From 6ae69306c23058a386b3d8d360fe5e666e42e499 Mon Sep 17 00:00:00 2001
From: Pavel Loginov <aidaho@roxy-wi.org>
Date: Sun, 24 Jul 2022 22:36:05 +0300
Subject: [PATCH] v6.1.2.0

Change log: https://roxy-wi.org/changelog.py#6_1_2
---
 .github/workflows/fortify.yml                 | 98 -------------------
 .github/workflows/pysa.yml                    | 50 ----------
 app/funct.py                                  | 30 ++++--
 .../haproxy/templates/haproxy_rsyslog.conf.j2 |  2 +
 .../roles/keepalived/tasks/install.yml        |  2 -
 .../keepalived/templates/keepalived.conf.j2   |  2 +-
 .../keepalived/templates/rsyslog.conf.j2      |  1 +
 app/templates/ajax/show_configs_files.html    | 11 ++-
 8 files changed, 34 insertions(+), 162 deletions(-)
 delete mode 100644 .github/workflows/fortify.yml
 delete mode 100644 .github/workflows/pysa.yml

diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml
deleted file mode 100644
index 4b59b5e6..00000000
--- a/.github/workflows/fortify.yml
+++ /dev/null
@@ -1,98 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-################################################################################################################################################
-# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,#
-# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial #
-# or contact our sales team, visit microfocus.com/appsecurity.                                                                                 #
-#                                                                                                                                              #
-# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.#
-# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into       #
-# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against  #
-# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the   #
-# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional     #
-# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal.                                            #
-################################################################################################################################################
-
-name: Fortify on Demand Scan
-
-# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time
-on:
-  workflow_dispatch:
-  push:
-    branches: [ "master" ]
-  schedule:
-    - cron: '43 17 * * 5'
-
-jobs:
-  FoD-SAST-Scan:
-    # Use the appropriate runner for building your source code.
-    # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax.
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    steps:
-      # Check out source code
-      - name: Check Out Source Code
-        uses: actions/checkout@v3
-
-      # Java is required to run the various Fortify utilities.
-      # When scanning a Java application, please use the appropriate Java version for building your application.
-      - name: Setup Java
-        uses: actions/setup-java@v3
-        with:
-          java-version: 8
-          distribution: 'temurin'
-
-      # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml.
-      # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints:
-      #   ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle).
-      #   ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner.
-      #   ScanCentral has additional options that should be set for PHP and Python projects
-      #   For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation.
-      #   ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/
-      - name: Download Fortify ScanCentral Client
-        uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3
-      - name: Package Code + Dependencies
-        run: scancentral package $PACKAGE_OPTS -o package.zip
-        env:
-          PACKAGE_OPTS: "-bt mvn"
-
-      # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java
-      # TODO: Update ENV variables for your application and create the necessary GitHub Secrets.  Helpful hints:
-      #   Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used).
-      #   Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal.
-      - name: Download Fortify on Demand Universal CI Tool
-        uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433
-      - name: Perform SAST Scan
-        run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES"
-        env:
-          FOD_URL: "https://ams.fortify.com/"
-          FOD_API_URL: "https://api.ams.fortify.com/"
-          FOD_TENANT: ${{ secrets.FOD_TENANT }}
-          FOD_USER: ${{ secrets.FOD_USER }}
-          FOD_PAT: ${{ secrets.FOD_PAT }}
-          FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }}
-          FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf"
-          FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})'
-
-      # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output.
-      - name: Export results to GitHub-optimized SARIF
-        uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b
-        with:
-          fod_base_url: "https://ams.fortify.com/"
-          fod_tenant: ${{ secrets.FOD_TENANT }}
-          fod_user: ${{ secrets.FOD_USER }}
-          fod_password: ${{ secrets.FOD_PAT }}
-          fod_release_id: ${{ secrets.FOD_RELEASE_ID }}
-
-      # Import Fortify on Demand results to GitHub Security Code Scanning
-      - name: Import Results
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: ./gh-fortify-sast.sarif
diff --git a/.github/workflows/pysa.yml b/.github/workflows/pysa.yml
deleted file mode 100644
index d7bde84b..00000000
--- a/.github/workflows/pysa.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates Python Static Analyzer (Pysa) with
-# GitHub's Code Scanning feature.
-#
-# Python Static Analyzer (Pysa) is a security-focused static
-# analysis tool that tracks flows of data from where they
-# originate to where they terminate in a dangerous location.
-#
-# See https://pyre-check.org/docs/pysa-basics/
-
-name: Pysa
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [ "master" ]
-  pull_request:
-    branches: [ "master" ]
-  schedule:
-    - cron: '30 23 * * 2'
-
-permissions:
-    contents: read
-
-jobs:
-  pysa:
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: true
-
-      - name: Run Pysa
-        uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
-        with:
-          # To customize these inputs:
-          # See https://github.com/facebook/pysa-action#inputs
-          repo-directory: './'
-          requirements-path: 'requirements.txt'
-          infer-types: true
-          include-default-sapp-filters: true
diff --git a/app/funct.py b/app/funct.py
index caac35ae..df102099 100644
--- a/app/funct.py
+++ b/app/funct.py
@@ -941,6 +941,10 @@ def upload_and_restart(server_ip, cfg, **kwargs):
 		service = 'keepalived'
 		config_path = sql.get_setting('keepalived_config_path')
 		tmp_file = sql.get_setting('tmp_config_path') + "/" + get_data('config') + ".cfg"
+	elif kwargs.get('waf'):
+		service = 'waf'
+		config_path = kwargs.get('config_file_name')
+		tmp_file = sql.get_setting('tmp_config_path') + "/" + get_data('config') + ".conf"
 	else:
 		service = 'haproxy'
 		config_path = sql.get_setting('haproxy_config_path')
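Review bot: In the new `elif kwargs.get('waf')` branch `config_path` is taken straight from `kwargs.get('config_file_name')`, whereas the sibling branches read the path from settings; this value is the `new_config_name` field the template change in this same patch lets the user type, and the next hunk concatenates it into a shell string (`"sudo mv -f " + tmp_file + " " + config_path`), so a name containing spaces, shell metacharacters or `..` segments reaches the command unchecked. Constrain it to the documented `sub-directory/config_name` shape before use, e.g. `if not config_path or not re.fullmatch(r'[\w.-]+(/[\w.-]+)*', config_path): raise ValueError('invalid config_file_name')` (with `re` imported), or at least resolve it under the intended base directory and reject anything that escapes it. Note also that when `config_file_name` is missing, `config_path` is `None` and the later concatenation raises `TypeError` rather than a clear error. `upload_and_restart` begins and ends outside this hunk.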
@@ -1019,6 +1023,12 @@ def upload_and_restart(server_ip, cfg, **kwargs):
 			commands = [check_and_move + reload_or_restart_command]
 		# if sql.return_firewall(server_ip):
 		# 	commands[0] += open_port_firewalld(cfg, server_ip=server_ip, service='nginx')
+	elif service == 'waf':
+		check_and_move = "sudo mv -f " + tmp_file + " " + config_path
+		if action == "save":
+			commands = [check_and_move]
+		else:
+			commands = [check_and_move + reload_or_restart_command]
 	else:
 		if is_docker == '1':
 			check_config = "sudo docker exec -it " + container_name + " haproxy -c -f " + tmp_file
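Review bot: The new `service == 'waf'` branch moves the temporary file into place with `mv -f` and, unless `action == "save"`, reloads immediately, with no check of the new file's syntax beforehand; the haproxy branch directly below runs `haproxy -c -f` on `tmp_file` first, so a malformed WAF file here takes the service down and, because `mv -f` overwrites without a backup, cannot be restored from the server. If the WAF engine has a config-test mode, run it on `tmp_file` and only move on success, as the haproxy branch does, and keep the previous file (e.g. copy it to `config_path + '.bak'` first). Independently of that, both paths are interpolated unquoted; `check_and_move = "sudo mv -f " + shlex.quote(tmp_file) + " " + shlex.quote(config_path)` (with `import shlex`) keeps a path with spaces or shell characters from being re-parsed by the remote shell. `reload_or_restart_command` and `action` are defined outside this hunk.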
@@ -1044,7 +1054,7 @@ def upload_and_restart(server_ip, cfg, **kwargs):
 			logging('localhost', str(e), haproxywi=1)
 
 		# If master then save version of config in a new way
-		if not kwargs.get('slave'):
+		if not kwargs.get('slave') and service != 'waf':
 			from pathlib import Path
 
 			diff = ''
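Review bot: The added `and service != 'waf'` silently drops WAF files from the config-versioning block with no comment saying why, so the next maintainer has no way to tell deliberate exclusion from an oversight. It also means a WAF config that breaks the service has no saved copy to roll back to, which is exactly the case where versioning pays off. If the exclusion is intended, add a line such as `# WAF files are written as-is; only haproxy/nginx/apache/keepalived configs get a versioned copy` above the condition; if not, let the branch fall through and version them too.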
@@ -1109,14 +1119,15 @@ def master_slave_upload_and_restart(server_ip, cfg, just_save, **kwargs):
 	for master in masters:
 		if master[0] is not None:
 			slv_output = upload_and_restart(
-				master[0], cfg, just_save=just_save, nginx=kwargs.get('nginx'),
+				master[0], cfg, just_save=just_save, nginx=kwargs.get('nginx'), waf=kwargs.get('waf'),
 				apache=kwargs.get('apache'), config_file_name=kwargs.get('config_file_name'), slave=1
 			)
 			slave_output += '<br>' + master[1] + ':\n' + slv_output
 
 	output = upload_and_restart(
-		server_ip, cfg, just_save=just_save, nginx=kwargs.get('nginx'), apache=kwargs.get('apache'),
-		config_file_name=kwargs.get('config_file_name'), oldcfg=kwargs.get('oldcfg'), login=login
+		server_ip, cfg, just_save=just_save, nginx=kwargs.get('nginx'), waf=kwargs.get('waf'),
+		apache=kwargs.get('apache'), config_file_name=kwargs.get('config_file_name'),
+		oldcfg=kwargs.get('oldcfg'), login=login
 	)
 
 	output = server_name + ':\n' + output
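Review bot: The keyword forwarding to `upload_and_restart` is now spelled out twice (the master loop and the final call), and this patch had to add `waf=kwargs.get('waf')` in both places; the next flag will have to be added twice again and one of the two will eventually drift. Build the shared set once, e.g. `common = dict(just_save=just_save, nginx=kwargs.get('nginx'), waf=kwargs.get('waf'), apache=kwargs.get('apache'), config_file_name=kwargs.get('config_file_name'))`, then call `upload_and_restart(master[0], cfg, slave=1, **common)` in the loop and `upload_and_restart(server_ip, cfg, oldcfg=kwargs.get('oldcfg'), login=login, **common)` below. `master_slave_upload_and_restart` starts before this hunk.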
@@ -1253,10 +1264,13 @@ def show_finding_in_config(stdout: str, **kwargs) -> str:
 
 def show_haproxy_log(serv, rows=10, waf='0', grep=None, hour='00', minut='00', hour1='24', minut1='00', service='haproxy', **kwargs):
 	import sql
-	exgrep = form.getvalue('exgrep')
-	log_file = form.getvalue('file')
-	date = hour + ':' + minut
-	date1 = hour1 + ':' + minut1
+	exgrep = checkAjaxInput(form.getvalue('exgrep'))
+	log_file = checkAjaxInput(form.getvalue('file'))
+	date = checkAjaxInput(hour) + ':' + checkAjaxInput(minut)
+	date1 = checkAjaxInput(hour1) + ':' + checkAjaxInput(minut1)
+	grep = checkAjaxInput(grep)
+	rows = checkAjaxInput(rows)
+	waf = checkAjaxInput(waf)
 	cmd = ''
 
 	if grep is not None:
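Review bot: `grep = checkAjaxInput(grep)` now runs before the existing `if grep is not None:` test; what `checkAjaxInput` returns for a `None` input is not visible here, and if it normalizes it to a string the grep branch will always be taken for callers that never passed a pattern. The same applies to `rows`, whose default is the integer `10`, and to `waf`, so it is worth confirming the helper tolerates non-string and `None` inputs, or guarding the calls (`grep = checkAjaxInput(grep) if grep is not None else None`). For `hour`/`minut`/`hour1`/`minut1`, which are assembled into a time string, a generic sanitizer is weaker than a shape check; something like `if not all(str(v).isdigit() for v in (hour, minut, hour1, minut1)): raise ValueError('time fields must be numeric')` pins what these values may contain before they reach `cmd`. The body of `show_haproxy_log` continues past this hunk.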
diff --git a/app/scripts/ansible/roles/haproxy/templates/haproxy_rsyslog.conf.j2 b/app/scripts/ansible/roles/haproxy/templates/haproxy_rsyslog.conf.j2
index 420d98ce..212449d8 100644
--- a/app/scripts/ansible/roles/haproxy/templates/haproxy_rsyslog.conf.j2
+++ b/app/scripts/ansible/roles/haproxy/templates/haproxy_rsyslog.conf.j2
@@ -1,6 +1,8 @@
 $ModLoad imudp
 $UDPServerAddress 127.0.0.1
 $UDPServerRun 514
+module(load="builtin:omfile")
+
 
 if $programname startswith 'haproxy' then {
   if $syslogseverity == 6 then
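Review bot: The added `module(load="builtin:omfile")` is RainerScript syntax dropped into a file that otherwise uses the legacy `$ModLoad`/`$UDPServer*` directives; rsyslog accepts the mix, but the file should settle on one style. As far as I recall, omfile is a built-in module that rsyslog loads implicitly, so an explicit `module(load="builtin:omfile")` only matters when it also sets module parameters; if the intent is merely to enable file output, the line is likely a no-op, and if it was meant to fix a specific error, a comment above it naming that error (`# needed for: <error text>`) would save the next reader from guessing. The hunk also introduces two consecutive blank lines after the new directive. The same addition appears in `roles/keepalived/templates/rsyslog.conf.j2` in this patch.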
diff --git a/app/scripts/ansible/roles/keepalived/tasks/install.yml b/app/scripts/ansible/roles/keepalived/tasks/install.yml
index 438d5ec8..4fcb380c 100644
--- a/app/scripts/ansible/roles/keepalived/tasks/install.yml
+++ b/app/scripts/ansible/roles/keepalived/tasks/install.yml
@@ -61,8 +61,6 @@
     src: keepalived.conf.j2
     dest: /etc/keepalived/keepalived.conf
     mode: 0644
-  notify: restart keepalived
-
 
 - name: test to see if selinux is running
   command: getenforce
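Review bot: Dropping `notify: restart keepalived` from the template task means that a re-run which changes `/etc/keepalived/keepalived.conf` writes the new file but never applies it, leaving the running keepalived on the old configuration until someone restarts it by hand; the handler itself is presumably defined outside this hunk. If the aim is to avoid a restart during initial install, say so in a comment above the task and consider `notify: reload keepalived` (keepalived reloads on SIGHUP) instead of removing the notification entirely. While here, the context line `mode: 0644` is an unquoted octal that Ansible warns about; `mode: "0644"` is the portable form.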
diff --git a/app/scripts/ansible/roles/keepalived/templates/keepalived.conf.j2 b/app/scripts/ansible/roles/keepalived/templates/keepalived.conf.j2
index ab61f73c..18564299 100644
--- a/app/scripts/ansible/roles/keepalived/templates/keepalived.conf.j2
+++ b/app/scripts/ansible/roles/keepalived/templates/keepalived.conf.j2
@@ -3,7 +3,7 @@ global_defs {
 }
 #health-check for keepalive
 vrrp_script chk_haproxy { 
-    script "/usr/bin/killall -0 haproxy"
+    script "systemctl is-active --quiet haproxy"
     interval 2
     weight 3 
 }
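Review bot: The new health check `systemctl is-active --quiet haproxy` names the binary without a path, where the previous `/usr/bin/killall -0 haproxy` was absolute; keepalived executes vrrp_script commands with its own environment and, with script security enabled, is strict about script paths, so `script "/usr/bin/systemctl is-active --quiet haproxy"` (or `/bin/systemctl` on older Debian-based hosts — confirm for the target distribution) is the safer form. Note also that `is-active` reports the unit's state rather than process liveness, so a haproxy that is hung but still running keeps the unit active and this check will not demote the node, which is a behaviour change from the process-based test. The context lines `vrrp_script chk_haproxy { ` and `weight 3 ` carry trailing whitespace that could be cleaned up in passing.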
diff --git a/app/scripts/ansible/roles/keepalived/templates/rsyslog.conf.j2 b/app/scripts/ansible/roles/keepalived/templates/rsyslog.conf.j2
index a909505c..d5eeeb43 100644
--- a/app/scripts/ansible/roles/keepalived/templates/rsyslog.conf.j2
+++ b/app/scripts/ansible/roles/keepalived/templates/rsyslog.conf.j2
@@ -1,6 +1,7 @@
 $ModLoad imudp
 $UDPServerAddress 127.0.0.1
 $UDPServerRun 514
+module(load="builtin:omfile")
 
 if $programname startswith 'Keepalived_vrrp' then {
   if $syslogseverity == 6 then
diff --git a/app/templates/ajax/show_configs_files.html b/app/templates/ajax/show_configs_files.html
index 798abc8d..6d70278c 100644
--- a/app/templates/ajax/show_configs_files.html
+++ b/app/templates/ajax/show_configs_files.html
@@ -36,9 +36,14 @@
 	</div>
 
 <div id="add-new-config" style="display: none">
-	<div style="padding-top: 15px;">
-	Config file name: {{ input('new_config_name', type='text', placeholder='conf.d/config_name', title='Format: sub-directory/config_name') }}
-	{{ input('path_config_name', type='hidden', value=path_dir) }}
+	<table class="overview">
+			{% include 'include/tr_validate_tips.html' %}
+			<tr>
+				<td class="padding20">Config file name:</td>
+				<td>{{ input('new_config_name', type='text', placeholder='conf.d/config_name', title='Format: sub-directory/config_name') }}</td>
+			</tr>
+			{{ input('path_config_name', type='hidden', value=path_dir) }}
+	</table>
 	</div>
 </div>
 <script>
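Review bot: The hidden `path_config_name` input is placed directly as a child of `<table>` rather than inside a row and cell; HTML parsers foster-parent such content out of the table, so its DOM position becomes browser-dependent and any script that locates it relative to the table may not find it. Wrap it in a cell, e.g. `<tr><td colspan="2">{{ input('path_config_name', type='hidden', value=path_dir) }}</td></tr>`, or put it immediately before the `<table>`. Since `new_config_name` is the value that `funct.py` in this same patch uses as `config_file_name` inside a shell command, the placeholder and title hints here are documentation only and the server side still has to validate the name.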