tcell_agent 1.1.6 → 1.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 268481d9cc436a4f01caf780f929dc045ca3162c1869fe52426d3587d16e78e6
-  data.tar.gz: a2705e57d4662a154306226c700fd2531961d82c329697f5f3c2c8367cf5e3f3
+  metadata.gz: f6f920526272f2ae748d733a485ce838edbf04ce6ec7641265791fd115d9c2a2
+  data.tar.gz: 7c80dc4ff7592443f2d4b9d82a776f9e82f2bc2acb1587890d292d8a0c166a1a
 SHA512:
-  metadata.gz: 545ad44a5d2d830e57858c6d4e96378bfd6dcb708e7cf8e184d1a33d265c3005c760afa8249fddddf634f5c6270180249eebb42fde7e75f13777a777954dd894
-  data.tar.gz: 6d103258c4749bafb3048942d7f98a4ba34632f19510e76c335021eb60d9299b7979fa440381d48ca5445fcd5cfee7ca0b8cbdf08825a036f1d4a12dcdbc16d1
+  metadata.gz: a4c8bea678eb530fb55f9ddeffd0105ad184138c0f77302bc610eee74da467d0de5583b09a1d578c1549cee9730b708d6223ec6d07404c6f9e53b92e4ef9e8b3
+  data.tar.gz: 32035b9d1703f0b08da77c8621ba19f2741486e90c02e8db886e686f4ac8dd39cf6ac38ad011374d6ed8c1c269b6e5ac20f550f71b4da29dd35e9e1d496d8ac8

data/lib/tcell_agent/agent/event_processor.rb

@@ -32,8 +32,14 @@ module TCellAgent
     end
 
     def ensure_event_processor_running
-      return if event_processor_running?
-      return if TCellAgent.configuration.should_start_event_manager? == false
+      if event_processor_running?
+        TCellAgent.logger.debug('[Agent::ensure_event_processor_running] Event processor already running, no need to start')
+        return
+      end
+      if TCellAgent.configuration.should_start_event_manager? == false
+        TCellAgent.logger.debug('[Agent::ensure_event_processor_running] TCellAgent.configuration.should_start_event_manager? is false, no need to start')
+        return
+      end
       @worker_mutex.synchronize do
         return if event_processor_running?
         initialize_processor_variables if parent_process? == false
@@ -42,7 +48,10 @@ module TCellAgent
     end
 
     def event_processor_running?
-      return true if TCellAgent::Agent.parent_process? == false
+      if TCellAgent::Agent.parent_process? == false
+        TCellAgent.logger.debug('[Agent::event_processor_running?] Not a parent process, so returning true')
+        return true
+      end
       @event_processor_thread && @event_processor_thread.alive?
     end
 
@@ -87,9 +96,17 @@ module TCellAgent
     def start_event_processor(send_empties = true)
       return if TCellAgent.configuration.should_start_event_manager? == false
 
-      return if TCellAgent::Agent.parent_process? == false
+      if TCellAgent.configuration.should_start_event_manager_in_child_processes?
+        TCellAgent.logger.debug('Enabling event manager in child processes')
+        require('tcell_agent/config/child_process_events')
+      end
 
-      TCellAgent.logger.debug('Starting event processor thread')
+      if TCellAgent::Agent.parent_process? == false
+        TCellAgent.logger.debug('[Agent::start_event_processor] Not a parent process, so not starting event processor thread')
+        return
+      end
+
+      TCellAgent.logger.debug('[Agent::start_event_processor] Starting event processor thread')
       @events_send_empties = send_empties
       Thread.abort_on_exception = true
       @event_processor_thread = Thread.new do
@@ -147,6 +164,7 @@ module TCellAgent
     end
 
     def ensure_fork_event_thread_running
+      TCellAgent.logger.debug('[Agent::ensure_fork_event_thread_running] Ensuring the fork event thread is running')
       return if event_fork_thread_running?
       @fork_event_thread_mutex.synchronize do
         return if event_fork_thread_running?
@@ -155,11 +173,15 @@ module TCellAgent
     end
 
     def event_fork_thread_running?
-      return true if TCellAgent::Agent.parent_process?
+      if TCellAgent::Agent.parent_process?
+        TCellAgent.logger.debug('[Agent::event_fork_thread_running?] Parent process, so returning true')
+        return true
+      end
       @fork_event_thread && @fork_event_thread.alive?
     end
 
     def start_fork_event_thread
+      TCellAgent.logger.debug('[Agent::start_fork_event_thread] Starting event fork thread')
       @fork_event_thread = Thread.new do
         loop do
           begin

data/lib/tcell_agent/config/child_process_events.rb

@@ -0,0 +1,8 @@
+# Forces event manager to start in child processes
+# Conditionally loaded based on config
+class << TCellAgent::Agent
+  alias_method :tcell_parent_process?, :parent_process?
+  def parent_process?
+    true
+  end
+end

data/lib/tcell_agent/configuration.rb

@@ -26,7 +26,6 @@ module TCellAgent
                   :app_id,
                   :api_key,
                   :hmac_key,
-                  :tcell_api_url,
                   :tcell_input_url,
                   :logging_options,
                   :logger,
@@ -54,22 +53,36 @@ module TCellAgent
                   :allow_payloads,
                   :password_hmac_key
 
