rb +12 -14
- data/lib/tcell_agent/agent.rb +108 -97
- data/lib/tcell_agent/agent/route_manager.rb +0 -16
- data/lib/tcell_agent/agent/static_agent.rb +9 -30
- data/lib/tcell_agent/config_initializer.rb +66 -0
- data/lib/tcell_agent/configuration.rb +69 -345
- data/lib/tcell_agent/hooks/login_fraud.rb +30 -33
- data/lib/tcell_agent/instrument_servers.rb +23 -0
- data/lib/tcell_agent/instrumentation.rb +12 -10
- data/lib/tcell_agent/instrumentation/cmdi.rb +29 -25
- data/lib/tcell_agent/instrumentation/lfi.rb +84 -0
- data/lib/tcell_agent/instrumentation/monkey_patches/file.rb +25 -0
- data/lib/tcell_agent/instrumentation/monkey_patches/io.rb +131 -0
- data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb +102 -0
- data/lib/tcell_agent/logger.rb +49 -114
- data/lib/tcell_agent/patches.rb +6 -7
- data/lib/tcell_agent/policies/appfirewall_policy.rb +26 -0
- data/lib/tcell_agent/policies/command_injection_policy.rb +28 -0
- data/lib/tcell_agent/policies/dataloss_policy.rb +44 -44
- data/lib/tcell_agent/policies/headers_policy.rb +25 -0
- data/lib/tcell_agent/policies/http_redirect_policy.rb +13 -79
- data/lib/tcell_agent/policies/js_agent_policy.rb +27 -0
- data/lib/tcell_agent/policies/local_file_access.rb +28 -0
- data/lib/tcell_agent/policies/login_policy.rb +43 -0
- data/lib/tcell_agent/policies/patches_policy.rb +27 -0
- data/lib/tcell_agent/policies/policies_manager.rb +68 -0
- data/lib/tcell_agent/policies/policy_polling.rb +58 -0
- data/lib/tcell_agent/policies/policy_types.rb +14 -0
- data/lib/tcell_agent/policies/system_enablements.rb +27 -0
- data/lib/tcell_agent/rails/auth/authlogic.rb +46 -75
- data/lib/tcell_agent/rails/auth/authlogic_helper.rb +20 -0
- data/lib/tcell_agent/rails/auth/devise.rb +100 -105
- data/lib/tcell_agent/rails/auth/devise_helper.rb +29 -0
- data/lib/tcell_agent/rails/auth/doorkeeper.rb +62 -76
- data/lib/tcell_agent/{userinfo.rb → rails/auth/userinfo.rb} +0 -0
- data/lib/tcell_agent/rails/csrf_exception.rb +2 -10
- data/lib/tcell_agent/rails/dlp.rb +35 -23
- data/lib/tcell_agent/rails/dlp_handler.rb +1 -2
- data/lib/tcell_agent/rails/js_agent_insert.rb +12 -13
- data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +4 -25
- data/lib/tcell_agent/rails/middleware/context_middleware.rb +2 -12
- data/lib/tcell_agent/rails/middleware/global_middleware.rb +1 -2
- data/lib/tcell_agent/rails/middleware/headers_middleware.rb +14 -34
- data/lib/tcell_agent/{rails.rb → rails/railties/tcell_agent_railties.rb} +11 -16
- data/lib/tcell_agent/rails/railties/tcell_agent_unicorn_railties.rb +8 -0
- data/lib/tcell_agent/rails/routes.rb +10 -12
- data/lib/tcell_agent/rails/routes/grape.rb +4 -14
- data/lib/tcell_agent/rails/routes/route_id.rb +3 -1
- data/lib/tcell_agent/rails/settings_reporter.rb +23 -36
- data/lib/tcell_agent/rails/tcell_body_proxy.rb +5 -4
- data/lib/tcell_agent/rust/agent_config.rb +60 -0
- data/lib/tcell_agent/rust/{libtcellagent-alpine-1.3.2.so → libtcellagent-5.0.2.dylib} +0 -0
- data/lib/tcell_agent/rust/{libtcellagent-1.3.2.so → libtcellagent-5.0.2.so} +0 -0
- data/lib/tcell_agent/rust/libtcellagent-alpine-5.0.2.so +0 -0
- data/lib/tcell_agent/rust/models.rb +6 -52
- data/lib/tcell_agent/rust/native_agent.rb +549 -0
- data/lib/tcell_agent/rust/native_agent_response.rb +42 -0
- data/lib/tcell_agent/rust/native_library.rb +69 -0
- data/lib/tcell_agent/rust/tcellagent-5.0.2.dll +0 -0
- data/lib/tcell_agent/sensor_events/agent_setting_event.rb +12 -0
- data/lib/tcell_agent/sensor_events/{app_config.rb → app_config_setting_event.rb} +0 -6
