tcell_agent 0.2.12 → 0.2.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d7b8f5683724f8a43b2d1a495c1a201c542e2c97
-  data.tar.gz: cdcae5ac8de0675be484c75d6f84140325819021
+  metadata.gz: e5ccc67c1c1611e9a2824184b1b89693dc6d0c95
+  data.tar.gz: 7722062a8bd1a12cda449ce20645ec11fbf024cf
 SHA512:
-  metadata.gz: e62d02980c09b9c29807c264678fb6709aa6958db4fa45db676a45fdaf8f61f724671e0474e8826d048365c57fd4e5d244d106cc2bc33053cbf0c2bb4bd54946
-  data.tar.gz: dd27ffe58a391b514f6e052daf818b433caab75513971da6a0b3c28272dc708ddde1314b0f01268ca5881e7a11991e70d8c63dbaffc9d1cbbbea2eebae35dae7
+  metadata.gz: 11be4d4e2e569c6edbcf737944410aa9c9c7f90e12e585e90026ca539330f3debe7667bcd5db02ee4f402528d92166089f225579d5dd075320118b6f481b15c5
+  data.tar.gz: ed0b1023516c6122b585774908acf5dbb13243619b3c1822ff55e4701616716f1d33acae60a2d5eee7dbdc416f21eb11792caa3ba59214f6d533ac1dc2038ac7

data/lib/tcell_agent.rb

@@ -5,6 +5,8 @@ require 'tcell_agent/configuration'
 
 require 'tcell_agent/agent'
 
+require 'tcell_agent/appsensor/rules/appsensor_rule_manager'
+
 require 'tcell_agent/policies/content_security_policy'
 require 'tcell_agent/policies/http_tx_policy'
 require 'tcell_agent/policies/http_redirect_policy'
@@ -15,9 +17,7 @@ require 'tcell_agent/policies/appsensor_policy'
 require 'tcell_agent/policies/login_fraud_policy'
 require 'tcell_agent/policies/dataloss_policy'
 
-require 'tcell_agent/sensor_events/app_sensor'
 require 'tcell_agent/sensor_events/dlp'
-require 'tcell_agent/appsensor'
 require 'tcell_agent/sensor_events/util/sanitizer_utilities'
 require 'tcell_agent/sensor_events/util/redirect_utils'
 

data/lib/tcell_agent/agent/policy_manager.rb

@@ -100,7 +100,7 @@ module TCellAgent
 
       TCellAgent::PolicyTypes::ClassMap.each do | policy_type, policy_class |
         if (policy_jsons.key?(policy_type))
-          new_policy = policy_class.fromJson(policy_jsons[policy_type])
+          new_policy = policy_class.from_json(policy_jsons[policy_type])
           if new_policy
             @lock.synchronize do
               @policies[policy_type] = new_policy

data/lib/tcell_agent/api.rb

@@ -81,8 +81,8 @@ module TCellAgent
       TCellAgent.logger.debug("tCell.io SendEvents API Request: " + full_url)
       request_headers = {
         :Authorization => 'Bearer ' + TCellAgent.configuration.api_key, 
-        :content_type => :json, 
-        :accept => :json,
+        :content_type => "application/json", 
+        :accept => "application/json",
       }
       begin
         request_headers[:TCellAgent] = "RubyAgent " + TCellAgent::VERSION

data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb

@@ -0,0 +1,46 @@
+require 'tcell_agent/appsensor/rules/appsensor_rule_set'
+
+module TCellAgent
+
+  class AppSensorRuleManager
+
+    attr_accessor :rule_info
+
+    def initialize(filename=nil)
+      @rule_info = {}
+
+      load_rules_file(filename) if filename
+    end
+
+    def load_default_rules_file
+      filename = File.join(File.dirname(__FILE__), "baserules.json")
+      load_rules_file(filename)
+    end
+
+    def load_rules_file(filename)
+      @rule_info = {}
+
+      if File.file?(filename)
+        rules_from_file = YAML.load(File.open(filename).read)
+        rule_types = rules_from_file.fetch("sensors", {})
+
+        rule_types.each do |sensor_name, sensor_config|
+          rule_set = AppSensorRuleSet.new()
+          rule_set.set_safe_pattern_from_string(sensor_config.fetch("safe_pattern", nil))
+
+          sensor_config.fetch("patterns", []).each do |pattern_config|
+            rule_set.add_pattern_from_dict(pattern_config)
+          end
+
+          @rule_info[sensor_name] = rule_set
+        end
+      end
+    end
+
+    def get_ruleset_for(rule_type)
+      @rule_info.fetch(rule_type, nil)
+    end
+
+  end
+
+end