+    attr_reader   :tcell_api_url
+
     attr_accessor :disable_all,
                   :enabled,
                   :enable_event_manager,       # false = Do not start the even manager
                   :enable_event_consumer,      # false = Do not consume events, drop them
                   :enable_policy_polling,      # false = Do not poll for policies
                   :enable_instrumentation,     # false = Do not add instrumentation
-                  :enable_intercept_requests   # false = Do not insert middleware
+                  :enable_intercept_requests,  # false = Do not insert middleware
+                  :enable_child_process_events # true = Start an event processor on all processes, even children
 
     attr_accessor :enabled_instrumentations
 
     attr_accessor :exp_config_settings
 
+    attr_accessor :disable_cmdi_exec_instrumentation # true = disable cmdi Kernel::exec instrumentation
+
+    def tcell_api_url=(value)
+      @tcell_api_url = value
+      @tcell_api_url = compose_api_url!
+    end
+
     def should_start_event_manager?
       @enabled && @enable_event_manager
     end
 
+    def should_start_event_manager_in_child_processes?
+      @enabled && @enable_event_manager && @enable_child_process_events
+    end
+
     def should_consume_event?
       @enabled && @enable_event_manager && @enable_event_consumer
     end
@@ -110,6 +123,10 @@ module TCellAgent
       end
     end
 
+    def should_instrument_cmdi_exec?
+      !@disable_cmdi_exec_instrumentation
+    end
+
     def initialize(filename = 'config/tcell_agent.config', _useapp = nil)
       # These will be set when the agent starts up, to give rails initializers
       # a chance to run
@@ -134,6 +151,7 @@ module TCellAgent
       @enable_policy_polling = true
       @enable_instrumentation = true
       @enable_intercept_requests = true
+      @enable_child_process_events = false
 
       @enabled_instrumentations = {
         :doorkeeper => true,
@@ -141,6 +159,8 @@ module TCellAgent
         :authlogic => true
       }
 
+      @disable_cmdi_exec_instrumentation = false
+
       @log_file_name = 'tcell_agent.log'
 
       @event_batch_size_limit = 50
@@ -254,6 +274,8 @@ module TCellAgent
 
       @agent_home_owner = ENV['TCELL_AGENT_HOME_OWNER'] || @agent_home_owner
       @agent_log_dir = ENV['TCELL_AGENT_LOG_DIR'] || @agent_log_dir
+
+      @disable_cmdi_exec_instrumentation = ENV['TCELL_CMDI_EXEC_DISABLED'] || @disable_cmdi_exec_instrumentation
     end
 
     def read_config_from_file(filename)
@@ -288,6 +310,7 @@ module TCellAgent
           @enable_intercept_requests = app_data.fetch('enable_intercept_requests', @enable_intercept_requests)
           @fetch_policies_from_tcell = app_data.fetch('fetch_policies_from_tcell', @fetch_policies_from_tcell)
           @instrument_for_events = app_data.fetch('instrument_for_events', @instrument_for_events)
+          @enable_child_process_events = app_data.fetch('enable_child_process_events', @enable_child_process_events)
 
           @agent_home_owner = app_data.fetch('agent_home_owner', @agent_home_owner)
 

data/lib/tcell_agent/instrumentation/cmdi.rb

@@ -0,0 +1,56 @@
+require 'tcell_agent/agent/policy_types'
+require 'tcell_agent/utils/strings'
+require 'tcell_agent/configuration'
+
+module TCellAgent
+  module Cmdi
+    def self.block_command?(cmd)
+      TCellAgent::Instrumentation.safe_block('Checking Command Injection Policy') do
+        if TCellAgent::Utils::Strings.present?(cmd)
+          rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
+          if rust_policies && rust_policies.cmdi_enabled
+            request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
+              Thread.current.object_id, {}
+            )
+            tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
+            return rust_policies.block_command?(cmd, tcell_context)
+          end
+        end
+      end
+
+      false
+    end
+
+    def self.parse_command(*args)
+      cmd = ''
+
+      TCellAgent::Instrumentation.safe_block('CMDI Parsing *args') do
+        unless args.empty?
+          args_copy = Array.new(args)
+          args_copy.shift if args_copy.first.is_a?(Hash)
+          args_copy.pop if args_copy.last.is_a?(Hash)
+
+          if args_copy.first.is_a?(Array)
+            cmd_n_argv0 = args_copy.shift
+            args_copy.unshift(cmd_n_argv0.first)
+          end
+
+          cmd = args_copy.join(' ')
+        end
+      end
+
+      cmd
+    end
+  end
+end
+
+if TCellAgent.configuration.should_instrument_cmdi_exec?
+  require('tcell_agent/instrumentation/cmdi/exec')
+else
+  TCellAgent.logger.debug('Disabling cmdi Kernel::exec instrumentation')
+end
+
+require('tcell_agent/instrumentation/cmdi/backtick')
+require('tcell_agent/instrumentation/cmdi/system')
+require('tcell_agent/instrumentation/cmdi/spawn')
+require('tcell_agent/instrumentation/cmdi/popen')