- data/lib/tcell_agent/sensor_events/dlp.rb +2 -6
- data/lib/tcell_agent/sensor_events/sensor.rb +0 -62
- data/lib/tcell_agent/sensor_events/server_agent.rb +13 -18
- data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +0 -108
- data/lib/tcell_agent/sensor_events/util/utils.rb +0 -2
- data/lib/tcell_agent/servers/passenger.rb +1 -28
- data/lib/tcell_agent/servers/puma.rb +3 -21
- data/lib/tcell_agent/servers/rails_server.rb +1 -2
- data/lib/tcell_agent/servers/thin.rb +2 -2
- data/lib/tcell_agent/servers/unicorn.rb +19 -80
- data/lib/tcell_agent/servers/webrick.rb +1 -2
- data/lib/tcell_agent/settings_reporter.rb +11 -90
- data/lib/tcell_agent/sinatra.rb +14 -16
- data/lib/tcell_agent/tcell_context.rb +40 -14
- data/lib/tcell_agent/utils/headers.rb +14 -0
- data/lib/tcell_agent/version.rb +1 -1
- data/spec/lib/tcell_agent/configuration_spec.rb +55 -346
- data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +46 -173
- data/spec/lib/tcell_agent/instrumentation/cmdi/io_cmdi_spec.rb +504 -0
- data/spec/lib/tcell_agent/instrumentation/cmdi/kernel_cmdi_spec.rb +435 -0
- data/spec/lib/tcell_agent/instrumentation/cmdi_spec.rb +201 -0
- data/spec/lib/tcell_agent/instrumentation/lfi/file_lfi_spec.rb +326 -0
- data/spec/lib/tcell_agent/instrumentation/lfi/io_lfi_spec.rb +562 -0
- data/spec/lib/tcell_agent/instrumentation/lfi/kernel_lfi_spec.rb +264 -0
- data/spec/lib/tcell_agent/instrumentation/lfi_spec.rb +150 -0
- data/spec/lib/tcell_agent/patches_spec.rb +25 -43
- data/spec/lib/tcell_agent/policies/appfirewall_policy_spec.rb +183 -0
- data/spec/lib/tcell_agent/policies/clickjacking_policy_spec.rb +57 -0
- data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +84 -773
- data/spec/lib/tcell_agent/policies/content_security_policy_spec.rb +161 -0
- data/spec/lib/tcell_agent/policies/dataloss_policy_spec.rb +9 -9
- data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +243 -198
- data/spec/lib/tcell_agent/policies/js_agent_policy_spec.rb +75 -0
- data/spec/lib/tcell_agent/policies/login_policy_spec.rb +165 -33
- data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +84 -277
- data/spec/lib/tcell_agent/policies/policies_manager_spec.rb +104 -0
- data/spec/lib/tcell_agent/policies/policy_polling_spec.rb +6 -0
- data/spec/lib/tcell_agent/policies/secure_headers_policy_spec.rb +56 -0
- data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb +9 -18
- data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb +13 -30
- data/spec/lib/tcell_agent/rails/logger_spec.rb +27 -7
- data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +17 -12
- data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +14 -14
- data/spec/lib/tcell_agent/rust/agent_config_spec.rb +27 -0
- data/spec/lib/tcell_agent/sensor_events/util/sanitizer_utilities_spec.rb +0 -35
- data/spec/lib/tcell_agent/settings_reporter_spec.rb +56 -155
- data/spec/spec_helper.rb +1 -1
- data/spec/support/builders.rb +103 -0
- data/spec/support/force_logger_mocking.rb +38 -0
- data/spec/support/resources/lfi_sample_file.txt +2 -0
- data/spec/support/static_agent_overrides.rb +0 -15
- metadata +72 -83
- data/lib/tcell_agent/agent/event_processor.rb +0 -326
- data/lib/tcell_agent/agent/fork_pipe_manager.rb +0 -113
- data/lib/tcell_agent/agent/policy_manager.rb +0 -219
- data/lib/tcell_agent/agent/policy_types.rb +0 -30
- data/lib/tcell_agent/api.rb +0 -91
- data/lib/tcell_agent/appsensor/injections_reporter.rb +0 -24
- data/lib/tcell_agent/authlogic.rb +0 -26
