tcell_agent 1.1.12 → 2.2.0

data/lib/tcell_agent/instrumentation/monkey_patches/kernel.rb

@@ -0,0 +1,102 @@
+module Kernel
+  private
+
+  alias_method :tcell_original_backtick, :`
+  alias_method :tcell_original_exec, :exec
+  alias_method :tcell_original_open, :open
+  alias_method :tcell_original_gets, :gets
+  alias_method :tcell_original_readline, :readline
+  alias_method :tcell_original_spawn, :spawn
+  alias_method :tcell_original_system, :system
+
+  class << self
+    alias_method :tcell_original_exec, :exec
+    alias_method :tcell_original_open, :open
+    alias_method :tcell_original_gets, :gets
+    alias_method :tcell_original_readline, :readline
+    alias_method :tcell_original_spawn, :spawn
+    alias_method :tcell_original_system, :system
+  end
+
+  def `(cmd)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_backtick(cmd)
+  end
+
+  if TCellAgent.configuration.should_instrument?('kernel_exec')
+    def exec(*args)
+      cmd = TCellAgent::Cmdi.parse_command(*args)
+      if TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+
+      tcell_original_exec(*args)
+    end
+  end
+
+  def gets(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+    if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    tcell_original_gets(*args, &block)
+  end
+
+  def open(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode(*args)
+
+    if !path.strip.empty? && TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    if path.empty?
+      cmd = TCellAgent::Cmdi.parse_command_from_open(*args)
+      if cmd && TCellAgent::Cmdi.block_command?(cmd)
+        raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+      end
+    end
+
+    tcell_original_open(*args, &block)
+  end
+
+  def readline(*args, &block)
+    path, mode = TCellAgent::Instrumentation::Lfi.extract_path_mode_argf
+
+    if TCellAgent::Instrumentation::Lfi.block_file_access?(path, mode)
+      raise IOError, "tCell.io Agent: Attempted access to file #{path} with mode #{mode} denied"
+    end
+
+    tcell_original_readline(*args, &block)
+  end
+
+  def spawn(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_spawn(*args)
+  end
+
+  def system(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_system(*args)
+  end
+
+  module_function :`
+  module_function :exec
+  module_function :gets
+  module_function :open
+  module_function :readline
+  module_function :spawn
+  module_function :system
+end

data/lib/tcell_agent/logger.rb

@@ -2,149 +2,84 @@
 
 require 'logger'
 require 'tcell_agent/configuration'
-require 'tcell_agent/utils/io'
 
 module TCellAgent
-  class TaggedLogger
-    def initialize(tag, logger)
-      @tag = tag
-      @logger = logger
-    end
-
-    def debug(msg)
-      @logger.tagged(@tag) { @logger.debug(msg) }
-    end
-
-    def info(msg)
-      @logger.tagged(@tag) { @logger.info(msg) }
-    end
-
-    def warn(msg)
-      @logger.tagged(@tag) { @logger.warn(msg) }
-    end
-
-    def error(msg)
-      @logger.tagged(@tag) { @logger.error(msg) }
-    end
-
-    def fatal(msg)
-      @logger.tagged(@tag) { @logger.fatal(msg) }
-    end
-
-    def unknown(msg)
-      @logger.tagged(@tag) { @logger.unknown(msg) }
-    end
-  end
-
   class NullLoger < Logger
     def initialize(*args); end
 
     def add(*args, &block); end
   end
 
-  class TCellLogDevice < Logger::LogDevice
-    def create_logfile(filename)
-      logdev = super
-
-      TCellAgent::Utils::IO.set_owner(filename, TCellAgent.configuration.agent_home_owner.to_s)
+  class ModuleLogger
+    def initialize(logger, module_name)
+      @logger = logger
+      @module_name = module_name
+    end
 
-      logdev
+    %i[exception debug info warn error].each do |method_name|
+      define_method(method_name) do |msg|
+        @logger.send(method_name, @module_name, msg)
+      end
     end
   end
 