data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb

@@ -0,0 +1,67 @@
+module TCellAgent
+
+  class AppSensorRulePattern
+    attr_accessor :pattern_id, :pattern_regex, :enabled
+    def initialize(pattern_id, pattern_regex, enabled)
+      @pattern_id = pattern_id
+      @pattern_regex = pattern_regex
+      @enabled = enabled
+    end
+  end
+
+  class AppSensorRuleSet
+    attr_accessor :safe_pattern, :patterns
+
+    def initialize()
+      @safe_pattern = nil
+      @patterns = []
+    end
+
+    def check_violation(param_name, param_value, active_pattern_ids, v1_compatability_enabled)
+      return nil if param_value.nil? || (@safe_pattern && param_value.match(@safe_pattern))
+
+      @patterns.each do |pattern|
+        next if pattern.nil? || pattern.enabled == false
+
+        if v1_compatability_enabled || active_pattern_ids.fetch(pattern.pattern_id, false)
+          pattern_result = param_value.match(pattern.pattern_regex)
+
+          if pattern_result
+            return {"param" => param_name, "value" => param_value, "pattern" => pattern.pattern_id}
+          end
+        end
+      end
+
+      return nil
+    rescue
+      return nil
+    end
+
+    def add_pattern_from_dict(rule_dict)
+      return unless rule_dict
+
+      pattern_id = rule_dict.fetch("id", nil)
+      pattern = rule_dict.fetch("ruby", nil)
+      if pattern == nil
+        pattern = rule_dict.fetch("common", nil)
+      elsif pattern == "disabled"
+        return
+      end
+
+      return if pattern_id == nil or pattern == nil
+
+      pattern_regex = Regexp.new(pattern)
+      enabled = rule_dict.fetch("enabled", true)
+
+      rule_pattern = AppSensorRulePattern.new(pattern_id, pattern_regex, enabled)
+      @patterns.push(rule_pattern)
+    end
+
+    def set_safe_pattern_from_string(safe_pattern_str)
+      if safe_pattern_str != nil
+        @safe_pattern = Regexp.new(safe_pattern_str)
+      end
+    end
+  end
+
+end

