diff --git a/app/options.py b/app/options.py index 1aed18dd..b52f4d6e 100644 --- a/app/options.py +++ b/app/options.py @@ -102,10 +102,20 @@ if form.getvalue('action_hap') is not None and serv is not None: print("HAproxy was %s" % action) else: print("Bad config, check please") - + +if form.getvalue('action_waf') is not None and serv is not None: + serv = form.getvalue('serv') + action = form.getvalue('action_waf') + + commands = [ "sudo systemctl %s waf" % action ] + funct.ssh_command(serv, commands) + if act == "overview": ovw.get_overview() - + +if act == "overviewwaf": + ovw.get_overviewWaf() + if act == "overviewServers": ovw.get_overviewServers() @@ -161,6 +171,7 @@ if serv is not None and act == "stats": if serv is not None and form.getvalue('rows') is not None: rows = form.getvalue('rows') + waf = form.getvalue('waf') grep = form.getvalue('grep') hour = form.getvalue('hour') minut = form.getvalue('minut') @@ -179,11 +190,15 @@ if serv is not None and form.getvalue('rows') is not None: if syslog_server_enable is None or syslog_server_enable == "0": local_path_logs = sql.get_setting('local_path_logs') syslog_server = serv - commands = [ "sudo cat %s| awk '$3>\"%s:00\" && $3<\"%s:00\"' |tail -%s %s %s" % (local_path_logs, date, date1, rows, grep_act, grep) ] + commands = [ "sudo cat %s| awk '$3>\"%s:00\" && $3<\"%s:00\"' |tail -%s %s %s" % (local_path_logs, date, date1, rows, grep_act, grep) ] else: commands = [ "sudo cat /var/log/%s/syslog.log | sed '/ %s:00/,/ %s:00/! d' |tail -%s %s %s" % (serv, date, date1, rows, grep_act, grep) ] syslog_server = sql.get_setting('syslog_server') - + + if waf == "1": + local_path_logs = '/var/log/modsec_audit.log' + commands = [ "sudo cat %s |tail -%s %s %s" % (local_path_logs, rows, grep_act, grep) ] + funct.ssh_command(syslog_server, commands, show_log="1") if serv is not None and form.getvalue('rows1') is not None: diff --git a/app/ovw.py b/app/ovw.py index fa740c1c..8088a3d5 100644 --- a/app/ovw.py +++ b/app/ovw.py @@ -28,14 +28,35 @@ def get_overview(): template = template.render(service_status = servers, role = sql.get_user_role_by_uuid(user_id.value)) print(template) + +def get_overviewWaf(): + import http.cookies + from jinja2 import Environment, FileSystemLoader + env = Environment(loader=FileSystemLoader('templates/ajax')) + template = env.get_template('overivewWaf.html') + cookie = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE")) + user_id = cookie.get('uuid') + haproxy_dir = sql.get_setting('haproxy_dir') + haproxy_sock_port = sql.get_setting('haproxy_sock_port') + + listhap = sql.get_dick_permit() + commands = [ "ps ax |grep waf/bin/modsecurity |grep -v grep |wc -l" ] + commands1 = [ "cat %s/waf/modsecurity.conf |grep SecRuleEngine |grep -v '#' |awk '{print $2}'" % haproxy_dir ] + servers = [] + + for server in listhap: + server_status = () + server_status = (server[1],server[2], funct.ssh_command(server[2], commands), funct.ssh_command(server[2], commands1)) + servers.append(server_status) + + template = template.render(service_status = servers, role = sql.get_user_role_by_uuid(user_id.value)) + print(template) def get_overviewServers(): import http.cookies from jinja2 import Environment, FileSystemLoader env = Environment(loader=FileSystemLoader('templates/ajax')) template = env.get_template('overviewServers.html') - cookie = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE")) - user_id = cookie.get('uuid') haproxy_sock_port = sql.get_setting('haproxy_sock_port') listhap = sql.get_dick_permit() @@ -58,7 +79,7 @@ def get_overviewServers(): server_status = (server[1],server[2], out1, funct.ssh_command(server[2], commands),funct.show_backends(server[2], ret=1)) servers.append(server_status) - template = template.render(service_status = servers, role = sql.get_user_role_by_uuid(user_id.value)) + template = template.render(service_status = servers) print(template) def get_map(serv): diff --git a/app/scripts/waf.sh b/app/scripts/waf.sh index f28dcdc2..c5b6c3a0 100644 --- a/app/scripts/waf.sh +++ b/app/scripts/waf.sh @@ -28,11 +28,14 @@ fi if [ -f $HAPROXY_PATH/waf/modsecurity.conf ];then echo -e 'error: Haproxy WAF already installed. You can edit confighere