-  @@logger_pid = Process.pid
-  @null_logger = TCellAgent::NullLoger.new
-
-  def self.logging_level_from_string(level_string)
-    return Logger::DEBUG if level_string == 'DEBUG'
-    return Logger::WARN if level_string == 'WARN'
-    return Logger::INFO if level_string == 'INFO'
-    return Logger::ERROR if level_string == 'ERROR'
-    return Logger::FATAL if level_string == 'FATAL'
-
-    Logger::INFO
+  module ModuleLoggerAccess
+    def module_logger
+      @module_logger ||= ModuleLogger.new(
+        TCellAgent.logger, self.class.name
+      )
+    end
   end
 
-  def self.appfirewall_payloads_logger
-    return @null_logger unless TCellAgent.configuration.enabled
-
-    if defined?(@paylods_logger) && @logger_pid == Process.pid
-      return @payloads_logger
+  # Note: since the agent waits until native agent
+  # is available, this is only used in errors
+  # throwned while the agent is instrumenting or starting up
+  # so it's ok to send those to STDOUT always
+  class RubyLogger
+    def initialize
+      @logger = Logger.new(STDOUT)
     end
 
-    if TCellAgent.configuration.appfirewall_payloads_logger
-      @logger_pid = Process.pid
-      @payloads_logger = TCellAgent.configuration.appfirewall_payloads_logger
-      return @payloads_logger
+    def exception(module_name, exception)
+      @logger.debug("#{module_name} #{exception.backtrace.join("\n")}")
     end
 
-    TCellAgent::Utils::IO.create_directory(
-      File.dirname(TCellAgent.configuration.appfirewall_payloads_log_filename),
-      TCellAgent.configuration.agent_home_owner.to_s
-    )
-
-    log_device = TCellLogDevice.new(
-      TCellAgent.configuration.appfirewall_payloads_log_filename,
-      :shift_age => 9, :shift_size => 5_242_880
-    )
-    @payloads_logger = Logger.new(log_device)
-    @payloads_logger.level = Logger::INFO
-    @payloads_logger.formatter = proc do |_severity, datetime, _progname, msg|
-      date_format = datetime.strftime('%Y-%m-%dT%H:%M:%S.%L%:z')
-      "#{date_format} - #{msg}\n"
+    %i[debug info warn error].each do |method_name|
+      define_method(method_name) do |module_name, msg|
+        @logger.send(method_name, "#{module_name} #{msg}")
+      end
     end
-
-    @payloads_logger
   end
 
-  def self.logger
-    return @null_logger unless TCellAgent.configuration.enabled
-
-    return @logger if defined?(@logger) && @logger_pid == Process.pid
-
-    if TCellAgent.configuration.logger
-      @logger_pid = Process.pid
-      @logger = if TCellAgent.configuration.log_tag
-                  TCellAgent::TaggedLogger.new(TCellAgent.configuration.log_tag, TCellAgent.configuration.logger)
-                else
-                  TCellAgent.configuration.logger
-                end
-
-      return @logger
+  class NativeLogger
+    def initialize(native_agent)
+      @native_agent = native_agent
     end
 
-    @logger_pid = Process.pid
-    logging_options = TCellAgent.configuration.logging_options || {}
-
-    use_default_setting = !logging_options.key?(:enabled) && !logging_options.key?('enabled')
-
-    if use_default_setting || logging_options[:enabled] || logging_options['enabled']
-      logging_file = TCellAgent.configuration.log_filename
-      logging_directory = File.dirname(logging_file)
-      TCellAgent::Utils::IO.create_directory(logging_directory, TCellAgent.configuration.agent_home_owner.to_s)
-
-      log_device = TCellLogDevice.new(logging_file, :shift_age => 9, :shift_size => 5_242_880)
+    def exception(module_name, exception)
+      @native_agent.log_message(
+        'debug', exception.backtrace.join("\n"), module_name
+      )
+    end
 
-      level = logging_level_from_string(logging_options[:level] || logging_options['level'])
-      # limit the total log file to about 9 * 5 = 45 mb
-      @logger = Logger.new(log_device)
-      @logger.level = level
-      @logger.formatter = proc do |severity, datetime, _progname, msg|
-        # ISO 8601 format
-        date_format = datetime.strftime('%Y-%m-%dT%H:%M:%S.%L%:z')
-        "#{date_format} - [#{TCellAgent::VERSION}] - #{severity}[#{@logger_pid}]: #{msg}\n"
+    %i[debug info warn error].each do |method_name|
+      define_method(method_name) do |module_name, msg|
+        @native_agent.log_message(
+          method_name.to_s, msg, module_name
+        )
       end
+    end
+  end
 