data/lib/tcell_agent/instrumentation/cmdi/backtick.rb

@@ -0,0 +1,10 @@
+module Kernel
+  alias_method :tcell_original_backtick, :`
+  def `(cmd)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_backtick(cmd)
+  end
+end

data/lib/tcell_agent/instrumentation/cmdi/exec.rb

@@ -0,0 +1,11 @@
+module Kernel
+  alias_method :tcell_original_exec, :exec
+  def exec(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_exec(*args)
+  end
+end

data/lib/tcell_agent/instrumentation/cmdi/popen.rb

@@ -0,0 +1,28 @@
+class IO
+  class << self
+    alias_method :tcell_original_popen, :popen
+    def popen(*args, &block)
+      unless args.empty?
+        cmd = ''
+
+        TCellAgent::Instrumentation.safe_block('CMDI Parsing popen *args') do
+          args_copy = Array.new(args)
+          args_copy.shift if args_copy.first.is_a?(Hash)
+          args_copy.pop if args_copy.last.is_a?(Hash)
+
+          cmd = if args_copy.first.is_a?(String)
+                  args_copy.shift
+                else
+                  TCellAgent::Cmdi.parse_command(*args_copy.shift)
+                end
+        end
+
+        if TCellAgent::Cmdi.block_command?(cmd)
+          raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
+        end
+      end
+
+      tcell_original_popen(*args, &block)
+    end
+  end
+end

data/lib/tcell_agent/instrumentation/cmdi/spawn.rb

@@ -0,0 +1,11 @@
+module Kernel
+  alias_method :tcell_original_spawn, :spawn
+  def spawn(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_spawn(*args)
+  end
+end

data/lib/tcell_agent/instrumentation/cmdi/system.rb

@@ -0,0 +1,11 @@
+module Kernel
+  alias_method :tcell_original_system, :system
+  def system(*args)
+    cmd = TCellAgent::Cmdi.parse_command(*args)
+    if TCellAgent::Cmdi.block_command?(cmd)
+      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
+    end
+
+    tcell_original_system(*args)
+  end
+end

data/lib/tcell_agent/rails/auth/devise.rb

@@ -92,9 +92,17 @@ if TCellAgent.configuration.should_instrument_devise? && defined?(Devise)
       alias_method :tcell_validate, :validate
       def validate(resource, &block)
         is_valid = tcell_validate(resource, &block)
+        send_event = is_valid
+
+        # gets the first entry in the current backtrace
+        # syntax suggested by rubocop to improve performance
+        if caller(1..1).first.include? 'two_factor_authenticatable'
+          TCellAgent.logger.debug('Not sending login success event for Devise::Strategies::TwoFactorAuthenticatable since 2fa is unsupported')
+          send_event = false
+        end
 
         TCellAgent::Instrumentation.safe_block('Devise Authenticatable Validate') do
-          if is_valid && TCellAgent.configuration.enabled &&
+          if send_event && TCellAgent.configuration.enabled &&
              TCellAgent.configuration.should_intercept_requests?
             username = nil
             (authentication_keys || []).each do |auth_key|

data/lib/tcell_agent/start_background_thread.rb

@@ -9,7 +9,7 @@ unless TCellAgent.configuration.disable_all
   module TCellAgent
     # require 'tcell_agent/sinatra' if defined?(Sinatra)
     require 'tcell_agent/rails' if defined?(Rails)
-    require 'tcell_agent/cmdi'
+    require 'tcell_agent/instrumentation/cmdi'
 
     def self.run_instrumentation(server_name, send_startup_events = true)
       require 'tcell_agent/hooks/login_fraud'

data/lib/tcell_agent/version.rb

@@ -1,5 +1,5 @@
 # See the file "LICENSE" for the full license governing this code.
 