' exit 1 -fi -wget -O /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm http://rpmfind.net/linux/centos/7.5.1804/os/x86_64/Packages/yajl-devel-2.0.4-4.el7.x86_64.rpm -wget -O /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm http://mirror.centos.org/centos/7/os/x86_64/Packages/libevent-devel-2.0.21-4.el7.x86_64.rpm -wget -O /tmp/modsecurity-2.9.2.tar.gz https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz -sudo yum install /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm httpd-devel libxml2-devel gcc curl-devel -y +fiif hash apt-get 2>/dev/null; then + sudo apt-get install yajl-dev libevent-dev httpd-dev libxml2-dev gcc curl-dev -y +else + wget -O /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm http://rpmfind.net/linux/centos/7.5.1804/os/x86_64/Packages/yajl-devel-2.0.4-4.el7.x86_64.rpm + wget -O /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm http://mirror.centos.org/centos/7/os/x86_64/Packages/libevent-devel-2.0.21-4.el7.x86_64.rpm + wget -O /tmp/modsecurity-2.9.2.tar.gz https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz + sudo yum install /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm httpd-devel libxml2-devel gcc curl-devel -y +if if [ $? -eq 1 ]; then echo -e "Can't download waf application. Check Internet connection" @@ -119,6 +122,8 @@ sudo tar xf /tmp/owasp.tar.gz sudo mv /tmp/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf sudo mv /tmp/owasp-modsecurity-crs-2.2.9/*rules/* $HAPROXY_PATH/waf/rules/ sudo sed -i 's/#SecAction/SecAction/' $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf +sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' $HAPROXY_PATH/waf/modsecurity.conf +sudo sed -i 's/SecAuditLogParts ABIJDEFHZ/SecAuditLogParts ABIJDEH/' $HAPROXY_PATH/waf/modsecurity.conf sudo rm -f /tmp/owasp.tar.gz sudo bash -c cat << EOF > /etc/systemd/system/multi-user.target.wants/waf.service @@ -144,7 +149,7 @@ if $programname startswith 'waf' then /var/log/waf.log & stop EOF -sudo bash -c cat << EOF > $HAPROXY_PATH/spoe-modsecurity.conf +sudo bash -c cat << EOF > $HAPROXY_PATH/waf.conf [modsecurity] spoe-agent modsecurity-agent messages check-request @@ -152,7 +157,7 @@ spoe-agent modsecurity-agent timeout hello 100ms timeout idle 30s timeout processing 15ms - use-backend spoe-modsecurity + use-backend waf spoe-message check-request args unique-id method path query req.ver req.hdrs_bin req.body_size req.body @@ -163,7 +168,7 @@ if sudo grep -q "backend spoe-modsecurity" $HAPROXY_PATH/haproxy.cfg; then else sudo bash -c cat << EOF >> $HAPROXY_PATH/haproxy.cfg -backend spoe-modsecurity +backend waf mode tcp timeout connect 5s timeout server 3m diff --git a/app/templates/ajax/overivewWaf.html b/app/templates/ajax/overivewWaf.html new file mode 100644 index 00000000..337be011 --- /dev/null +++ b/app/templates/ajax/overivewWaf.html @@ -0,0 +1,35 @@ +{% for service in service_status %} + + + {{ service.0 }} + + + {% if service.2|int() >= 1 %} + UP running {{service.2 }} processes + {% else %} + DOWN running {{service.2 }} processes + {% endif %} + + + {% if role <= 1 %} + + start + + + start + + + restart + + {% endif %} + + + {% if service.3 %} + {{ service.3 }} + {%else %} + WAF not installed + {% endif %} + + + +{% endfor %} \ No newline at end of file diff --git a/app/templates/logs.html b/app/templates/logs.html index 119e5ae7..d2b2910d 100644 --- a/app/templates/logs.html +++ b/app/templates/logs.html @@ -10,6 +10,7 @@ Server {% endif %} + WAF logs Number rows Ex for grep @@ -44,6 +45,9 @@ {% endif %} + + + diff --git a/app/templates/ovw.html b/app/templates/ovw.html index b408c24e..d4628f5f 100644 --- a/app/templates/ovw.html +++ b/app/templates/ovw.html @@ -97,10 +97,7 @@ HAproxy status - - WAF status - - + Action @@ -112,6 +109,25 @@ + + + + + + + + +