- data/lib/tcell_agent/config/child_process_events.rb +0 -8
- data/lib/tcell_agent/config/unknown_options.rb +0 -123
- data/lib/tcell_agent/devise.rb +0 -35
- data/lib/tcell_agent/instrumentation/cmdi/backtick.rb +0 -10
- data/lib/tcell_agent/instrumentation/cmdi/exec.rb +0 -14
- data/lib/tcell_agent/instrumentation/cmdi/popen.rb +0 -28
- data/lib/tcell_agent/instrumentation/cmdi/spawn.rb +0 -11
- data/lib/tcell_agent/instrumentation/cmdi/system.rb +0 -11
- data/lib/tcell_agent/policies/http_tx_policy.rb +0 -60
- data/lib/tcell_agent/policies/login_fraud_policy.rb +0 -45
- data/lib/tcell_agent/policies/rust_policies.rb +0 -110
- data/lib/tcell_agent/rails/on_start.rb +0 -41
- data/lib/tcell_agent/rust/libtcellagent-1.3.2.dylib +0 -0
- data/lib/tcell_agent/rust/tcellagent-1.3.2.dll +0 -0
- data/lib/tcell_agent/rust/whisperer.rb +0 -308
- data/lib/tcell_agent/sensor_events/appsensor_event.rb +0 -52
- data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +0 -45
- data/lib/tcell_agent/sensor_events/command_injection.rb +0 -75
- data/lib/tcell_agent/sensor_events/honeytokens.rb +0 -16
- data/lib/tcell_agent/sensor_events/login_fraud.rb +0 -60
- data/lib/tcell_agent/sensor_events/metrics.rb +0 -123
- data/lib/tcell_agent/sensor_events/patches.rb +0 -21
- data/lib/tcell_agent/start_background_thread.rb +0 -55
- data/lib/tcell_agent/system_info.rb +0 -11
- data/lib/tcell_agent/utils/io.rb +0 -38
- data/lib/tcell_agent/utils/passwords.rb +0 -28
- data/lib/tcell_agent/utils/queue_with_timeout.rb +0 -142
- data/spec/lib/tcell_agent/agent/fork_pipe_manager_spec.rb +0 -100
- data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +0 -535
- data/spec/lib/tcell_agent/agent/static_agent_spec.rb +0 -133
- data/spec/lib/tcell_agent/api/api_spec.rb +0 -39
- data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +0 -187
- data/spec/lib/tcell_agent/cmdi_spec.rb +0 -736
- data/spec/lib/tcell_agent/config/unknown_options_spec.rb +0 -213
- data/spec/lib/tcell_agent/instrumentation_spec.rb +0 -225
- data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +0 -517
- data/spec/lib/tcell_agent/policies/http_tx_policy_spec.rb +0 -22
- data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +0 -293
- data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +0 -198
- data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +0 -180
- data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +0 -116
- data/spec/lib/tcell_agent/rust/models_spec.rb +0 -120
- data/spec/lib/tcell_agent/rust/whisperer_spec.rb +0 -704
- data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +0 -45
- data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +0 -272
- data/spec/lib/tcell_agent/utils/bounded_queue_spec.rb +0 -52
- data/spec/lib/tcell_agent/utils/passwords_spec.rb +0 -143
@@ -1,24 +0,0 @@
|
|
1
|
-
require 'tcell_agent/sensor_events/appsensor_event'
|
2
|
-
|
3
|
-
module TCellAgent
|
4
|
-
module AppSensor
|
5
|
-
module InjectionsReporter
|
6
|
-
def self.report_and_log(events)
|
7
|
-
(events || []).each do |event|
|
8
|
-
TCellAgent.send_event(
|
9
|
-
TCellAgent::SensorEvents::TCellAppSensorEvent.build_from_native_lib_event(event)
|
10
|
-
)
|
11
|
-
|
12
|
-
next unless event.key?('full_payload')
|
13
|
-
event_to_log = {}.merge(event)
|
14
|
-
event_to_log['payload'] = event_to_log.delete('full_payload')
|
15
|
-
|
16
|
-
cleaned_event = TCellAgent::SensorEvents::TCellAppSensorEvent.build_from_native_lib_event(
|
17
|
-
event_to_log
|
18
|
-
)
|
19
|
-
TCellAgent.logger.info(JSON.dump(cleaned_event))
