remove csec agent config, update status log for csec config

newrelic · Jan 22, 2025 · f0c3fde · f0c3fde
1 parent 95d1c78
commit f0c3fde
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 321 deletions.
diff --git a/agent/php_minit.c b/agent/php_minit.c
@@ -719,11 +719,14 @@ PHP_MINIT_FUNCTION(newrelic) {
   nr_wordpress_minit();
   nr_php_set_opcode_handlers();
 
-  if (!NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) || !NR_PHP_PROCESS_GLOBALS(nr_security_enabled) || NR_PHP_PROCESS_GLOBALS(high_security)) {
-    nrl_info(NRL_INIT, "New Relic Security is completely disabled by one of the user provided config `newrelic.security.enabled`, `newrelic.security.agent.enabled` or `newrelic.high_security`. Not loading security capabilities.");
-    nrl_debug(NRL_INIT, "newrelic.security.agent.enabled : %s", NR_PHP_PROCESS_GLOBALS(nr_security_enabled) ? "true" : "false");
-    nrl_debug(NRL_INIT, "newrelic.security.enabled : %s", NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) ? "true" : "false");
-    nrl_debug(NRL_INIT, "newrelic.high_security : %s", NR_PHP_PROCESS_GLOBALS(high_security) ? "true" : "false");
+  if (NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled)
+      && NR_PHP_PROCESS_GLOBALS(nr_security_enabled)
+      && !NR_PHP_PROCESS_GLOBALS(high_security)) {
+    nrl_info(
+        NRL_INIT,
+        "New Relic Security is enabled by the user provided config "
+        "`newrelic.security.enabled`, `newrelic.security.agent.enabled` and "
+        "`newrelic.high_security`. Security capabilities will be loaded.");
   }
 
   nrl_debug(NRL_INIT, "MINIT processing done");

diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template
@@ -1333,319 +1333,3 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log"
 ;          for vulnerability management.
 ;
 ;newrelic.vulnerability_management.package_detection.enabled = true
-
-; Setting: newrelic.security.enabled
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if attack detection security module is to be enabled
-;
-;newrelic.security.enabled = true
-
-; Setting: newrelic.security.mode
-; Type   : string
-; Scope  : system
-; Default: "IAST"
-; Info   : Security module provides two modes "IAST" or "RASP"
-;          See documentation for more details
-;
-;newrelic.security.mode = "IAST"
-
-; Setting: newrelic.security.validator_service_endpoint_url
-; Type   : string
-; Scope  : system
-; Default: "wss://csec.nr-data.net"
-; Info   : New Relic<E2><80><99>s security module SaaS connection URLs
-;
-;newrelic.security.validator_service_url = "wss://csec.nr-data.net"
-
-; Setting: newrelic.security.agent.enabled
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Used to enable security module, default false is equivalent to
-;           security module not even loaded. If this setting is set to true,
-;           then only security module is loaded and to enable it, a restart
-;           of application is required. This is different than
-;           newrelic.security.enabled, in terms that security.enabled decides
-;           runtime behavior of security module but security.agent.enabled
-;           would not even load the security module when set to false
-;
-;newrelic.security.agent.enabled = false
-
-; Setting: newrelic.security.validator.client_ssl_cert_filepath
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : Sets the full path of the client certificate in PEM
-;          format. When set, this certificate will be used to
-;          authenticate the New Relic IAST Security Engine's url. If
-;          not set, the default certificate will be used. Make
-;          sure the file permissions are correct.
-;
-;newrelic.security.validator.client_ssl_cert_filepath = ""
-
-; Setting: newrelic.security.exclude_from_iast_scan.api
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : A list of valid pcre regex of apis separated by | (pipe) to be 
-;          excluded for scanning. Make sure each pipe separated regex is correct,
-;          otherwise none of the regexes will be applicable.
-;
-;newrelic.security.exclude_from_iast_scan.api = "api1|api2"
-
-; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.header
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : A list of request header keys separated by :: (double colon) to be 
-;          excluded for scanning
-;
-;newrelic.security.exclude_from_iast_scan.http_request_parameters.header = "X-Forwaded-For"
-
-; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.query
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : A list of request query keys separated by :: (double colon) to be 
-;          excluded for scanning
-;
-;newrelic.security.exclude_from_iast_scan.http_request_parameters.query = "username::password"
-
-; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.body
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : A list of request body keys separated by :: (double colon) to be 
-;          excluded for scanning
-;
-;newrelic.security.exclude_from_iast_scan.http_request_parameters.body = "account.email::account.contact"
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.insecure_settings
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if insecure settings attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.insecure_settings = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.invalid_file_access
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if invalid file access attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.invalid_file_access = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.sql_injection
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if sql injection attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.sql_injection = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.nosql_injection
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if nosql injection attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.nosql_injection = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.ldap_injection
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if ldap injection attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.ldap_injection = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.javascript_injection
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if javascript injection attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.javascript_injection = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.command_injection
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if command injection attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.command_injection = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.xpath_injection
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if xpath injection attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.xpath_injection = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.ssrf
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if ssrf injection attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.ssrf = false
-
-; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.rxss
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Indicates if reflected xss attack category is to be excluded
-;
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.rxss = false
-
-; Setting: newrelic.security.scan_schedule.delay
-; Type   : unsigned integer
-; Scope  : system
-; Default: 0
-; Info   : Sets the delay in minutes after which IAST scan should start
-;
-;newrelic.security.scan_schedule.delay = 0
-
-; Setting: newrelic.security.scan_schedule.duration
-; Type   : unsigned integer
-; Scope  : system
-; Default: 0
-; Info   : Sets the duration in minutes for which IAST scan should running
-;          default will be forever
-;
-;newrelic.security.scan_schedule.duration = 0
-
-; Setting: newrelic.security.scan_schedule.schedule
-; Type   : string
-; Scope  : system
-; Default: "0 0 * * * ?"
-; Info   : Sets the IAST run schedule in cron format. scan_schedule.delay
-;          takes precedence over schedule
-;
-;newrelic.security.scan_schedule.schedule = "0 0 * * * ?"
-
-; Setting: newrelic.security.scan_schedule.always_sample_traces
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Always sample traces regardless of other schedule settings
-;
-;newrelic.security.scan_schedule.always_sample_traces = false
-
-; Setting: newrelic.security.iast_test_identifier
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : Sets the identifier for allowing users to run IAST for CI/CD. Provide
-;          a unique identifier (i.e. Build Id) to filter application tests properly.
-;          Also, configurable via env variable NEW_RELIC_SECURITY_IAST_TEST_IDENTIFIER
-;          which takes precedence over this config.
-;
-;newrelic.security.iast_test_identifier = ""
-
-; Setting: newrelic.security.scan_controllers.scan_instance_count
-; Type   : unsigned integer
-; Scope  : system
-; Default: 0
-; Info   : Sets the number of application instances where IAST analysis should be performed
-;          for a specific entity. Allowed values are 0 or 1, where 0 signifies run on
-;          all application instances for that specific entity.
-;          If `newrelic.security.iast_test_identifier` is specified, this value is by default 1.
-;
-;newrelic.security.iast_test_identifier = 0
-
-; Setting: newrelic.security.scan_controllers.report_http_response_body
-; Type   : boolean
-; Scope  : system
-; Default: true
-; Info   : This configuration allows user to enable / disable sending of HTTP responses body.
-;	       Disabling reading of http response body will also disable RXSS vulnerability detection.
-;
-;newrelic.security.scan_controllers.report_http_response_body = true
-
-; Setting: newrelic.security.restriction_criteria.account_info.account_id_values
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : Applicable only with IAST_RESTRICTION as `newrelic.security.mode`. 
-;          A list of account id values separated by :: (double colon) to run IAST
-;          on specific test accounts only.
-;
-;newrelic.security.restriction_criteria.account_info.account_id_values = "account1::account2"
-
-; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.header.enabled
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and 
-;          `newrelic.security.restriction_criteria.account_info.account_id_values`.
-;          Indicates if account id value is to be looked up in the header on which to run IAST.
-;
-;newrelic.security.restriction_criteria.account_info.mapping_parameters.header.enabled = false
-
-; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.header.location
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and 
-;          `newrelic.security.restriction_criteria.account_info.account_id_values`.
-;          A list of header keys separated by :: (double colon) to lookup account id values to
-;          run IAST on specific test accounts only.
-;
-;newrelic.security.restriction_criteria.account_info.mapping_parameters.header.location = "X-Account::X-Nr-Account"
-
-; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.body.enabled
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and 
-;          `newrelic.security.restriction_criteria.account_info.account_id_values`.
-;          Indicates if account id value is to be looked up in the body on which to run IAST.
-;
-;newrelic.security.restriction_criteria.account_info.mapping_parameters.body.enabled = false
-
-; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.body.location
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and 
-;          `newrelic.security.restriction_criteria.account_info.account_id_values`.
-;          A list of body keys separated by :: (double colon) to lookup account id values to
-;          run IAST on specific test accounts only.
-;
-;newrelic.security.restriction_criteria.account_info.mapping_parameters.body.location = "account.id::account.test.id"
-
-; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.query.enabled
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and 
-;          `newrelic.security.restriction_criteria.account_info.account_id_values`.
-;          Indicates if account id value is to be looked up in the query on which to run IAST.
-;
-;newrelic.security.restriction_criteria.account_info.mapping_parameters.query.enabled = false
-
-; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.query.location
-; Type   : string
-; Scope  : system
-; Default: none
-; Info   : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and 
-;          `newrelic.security.restriction_criteria.account_info.account_id_values`.
-;          A list of query keys separated by :: (double colon) to lookup account id values to
-;          run IAST on specific test accounts only.
-;
-;newrelic.security.restriction_criteria.account_info.mapping_parameters.query.location = "id::user"
-
-; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.path.enabled
-; Type   : boolean
-; Scope  : system
-; Default: false
-; Info   : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and 
-;          `newrelic.security.restriction_criteria.account_info.account_id_values`.
-;          Indicates if account id value is to be looked up in the path on which to run IAST.
-;
-;newrelic.security.restriction_criteria.account_info.mapping_parameters.path.enabled = false