data/lib/tcell_agent/appsensor/rules/baserules.json

@@ -0,0 +1,153 @@
+{
+  "version":"20160322",
+  "sensors":{
+    "xss":{
+      "patterns":[
+        {
+          "title":"Basic Injection",
+          "sophistication":1,
+          "common": "(?:<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))",
+          "id": "1"
+        },
+        {
+          "title":"Alert or Event XSS",
+          "sophistication":2,
+          "common": "(?:(alert|on\\w+|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))",
+          "id": "2"
+        },
+        {
+          "title":"Tag Breaks",
+          "sophistication":2,
+          "common": "(?:\\\"[^\\\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\/>)|(?:>\\\")",
+          "id": "3"
+        },
+        {
+          "title":"Attribute Breaks",
+          "sophistication":3,
+         "common": "(?:\\\"+.*[<=]\\s*\\\"[^\\\"]+\\\")|(?:\\\"\\s*\\w+\\s*=)|(?:>\\w=\\/)|(?:#.+\\)[\\\"\\s]*>)|(?:\\\"\\s*(?:src|style|on\\w+)\\s*=\\s*\\\")|(?:[^\\\"]?\\\"[,;\\s]+\\w*[\\[\\(])(?:^>[\\w\\s]*<\\/?\\w{2,}>)",
+          "id": "4"
+        },
+        {
+          "title":"Basic Obfuscation",
+          "sophistication":3,
+          "common": "(?:[\\\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\\\"])|(?:\\/[\\w\\s]+\\/\\.)|(?:=\\s*\\/\\w+\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\\\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
+          "id": "5"
+        },
+        {
+          "title":"Common Concatenation",
+          "sophistication":3,
+          "common": "(?:=\\s*\\w+\\s*\\+\\s*\\\")|(?:\\+=\\s*\\(\\s\\\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\\\"\\s*\\+\\s*\\\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\\\"\\s*[&|]+\\s*\\\")|(?:\\/\\s*\\?\\s*\\\")|(?:\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:\\]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\/)",
+          "id": "6"
+        },
+        {
+          "title":"IFrame Tag Injection",
+          "sophistication":1,
+          "common": "<iframe.*",
+          "id": "7"
+        }
+      ]
+    },
+    "cmdi":{
+      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+      "patterns":[
+        {
+          "title":"Common Remote Attempts",
+          "sophistication":2,
+          "id":"1",
+          "common":"(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$)",
+          "ruby":"(?i:(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$))"
+        },
+        {
+          "title":"Common Command Attempts",
+          "sophistication":1,
+          "id":"2",
+          "common":"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\\\\\/c)|d(?:\\b\\W*?[\\\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b)))"
+        }
+      ]
+    },
+    "sqli":{
+      "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+      "patterns":[
+        {
+          "title":"Common Encoding Obfuscations",
+          "sophistication":3,
+          "common": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
+          "id": "1"
+        },
+        {
+          "title":"Common Probes/Executions",
+          "sophistication":1,
+          "common": "\\b(?:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\\\"][^=]{1,10}[\\'\\\"]) ?[=<>]+|(?:\\bcreate\\s+?table.{0,20}?\\()|(?:\\blike\\W*?char\\W*?\\()|(?:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')",
+          "id": "2"
+        },
+        {
+          "title":"Comment Injection",
+          "sophistication":1,
+          "common": "([';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\\\x00)",
+          "id": "3"
+        },
+        {
+          "title":"Extraction Attempts 1",
+          "sophistication":1,
+          "common": "(?:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\\\"'`\u00b4\u2019\u2018=()]))",
+          "id": "4"
+        },
+        {
+          "title":"Extraction Attempts 2",
+          "sophistication":2,
+          "pattern": "(?:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\\\"'`\u00b4\u2019\u2018]|[=\\d]+x))|([\\\"'`\u00b4\u2019\u2018]\\s*?\\d\\s*?(?:--|#))|(?:[\\\"'`\u00b4\u2019\u2018][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\\\"'`\u00b4\u2019\u2018]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?\\d.+[\\\"'`\u00b4\u2019\u2018]?\\w)|(?:[\\\"'`\u00b4\u2019\u2018]\\|?[\\w-]{3,}[^\\w\\s.,]+[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?is\\s*?[\\d.]+\\s*?\\W.*?[\\\"'`\u00b4\u2019\u2018]))",
+          "id": "5"
+        },
+        {
+          "title":"Extraction Attempts 3",
+          "sophistication":3,
+          "pattern": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
+          "id": "6"
+        }
+      ]
+    },
+    "fpt":{
+      "patterns":[
+        {
+          "title":"Windows Probing",
+          "sophistication":1,
+          "common": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
+          "ruby": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.*))|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
+          "id": "1"
+        },
+        {
+          "title":"Unix Probing",
+          "sophistication":1,
+          "common": "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
+          "id": "2"
+        },
+        {
+          "title":"Attempt for /etc/passwd",
+          "sophistication":1,
+          "common": "(?:etc\\/\\W*passwd)",
+          "id": "3"
+        }
+      ]
+    },
+    "nullbyte":{
+      "patterns":[
+        {
+          "title":"Any Null Byte",
+          "sophistication":1,
+          "id":"1",
+          "common":"\\0"
+        }
+      ]
+    },
+    "retr":{
+      "patterns":[
+        {
+          "title":"Any Line-Break Character",
+          "sophistication":1,
+          "id":"1",
+          "common":"(\\n|\\r)"
+        }
+      ]
+    }
+  }
+}

data/lib/tcell_agent/configuration.rb

@@ -38,7 +38,9 @@ module TCellAgent
       :whitelist_present,
       :config_filename,
       :agent_log_dir,
-      :max_data_ex_db_records_per_request
+      :max_data_ex_db_records_per_request,
+      :log_appfirewall_events,
+      :appfirewall_payloads_log_filename
 
     attr_accessor :disable_all,
       :enabled,
@@ -104,6 +106,7 @@ module TCellAgent
       @cache_filename = File.join(@agent_home_dir, "cache", "tcell_agent.cache")
       @log_filename = File.join(@agent_log_dir, "tcell_agent.log")
 
+
       # Because ENV can override this one
       env_unencrypted_firewall = 
       if (ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPSENSOR_PAYLOADS"] != nil)
@@ -113,6 +116,9 @@ module TCellAgent
         @allow_unencrypted_appsensor_payloads = [true, "true", "yes", "1"].include?(ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS"])
       end
 