|
20
|
-
end
|
21
|
-
end
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
@@ -1,26 +0,0 @@
|
|
1
|
-
# See the file "LICENSE" for the full license governing this code.
|
2
|
-
|
3
|
-
require 'tcell_agent/userinfo'
|
4
|
-
require 'tcell_agent/logger'
|
5
|
-
require 'tcell_agent/sensor_events/honeytokens'
|
6
|
-
|
7
|
-
module TCellAgent
|
8
|
-
if defined?(Authlogic)
|
9
|
-
TCellAgent::UserInformation.class_eval do
|
10
|
-
class << self
|
11
|
-
alias_method :original_get_user_from_request, :get_user_from_request
|
12
|
-
def get_user_from_request(request)
|
13
|
-
orig_user_id = original_get_user_from_request(request)
|
14
|
-
begin
|
15
|
-
if request.session && request.session.key?('user_credentials_id')
|
16
|
-
return request.session['user_credentials_id'].to_s
|
17
|
-
end
|
18
|
-
rescue StandardError
|
19
|
-
return orig_user_id
|
20
|
-
end
|
21
|
-
orig_user_id
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
@@ -1,123 +0,0 @@
|
|
1
|
-
require 'set'
|
2
|
-
|
3
|
-
module TCellAgent
|
4
|
-
module Config
|
5
|
-
module Validate
|
6
|
-
def self.get_unknown_options(config_json)
|
7
|
-
messages = []
|
8
|
-
|
9
|
-
known_tcell_env_vars = Set.new(
|
10
|
-
[
|
11
|
-
'TCELL_AGENT_SERVER', # this is only meant for specs
|
12
|
-
'TCELL_AGENT_APP_ID',
|
13
|
-
'TCELL_AGENT_API_KEY',
|
14
|
-
'TCELL_HMAC_KEY',
|
15
|
-
'TCELL_PASSWORD_HMAC_KEY',
|
16
|
-
'TCELL_AGENT_HOST_IDENTIFIER',
|
17
|
-
'TCELL_API_URL',
|
18
|
-
'TCELL_INPUT_URL',
|
19
|
-
'TCELL_DEMOMODE',
|
20
|
-
'TCELL_AGENT_HOME',
|
21
|
-
'TCELL_AGENT_LOG_DIR',
|
22
|
-
'TCELL_AGENT_CONFIG',
|
23
|
-
'TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS',
|
24
|
-
'TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS',
|
25
|
-
'TCELL_AGENT_ALLOW_PAYLOADS',
|
26
|
-
'TCELL_AGENT_HOME_OWNER',
|
27
|
-
'TCELL_AGENT_ENABLED'
|
28
|
-
]
|
29
|
-
)
|
30
|
-
|
31
|
-
ENV.keys.each do |environment_key|
|
32
|
-
if environment_key =~ /^TCELL_/ && !known_tcell_env_vars.include?(environment_key)
|
33
|
-
messages << "Unrecognized environment parameter (TCELL_*) found: #{environment_key}"
|
34
|
-
end
|
35
|
-
end
|
36
|
-
|
37
|
-
begin
|
38
|
-
key_differences = []
|
39
|
-
|
40
|
-
if config_json
|
41
|
-
first_level_keys = %w[version applications]
|
42
|
-
|
43
|
-
key_differences = config_json.keys - first_level_keys
|
44
|
-
|
45
|
-
applications = config_json.fetch('applications', nil)
|
46
|
-
if applications
|
47
|
-
|
48
|
-
if applications.size > 1
|
49
|
-
messages << 'Multiple applications detected in config file'
|
50
|
-
|
51
|
-
elsif applications.size == 1
|
52
|
-
application = applications[0]
|
53
|
-
|
54
|
-
second_level_keys = %w[
|
55
|
-
name
|
56
|
-
app_id
|
57
|
-
api_key
|
58
|
-
fetch_policies_from_tcell
|
59
|
-
preload_policy_filename
|
60
|
-
log_dir
|
61
|
-
tcell_api_url
|
62
|
-
tcell_input_url
|
63
|
-
host_identifier
|
64
|
-
hipaaSafeMode
|
65
|
-
hmac_key
|
66
|
-
password_hmac_key
|
67
|
-
js_agent_api_base_url
|
68
|
-
js_agent_url
|
69
|
-
max_csp_header_bytes
|
70
|
-
event_batch_size_limit
|
71
|
-
allow_unencrypted_appsensor_payloads
|
72
|
-
allow_unencrypted_appfirewall_payloads
|
73
|
-
allow_payloads
|
74
|
-
reverse_proxy
|
75
|
-
reverse_proxy_ip_address_header
|
76
|
-
demomode
|
77
|
-