-      return @logger
+  @@ruby_logger = RubyLogger.new
 
-    else
-      @null_logger
-    end
+  def self.logger
+    return @@ruby_logger unless defined?(@native_logger)
 
-    @null_logger
+    @native_logger
   end
 
-  def self.logger=(logger)
-    @logger = logger
+  def self.native_logger=(native_agent)
+    @native_logger = NativeLogger.new(native_agent)
   end
 end

data/lib/tcell_agent/patches.rb

@@ -5,15 +5,14 @@ module TCellAgent
     module Patches
       def self.block?(request)
         TCellAgent::Instrumentation.safe_block('Checking patches blocking') do
-          rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
+          patches_policy = TCellAgent.policy(TCellAgent::PolicyTypes::PATCHES)
+          return false unless patches_policy.enabled
 
-          if rust_policies && rust_policies.patches_enabled
-            meta_data = TCellAgent::MetaData.from_request(request)
-            block_request = rust_policies.block_request?(meta_data)
-            request.env[TCellAgent::Instrumentation::TCELL_ID].patches_blocking_triggered = block_request
+          meta_data = TCellAgent::MetaData.for_patches(request)
+          block_request = patches_policy.block_request?(meta_data)
+          request.env[TCellAgent::Instrumentation::TCELL_ID].patches_blocking_triggered = block_request
 
-            return block_request
-          end
+          return block_request
         end
 
         false

data/lib/tcell_agent/policies/appfirewall_policy.rb

@@ -0,0 +1,26 @@
+require 'tcell_agent/policies/policy'
+
+module TCellAgent
+  module Policies
+    class AppfirewallPolicy < Policy
+      def self.api_identifier
+        'appsensor'
+      end
+
+      attr_accessor :enabled
+
+      def initialize(native_agent, enablements)
+        @native_agent = native_agent
+        @enabled = enablements['appfirewall'] || false
+      end
+
+      def check_appfirewall_injections(appsensor_meta)
+        return unless @enabled
+
+        TCellAgent::Instrumentation.safe_block('AppFirewall inspection') do
+          @native_agent.apply_appfirewall(appsensor_meta)
+        end
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/command_injection_policy.rb

@@ -0,0 +1,28 @@
+require 'tcell_agent/policies/policy'
+
+module TCellAgent
+  module Policies
+    class CommandInjectionPolicy < Policy
+      def self.api_identifier
+        'cmdi'
+      end
+
+      attr_accessor :enabled
+
+      def initialize(native_agent, enablements)
+        @native_agent = native_agent
+        @enabled = enablements['cmdi'] || false
+      end
+
+      def block_command?(command, tcell_context)
+        return false unless @enabled && tcell_context
+
+        response = @native_agent.apply_cmdi(
+          command, tcell_context
+        )
+
+        !response['blocked'].nil? && response['blocked']
+      end
+    end
+  end
+end

data/lib/tcell_agent/policies/dataloss_policy.rb

@@ -4,6 +4,10 @@ require 'tcell_agent/policies/policy'
 module TCellAgent
   module Policies
     class DataLossPolicy < Policy # rubocop:disable Metrics/ClassLength
+      def self.api_identifier
+        'dlp'
+      end
+
       class FilterActions
         attr_accessor :body_event
         attr_accessor :body_redact
@@ -38,8 +42,9 @@ module TCellAgent
       attr_accessor :field_redact_body
       attr_accessor :field_alerts
 
-      def initialize
+      def initialize(policies_json)
         init_options
+        from_json(policies_json) unless policies_json.nil? || policies_json.empty?
       end
 
       def init_options
@@ -192,19 +197,18 @@ module TCellAgent
         actions
       end
 
-      def self.from_json(policy_json)
-        return nil unless policy_json
+      def from_json(policy_json)
+        return unless policy_json
 