+      @log_appfirewall_events = [true, "true", "yes", "1"].include?(ENV["TCELL_AGENT_ALLOW_UNENCRYPTED_APPFIREWALL_PAYLOADS_LOGGING"])
+      @appfirewall_payloads_log_filename = File.join(@agent_log_dir, "tcell_agent_payloads.log")
+
       @tcell_api_url ||= "https://api.tcell.io/api/v1"
       @tcell_input_url ||= "https://input.tcell.io/api/v1"
       @js_agent_api_base_url ||= nil

data/lib/tcell_agent/instrumentation.rb

@@ -5,6 +5,7 @@ require 'tcell_agent/logger'
 require 'tcell_agent/configuration'
 require 'tcell_agent/version'
 require 'date'
+require 'cgi'
 
 module TCellAgent
   module Instrumentation
@@ -126,6 +127,7 @@ module TCellAgent
                   session_id_actions.action_id
                   ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
               )
+
             end
           end
         end
@@ -133,6 +135,7 @@ module TCellAgent
           replace_filters = (context_filters.select {|context_filter| context_filter.rule.body_redact == true })
           event_filters = (context_filters.select {|context_filter| (context_filter.rule.body_redact != true && context_filter.rule.body_event == true) })
           send_flag = TCellData.filterx(body, event_filters.length > 0, replace_filters.length > 0, term)
+          send_flag = send_flag || TCellData.filterx(body, event_filters.length > 0, replace_filters.length > 0, CGI.escapeHTML(term))
           if send_flag
             (replace_filters + event_filters).each { |filter|
               base_event = TCellAgent::SensorEvents::DlpEvent.new(

data/lib/tcell_agent/logger.rb

@@ -23,8 +23,30 @@ module TCellAgent
     return Logger::ERROR
   end
 
+  def self.appfirewall_payloads_logger
+    if defined?(@paylods_logger) && @logger_pid == Process.pid
+      return @payloads_logger
+    end
+
+    if TCellAgent.configuration.log_appfirewall_events
+      FileUtils.mkdir_p TCellAgent.configuration.agent_log_dir
+      @payloads_logger = Logger.new(TCellAgent.configuration.appfirewall_payloads_log_filename, 9, 5242880)
+      @payloads_logger.level = Logger::INFO
+      @payloads_logger.formatter = proc do |severity, datetime, progname, msg|
+        date_format = datetime.strftime("%Y-%m-%dT%H:%M:%S.%L%:z")
+         "#{date_format} - #{msg}\n"
+      end
+
+      return @payloads_logger
+    end
+
+    logger = Logger.new(TCellAgent.configuration.appfirewall_payloads_log_filename)
+    logger.level = Logger::ERROR
+    return logger
+  end
+
   def self.logger
-    if defined?(@logger) and @logger_pid == Process.pid
+    if defined?(@logger) && @logger_pid == Process.pid
       return @logger
     end
 
@@ -40,8 +62,8 @@ module TCellAgent
       @logger.level = level
       @logger.formatter = proc do |severity, datetime, progname, msg|
         # ISO 8601 format
-        date_format = datetime.strftime("%Y-%m-%d %H:%M:%S,%L%z")
-         "[#{date_format}] [#{TCellAgent::VERSION}] #{severity}[#{@logger_pid}]: #{msg}\n"
+        date_format = datetime.strftime("%Y-%m-%dT%H:%M:%S.%L%:z")
+         "#{date_format} - [#{TCellAgent::VERSION}] - #{severity}[#{@logger_pid}]: #{msg}\n"
       end
 
       return @logger

data/lib/tcell_agent/policies/appsensor/cmdi_sensor.rb

@@ -0,0 +1,19 @@
+require 'tcell_agent/policies/appsensor/injection_sensor'
+
+
+module TCellAgent
+  module Policies
+
+    class CmdiSensor < InjectionSensor
+
+      def initialize(policy_json=nil)
+        super(
+          "cmdi",
+          policy_json
+        )
+      end
+
+    end
+
+  end
+end

data/lib/tcell_agent/policies/appsensor/fpt_sensor.rb

@@ -0,0 +1,19 @@
+require 'tcell_agent/policies/appsensor/injection_sensor'
+
+
+module TCellAgent
+  module Policies
+
+    class FptSensor < InjectionSensor
+
+      def initialize(policy_json=nil)
+        super(
+          "fpt",
+          policy_json
+        )
+      end
+
+    end
+
+  end
+end