logging_options
|
78
|
-
data_exposure
|
79
|
-
disable_all
|
80
|
-
enabled
|
81
|
-
enable_event_manager
|
82
|
-
enable_event_consumer
|
83
|
-
enable_policy_polling
|
84
|
-
enable_instrumentation
|
85
|
-
enable_intercept_requests
|
86
|
-
instrument_for_events
|
87
|
-
agent_home_owner
|
88
|
-
enabled_instrumentations
|
89
|
-
]
|
90
|
-
|
91
|
-
key_differences += (application.keys - second_level_keys)
|
92
|
-
|
93
|
-
if application.fetch('logging_options', nil)
|
94
|
-
logging_options = application['logging_options']
|
95
|
-
key_differences += (logging_options.keys - %w[enabled level filename])
|
96
|
-
end
|
97
|
-
|
98
|
-
if application.fetch('data_exposure', nil)
|
99
|
-
data_exposure = application['data_exposure']
|
100
|
-
key_differences += (data_exposure.keys - ['max_data_ex_db_records_per_request'])
|
101
|
-
end
|
102
|
-
|
103
|
-
if application.fetch('enabled_instrumentations', nil)
|
104
|
-
enabled_instrumentations = application['enabled_instrumentations']
|
105
|
-
key_differences += (enabled_instrumentations.keys - %w[doorkeeper devise authlogic])
|
106
|
-
end
|
107
|
-
end
|
108
|
-
end
|
109
|
-
|
110
|
-
key_differences.each do |key|
|
111
|
-
messages << "Unrecognized config setting key: #{key}"
|
112
|
-
end
|
113
|
-
|
114
|
-
end
|
115
|
-
rescue StandardError => exception
|
116
|
-
messages << "Something went wrong verifying config file: #{exception}"
|
117
|
-
end
|
118
|
-
|
119
|
-
messages
|
120
|
-
end
|
121
|
-
end
|
122
|
-
end
|
123
|
-
end
|
data/lib/tcell_agent/devise.rb
DELETED
@@ -1,35 +0,0 @@
|
|
1
|
-
# See the file "LICENSE" for the full license governing this code.
|
2
|
-
|
3
|
-
require 'devise'
|
4
|
-
require 'devise/rails'
|
5
|
-
require 'devise/strategies/database_authenticatable'
|
6
|
-
require 'tcell_agent/userinfo'
|
7
|
-
require 'tcell_agent/logger'
|
8
|
-
require 'tcell_agent/sensor_events/honeytokens'
|
9
|
-
|
10
|
-
module TCellAgent
|
11
|
-
if defined?(Devise)
|
12
|
-
TCellAgent::UserInformation.class_eval do
|
13
|
-
class << self
|
14
|
-
alias_method :original_get_user_from_request, :get_user_from_request
|
15
|
-
def get_user_from_request(request)
|
16
|
-
orig_user_id = original_get_user_from_request(request)
|
17
|
-
begin
|
18
|
-
if request.session && request.session.key?('warden.user.user.key')
|
19
|
-
userkey = request.session['warden.user.user.key']
|
20
|
-
user_id = if userkey.length == 2
|
21
|
-
userkey[0][0]
|
22
|
-
else
|
23
|
-
userkey[1][0]
|
24
|
-
end
|
25
|
-
return user_id.to_s if user_id.is_a? Integer
|
26
|
-
end
|
27
|
-
rescue StandardError
|
28
|
-
return orig_user_id
|
29
|
-
end
|
30
|
-
orig_user_id
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
35
|
-
end
|
@@ -1,14 +0,0 @@
|
|
1
|
-
module Kernel
|
2
|
-
alias_method :tcell_original_exec, :exec
|
3
|
-
|
4
|
-
private
|
5
|
-
|
6
|
-
def exec(*args)
|
7
|
-
cmd = TCellAgent::Cmdi.parse_command(*args)
|
8
|
-
if TCellAgent::Cmdi.block_command?(cmd)
|
9
|
-
raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
|
10
|
-
end
|
11
|
-
|
12
|
-
tcell_original_exec(*args)
|
13
|
-
end
|
14
|
-
end
|
@@ -1,28 +0,0 @@
|
|
1
|
-
class IO
|
2
|
-
class << self
|
3
|
-
alias_method :tcell_original_popen, :popen
|
4
|
-
def popen(*args, &block)
|
5
|
-
unless args.empty?