-        policy = DataLossPolicy.new
-        policy.policy_id = policy_json['policy_id']
-        raise 'Policy ID missing' unless policy.policy_id
+        @policy_id = policy_json['policy_id']
+        raise 'Policy ID missing' unless @policy_id
 
         data_json = (policy_json['data'] || {})
 
         if data_json.key?('data_discovery')
           data_discovery_json = data_json['data_discovery']
-          policy.database_discovery_enabled = data_discovery_json.fetch('database_enabled', false)
-          policy.enabled = policy.database_discovery_enabled
+          @database_discovery_enabled = data_discovery_json.fetch('database_enabled', false)
+          @enabled = @database_discovery_enabled
         end
 
         if data_json.key?('session_id_protections')
@@ -212,9 +216,9 @@ module TCellAgent
           rule_id = session_id_protection.fetch('id', nil)
           filter_actions = DataLossPolicy.actions_from_json(session_id_protection)
           unless filter_actions.nil?
-            policy.enabled = true
+            @enabled = true
             filter_actions.action_id = rule_id
-            policy.session_id_filter_actions = filter_actions
+            @session_id_filter_actions = filter_actions
           end
         end
 
@@ -235,62 +239,58 @@ module TCellAgent
               next
             end
 
-            next unless context && policy.request_filter_actions.key?(context) && variables && options
+            next unless context && @request_filter_actions.key?(context) && variables && options
             filter_actions = DataLossPolicy.actions_from_json(options)
             next if filter_actions.nil?
-            policy.enabled = true
+            @enabled = true
             filter_actions.action_id = rule_id
             variables.each do |variable|
               route_ids.each  do |route_id|
                 if context == RequestProtectionManager::COOKIE
                   # Case sensitive variable name
-                  policy.request_filter_actions[context][route_id][variable].add(filter_actions)
+                  @request_filter_actions[context][route_id][variable].add(filter_actions)
                 else
-                  policy.request_filter_actions[context][route_id][variable.downcase].add(filter_actions)
+                  @request_filter_actions[context][route_id][variable.downcase].add(filter_actions)
                 end
               end
             end
           end
         end
 
-        if data_json.key?('db_protections')
-          protections = data_json['db_protections']
-          if protections
-            protections.each do |protection_json|
-              scope = protection_json.fetch('scope', nil)
-              databases = protection_json.fetch('databases', ['*'])
-              schemas = protection_json.fetch('schemas', ['*'])
-              tables = protection_json.fetch('tables', ['*'])
-              fields = protection_json.fetch('fields', nil)
-              rule_id = protection_json.fetch('id', nil)
-              actions = protection_json.fetch('actions', {})
-              filter_actions = DataLossPolicy.actions_from_json(actions)
-              route_ids = ['*']
+        return unless data_json.key?('db_protections')
+        protections = data_json['db_protections']
+        return unless protections
+        protections.each do |protection_json|
+          scope = protection_json.fetch('scope', nil)
+          databases = protection_json.fetch('databases', ['*'])
+          schemas = protection_json.fetch('schemas', ['*'])
+          tables = protection_json.fetch('tables', ['*'])
+          fields = protection_json.fetch('fields', nil)
+          rule_id = protection_json.fetch('id', nil)
+          actions = protection_json.fetch('actions', {})
+          filter_actions = DataLossPolicy.actions_from_json(actions)
+          route_ids = ['*']
+
+          if !scope.nil? && scope != 'global' && scope == 'route'
+            route_ids = protection_json.fetch('route_ids', [])
+          end
 
-              if !scope.nil? && scope != 'global' && scope == 'route'
-                route_ids = protection_json.fetch('route_ids', [])
-              end
+          next if fields.nil? || filter_actions.nil?
 
-              next if fields.nil? || filter_actions.nil?
-
-              policy.enabled = true
-              filter_actions.action_id = rule_id
-              databases.each do |database|
-                schemas.each do |schema|
-                  tables.each do |table|
-                    fields.each do |field|
-                      route_ids.each do |route_id|
-                        policy.database_actions[database][schema][table][field][route_id].add(filter_actions)
-                      end
-                    end
+          @enabled = true
+          filter_actions.action_id = rule_id
+          databases.each do |database|
+            schemas.each do |schema|
+              tables.each do |table|
+                fields.each do |field|
+                  route_ids.each do |route_id|
+                    @database_actions[database][schema][table][field][route_id].add(filter_actions)
                   end
                 end
               end
             end
           end
         end
-
-        policy
       end
     end
   end