 module TCellAgent
-  VERSION = '1.1.6'.freeze
+  VERSION = '1.1.7'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tcell_agent
 version: !ruby/object:Gem::Version
-  version: 1.1.6
+  version: 1.1.7
 platform: ruby
 authors:
 - Rafael
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-28 00:00:00.000000000 Z
+date: 2019-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
@@ -118,12 +118,18 @@ files:
 - lib/tcell_agent/api.rb
 - lib/tcell_agent/appsensor/injections_reporter.rb
 - lib/tcell_agent/authlogic.rb
-- lib/tcell_agent/cmdi.rb
+- lib/tcell_agent/config/child_process_events.rb
 - lib/tcell_agent/config/unknown_options.rb
 - lib/tcell_agent/configuration.rb
 - lib/tcell_agent/devise.rb
 - lib/tcell_agent/hooks/login_fraud.rb
 - lib/tcell_agent/instrumentation.rb
+- lib/tcell_agent/instrumentation/cmdi.rb
+- lib/tcell_agent/instrumentation/cmdi/backtick.rb
+- lib/tcell_agent/instrumentation/cmdi/exec.rb
+- lib/tcell_agent/instrumentation/cmdi/popen.rb
+- lib/tcell_agent/instrumentation/cmdi/spawn.rb
+- lib/tcell_agent/instrumentation/cmdi/system.rb
 - lib/tcell_agent/logger.rb
 - lib/tcell_agent/patches.rb
 - lib/tcell_agent/policies/dataloss_policy.rb

data/lib/tcell_agent/cmdi.rb

@@ -1,114 +0,0 @@
-require 'tcell_agent/agent/policy_types'
-require 'tcell_agent/utils/strings'
-
-module TCellAgent
-  module Cmdi
-    def self.block_command?(cmd)
-      TCellAgent::Instrumentation.safe_block('Checking Command Injection Policy') do
-        if TCellAgent::Utils::Strings.present?(cmd)
-          rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
-          if rust_policies && rust_policies.cmdi_enabled
-            request_env = TCellAgent::Instrumentation::Rails::Middleware::ContextMiddleware::THREADS.fetch(
-              Thread.current.object_id, {}
-            )
-            tcell_context = request_env[TCellAgent::Instrumentation::TCELL_ID]
-            return rust_policies.block_command?(cmd, tcell_context)
-          end
-        end
-      end
-
-      false
-    end
-
-    def self.parse_command(*args)
-      cmd = ''
-
-      TCellAgent::Instrumentation.safe_block('CMDI Parsing *args') do
-        unless args.empty?
-          args_copy = Array.new(args)
-          args_copy.shift if args_copy.first.is_a?(Hash)
-          args_copy.pop if args_copy.last.is_a?(Hash)
-
-          if args_copy.first.is_a?(Array)
-            cmd_n_argv0 = args_copy.shift
-            args_copy.unshift(cmd_n_argv0.first)
-          end
-
-          cmd = args_copy.join(' ')
-        end
-      end
-
-      cmd
-    end
-  end
-end
-
-module Kernel
-  alias_method :tcell_original_backtick, :`
-  def `(cmd)
-    if TCellAgent::Cmdi.block_command?(cmd)
-      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-    end
-
-    tcell_original_backtick(cmd)
-  end
-
-  alias_method :tcell_original_exec, :exec
-  def exec(*args)
-    cmd = TCellAgent::Cmdi.parse_command(*args)
-    if TCellAgent::Cmdi.block_command?(cmd)
-      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-    end
-
-    tcell_original_exec(*args)
-  end
-
-  alias_method :tcell_original_system, :system
-  def system(*args)
-    cmd = TCellAgent::Cmdi.parse_command(*args)
-    if TCellAgent::Cmdi.block_command?(cmd)
-      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-    end
-
-    tcell_original_system(*args)
-  end
-
-  alias_method :tcell_original_spawn, :spawn
-  def spawn(*args)
-    cmd = TCellAgent::Cmdi.parse_command(*args)
-    if TCellAgent::Cmdi.block_command?(cmd)
-      raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-    end
-
-    tcell_original_spawn(*args)
-  end
-end
-
-class IO
-  class << self
-    alias_method :tcell_original_popen, :popen
-    def popen(*args, &block)
-      unless args.empty?
-        cmd = ''
-
-        TCellAgent::Instrumentation.safe_block('CMDI Parsing popen *args') do
-          args_copy = Array.new(args)
-          args_copy.shift if args_copy.first.is_a?(Hash)
-          args_copy.pop if args_copy.last.is_a?(Hash)
-
-          cmd = if args_copy.first.is_a?(String)
-                  args_copy.shift
-                else
-                  TCellAgent::Cmdi.parse_command(*args_copy.shift)
-                end
-        end
-
-        if TCellAgent::Cmdi.block_command?(cmd)
-          raise Errno::ENOENT, "tCell.io Agent: Command not allowed by policy: #{cmd}"
-        end
-      end
-
-      tcell_original_popen(*args, &block)
-    end
-  end
-end