From bc35940245311290daa9e9b468c9dad53aa175c8 Mon Sep 17 00:00:00 2001 From: Michal Nowacki Date: Fri, 21 Jun 2024 12:03:51 -0400 Subject: [PATCH 01/13] expose app metadata for csec via global symbol Rather than providing a PHP user function to expose app metadata to PHP userland, export a global symbol for csec agent to use. --- agent/csec_metadata.c | 69 +++++++++++++++++----------------- agent/csec_metadata.h | 45 +++++++++++++++++++------- agent/export.syms | 1 + agent/php_api_internal.h | 2 -- agent/php_newrelic.c | 2 -- 5 files changed, 64 insertions(+), 55 deletions(-) diff --git a/agent/csec_metadata.c b/agent/csec_metadata.c index ba43b9c1a..0a9d9d47c 100644 --- a/agent/csec_metadata.c +++ b/agent/csec_metadata.c 
@@ -1,48 +1,37 @@ -#include "csec_metadata.h" -#include "util_strings.h" -#include "php_hash.h" -#include "php_api_internal.h" - -static void nr_csec_php_add_assoc_string_const(zval* arr, - const char* key, - const char* value) { - char* val = NULL; - - if (NULL == arr || NULL == key || NULL == value) { - return; - } +/* + * Copyright 2020 New Relic Corporation. All rights reserved. + * SPDX-License-Identifier: Apache-2.0 + */ - val = nr_strdup(value); - nr_php_add_assoc_string(arr, key, val); - nr_free(val); -} - -#ifdef TAGS -void zif_newrelic_get_security_metadata(void); /* ctags landing pad only */ -void newrelic_get_security_metadata(void); /* ctags landing pad only */ -#endif -PHP_FUNCTION(newrelic_get_security_metadata) { +#include "csec_metadata.h" - NR_UNUSED_RETURN_VALUE; - NR_UNUSED_RETURN_VALUE_PTR; - NR_UNUSED_RETURN_VALUE_USED; - NR_UNUSED_THIS_PTR; - NR_UNUSED_EXECUTE_DATA; +#include "util_memory.h" - array_init(return_value); +#include "nr_axiom.h" +#include "nr_agent.h" +#include "nr_app.h" +#include "php_includes.h" +#include "php_compat.h" +#include "php_newrelic.h" - nr_csec_php_add_assoc_string_const(return_value, KEY_ENTITY_NAME, nr_app_get_entity_name(NRPRG(app))); - nr_csec_php_add_assoc_string_const(return_value, KEY_ENTITY_TYPE, nr_app_get_entity_type(NRPRG(app))); - nr_csec_php_add_assoc_string_const(return_value, KEY_ENTITY_GUID, nr_app_get_entity_guid(NRPRG(app))); - nr_csec_php_add_assoc_string_const(return_value, KEY_HOSTNAME, nr_app_get_host_name(NRPRG(app))); - nr_csec_php_add_assoc_string_const(return_value, KEY_LICENSE, NRPRG(license).value); +int nr_php_csec_get_metadata(nr_php_csec_metadata_t* csec_metadata) { + if (NULL == csec_metadata) { + return -1; + } - if (NRPRG(app)) { - nr_csec_php_add_assoc_string_const(return_value, KEY_AGENT_RUN_ID, NRPRG(app)->agent_run_id); - nr_csec_php_add_assoc_string_const(return_value, KEY_ACCOUNT_ID, NRPRG(app)->account_id); - nr_csec_php_add_assoc_string_const(return_value, KEY_PLICENSE, 
NRPRG(app)->plicense); - int high_security = NRPRG(app)->info.high_security; - add_assoc_long(return_value, KEY_HIGH_SECURITY, (long)high_security); + if (NULL == NRPRG(app)) { + return -2; } + csec_metadata->high_security = NRPRG(app)->info.high_security; + csec_metadata->entity_name = nr_strdup(nr_app_get_entity_name(NRPRG(app))); + csec_metadata->entity_type = nr_strdup(nr_app_get_entity_type(NRPRG(app))); + csec_metadata->entity_guid = nr_strdup(nr_app_get_entity_guid(NRPRG(app))); + csec_metadata->host_name = nr_strdup(nr_app_get_host_name(NRPRG(app))); + csec_metadata->agent_run_id = nr_strdup(NRPRG(app)->agent_run_id); + csec_metadata->account_id = nr_strdup(NRPRG(app)->account_id); + csec_metadata->license = nr_strdup(NRPRG(license).value); + csec_metadata->plicense = nr_strdup(NRPRG(app)->plicense); + + return 0; } diff --git a/agent/csec_metadata.h b/agent/csec_metadata.h index 1716f6da4..572ce0718 100644 --- a/agent/csec_metadata.h +++ b/agent/csec_metadata.h 
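Review bot: nr_php_csec_get_metadata feeds the results of nr_app_get_entity_name(), nr_app_get_entity_guid(), NRPRG(app)->account_id and the other getters straight into nr_strdup, whereas the helper this hunk removes (nr_csec_php_add_assoc_string_const) explicitly returned on a NULL value; unless nr_strdup is documented to accept NULL, each assignment needs a guard such as `csec_metadata->account_id = NRPRG(app)->account_id ? nr_strdup(NRPRG(app)->account_id) : NULL;`, ideally through one small static helper. The copy of NRPRG(license).value hands the full license key to the caller as a heap string, so the contract should require it to be released with nr_free (the deallocator paired with nr_strdup in the removed code, which may not be plain free()) as soon as it has been consumed. On the -1 and -2 paths no field is written, so a caller that ignores the status would free whatever the struct held before the call; clearing the struct with memset before the `NULL == NRPRG(app)` check makes that case harmless.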
@@ -1,12 +1,35 @@ -#include "php_agent.h" -#include "util_hashmap.h" +/* + * Copyright 2020 New Relic Corporation. All rights reserved. + * SPDX-License-Identifier: Apache-2.0 + */ -#define KEY_ENTITY_NAME "entity.name" -#define KEY_ENTITY_TYPE "entity.type" -#define KEY_ENTITY_GUID "entity.guid" -#define KEY_HOSTNAME "hostname" -#define KEY_AGENT_RUN_ID "agent.run.id" -#define KEY_ACCOUNT_ID "account.id" -#define KEY_LICENSE "license" -#define KEY_PLICENSE "plicense" -#define KEY_HIGH_SECURITY "high_security" +#ifndef CSEC_METADATA_H +#define CSEC_METADATA_H + +typedef struct _nr_php_csec_metadata_t { + int high_security; /* Indicates if high security been set locally for this + application */ + char* license; /* License key provided */ + char* plicense; /* Printable license (abbreviated for security) */ + char* host_name; /* Local host name reported to the daemon */ + char* entity_name; /* Entity name related to this application */ + char* entity_type; /* Entity type */ + char* account_id; /* Security : Added for getting account id */ + char* entity_guid; /* Entity guid related to this application */ + char* agent_run_id; /* The collector's agent run ID; assigned from the + New Relic backend */ +} nr_php_csec_metadata_t; + +/* + * Purpose : Return app meta data by populating nr_php_csec_metadata_t + * structure. The caller is responsible for freeing the memory + * allocated for the strings in the structure. + * + * Params : Pointer to a nr_php_csec_metadata_t structure + * + * Returns : 0 for success + * -1 for invalid input + * -2 for invalid internal state + */ +extern int nr_php_csec_get_metadata(nr_php_csec_metadata_t*); +#endif diff --git a/agent/export.syms b/agent/export.syms index c1252e827..7e8f1e2c4 100644 --- a/agent/export.syms +++ b/agent/export.syms @@ -1 +1,2 @@ get_module +nr_php_csec_get_metadata diff --git a/agent/php_api_internal.h b/agent/php_api_internal.h index f8ae9a653..61db36648 100644 --- a/agent/php_api_internal.h 
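Review bot: The struct tag `_nr_php_csec_metadata_t` begins with an underscore, which C reserves for file-scope identifiers in the tag namespace; `typedef struct nr_php_csec_metadata_t { ... } nr_php_csec_metadata_t;` (or dropping the tag) avoids that. The field comment `/* Security : Added for getting account id */` is a changelog remark rather than a description and should read something like `/* Account id associated with this application */`. The Purpose block says the caller frees the strings but not that every `char*` field is a freshly allocated copy, nor that nothing is written on a non-zero return; both belong in this header because it is the consumer's only documentation of the contract.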
+++ b/agent/php_api_internal.h @@ -16,8 +16,6 @@ */ extern PHP_FUNCTION(newrelic_get_request_metadata); -extern PHP_FUNCTION(newrelic_get_security_metadata); - #ifdef ENABLE_TESTING_API /* diff --git a/agent/php_newrelic.c b/agent/php_newrelic.c index 80d4466a1..210c04428 100644 --- a/agent/php_newrelic.c +++ b/agent/php_newrelic.c @@ -343,11 +343,9 @@ static zend_function_entry newrelic_functions[] = { #ifdef PHP8 PHP_FE(newrelic_get_linking_metadata, newrelic_arginfo_void) PHP_FE(newrelic_get_trace_metadata, newrelic_arginfo_void) - PHP_FE(newrelic_get_security_metadata, newrelic_arginfo_void) #else PHP_FE(newrelic_get_linking_metadata, 0) PHP_FE(newrelic_get_trace_metadata, 0) - PHP_FE(newrelic_get_security_metadata, 0) #endif /* PHP 8 */ /* * Integration test helpers From 8dc4a69f45178221ec6ac1c8d7347f36e8113012 Mon Sep 17 00:00:00 2001 From: Michal Nowacki Date: Fri, 21 Jun 2024 12:34:52 -0400 Subject: [PATCH 02/13] make `nr_php_csec_get_metadata` easier to use --- agent/csec_metadata.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/agent/csec_metadata.h b/agent/csec_metadata.h index 572ce0718..ca7a8f332 100644 --- a/agent/csec_metadata.h +++ b/agent/csec_metadata.h @@ -32,4 +32,6 @@ typedef struct _nr_php_csec_metadata_t { * -2 for invalid internal state */ extern int nr_php_csec_get_metadata(nr_php_csec_metadata_t*); +typedef int (*nr_php_csec_get_metadata_t)(nr_php_csec_metadata_t*); +#define NR_PHP_CSEC_GET_METADATA "nr_php_csec_get_metadata" #endif From 3f6c28323ebb6776632db03c49a3f436ec73687b Mon Sep 17 00:00:00 2001 From: Michal Nowacki Date: Tue, 25 Jun 2024 19:17:09 -0400 Subject: [PATCH 03/13] refactor to avoid 'transport' struct Replace 'transport' struct, which would have to be versioned, with a simple getter API of `get(key, &ptr)` signature. --- agent/csec_metadata.c | 60 ++++++++++++++++++++++++++++++++++--------- agent/csec_metadata.h | 39 ++++++++++++++-------------- 2 files changed, 68 insertions(+), 31 deletions(-) 
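Review bot: The function-pointer typedef `nr_php_csec_get_metadata_t` and the `NR_PHP_CSEC_GET_METADATA` symbol-name macro appended to csec_metadata.h carry no comment saying why they exist; presumably they let a separately built consumer resolve the exported symbol by name at runtime. A comment such as `/* Symbol name and matching pointer type for resolving nr_php_csec_get_metadata at runtime; keep in sync with the declaration above and with agent/export.syms. */` would tell the next maintainer that the declaration, the typedef and the export list must change together.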
diff --git a/agent/csec_metadata.c b/agent/csec_metadata.c
index 0a9d9d47c..0f9571a7b 100644
--- a/agent/csec_metadata.c
+++ b/agent/csec_metadata.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 New Relic Corporation. All rights reserved.
+ * Copyright 2024 New Relic Corporation. All rights reserved.
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -14,8 +14,10 @@
 #include "php_compat.h"
 #include "php_newrelic.h"
-int nr_php_csec_get_metadata(nr_php_csec_metadata_t* csec_metadata) {
- if (NULL == csec_metadata) {
+int nr_php_csec_get_metadata(const nr_php_csec_metadata_key_t key, void** p) {
+ const char* value = NULL;
+
+ if (NULL == p) {
 return -1;
 }
@@ -23,15 +25,49 @@ int nr_php_csec_get_metadata(nr_php_csec_metadata_t* csec_metadata) { return -2; } - csec_metadata->high_security = NRPRG(app)->info.high_security; - csec_metadata->entity_name = nr_strdup(nr_app_get_entity_name(NRPRG(app))); - csec_metadata->entity_type = nr_strdup(nr_app_get_entity_type(NRPRG(app))); - csec_metadata->entity_guid = nr_strdup(nr_app_get_entity_guid(NRPRG(app))); - csec_metadata->host_name = nr_strdup(nr_app_get_host_name(NRPRG(app))); - csec_metadata->agent_run_id = nr_strdup(NRPRG(app)->agent_run_id); - csec_metadata->account_id = nr_strdup(NRPRG(app)->account_id); - csec_metadata->license = nr_strdup(NRPRG(license).value); - csec_metadata->plicense = nr_strdup(NRPRG(app)->plicense); + switch (key) { + case NR_PHP_CSEC_METADATA_HIGH_SECURITY: + *p = nr_zalloc(sizeof(int)); + if (NULL == *p) { + return -3; + } + *((int*)*p) = NRPRG(app)->info.high_security; + return 0; + case NR_PHP_CSEC_METADATA_ENTITY_NAME: + value = nr_app_get_entity_name(NRPRG(app)); + break; + case NR_PHP_CSEC_METADATA_ENTITY_TYPE: + value = nr_app_get_entity_type(NRPRG(app)); + break; + case NR_PHP_CSEC_METADATA_ENTITY_GUID: + value = nr_app_get_entity_guid(NRPRG(app)); + break; + case NR_PHP_CSEC_METADATA_HOST_NAME: + value = nr_app_get_host_name(NRPRG(app)); + break; + case NR_PHP_CSEC_METADATA_AGENT_RUN_ID: + value = NRPRG(app)->agent_run_id; + break; + case NR_PHP_CSEC_METADATA_ACCOUNT_ID: + value = NRPRG(app)->account_id; + break; + case NR_PHP_CSEC_METADATA_LICENSE: + value = NRPRG(license).value; + break; + case NR_PHP_CSEC_METADATA_PLICENSE: + value = NRPRG(app)->plicense; + break; + default: + return -4; + } + if (NULL == value) { + return -5; + } + + *p = nr_strdup(value); + if (NULL == *p) { + return -3; + } return 0; } diff --git a/agent/csec_metadata.h b/agent/csec_metadata.h index ca7a8f332..c47bf97d9 100644 --- a/agent/csec_metadata.h +++ b/agent/csec_metadata.h 
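Review bot: On the -1, -2, -4 and -5 paths `*p` is never written, so a caller that uses the out-parameter without checking the status reads an indeterminate pointer; setting `*p = NULL;` right after the `NULL == p` guard (which sits above this hunk) makes failure observable either way. The `NULL == NRPRG(app)` check at the top of the hunk now runs before the switch, so NR_PHP_CSEC_METADATA_LICENSE, which only reads NRPRG(license).value, is refused whenever no app is attached, although the PHP function removed in patch 01 reported the license independently of the app; either handle that case before the app check or state the dependency in the header. The body of nr_php_csec_get_metadata starts before this hunk.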
@@ -1,37 +1,38 @@ /* - * Copyright 2020 New Relic Corporation. All rights reserved. + * Copyright 2024 New Relic Corporation. All rights reserved. * SPDX-License-Identifier: Apache-2.0 */ #ifndef CSEC_METADATA_H #define CSEC_METADATA_H -typedef struct _nr_php_csec_metadata_t { - int high_security; /* Indicates if high security been set locally for this - application */ - char* license; /* License key provided */ - char* plicense; /* Printable license (abbreviated for security) */ - char* host_name; /* Local host name reported to the daemon */ - char* entity_name; /* Entity name related to this application */ - char* entity_type; /* Entity type */ - char* account_id; /* Security : Added for getting account id */ - char* entity_guid; /* Entity guid related to this application */ - char* agent_run_id; /* The collector's agent run ID; assigned from the - New Relic backend */ -} nr_php_csec_metadata_t; +typedef enum { + NR_PHP_CSEC_METADATA_HIGH_SECURITY = 1, + NR_PHP_CSEC_METADATA_ENTITY_NAME, + NR_PHP_CSEC_METADATA_ENTITY_TYPE, + NR_PHP_CSEC_METADATA_ENTITY_GUID, + NR_PHP_CSEC_METADATA_HOST_NAME, + NR_PHP_CSEC_METADATA_AGENT_RUN_ID, + NR_PHP_CSEC_METADATA_ACCOUNT_ID, + NR_PHP_CSEC_METADATA_LICENSE, + NR_PHP_CSEC_METADATA_PLICENSE +} nr_php_csec_metadata_key_t; /* - * Purpose : Return app meta data by populating nr_php_csec_metadata_t - * structure. The caller is responsible for freeing the memory - * allocated for the strings in the structure. + * Purpose : Copy requested app meta data into allocated *value. + * The caller is responsible for freeing the memory + * allocated. 
*
 * Params : Pointer to a nr_php_csec_metadata_t structure
 *
 * Returns : 0 for success
 * -1 for invalid input
 * -2 for invalid internal state
+ * -3 for inability to allocate memory
+ * -4 for invalid metadata key
+ * -5 for inability to retrieve metadata value
 */
-extern int nr_php_csec_get_metadata(nr_php_csec_metadata_t*);
-typedef int (*nr_php_csec_get_metadata_t)(nr_php_csec_metadata_t*);
+extern int nr_php_csec_get_metadata(const nr_php_csec_metadata_key_t k, void** value);
+typedef int (*nr_php_csec_get_metadata_t)(const nr_php_csec_metadata_key_t k, void** value);
 #define NR_PHP_CSEC_GET_METADATA "nr_php_csec_get_metadata"
 #endif
From 1a4bc7452bdb1b1eca5f36e8fa92204d8ebbe15d Mon Sep 17 00:00:00 2001
From: Michal Nowacki
Date: Wed, 26 Jun 2024 14:24:01 -0400
Subject: [PATCH 04/13] simplify return value - always a string
This approach adds some level of protection (compiler type checking) from misusing the API.
---
 agent/csec_metadata.c | 12 ++++++------
 agent/csec_metadata.h | 7 ++++---
 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/agent/csec_metadata.c b/agent/csec_metadata.c
index 0f9571a7b..af8af2d91 100644
--- a/agent/csec_metadata.c
+++ b/agent/csec_metadata.c
@@ -14,7 +14,7 @@
 #include "php_compat.h"
 #include "php_newrelic.h"
-int nr_php_csec_get_metadata(const nr_php_csec_metadata_key_t key, void** p) {
+int nr_php_csec_get_metadata(const nr_php_csec_metadata_key_t key, char** p) {
 const char* value = NULL;
 if (NULL == p) {
@@ -27,12 +27,12 @@ int nr_php_csec_get_metadata(const nr_php_csec_metadata_key_t key, void** p) {
 switch (key) {
 case NR_PHP_CSEC_METADATA_HIGH_SECURITY:
- *p = nr_zalloc(sizeof(int));
- if (NULL == *p) {
- return -3;
+ if (NRPRG(app)->info.high_security) {
+ value = "true";
+ } else {
+ value = "false";
 }
- *((int*)*p) = NRPRG(app)->info.high_security;
- return 0;
+ break;
 case NR_PHP_CSEC_METADATA_ENTITY_NAME:
 value = nr_app_get_entity_name(NRPRG(app));
 break;
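Review bot: The context line `* Params : Pointer to a nr_php_csec_metadata_t structure` is now wrong, because this same hunk removes that struct and the function takes a key and an output pointer; it should read `* Params : 1. The nr_php_csec_metadata_key_t identifying the value to fetch` followed by `*          2. Address of a pointer that receives the newly allocated value`. The same stale line survives as context in the csec_metadata.h hunk of the next commit. Since consumers appear to resolve the function by name (the NR_PHP_CSEC_GET_METADATA macro), the enum also deserves a one-line note that existing values must not be renumbered. The `const` on the by-value key parameter in both the declaration and the typedef is a definition detail that adds nothing in a header.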
diff --git a/agent/csec_metadata.h b/agent/csec_metadata.h
index c47bf97d9..a98b79339 100644
--- a/agent/csec_metadata.h
+++ b/agent/csec_metadata.h
@@ -21,7 +21,8 @@ typedef enum {
 /*
 * Purpose : Copy requested app meta data into allocated *value.
 * The caller is responsible for freeing the memory
- * allocated.
+ * allocated. The value is a string representation of
+ * the requested metadata.
 *
 * Params : Pointer to a nr_php_csec_metadata_t structure
 *
@@ -32,7 +33,7 @@ typedef enum {
 * -4 for invalid metadata key
 * -5 for inability to retrieve metadata value
 */
-extern int nr_php_csec_get_metadata(const nr_php_csec_metadata_key_t k, void** value);
-typedef int (*nr_php_csec_get_metadata_t)(const nr_php_csec_metadata_key_t k, void** value);
+extern int nr_php_csec_get_metadata(const nr_php_csec_metadata_key_t k, char** value);
+typedef int (*nr_php_csec_get_metadata_t)(const nr_php_csec_metadata_key_t k, char** value);
 #define NR_PHP_CSEC_GET_METADATA "nr_php_csec_get_metadata"
 #endif
From 8becf09c4881e6c12e824a65ee0402bde8656466 Mon Sep 17 00:00:00 2001
From: Anmol Jain
Date: Tue, 20 Aug 2024 16:23:53 +0530
Subject: [PATCH 05/13] add config for skip iast scan
---
 agent/scripts/newrelic.ini.template | 116 ++++++++++++++++++++++++++++
 1 file changed, 116 insertions(+)
diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template
index 6526f6a7c..e268efd4f 100644
--- a/agent/scripts/newrelic.ini.template
+++ b/agent/scripts/newrelic.ini.template
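Review bot: The added wording `The value is a string representation of the requested metadata` leaves the boolean encoding unstated, while the csec_metadata.c change in this commit returns the literals "true" and "false" for NR_PHP_CSEC_METADATA_HIGH_SECURITY; spell that out with a line such as `* NR_PHP_CSEC_METADATA_HIGH_SECURITY yields the literal "true" or "false".` It is also worth stating that the returned string comes from nr_strdup and must be released with nr_free, since a consumer resolving this symbol at runtime may otherwise pass it to a different allocator's free.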
@@ -1416,3 +1416,119 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; sure the file permissions are correct. ; ;newrelic.security.validator.client_ssl_cert_filepath = "" + +; Setting: newrelic.security.skip_iast_scan.api +; Type : string +; Scope : system +; Default: none +; Info : A list of valid pcre regex of apis separated by | (pipe) to be +; skipped for scanning +; +;newrelic.security.skip_iast_scan.api = "api1|api2" + +; Setting: newrelic.security.skip_iast_scan.parameters.header +; Type : string +; Scope : system +; Default: none +; Info : A list of request header keys separated by :: (double colon) to be +; skipped for scanning +; +;newrelic.security.skip_iast_scan.parameters.header = "X-Forwaded-For" + +; Setting: newrelic.security.skip_iast_scan.parameters.query +; Type : string +; Scope : system +; Default: none +; Info : A list of request query keys separated by :: (double colon) to be +; skipped for scanning +; +;newrelic.security.skip_iast_scan.parameters.query = "q1::q2" + +; Setting: newrelic.security.skip_iast_scan.parameters.body +; Type : string +; Scope : system +; Default: none +; Info : A list of request body keys separated by :: (double colon) to be +; skipped for scanning +; +;newrelic.security.skip_iast_scan.parameters.body = "object.cc_number" + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.insecure_settings +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if insecure settings attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.insecure_settings = false + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.invalid_file_access +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if invalid file access attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.invalid_file_access = false + +; Setting: 
newrelic.security.skip_iast_scan.iast_detection_category.sql_injection +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if sql injection attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.sql_injection = false + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.nosql_injection +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if nosql injection attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.nosql_injection = false + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.ldap_injection +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if ldap injection attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.ldap_injection = false + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.javascript_injection +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if javascript injection attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.javascript_injection = false + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.command_injection +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if command injection attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.command_injection = false + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.xpath_injection +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if xpath injection attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.xpath_injection = false + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.ssrf +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if ssrf injection attack category is to be skipped +; 
+;newrelic.security.skip_iast_scan.iast_detection_category.ssrf = false + +; Setting: newrelic.security.skip_iast_scan.iast_detection_category.rxss +; Type : boolean +; Scope : system +; Default: false +; Info : Indicates if reflected xss attack category is to be skipped +; +;newrelic.security.skip_iast_scan.iast_detection_category.rxss = false \ No newline at end of file From fb054ab8c1d2bb7ad9a2d7f86ab204565f9ba061 Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Fri, 23 Aug 2024 12:30:14 +0530 Subject: [PATCH 06/13] Add config for scan schedule --- agent/scripts/newrelic.ini.template | 64 +++++++++++++++++------------ 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template index e268efd4f..e939e4abb 100644 --- a/agent/scripts/newrelic.ini.template +++ b/agent/scripts/newrelic.ini.template @@ -1373,30 +1373,6 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; ;newrelic.security.agent.enabled = false -; Setting: newrelic.security.detection.rci.enabled -; Type : boolean -; Scope : system -; Default: true -; Info : Indicates if detection of remote code injection attack category is to be enabled -; -;newrelic.security.detection.rci.enabled = true - -; Setting: newrelic.security.detection.rxss.enabled -; Type : boolean -; Scope : system -; Default: true -; Info : Indicates if detection of reflected xss attack category is to be enabled -; -;newrelic.security.detection.rxss.enabled = true - -; Setting: newrelic.security.detection.deserialization.enabled -; Type : boolean -; Scope : system -; Default: true -; Info : Indicates if detection of deserialization attack category is to be enabled -; -;newrelic.security.detection.deserialization.enabled = true - ; Setting: newrelic.security.request.body_limit ; Type : unsigned integer ; Scope : system 
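Review bot: The example value for newrelic.security.skip_iast_scan.parameters.header misspells the header name; it should be `;newrelic.security.skip_iast_scan.parameters.header = "X-Forwarded-For"` (the typo is carried through the rename in a later commit). For newrelic.security.skip_iast_scan.api the Info text says the regexes are separated by `|`, but `|` is also PCRE alternation, so it should state whether the whole value is compiled as one pattern or split on the separator first, otherwise a reader cannot tell how a `|` inside an individual regex is treated. The ssrf entry's `ssrf injection attack category` should read `ssrf attack category`, and the file is left without a trailing newline, which the next commit then has to repair.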
@@ -1442,7 +1418,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Info : A list of request query keys separated by :: (double colon) to be ; skipped for scanning ; -;newrelic.security.skip_iast_scan.parameters.query = "q1::q2" +;newrelic.security.skip_iast_scan.parameters.query = "username::password" ; Setting: newrelic.security.skip_iast_scan.parameters.body ; Type : string @@ -1451,7 +1427,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Info : A list of request body keys separated by :: (double colon) to be ; skipped for scanning ; -;newrelic.security.skip_iast_scan.parameters.body = "object.cc_number" +;newrelic.security.skip_iast_scan.parameters.body = "account.email::account.contact" ; Setting: newrelic.security.skip_iast_scan.iast_detection_category.insecure_settings ; Type : boolean 
@@ -1531,4 +1507,38 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Default: false ; Info : Indicates if reflected xss attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.rxss = false \ No newline at end of file +;newrelic.security.skip_iast_scan.iast_detection_category.rxss = false + +; Setting: newrelic.security.scan_schedule.delay +; Type : unsigned integer +; Scope : system +; Default: 0 +; Info : Sets the delay in minutes after which IAST scan should start +; +;newrelic.security.scan_schedule.delay = 0 + +; Setting: newrelic.security.scan_schedule.duration +; Type : unsigned integer +; Scope : system +; Default: 0 +; Info : Sets the duration in minutes for which IAST scan should running +; default will be forever +; +;newrelic.security.scan_schedule.duration = 0 + +; Setting: newrelic.security.scan_schedule.schedule +; Type : string +; Scope : system +; Default: "0 0 * * * ?" +; Info : Sets the IAST run schedule in cron format. scan_schedule.delay +; takes precedence over schedule +; +;newrelic.security.scan_schedule.schedule = "0 0 * * * ?" + +; Setting: newrelic.security.scan_schedule.always_sample_traces +; Type : boolean +; Scope : system +; Default: false +; Info : If true, event sampling will be done regardless of delay +; +;newrelic.security.scan_schedule.always_sample_traces = false \ No newline at end of file From 5087938cf804308c9e2a56ee7db6e822db12f5a7 Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Wed, 4 Sep 2024 13:29:31 +0530 Subject: [PATCH 07/13] rename config for ignore iast scan feature --- agent/scripts/newrelic.ini.template | 58 ++++++++++++++--------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template index e939e4abb..e203320ad 100644 --- a/agent/scripts/newrelic.ini.template +++ b/agent/scripts/newrelic.ini.template 
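Review bot: The Info text for newrelic.security.scan_schedule.duration has a grammar slip; `Sets the duration in minutes for which IAST scan should running` should read `Sets the duration in minutes for which the IAST scan should run (0 means forever)`, folding the follow-on line into it. The default `"0 0 * * * ?"` is a six-field expression with a `?` wildcard, which is a Quartz-style dialect rather than a POSIX five-field crontab, so the schedule Info line should name the cron dialect the agent parses; otherwise a user supplying a standard five-field value cannot know whether it is accepted. The file again ends without a trailing newline.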
@@ -1393,121 +1393,121 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; ;newrelic.security.validator.client_ssl_cert_filepath = "" -; Setting: newrelic.security.skip_iast_scan.api +; Setting: newrelic.security.exclude_from_iast_scan.api ; Type : string ; Scope : system ; Default: none ; Info : A list of valid pcre regex of apis separated by | (pipe) to be ; skipped for scanning ; -;newrelic.security.skip_iast_scan.api = "api1|api2" +;newrelic.security.exclude_from_iast_scan.api = "api1|api2" -; Setting: newrelic.security.skip_iast_scan.parameters.header +; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.header ; Type : string ; Scope : system ; Default: none ; Info : A list of request header keys separated by :: (double colon) to be ; skipped for scanning ; -;newrelic.security.skip_iast_scan.parameters.header = "X-Forwaded-For" +;newrelic.security.exclude_from_iast_scan.http_request_parameters.header = "X-Forwaded-For" -; Setting: newrelic.security.skip_iast_scan.parameters.query +; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.query ; Type : string ; Scope : system ; Default: none ; Info : A list of request query keys separated by :: (double colon) to be ; skipped for scanning ; -;newrelic.security.skip_iast_scan.parameters.query = "username::password" +;newrelic.security.exclude_from_iast_scan.http_request_parameters.query = "username::password" -; Setting: newrelic.security.skip_iast_scan.parameters.body +; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.body ; Type : string ; Scope : system ; Default: none ; Info : A list of request body keys separated by :: (double colon) to be ; skipped for scanning ; -;newrelic.security.skip_iast_scan.parameters.body = "account.email::account.contact" +;newrelic.security.exclude_from_iast_scan.http_request_parameters.body = "account.email::account.contact" -; Setting: 
newrelic.security.skip_iast_scan.iast_detection_category.insecure_settings +; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.insecure_settings ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if insecure settings attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.insecure_settings = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.insecure_settings = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.invalid_file_access +; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.invalid_file_access ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if invalid file access attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.invalid_file_access = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.invalid_file_access = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.sql_injection +; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.sql_injection ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if sql injection attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.sql_injection = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.sql_injection = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.nosql_injection +; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.nosql_injection ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if nosql injection attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.nosql_injection = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.nosql_injection = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.ldap_injection +; 
Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.ldap_injection ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if ldap injection attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.ldap_injection = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.ldap_injection = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.javascript_injection +; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.javascript_injection ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if javascript injection attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.javascript_injection = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.javascript_injection = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.command_injection +; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.command_injection ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if command injection attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.command_injection = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.command_injection = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.xpath_injection +; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.xpath_injection ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if xpath injection attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.xpath_injection = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.xpath_injection = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.ssrf +; Setting: 
newrelic.security.exclude_from_iast_scan.iast_detection_category.ssrf ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if ssrf injection attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.ssrf = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.ssrf = false -; Setting: newrelic.security.skip_iast_scan.iast_detection_category.rxss +; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.rxss ; Type : boolean ; Scope : system ; Default: false ; Info : Indicates if reflected xss attack category is to be skipped ; -;newrelic.security.skip_iast_scan.iast_detection_category.rxss = false +;newrelic.security.exclude_from_iast_scan.iast_detection_category.rxss = false ; Setting: newrelic.security.scan_schedule.delay ; Type : unsigned integer @@ -1539,6 +1539,6 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : If true, event sampling will be done regardless of delay +; Info : Always sample traces regardless of other schedule settings ; ;newrelic.security.scan_schedule.always_sample_traces = false \ No newline at end of file From bd77ee819909f19f85791a73eed046b9367fc3f2 Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Wed, 4 Sep 2024 16:46:58 +0530 Subject: [PATCH 08/13] update description for exclude scan config --- agent/scripts/newrelic.ini.template | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template index e203320ad..744a697c4 100644 --- a/agent/scripts/newrelic.ini.template +++ b/agent/scripts/newrelic.ini.template 
@@ -1398,7 +1398,8 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Scope : system ; Default: none ; Info : A list of valid pcre regex of apis separated by | (pipe) to be -; skipped for scanning +; excluded for scanning. Make sure each pipe separated regex is correct, +; otherwise none of the regexes will be applicable. ; ;newrelic.security.exclude_from_iast_scan.api = "api1|api2" @@ -1407,7 +1408,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Scope : system ; Default: none ; Info : A list of request header keys separated by :: (double colon) to be -; skipped for scanning +; excluded for scanning ; ;newrelic.security.exclude_from_iast_scan.http_request_parameters.header = "X-Forwaded-For" @@ -1416,7 +1417,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Scope : system ; Default: none ; Info : A list of request query keys separated by :: (double colon) to be -; skipped for scanning +; excluded for scanning ; ;newrelic.security.exclude_from_iast_scan.http_request_parameters.query = "username::password" @@ -1425,7 +1426,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Scope : system ; Default: none ; Info : A list of request body keys separated by :: (double colon) to be -; skipped for scanning +; excluded for scanning ; ;newrelic.security.exclude_from_iast_scan.http_request_parameters.body = "account.email::account.contact" @@ -1433,7 +1434,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if insecure settings attack category is to be skipped +; Info : Indicates if insecure settings attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.insecure_settings = false 
@@ -1441,7 +1442,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if invalid file access attack category is to be skipped +; Info : Indicates if invalid file access attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.invalid_file_access = false @@ -1449,7 +1450,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if sql injection attack category is to be skipped +; Info : Indicates if sql injection attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.sql_injection = false @@ -1457,7 +1458,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if nosql injection attack category is to be skipped +; Info : Indicates if nosql injection attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.nosql_injection = false @@ -1465,7 +1466,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if ldap injection attack category is to be skipped +; Info : Indicates if ldap injection attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.ldap_injection = false @@ -1473,7 +1474,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if javascript injection attack category is to be skipped +; Info : Indicates if javascript injection attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.javascript_injection = false 
@@ -1481,7 +1482,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if command injection attack category is to be skipped +; Info : Indicates if command injection attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.command_injection = false @@ -1489,7 +1490,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if xpath injection attack category is to be skipped +; Info : Indicates if xpath injection attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.xpath_injection = false @@ -1497,7 +1498,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if ssrf injection attack category is to be skipped +; Info : Indicates if ssrf injection attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.ssrf = false @@ -1505,7 +1506,7 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Type : boolean ; Scope : system ; Default: false -; Info : Indicates if reflected xss attack category is to be skipped +; Info : Indicates if reflected xss attack category is to be excluded ; ;newrelic.security.exclude_from_iast_scan.iast_detection_category.rxss = false From 2f59bf8d4357252c1b0bf21dd49fe281369d050b Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Mon, 23 Sep 2024 17:25:12 +0530 Subject: [PATCH 09/13] add config for ci/cd integration support --- agent/scripts/newrelic.ini.template | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template index 744a697c4..3013a3abf 100644 --- a/agent/scripts/newrelic.ini.template +++ b/agent/scripts/newrelic.ini.template 
@@ -1542,4 +1542,15 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Default: false ; Info : Always sample traces regardless of other schedule settings ; -;newrelic.security.scan_schedule.always_sample_traces = false \ No newline at end of file +;newrelic.security.scan_schedule.always_sample_traces = false + +; Setting: newrelic.security.iast_test_identifier +; Type : string +; Scope : system +; Default: none +; Info : Sets the identifier for allowing users to run IAST for CI/CD. Provide +; a unique identifier (i.e. Build Id) to filter application tests properly. +; Also, configurable via env variable NEW_RELIC_SECURITY_IAST_TEST_IDENTIFIER +; which takes precedence over this config. +; +;newrelic.security.iast_test_identifier = "" \ No newline at end of file From 1cd656b236eaaea7c0f86ed9f50c9f776da88608 Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Tue, 1 Oct 2024 16:22:10 +0530 Subject: [PATCH 10/13] add config for scan instance count --- agent/scripts/newrelic.ini.template | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template index 3013a3abf..f253d5be3 100644 --- a/agent/scripts/newrelic.ini.template +++ b/agent/scripts/newrelic.ini.template 
@@ -1553,4 +1553,15 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; Also, configurable via env variable NEW_RELIC_SECURITY_IAST_TEST_IDENTIFIER ; which takes precedence over this config. ; -;newrelic.security.iast_test_identifier = "" \ No newline at end of file +;newrelic.security.iast_test_identifier = "" + +; Setting: newrelic.security.scan_controllers.scan_instance_count +; Type : unsigned integer +; Scope : system +; Default: 0 +; Info : Sets the number of application instances where IAST analysis should be performed +; for a specific entity. Allowed values are 0 or 1, where 0 signifies run on +; all application instances for that specific entity. +; If `newrelic.security.iast_test_identifier` is specified, this value is by default 1. +; +;newrelic.security.iast_test_identifier = 0 \ No newline at end of file From 18549f33ad11fd6fb5afe100a85a7b11cadf08cb Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Wed, 23 Oct 2024 14:07:13 +0530 Subject: [PATCH 11/13] remove config for request body limit --- agent/scripts/newrelic.ini.template | 8 -------- 1 file changed, 8 deletions(-) diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template index f253d5be3..1da861d82 100644 --- a/agent/scripts/newrelic.ini.template +++ b/agent/scripts/newrelic.ini.template @@ -1373,14 +1373,6 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; ;newrelic.security.agent.enabled = false -; Setting: newrelic.security.request.body_limit -; Type : unsigned integer -; Scope : system -; Default: 300 -; Info : Sets the maximum limit of the request body to be read in kb. -; -;newrelic.security.request.body_limit = 300 - ; Setting: newrelic.security.validator.client_ssl_cert_filepath ; Type : string ; Scope : system From 95d1c78fe922d74a8f3d2606afb561b389b43c11 Mon Sep 17 00:00:00 2001 
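Review bot: The example line added for the new setting, `;newrelic.security.iast_test_identifier = 0`, names the wrong key: the block above it documents `newrelic.security.scan_controllers.scan_instance_count`, so a user who uncomments the example would overwrite the CI/CD test identifier with `0` instead of setting the instance count. It should read `;newrelic.security.scan_controllers.scan_instance_count = 0`. The same mistaken line is carried forward as context in the @@ -1556 hunk of patch 12 and only disappears when the whole section is deleted in patch 13, so every intermediate template ships the copy-paste error. The Info text says allowed values are `0 or 1`; stating how other values are treated, if the agent validates them, would complete the entry.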
From: Anmol Jain Date: Thu, 21 Nov 2024 17:54:20 +0530 Subject: [PATCH 12/13] add config for http response body, iast restricted mode --- agent/scripts/newrelic.ini.template | 94 ++++++++++++++++++++++++++++- 1 file changed, 93 insertions(+), 1 deletion(-) diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template index 1da861d82..52193de48 100644 --- a/agent/scripts/newrelic.ini.template +++ b/agent/scripts/newrelic.ini.template 
@@ -1556,4 +1556,96 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; all application instances for that specific entity. ; If `newrelic.security.iast_test_identifier` is specified, this value is by default 1. ; -;newrelic.security.iast_test_identifier = 0 \ No newline at end of file +;newrelic.security.iast_test_identifier = 0 + +; Setting: newrelic.security.scan_controllers.report_http_response_body +; Type : boolean +; Scope : system +; Default: true +; Info : This configuration allows user to enable / disable sending of HTTP responses body. +; Disabling reading of http response body will also disable RXSS vulnerability detection. +; +;newrelic.security.scan_controllers.report_http_response_body = true + +; Setting: newrelic.security.restriction_criteria.account_info.account_id_values +; Type : string +; Scope : system +; Default: none +; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode`. +; A list of account id values separated by :: (double colon) to run IAST +; on specific test accounts only. +; +;newrelic.security.restriction_criteria.account_info.account_id_values = "account1::account2" + +; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.header.enabled +; Type : boolean +; Scope : system +; Default: false +; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and +; `newrelic.security.restriction_criteria.account_info.account_id_values`. +; Indicates if account id value is to be looked up in the header on which to run IAST. +; +;newrelic.security.restriction_criteria.account_info.mapping_parameters.header.enabled = false + +; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.header.location +; Type : string +; Scope : system +; Default: none +; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and +; `newrelic.security.restriction_criteria.account_info.account_id_values`. 
+; A list of header keys separated by :: (double colon) to lookup account id values to +; run IAST on specific test accounts only. +; +;newrelic.security.restriction_criteria.account_info.mapping_parameters.header.location = "X-Account::X-Nr-Account" + +; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.body.enabled +; Type : boolean +; Scope : system +; Default: false +; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and +; `newrelic.security.restriction_criteria.account_info.account_id_values`. +; Indicates if account id value is to be looked up in the body on which to run IAST. +; +;newrelic.security.restriction_criteria.account_info.mapping_parameters.body.enabled = false + +; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.body.location +; Type : string +; Scope : system +; Default: none +; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and +; `newrelic.security.restriction_criteria.account_info.account_id_values`. +; A list of body keys separated by :: (double colon) to lookup account id values to +; run IAST on specific test accounts only. +; +;newrelic.security.restriction_criteria.account_info.mapping_parameters.body.location = "account.id::account.test.id" + +; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.query.enabled +; Type : boolean +; Scope : system +; Default: false +; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and +; `newrelic.security.restriction_criteria.account_info.account_id_values`. +; Indicates if account id value is to be looked up in the query on which to run IAST. 
+; +;newrelic.security.restriction_criteria.account_info.mapping_parameters.query.enabled = false + +; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.query.location +; Type : string +; Scope : system +; Default: none +; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and +; `newrelic.security.restriction_criteria.account_info.account_id_values`. +; A list of query keys separated by :: (double colon) to lookup account id values to +; run IAST on specific test accounts only. +; +;newrelic.security.restriction_criteria.account_info.mapping_parameters.query.location = "id::user" + +; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.path.enabled +; Type : boolean +; Scope : system +; Default: false +; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and +; `newrelic.security.restriction_criteria.account_info.account_id_values`. +; Indicates if account id value is to be looked up in the path on which to run IAST. +; +;newrelic.security.restriction_criteria.account_info.mapping_parameters.path.enabled = false \ No newline at end of file From f0c3fde8d8546661e9e3e4eef2b71d0da16477e9 Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Wed, 22 Jan 2025 12:40:58 +0530 Subject: [PATCH 13/13] remove csec agent config, update status log for csec config --- agent/php_minit.c | 13 +- agent/scripts/newrelic.ini.template | 316 ---------------------------- 2 files changed, 8 insertions(+), 321 deletions(-) diff --git a/agent/php_minit.c b/agent/php_minit.c index 6a013e238..d6410e40f 100644 --- a/agent/php_minit.c +++ b/agent/php_minit.c 
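Review bot: The new `restriction_criteria.*` entries are all documented as `Applicable only with IAST_RESTRICTION as newrelic.security.mode`, but the `newrelic.security.mode` entry in this same template (visible in the patch 13 removal hunk) still says the module provides only two modes, "IAST" or "RASP", so a reader of this file cannot discover that IAST_RESTRICTION is a valid mode; its Info line should list it, e.g. `; Info : Security module provides modes "IAST", "IAST_RESTRICTION" or "RASP"`. For `scan_controllers.report_http_response_body`, which defaults to `true`, the Info should name the component that receives the response bodies and note that bodies may carry sensitive data (session tokens, personal data), so an operator can weigh that against the stated loss of RXSS detection when setting it to `false`. The `mapping_parameters.path.enabled` entry has no `path.location` counterpart unlike header, body and query; if that is intentional, one sentence saying how the account id is located in the path would pre-empt the question.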
@@ -719,11 +719,14 @@ PHP_MINIT_FUNCTION(newrelic) {
 nr_wordpress_minit();
 nr_php_set_opcode_handlers();
 
- if (!NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) || !NR_PHP_PROCESS_GLOBALS(nr_security_enabled) || NR_PHP_PROCESS_GLOBALS(high_security)) {
- nrl_info(NRL_INIT, "New Relic Security is completely disabled by one of the user provided config `newrelic.security.enabled`, `newrelic.security.agent.enabled` or `newrelic.high_security`. Not loading security capabilities.");
- nrl_debug(NRL_INIT, "newrelic.security.agent.enabled : %s", NR_PHP_PROCESS_GLOBALS(nr_security_enabled) ? "true" : "false");
- nrl_debug(NRL_INIT, "newrelic.security.enabled : %s", NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) ? "true" : "false");
- nrl_debug(NRL_INIT, "newrelic.high_security : %s", NR_PHP_PROCESS_GLOBALS(high_security) ? "true" : "false");
+ if (NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled)
+ && NR_PHP_PROCESS_GLOBALS(nr_security_enabled)
+ && !NR_PHP_PROCESS_GLOBALS(high_security)) {
+ nrl_info(
+ NRL_INIT,
+ "New Relic Security is enabled by the user provided config "
+ "`newrelic.security.enabled`, `newrelic.security.agent.enabled` and "
+ "`newrelic.high_security`. Security capabilities will be loaded.");
 }
 
 nrl_debug(NRL_INIT, "MINIT processing done");
diff --git a/agent/scripts/newrelic.ini.template b/agent/scripts/newrelic.ini.template
index 52193de48..d6770a217 100644
--- a/agent/scripts/newrelic.ini.template
+++ b/agent/scripts/newrelic.ini.template
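Review bot: Inverting the condition removes the only log output for the disabled case, so when security capabilities are not loaded the init log now says nothing about why, and the per-flag `nrl_debug` lines that told an operator which of the three settings caused it are gone; an `else` branch should keep that diagnostic, since a silently absent security module is exactly what an operator needs to notice. The new info message is also misleading as worded: `newrelic.high_security` is listed as something security is "enabled by" although the condition requires it to be off, so ``and `newrelic.high_security` being disabled`` would be accurate. If the debug lines are restored, the removed ones had their labels swapped (`newrelic.security.agent.enabled` printed `nr_security_enabled` and vice versa), which the version below corrects. PHP_MINIT_FUNCTION(newrelic) starts and continues outside the hunk.
```c
      && !NR_PHP_PROCESS_GLOBALS(high_security)) {
    /* … unchanged: nrl_info "Security capabilities will be loaded." … */
  } else {
    nrl_info(NRL_INIT,
             "New Relic Security is disabled by `newrelic.security.enabled`, "
             "`newrelic.security.agent.enabled` or `newrelic.high_security`. "
             "Not loading security capabilities.");
    nrl_debug(NRL_INIT, "newrelic.security.agent.enabled : %s",
              NR_PHP_PROCESS_GLOBALS(nr_security_agent_enabled) ? "true" : "false");
    nrl_debug(NRL_INIT, "newrelic.security.enabled : %s",
              NR_PHP_PROCESS_GLOBALS(nr_security_enabled) ? "true" : "false");
    nrl_debug(NRL_INIT, "newrelic.high_security : %s",
              NR_PHP_PROCESS_GLOBALS(high_security) ? "true" : "false");
  }
```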
@@ -1333,319 +1333,3 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log" ; for vulnerability management. ; ;newrelic.vulnerability_management.package_detection.enabled = true - -; Setting: newrelic.security.enabled -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if attack detection security module is to be enabled -; -;newrelic.security.enabled = true - -; Setting: newrelic.security.mode -; Type : string -; Scope : system -; Default: "IAST" -; Info : Security module provides two modes "IAST" or "RASP" -; See documentation for more details -; -;newrelic.security.mode = "IAST" - -; Setting: newrelic.security.validator_service_endpoint_url -; Type : string -; Scope : system -; Default: "wss://csec.nr-data.net" -; Info : New Relic<80><99>s security module SaaS connection URLs -; -;newrelic.security.validator_service_url = "wss://csec.nr-data.net" - -; Setting: newrelic.security.agent.enabled -; Type : boolean -; Scope : system -; Default: false -; Info : Used to enable security module, default false is equivalent to -; security module not even loaded. If this setting is set to true, -; then only security module is loaded and to enable it, a restart -; of application is required. This is different than -; newrelic.security.enabled, in terms that security.enabled decides -; runtime behavior of security module but security.agent.enabled -; would not even load the security module when set to false -; -;newrelic.security.agent.enabled = false - -; Setting: newrelic.security.validator.client_ssl_cert_filepath -; Type : string -; Scope : system -; Default: none -; Info : Sets the full path of the client certificate in PEM -; format. When set, this certificate will be used to -; authenticate the New Relic IAST Security Engine's url. If -; not set, the default certificate will be used. Make -; sure the file permissions are correct. 
-; -;newrelic.security.validator.client_ssl_cert_filepath = "" - -; Setting: newrelic.security.exclude_from_iast_scan.api -; Type : string -; Scope : system -; Default: none -; Info : A list of valid pcre regex of apis separated by | (pipe) to be -; excluded for scanning. Make sure each pipe separated regex is correct, -; otherwise none of the regexes will be applicable. -; -;newrelic.security.exclude_from_iast_scan.api = "api1|api2" - -; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.header -; Type : string -; Scope : system -; Default: none -; Info : A list of request header keys separated by :: (double colon) to be -; excluded for scanning -; -;newrelic.security.exclude_from_iast_scan.http_request_parameters.header = "X-Forwaded-For" - -; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.query -; Type : string -; Scope : system -; Default: none -; Info : A list of request query keys separated by :: (double colon) to be -; excluded for scanning -; -;newrelic.security.exclude_from_iast_scan.http_request_parameters.query = "username::password" - -; Setting: newrelic.security.exclude_from_iast_scan.http_request_parameters.body -; Type : string -; Scope : system -; Default: none -; Info : A list of request body keys separated by :: (double colon) to be -; excluded for scanning -; -;newrelic.security.exclude_from_iast_scan.http_request_parameters.body = "account.email::account.contact" - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.insecure_settings -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if insecure settings attack category is to be excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.insecure_settings = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.invalid_file_access -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if invalid file access attack category is to be 
excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.invalid_file_access = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.sql_injection -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if sql injection attack category is to be excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.sql_injection = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.nosql_injection -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if nosql injection attack category is to be excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.nosql_injection = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.ldap_injection -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if ldap injection attack category is to be excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.ldap_injection = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.javascript_injection -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if javascript injection attack category is to be excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.javascript_injection = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.command_injection -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if command injection attack category is to be excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.command_injection = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.xpath_injection -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if xpath injection attack category is to be excluded -; 
-;newrelic.security.exclude_from_iast_scan.iast_detection_category.xpath_injection = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.ssrf -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if ssrf injection attack category is to be excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.ssrf = false - -; Setting: newrelic.security.exclude_from_iast_scan.iast_detection_category.rxss -; Type : boolean -; Scope : system -; Default: false -; Info : Indicates if reflected xss attack category is to be excluded -; -;newrelic.security.exclude_from_iast_scan.iast_detection_category.rxss = false - -; Setting: newrelic.security.scan_schedule.delay -; Type : unsigned integer -; Scope : system -; Default: 0 -; Info : Sets the delay in minutes after which IAST scan should start -; -;newrelic.security.scan_schedule.delay = 0 - -; Setting: newrelic.security.scan_schedule.duration -; Type : unsigned integer -; Scope : system -; Default: 0 -; Info : Sets the duration in minutes for which IAST scan should running -; default will be forever -; -;newrelic.security.scan_schedule.duration = 0 - -; Setting: newrelic.security.scan_schedule.schedule -; Type : string -; Scope : system -; Default: "0 0 * * * ?" -; Info : Sets the IAST run schedule in cron format. scan_schedule.delay -; takes precedence over schedule -; -;newrelic.security.scan_schedule.schedule = "0 0 * * * ?" - -; Setting: newrelic.security.scan_schedule.always_sample_traces -; Type : boolean -; Scope : system -; Default: false -; Info : Always sample traces regardless of other schedule settings -; -;newrelic.security.scan_schedule.always_sample_traces = false - -; Setting: newrelic.security.iast_test_identifier -; Type : string -; Scope : system -; Default: none -; Info : Sets the identifier for allowing users to run IAST for CI/CD. Provide -; a unique identifier (i.e. Build Id) to filter application tests properly. 
-; Also, configurable via env variable NEW_RELIC_SECURITY_IAST_TEST_IDENTIFIER -; which takes precedence over this config. -; -;newrelic.security.iast_test_identifier = "" - -; Setting: newrelic.security.scan_controllers.scan_instance_count -; Type : unsigned integer -; Scope : system -; Default: 0 -; Info : Sets the number of application instances where IAST analysis should be performed -; for a specific entity. Allowed values are 0 or 1, where 0 signifies run on -; all application instances for that specific entity. -; If `newrelic.security.iast_test_identifier` is specified, this value is by default 1. -; -;newrelic.security.iast_test_identifier = 0 - -; Setting: newrelic.security.scan_controllers.report_http_response_body -; Type : boolean -; Scope : system -; Default: true -; Info : This configuration allows user to enable / disable sending of HTTP responses body. -; Disabling reading of http response body will also disable RXSS vulnerability detection. -; -;newrelic.security.scan_controllers.report_http_response_body = true - -; Setting: newrelic.security.restriction_criteria.account_info.account_id_values -; Type : string -; Scope : system -; Default: none -; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode`. -; A list of account id values separated by :: (double colon) to run IAST -; on specific test accounts only. -; -;newrelic.security.restriction_criteria.account_info.account_id_values = "account1::account2" - -; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.header.enabled -; Type : boolean -; Scope : system -; Default: false -; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and -; `newrelic.security.restriction_criteria.account_info.account_id_values`. -; Indicates if account id value is to be looked up in the header on which to run IAST. 
-; -;newrelic.security.restriction_criteria.account_info.mapping_parameters.header.enabled = false - -; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.header.location -; Type : string -; Scope : system -; Default: none -; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and -; `newrelic.security.restriction_criteria.account_info.account_id_values`. -; A list of header keys separated by :: (double colon) to lookup account id values to -; run IAST on specific test accounts only. -; -;newrelic.security.restriction_criteria.account_info.mapping_parameters.header.location = "X-Account::X-Nr-Account" - -; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.body.enabled -; Type : boolean -; Scope : system -; Default: false -; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and -; `newrelic.security.restriction_criteria.account_info.account_id_values`. -; Indicates if account id value is to be looked up in the body on which to run IAST. -; -;newrelic.security.restriction_criteria.account_info.mapping_parameters.body.enabled = false - -; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.body.location -; Type : string -; Scope : system -; Default: none -; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and -; `newrelic.security.restriction_criteria.account_info.account_id_values`. -; A list of body keys separated by :: (double colon) to lookup account id values to -; run IAST on specific test accounts only. 
-; -;newrelic.security.restriction_criteria.account_info.mapping_parameters.body.location = "account.id::account.test.id" - -; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.query.enabled -; Type : boolean -; Scope : system -; Default: false -; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and -; `newrelic.security.restriction_criteria.account_info.account_id_values`. -; Indicates if account id value is to be looked up in the query on which to run IAST. -; -;newrelic.security.restriction_criteria.account_info.mapping_parameters.query.enabled = false - -; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.query.location -; Type : string -; Scope : system -; Default: none -; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and -; `newrelic.security.restriction_criteria.account_info.account_id_values`. -; A list of query keys separated by :: (double colon) to lookup account id values to -; run IAST on specific test accounts only. -; -;newrelic.security.restriction_criteria.account_info.mapping_parameters.query.location = "id::user" - -; Setting: newrelic.security.restriction_criteria.account_info.mapping_parameters.path.enabled -; Type : boolean -; Scope : system -; Default: false -; Info : Applicable only with IAST_RESTRICTION as `newrelic.security.mode` and -; `newrelic.security.restriction_criteria.account_info.account_id_values`. -; Indicates if account id value is to be looked up in the path on which to run IAST. -; -;newrelic.security.restriction_criteria.account_info.mapping_parameters.path.enabled = false \ No newline at end of file