|
6
|
-
cmd = ''
|
7
|
-
|
8
|
-
TCellAgent::Instrumentation.safe_block('CMDI Parsing popen *args') do
|
9
|
-
args_copy = Array.new(args)
|
10
|
-
args_copy.shift if args_copy.first.is_a?(Hash)
|
11
|
-
args_copy.pop if args_copy.last.is_a?(Hash)
|
12
|
-
|
13
|
-
cmd = if args_copy.first.is_a?(String)
|
14
|
-
args_copy.shift
|
15
|
-
else
|
16
|
-
TCellAgent::Cmdi.parse_command(*args_copy.shift)
|
17
|
-
end
|
18
|
-
end
|
19
|
-
|
20
|
-
if TCellAgent::Cmdi.block_command?(cmd)
|
21
|
-
raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
|
22
|
-
end
|
23
|
-
end
|
24
|
-
|
25
|
-
tcell_original_popen(*args, &block)
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
@@ -1,11 +0,0 @@
|
|
1
|
-
module Kernel
|
2
|
-
alias_method :tcell_original_spawn, :spawn
|
3
|
-
def spawn(*args)
|
4
|
-
cmd = TCellAgent::Cmdi.parse_command(*args)
|
5
|
-
if TCellAgent::Cmdi.block_command?(cmd)
|
6
|
-
raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
|
7
|
-
end
|
8
|
-
|
9
|
-
tcell_original_spawn(*args)
|
10
|
-
end
|
11
|
-
end
|
@@ -1,11 +0,0 @@
|
|
1
|
-
module Kernel
|
2
|
-
alias_method :tcell_original_system, :system
|
3
|
-
def system(*args)
|
4
|
-
cmd = TCellAgent::Cmdi.parse_command(*args)
|
5
|
-
if TCellAgent::Cmdi.block_command?(cmd)
|
6
|
-
raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
|
7
|
-
end
|
8
|
-
|
9
|
-
tcell_original_system(*args)
|
10
|
-
end
|
11
|
-
end
|
@@ -1,60 +0,0 @@
|
|
1
|
-
# {}"http-tx": {
|
2
|
-
# "policy_id":"afh023",
|
3
|
-
# "types": {
|
4
|
-
# "firehose": { enabled: true },
|
5
|
-
# {}"auth_framework_only": {enabled: true},
|
6
|
-
# {}"{}structure": {enabled: true },
|
7
|
-
# {}"fingerprint": {enabled: true }
|
8
|
-
# }
|
9
|
-
# },
|
10
|
-
|
11
|
-
require 'tcell_agent/policies/policy'
|
12
|
-
|
13
|
-
module TCellAgent
|
14
|
-
module Policies
|
15
|
-
class HttpTxPolicy < Policy
|
16
|
-
attr_accessor :policy_id, :firehose, :auth_framework, :profile, :fingerprint
|
17
|
-
|
18
|
-
def initialize
|
19
|
-
@firehose = { 'enabled' => false, 'lite' => false }
|
20
|
-
@auth_framework = { 'enabled' => false, 'lite' => false }
|
21
|
-
@profile = { 'enabled' => false }
|
22
|
-
@fingerprint = { 'enabled' => false, 'hmacUserAgent' => false, 'hmacUserId' => false, 'sampling' => nil }
|
23
|
-
end
|
24
|
-
|
25
|
-
def self.from_json(policy_json)
|
26
|
-
return nil unless policy_json
|
27
|
-
http_tx_policy = HttpTxPolicy.new
|
28
|
-
|
29
|
-
http_tx_policy.policy_id = policy_json['policy_id']
|
30
|
-
raise 'Policy ID missing' unless http_tx_policy.policy_id
|
31
|
-
|
32
|
-
types = policy_json['types']
|
33
|
-
return http_tx_policy unless types
|
34
|
-
|
35
|
-
if types.key?('firehose')
|
36
|
-
http_tx_policy.firehose['enabled'] = types['firehose'].fetch('enabled', false)
|
37
|
-
http_tx_policy.firehose['lite'] = types['firehose'].fetch('lite', false)
|
38
|
-
end
|
39
|
-
|
40
|
-
if types.key?('auth_framework')
|
41
|
-
http_tx_policy.auth_framework['enabled'] = types['auth_framework'].fetch('enabled', false)
|
42
|
-
http_tx_policy.auth_framework['lite'] = types['auth_framework'].fetch('lite', false)
|
43
|
-
end
|
44
|
-
|
45
|
-
if types.key?('profile')
|
46
|
-
http_tx_policy.profile['enabled'] = types['profile'].fetch('enabled', false)