+ Server + + WAF status + + Action + + WAF mode + + restart +
diff --git a/image/haproxy-wi-overview.jpeg b/image/haproxy-wi-overview.jpeg index 0c130fbd..a2171aac 100644 Binary files a/image/haproxy-wi-overview.jpeg and b/image/haproxy-wi-overview.jpeg differ diff --git a/inc/overview.js b/inc/overview.js index cf8c7d56..ebe69bf8 100644 --- a/inc/overview.js +++ b/inc/overview.js @@ -14,7 +14,29 @@ function ajaxActionServers(action, id) { if( data == 'Bad config, check please ' ) { alert(data); } else { - setTimeout(showOverview, 2000) + setTimeout(showOverview, 2000) + } + }, + error: function(){ + alert(w.data_error); + } + } ); + } +function ajaxActionWafServers(action, id) { + var bad_ans = 'Bad config, check please'; + $.ajax( { + url: "options.py", + data: { + action_waf: action, + serv: id, + token: $('#token').val() + }, + success: function( data ) { + data = data.replace(/\s+/g,' '); + if( data == 'Bad config, check please ' ) { + alert(data); + } else { + setTimeout(showOverviewWaf, 2000) } }, error: function(){ @@ -22,19 +44,30 @@ function ajaxActionServers(action, id) { } } ); } - $( function() { $('.start').click(function() { var id = $(this).attr('id'); - confirmAjaxAction("start", id); + confirmAjaxAction("start", "hap", id); }); $('.stop').click(function() { var id = $(this).attr('id'); - confirmAjaxAction("stop", id); + confirmAjaxAction("stop", "hap", id); }); $('.restart').click(function() { var id = $(this).attr('id'); - confirmAjaxAction("restart", id); + confirmAjaxAction("restart", "hap", id); + }); + $('.start-waf').click(function() { + var id = $(this).attr('id'); + confirmAjaxAction("start", "waf", id); + }); + $('.stop-waf').click(function() { + var id = $(this).attr('id'); + confirmAjaxAction("stop", "waf", id); + }); + $('.restart-waf').click(function() { + var id = $(this).attr('id'); + confirmAjaxAction("restart", "waf", id); }); $( "#show-all-users" ).click( function() { if($( "#show-all-users" ).text() == "Show all") { @@ -49,7 +82,7 @@ $( function() { }); $('#secIntervals').css('display', 'none'); }); -function confirmAjaxAction(action, id) { +function confirmAjaxAction(action, service, id) { $( "#dialog-confirm" ).dialog({ resizable: false, height: "auto", @@ -58,8 +91,12 @@ function confirmAjaxAction(action, id) { title: "Are you sure you want "+ action + " " + id + "?", buttons: { "Sure": function() { - $( this ).dialog( "close" ); - ajaxActionServers(action, id); + $( this ).dialog( "close" ); + if(service == "hap") { + ajaxActionServers(action, id); + } else if (service == "waf") { + ajaxActionWafServers(action, id) + } }, Cancel: function() { $( this ).dialog( "close" ); diff --git a/inc/script.js b/inc/script.js index 95a440ce..065be087 100644 --- a/inc/script.js +++ b/inc/script.js @@ -140,6 +140,7 @@ $( document ).ajaxComplete(function( event, request, settings ) { function showOverview() { showOverviewServers(); + showOverviewWaf() $.ajax( { url: "options.py", data: { @@ -150,6 +151,23 @@ function showOverview() { success: function( data ) { $("#ajaxstatus").empty(); $("#ajaxstatus").html(data); + $.getScript('/inc/overview.js'); + } + } ); +} +function showOverviewWaf() { + showOverviewServers(); + $.ajax( { + url: "options.py", + data: { + act: "overviewwaf", + token: $('#token').val() + }, + type: "GET", + success: function( data ) { + $("#ajaxwafstatus").empty(); + $("#ajaxwafstatus").html(data); + $.getScript('/inc/overview.js'); } } ); } @@ -185,11 +203,16 @@ function showStats() { } function showLog() { + var waf = 0; + if ($('#waf').is(':checked')) { + waf = '1'; + } $.ajax( { url: "options.py", data: { rows: $('#rows').val(), serv: $("#serv").val(), + waf: waf, grep: $("#grep").val(), hour: $('#time_range_out_hour').val(), minut: $('#time_range_out_minut').val(),