|
47
|
-
end
|
48
|
-
|
49
|
-
if types.key?('fingerprint')
|
50
|
-
http_tx_policy.fingerprint['enabled'] = types['fingerprint'].fetch('enabled', false)
|
51
|
-
http_tx_policy.fingerprint['hmacUserAgent'] = types['fingerprint'].fetch('hmacUserAgent', false)
|
52
|
-
http_tx_policy.fingerprint['hmacUserId'] = types['fingerprint'].fetch('hmacUserId', false)
|
53
|
-
http_tx_policy.fingerprint['sampling'] = types['fingerprint'].fetch('sampling', 0)
|
54
|
-
end
|
55
|
-
|
56
|
-
http_tx_policy
|
57
|
-
end
|
58
|
-
end
|
59
|
-
end
|
60
|
-
end
|
@@ -1,45 +0,0 @@
|
|
1
|
-
require 'tcell_agent/policies/policy'
|
2
|
-
|
3
|
-
module TCellAgent
|
4
|
-
module Policies
|
5
|
-
class LoginFraudPolicy < Policy
|
6
|
-
attr_accessor :policy_id
|
7
|
-
|
8
|
-
attr_accessor :login_success_enabled
|
9
|
-
attr_accessor :login_failed_enabled
|
10
|
-
attr_accessor :session_hijacking_metrics
|
11
|
-
|
12
|
-
def initialize
|
13
|
-
init_options
|
14
|
-
end
|
15
|
-
|
16
|
-
def init_options
|
17
|
-
@policy_id = nil
|
18
|
-
@login_success_enabled = false
|
19
|
-
@login_failed_enabled = false
|
20
|
-
@session_hijacking_metrics = false
|
21
|
-
end
|
22
|
-
|
23
|
-
def enabled
|
24
|
-
@login_success_enabled || @login_failed_enabled
|
25
|
-
end
|
26
|
-
|
27
|
-
def self.from_json(policy_json)
|
28
|
-
return nil unless policy_json
|
29
|
-
sensor_policy = LoginFraudPolicy.new
|
30
|
-
|
31
|
-
sensor_policy.policy_id = policy_json['policy_id']
|
32
|
-
raise 'Policy ID missing' unless sensor_policy.policy_id
|
33
|
-
|
34
|
-
options_json = (policy_json['data'] || {})['options']
|
35
|
-
return sensor_policy unless options_json
|
36
|
-
|
37
|
-
sensor_policy.login_failed_enabled = options_json.fetch('login_failed_enabled', false)
|
38
|
-
sensor_policy.login_success_enabled = options_json.fetch('login_success_enabled', false)
|
39
|
-
sensor_policy.session_hijacking_metrics = options_json.fetch('session_hijacking_enabled', false)
|
40
|
-
|
41
|
-
sensor_policy
|
42
|
-
end
|
43
|
-
end
|
44
|
-
end
|
45
|
-
end
|
@@ -1,110 +0,0 @@
|
|
1
|
-
require 'tcell_agent/appsensor/injections_reporter'
|
2
|
-
require 'tcell_agent/instrumentation'
|
3
|
-
require 'tcell_agent/policies/policy'
|
4
|
-
require 'tcell_agent/rust/models'
|
5
|
-
require 'tcell_agent/rust/whisperer'
|
6
|
-
require 'tcell_agent/sensor_events/command_injection'
|
7
|
-
require 'tcell_agent/sensor_events/patches'
|
8
|
-
|
9
|
-
module TCellAgent
|
10
|
-
module Policies
|
11
|
-
class RustPolicies < Policy
|
12
|
-
attr_reader :appfirewall_enabled, :patches_enabled, :cmdi_enabled
|
13
|
-
|
14
|
-
def initialize
|
15
|
-
@appfirewall_enabled = false
|
16
|
-
@patches_enabled = false
|
17
|
-
@cmdi_enabled = false
|
18
|
-
@headers_enabled = false
|
19
|
-
@jsagent_enabled = false
|
20
|
-
@agent_ptr = nil
|
21
|
-
|
22
|
-
whisper = TCellAgent::Rust::Whisperer.create_agent
|
23
|
-
if whisper['error']
|
24
|
-
TCellAgent.logger.error("Error initializing policies: #{whisper['error']}")
|
25
|
-
else
|
26
|
-
@agent_ptr = whisper['agent_ptr']
|
27
|
-
end
|
28
|
-
end
|
29
|
-
|
30
|
-
def update_policies(policies_json)
|
31
|
-
return if @agent_ptr.nil? || policies_json.nil? || policies_json.empty?
|
32
|
-
|
33
|
-
whisper = TCellAgent::Rust::Whisperer.update_policies(@agent_ptr, policies_json)
|
34
|
-
if whisper['errors']
|
35
|
-
whisper['errors'].each do |error|
|
36
|
-
TCellAgent.logger.error("Error updating policies: #{error}")
|
37
|
-
end
|
38
|
-
else
|
39
|
-
enablements = whisper['enablements']
|
40
|
-
@appfirewall_enabled = enablements['appfirewall']
|
41
|
-
@patches_enabled = enablements['patches']
|
42
|
-
@cmdi_enabled = enablements['cmdi']
|
43
|
-
@headers_enabled = enablements['headers']
|
44
|
-
@jsagent_enabled = enablements['jsagentinjection']
|
45
|
-
end
|
46
|
-
end
|
47
|
-
|
48
|
-
def block_request?(appsensor_meta)
|
49
|
-
return false unless @agent_ptr && @patches_enabled
|
50
|
-
|
51
|
-
whisper = TCellAgent::Rust::Whisperer.apply_patches(@agent_ptr, appsensor_meta)
|
52
|
-
if whisper['error']
|
53
|
-
TCellAgent.logger.error("Error processing patches: #{whisper['error']}")
|
54
|
-
else
|
55
|
-
response = whisper['apply_response']
|
56
|
-
if response && response['status'] == 'Blocked'
|
57
|
-
patches_event = TCellAgent::SensorEvents::PatchesEvent.new(response, appsensor_meta)
|
58
|
-
TCellAgent.send_event(patches_event)
|
59
|
-
return true
|
60
|
-
end
|
61
|
-
end
|
62
|
-
|
63
|
-
false
|
64
|
-
end
|
65
|
-
|
66
|
-
def check_appfirewall_injections(appsensor_meta)
|
67
|
-
return unless @agent_ptr && @appfirewall_enabled
|
68
|
-
|
69
|
-
TCellAgent::Instrumentation.safe_block('AppSensor inspection') do
|
70
|
-
whisper = TCellAgent::Rust::Whisperer.apply_appfirewall(@agent_ptr, appsensor_meta)
|
71
|
-
TCellAgent::AppSensor::InjectionsReporter.report_and_log(whisper['apply_response'])
|
72
|
-
end
|
73
|
-
end
|
74
|
-
|
75
|
-
def block_command?(command, tcell_context)
|
76
|
-
return false unless @agent_ptr &&
|
77
|
-
@cmdi_enabled &&
|
78
|
-
TCellAgent.safe_to_send_cmdi_events?
|
79
|
-
whisper = TCellAgent::Rust::Whisperer.apply_cmdi(
|
80
|
-
@agent_ptr, command, tcell_context
|
81
|
-
)
|
82
|
-
apply_response = whisper.fetch('apply_response', {})
|
83
|
-
cmdi_event =
|
84
|
-
TCellAgent::SensorEvents::CommandInjectionEvent.build_from_native_lib_response_and_tcell_context(apply_response,
|
85
|
-
tcell_context)
|
86
|
-
TCellAgent.send_event(cmdi_event) if cmdi_event
|
87
|
-
|
88
|
-
apply_response.fetch('blocked', false)
|
89
|
-
end
|
90
|
-
|
91
|
-
def get_headers(tcell_context)
|
92
|
-
return [] unless @agent_ptr &&
|
93
|
-
@headers_enabled
|
94
|
-
whisper = TCellAgent::Rust::Whisperer.get_headers(
|
95
|
-
@agent_ptr, tcell_context
|
96
|
-
)
|
97
|
-
whisper['headers'] || []
|
98
|
-
end
|
99
|
-
|
100
|
-
def get_js_agent_script_tag(tcell_context)
|
101
|
-
return nil unless @agent_ptr &&
|
102
|
-
@jsagent_enabled
|
103
|
-
whisper = TCellAgent::Rust::Whisperer.get_js_agent_script_tag(
|
104
|
-
@agent_ptr, tcell_context
|
105
|
-
)
|
106
|
-
whisper['script_tag']
|
107
|
-
end
|
108
|
-
end
|
109
|
-
end
|
110
|
-
end
|