From 1f4813dd2a35a690629521bc1d60d642e9be0428 Mon Sep 17 00:00:00 2001
From: Aviv Shavit
Date: Sun, 7 Feb 2021 11:51:44 +0200
Subject: [PATCH 1/4] update 21026 - update to release 5.3 (artifacts generated from server@1b329dd)
---
 Dockerfile | 86 +++
 LICENSE | 75 +++
 README.md | 115 +++-
 hardening_manifest.yaml | 61 ++
 scripts/autorun.sh | 1234 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 1569 insertions(+), 2 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 LICENSE
 create mode 100644 hardening_manifest.yaml
 create mode 100755 scripts/autorun.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6e2fcff
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,86 @@
+# These three ARGs must point to an Iron Bank image - the BASE_REGISTRY should always be what is written below; please use \
+# '--build-arg' when building locally to replace these values
+# If your container is not based on either the ubi7/ubi8 Iron Bank images, then it should be based on a different Iron Bank image
+# Note that you will not be able to pull containers from nexus-docker-secure.levelup-dev.io into your local dev machine
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
+ARG BASE_TAG=8.3
+
+# FROM statement must reference the base image using the three ARGs established
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+# needed again for label below
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
+ARG BASE_TAG=8.3
+
+# Aqua release version
+ARG AQUA_VERSION=5.3
+# Aqua update version tag
+ARG AQUA_TAG=21026-ubi8
+ENV VERSION=${AQUA_VERSION}.${AQUA_TAG}
+# Aqua container type
+ARG CONTAINER=enforcer
+ARG COMPONENT=enforcer
+ARG BUILDDATE
+ARG COMMIT=1b329dd
+
+# 'LABEL' instructions should include at least the following information and any other helpful details.
+LABEL name="Aqua Enterprise ${CONTAINER}" \
+ maintainer="admin@aquasec.com" \
+ vendor="Aqua Security Software Ltd." \
+ summary="Aqua Security Enterprise - ${CONTAINER}" \
+ description="Aqua Security Enterprise - ${CONTAINER}"
+LABEL com.aquasec.release=${VERSION}
+LABEL com.aquasec.version=${VERSION}
+LABEL com.aquasec.component=$COMPONENT
+LABEL com.aquasec.builddate=${BUILDDATE}
+LABEL com.aquasec.commit=${COMMIT}
+LABEL com.aquasec.baseimage=${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+
+ENV BUILD_ONLY_PACKAGES="tar gzip shadow-utils"
+RUN microdnf install $BUILD_ONLY_PACKAGES
+
+ARG TARBALL="aquasec-${CONTAINER}-${AQUA_VERSION}.${AQUA_TAG}.tar.gz"
+
+RUN mkdir -p /build /opt/aquascans
+
+COPY ${TARBALL} /build/
+
+RUN cd /build && \
+ tar -zxvf ${TARBALL} && \
+ cd -
+
+RUN if [[ -d /build/licenses ]]; then cp -r /build/licenses/ /licenses/; fi
+RUN cd /build/ && \
+ cp -r aquasec /opt/
+RUN rm -rf /build
+
+COPY scripts/* /
+
+RUN groupadd -g 11433 --system aqua && \
+ adduser --home-dir /home/aqua --comment "aqua user" --shell /sbin/nologin -g aqua --system -u 11433 aqua && \
+ chown -R aqua:root /opt/aquasec && chown -R aqua:root /opt/aquascans
+
+RUN microdnf remove ${BUILD_ONLY_PACKAGES}
+RUN microdnf clean all
+
+
+# dodTODO: pending SLK-28283
+# Removing of microdnf must be after we use it
+#COPY _package/remove-vulnerable-packages /
+#RUN chmod +x /remove-vulnerable-packages && sync && /remove-vulnerable-packages ${ubiver}
+#RUN rm /remove-vulnerable-packages
+
+VOLUME /opt/aquascans
+WORKDIR /opt/aquasec/
+
+LABEL com.aquasec.restart=no
+HEALTHCHECK --interval=1m --start-period=3m CMD /opt/aquasec/slk ping || exit 1
+RUN microdnf install iptables libmnl && \
+ microdnf clean all
+
+RUN cp /opt/aquasec/slkinst /
+ENV LD_LIBRARY_PATH=/opt/aquasec
+CMD ["/autorun.sh"]
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..13df15c
--- /dev/null
+++ b/LICENSE
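Review bot: The cleanup steps in this hunk do not actually remove anything from the image because they run in separate layers: `COPY ${TARBALL} /build/` and the extracting `RUN` keep the full release archive in their own layers regardless of the later `RUN rm -rf /build`, and `RUN microdnf remove ${BUILD_ONLY_PACKAGES}` leaves tar, gzip and shadow-utils in the earlier install layer, so the shipped image is larger than needed and still carries the tools and the archive. Unpacking in a throw-away stage and creating the aqua user inside the same `RUN` that installs and removes shadow-utils keeps both out of every layer (outline below); the licenses check `if [[ -d /build/licenses ]]` also relies on `/bin/sh` being bash, and becomes unnecessary with the staged copy. `BUILD_ONLY_PACKAGES` is declared with `ENV`, so the build-only package list persists into the container's runtime environment where an `ARG` would do. The stage never switches to the `aqua` user it creates, so the enforcer runs as root; if that is needed for the iptables it installs, a one-line comment such as `# intentionally root: the enforcer needs to manage host iptables rules` next to `RUN microdnf install iptables libmnl` would record the decision for Iron Bank reviewers.
```dockerfile
# Unpack the release archive in a throw-away stage: neither the tarball nor
# the extraction tools end up in a layer of the shipped image.
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS unpack
ARG CONTAINER=enforcer
ARG AQUA_VERSION=5.3
ARG AQUA_TAG=21026-ubi8
ARG TARBALL="aquasec-${CONTAINER}-${AQUA_VERSION}.${AQUA_TAG}.tar.gz"
RUN microdnf install tar gzip && microdnf clean all
COPY ${TARBALL} /build/
# mkdir -p keeps the COPY below valid when the archive ships no licenses/ dir
RUN tar -zxf "/build/${TARBALL}" -C /build && \
    mkdir -p /build/licenses

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
# … unchanged: ARG redeclarations, VERSION, LABEL block …
COPY --from=unpack /build/aquasec /opt/aquasec
COPY --from=unpack /build/licenses /licenses
# Install, use and remove shadow-utils in ONE layer so the removal is real.
RUN microdnf install shadow-utils && \
    groupadd -g 11433 --system aqua && \
    adduser --home-dir /home/aqua --comment "aqua user" --shell /sbin/nologin -g aqua --system -u 11433 aqua && \
    microdnf remove shadow-utils && \
    microdnf clean all && \
    mkdir -p /opt/aquascans && \
    chown -R aqua:root /opt/aquasec /opt/aquascans
# … unchanged: COPY scripts/* /, VOLUME, WORKDIR, HEALTHCHECK, iptables install, CMD …
```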
@@ -0,0 +1,75 @@
+THESE TERMS AND CONDITIONS (the “Agreement“) CONSTITUTE A BINDING AGREEMENT BETWEEN YOU AND AQUA (AS DEFINED BELOW). IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF AN ENTITY, YOU REPRESENT THAT YOU HAVE THE RIGHT, AUTHORITY, AND CAPACITY TO BIND SUCH ENTITY TO THIS AGREEMENT. In any event, references herein to “Customer” means you or such entity (as the case may be). “Aqua” shall mean (i) Aqua Security Software, Inc. in the event that you are a United States or Australian User; OR otherwise (ii) Aqua SECURITY SOFTWARE LTD.
+
+By clicking the “I Accept” button below or by otherwise installing or using any part of the Software (as defined below), Customer acknowledges these terms and conditions and represents that it has fully read and understood, and agrees to be bound by, the following (the date of such occurrence being the “Effective Date“): this Agreement and other supplemental terms and policies that this Agreement expressly incorporates by reference, and which are thereby made a part of this Agreement.
+
+IF CUSTOMER DOES NOT AGREE WITH ANY OF THE TERMS OR CONDITIONS OF THIS AGREEMENT, CUSTOMER MUST NEITHER CLICK “I ACCEPT” NOR INSTALL OR USE ANY PART OF THE SOFTWARE.
+
+By entering into the Agreement, Customer hereby irrevocably and unconditionally waives any law or regulation applicable to Customer requiring that the Agreement be localized to meet Customer’s language or requiring an original (non-electronic) signature or delivery or retention of non-electronic records.
+
+1. License. Subject to the terms and conditions of this Agreement, Aqua grants Customer a limited, non-exclusive, non-assignable, non-transferable, and non-sublicensable license, during the subscription-based term stated in the purchase order for the provision of Aqua’s software product identified in the purchase order (“Software“) and Support Services (defined below) executed directly with Aqua (“License Term” and “Purchase Order“, respectively), to do the following for internal business use only (collectively, the “License“): (i) install the Software (in object code only) in Customer’s on-premise, private cloud, or other installation environment stated in the Purchase Order (the “Environment(s)“) and on such number of physical or virtual machine (including without limitation server, host, node and docker engine) on which the Software is installed (“Hosts“) specified in the Purchase Order; and (ii) access and use those modules, tools, and/or features of the Software permitted (and in the quantities permitted) under the Purchase Order (“Module“).
+
+References herein to “Software” include all of the manuals, specifications, and similar documentation accompanying the Software or otherwise made available by Aqua (the “Documentation“), as well as any Updates (as defined in the Support Ts&Cs referenced in Section 6 below) made available to Customer pursuant to Support Services (as defined below).
+
+2. License Restrictions. Except to the extent expressly permitted in this Agreement (or otherwise mandated under any law applicable to Customer), Customer shall not, and shall not permit or encourage any third party to, do any of the following: (a) copy the Software; (b) sell, assign, lease, lend, rent, sublicense, or make available the Software to any third party, or otherwise use the Software to operate in a time-sharing, outsourcing, or service bureau environment; (c) modify, alter, adapt, arrange, translate, decompile, disassemble, reverse engineer, or otherwise attempt to discover the source code or non-literal aspects (such as the underlying structure, sequence, organization, and interfaces) of, the Software; (d) remove, alter, or conceal, in whole or in part, any copyright, trademark, or other proprietary rights notice or legend displayed or contained on or in the Software; (e) circumvent, disable or otherwise interfere with security-related or technical features or protocols of the Software (such as usage monitoring features); (f) make a derivative work of the Software, or use the Software to develop any service or product that is the same as (or substantially similar to) the Software; (g) disclose to the public the results of any internal performance testing or benchmarking studies of or about the Software, without first (x) sending the results and related study(ies) to Aqua, and (y) obtaining Aqua’s written approval of the assumptions, methodologies and other parameters of the testing or study; (h) use, publish or transmit any robot, malware, Trojan horse, spyware, or similar malicious item intended (or that has the potential) to damage or disrupt the Software; and/or (i) access the Software and/or its servers through or use with the Software any unauthorized means, services or tools, including, without limitation, any data mining, robots, or similar automated means or data gathering and extraction tools, including, without limitation, in order to extract for re-utilization of any parts of the Software. Customer shall not ship, transfer, or export the Software or any component thereof or use the Software in any manner, prohibited by law, including without limitation to, sell, distribute, export or download the Software: (a) into (or to a national or resident of) Cuba, Iran, Iraq, Libya, North Korea, Sudan, Lebanon, Syria, or the Crimea Region of Ukraine, (b) to anyone on the U.S. Commerce Department’s Table of Denial Orders or U.S. Treasury Department’s list of Specially Designated Nationals, (c) to any country to which such export or re-export is restricted or prohibited, or as to which the U.S., Australian or Israeli government or any agency thereof requires an export license or other governmental approval at the time of export or re-export without first obtaining such license or approval, or (d) otherwise in violation of any export or import restrictions, laws or regulations of the U.S., Australia or Israel or any foreign agency or authority. Customer agrees to the foregoing and warrants that it is not located in, under the control of, or a national or resident of any such prohibited country or on any such prohibited party list. The foregoing conditions are limitations on the scope of the License.
+
+3. Installation. Customer will be responsible for the installation, using a license key provided by Aqua, including without limitation: (a) all configurations (including without limitation to the Environment and other third party systems) in connection therewith; and (b) for providing Aqua with (as well as procuring for Aqua the right to access and use) all information, materials, facilities, and equipment reasonably requested by Aqua for the purposes of installation. In addition, Customer will cooperate with Aqua in configuring and maintaining the Software’s remote connectivity Module to enable Aqua to monitor and receive reports regarding Customer’s use and consumption levels of the Software (such monitoring and reports, “Usage Audits“).
+
+4. Payment
+
+4.1. License Fees. Customer will pay the Software license fees stated in the Purchase Order (“License Fees“), and in accordance with its payment terms; provided, however, that if a Usage Audit reveals a usage level above that permitted in the Purchase Order, the License Fees will be increased according to Aqua’s then-current price list (and as otherwise specified in the Purchase Order for such excessive use). For the avoidance of doubt, the foregoing mechanism shall not result in a reduction in License Fees in the event Customer’s consumption level decreases below the level purchased under the Purchase Order. Unless otherwise specified in the Purchase Order, all payments are due thirty (30) days from receipt of each invoice and are non-refundable and without any right of set-off. Any amount not paid when due will accrue interest on a daily basis until paid in full, at the lesser of: (a) the rate of one and a half percent (1.5%) per month; and (b) the highest amount permitted by applicable law.
+
+4.2. Taxes. Amounts payable under this Agreement are exclusive of all applicable sales, use, consumption, VAT, GST, and other taxes, duties or governmental charges, except for taxes based upon Aqua’s net income. In the event that Customer is required by applicable law to withhold or deduct taxes imposed upon Customer for any payment under this Agreement, then the amounts due to Aqua will be increased by the amount necessary so that Aqua receives and retains, free from liability for any deduction or withholding, an amount equal to the sum it would have received had Customer not made any such withholding or deduction.
+
+5. Third Party Software. The Software may include third party software components that are subject to open source and/or pass-through commercial licenses and/or notices (such third party programs, “Third Party Software” and “Third Party Software Terms and Notices“, respectively). Some of the Third Party Software Terms and Notices may be made available to Customer in the Software, its Documentation or via a supplementary list provided by Aqua. Any covenants, representations, warranties, indemnities and other commitments with respect to the Software in this Agreement are made by Aqua and not by any authors, licensors, or suppliers of, or contributors to, such Third Party Software. Any use of Third Party Software is subject solely to the rights and obligations under the applicable Third Party Software Terms and Notices. Notwithstanding anything in this Agreement to the contrary, Aqua does not make any representation, warranty, guarantee, or condition, and does not undertake any liability or obligation, with respect to any Third Party Software.
+
+6. Support Services. Subject to Customer’s timely payment of the License Fees, Aqua will provide the support and maintenance services (“Support Services“) in accordance with the terms and conditions set forth at https://www.aquasec.com/basic-support-terms/ (“Support Ts&Cs“).
+
+7. Confidentiality
+
+7.1. Customer may have access to certain non-public or proprietary information or materials of Aqua (the “Discloser“), whether in tangible or intangible form (“Confidential Information“). Without derogating from the foregoing, the Software, license keys and terms of the Purchase Order shall be deemed as Aqua’s Confidential Information. Confidential Information will not include information or material which Customer can demonstrate: (a) was in the public domain at the time of disclosure by Aqua to Customer hereunder; and/or (b) became part of the public domain after disclosure by Aqua to Customer hereunder, through no fault of Customer; (c) was in the Customer’s possession at the time of disclosure by the Aqua hereunder, and was not subject to prior continuing obligations of confidentiality by Customer to Aqua; (d) was rightfully disclosed to the Customer by a third party having the lawful right to do so; and/or (e) was independently and rightfully developed by the Recipient without (direct or indirect) use of, or reliance upon, Aqua’s Confidential Information.
+
+7.2. In the event that Customer is required to disclose Confidential Information of Aqua pursuant to any law or governmental or judicial order, Customer will promptly notify Aqua in writing of such law or order and reasonably cooperate with Aqua in opposing such disclosure or obtaining such other protective measures. In any event, such disclosure made pursuant to this paragraph will be made solely to the extent required by such law or order (as the case may be).
+
+7.3. Customer will use Aqua’s Confidential Information solely for the purpose of performing its obligations and/or exercising its rights under this Agreement and will not disclose or make available the Confidential Information to any third party, except to its employees that have a need to know such information and that are bound by obligations at least as protective as provided herein. Customer will take measures at a level at least as protective as those taken to protect its own confidential information of like nature (but in no event less than a reasonable level) to protect Aqua’s Confidential Information. Customer will promptly notify Aqua in writing in the event of any actual or suspected unauthorized use or disclosure of any Aqua Confidential Information.
+
+7.4. Each Party acknowledges that in the event of a breach or threatened breach of this Section 7 (Confidentiality) by Customer, Aqua may suffer irreparable harm or damage for which monetary damages will be inadequate, and will, therefore, be entitled to injunctive relief and specific performance to enforce the obligations under this Section 7‎ (Confidentiality) without the need to post a bond.
+
+8. Ownership. As between the Parties, Aqua is, and shall remain, the sole and exclusive owner of all Intellectual Property Rights in and to the Software and all its copies (as well as any modifications, improvements or derivatives thereto), the Support Services, and any other products or services provided by Aqua (hereinafter, “Aqua IPR“). Aqua reserves all rights not expressly granted herein and except for the License, Customer is granted no other right or license in or to any Aqua IPR. Customer undertakes not to contest Aqua’s ownership in the Aqua IPR. “Intellectual Property Rights” means any and all right, title and interest in and to patents, inventions, discoveries, copyrights, works of authorship, trade secrets, trademarks, service marks, trade dress, technical information, data, know-how, show-how, designs, drawings, utility models, topography and semiconductor mask works, specifications, formulas, methods, techniques, processes, databases, software, code, algorithms, architecture, records, documentation, and other similar intellectual or industrial property, in any form and embodied in any media, whether capable of protection or not, whether registered or unregistered, and including all applications, registrations, renewals, extensions, continuations, divisions or reissues thereof.
+
+9. Warranty; Disclaimer. Aqua warrants to Customer that the Software will materially perform the functions described in the technical specifications included in the Documentation for a period of sixty (60) days commencing upon the Effective Date (the “Warranty” and “Warranty Period“, respectively). The following are excluded from the foregoing Warranty: (a) the Software has not been properly installed, operated, repaired or maintained in accordance with the Documentation and the written instructions of Aqua; (b) the Software has been modified by persons other than Aqua or its authorized representatives; and (c) any error or failure related to the Environment or any third party software (including any Third Party Software), hardware or service. Customer’s sole and exclusive remedy, and Aqua’s entire obligation and liability, for a Warranty claim under this Section 9 (Warranty; Disclaimer) will be for Aqua to make commercially reasonable efforts to provide a fix, patch or workaround (which may be included in a future Update) for reproducible defects in the Software reported to Aqua in writing, all at no additional charge to Customer; provided, however, that (A) the Warranty claim is made in writing, with sufficient detail, within the Warranty Period; (B) Aqua determines that the defect is not due to any misuse, abuse, neglect, negligence, or unauthorized repair or modification of the Software; and (C) the failure or error is reproducible by Aqua. Any fix, patch, or workaround provided as part of the foregoing remedy will not re-commence the Warranty Period and are warranted for the remainder of the Warranty Period, as then in effect.
+
+EXCEPT TO THE EXTENT PROVIDED OTHERWISE IN THIS SECTION 9 (WARRANTY; DISCLAIMER),‎ THE SOFTWARE AND ANY SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, AND ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES (INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, OR QUALITY OF SERVICE, OR THAT OTHERWISE ARISE FROM A COURSE OF PERFORMANCE OR USAGE OF TRADE) ARE HEREBY DISCLAIMER. AQUA DOES NOT MAKE ANY REPRESENTATION, WARRANTY, GUARANTEE OR CONDITION REGARDING THE EFFECTIVENESS, USEFULNESS, RELIABILITY, COMPLETENESS, OR QUALITY OF THE SOFTWARE, OR THAT USE OF THE SOFTWARE WILL BE UNINTERRUPTED, SECURE OR ERROR-FREE OR THAT ERRORS/BUGS ARE REPRODUCIBLE OR THAT ERRORS/BUGS ARE REPAIRABLE.
+
+10. LIMITATION OF LIABILITY
+
+10.1. IN NO EVENT WILL AQUA, ANY OF ITS AFFILIATES, PARTNERS, DISTRIBUTORS OR ANY OF THEIR LICENSORS AND SUPPLIERS BE LIABLE UNDER, OR OTHERWISE IN CONNECTION WITH, THIS AGREEMENT, THE SOFTWARE OR OTHERWISE FOR: (A) ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES; (B) ANY LOSS OF PROFITS, BUSINESS, ANTICIPATED SAVINGS, OR DATA AND/OR DAMAGE TO OR LOSS OF REPUTATION, OR GOODWILL; AND/OR (C) THE COST OF PROCURING ANY SUBSTITUTE GOODS OR SERVICES.
+
+10.2. THE COMBINED CUMULATIVE LIABILITY OF AQUA AND ITS AFFILIATES, PARTNERS AND ANY OF THEIR LICENSORS AND SUPPLIERS UNDER, OR OTHERWISE IN CONNECTION WITH, THIS AGREEMENT, THE SOFTWARE OR OTHERWISE, WILL NOT EXCEED THE LICENSE FEES ACTUALLY PAID BY CUSTOMER TO AQUA UNDER THE APPLICABLE PURCHASE ORDER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH LIABILITY. AQUA’S SOLE AND EXCLUSIVE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY IN RESPECT OF ANY MAINTENANCE OR SUPPORT ISSUE SHALL BE LIMITED TO PROVISION OF SUPPORT SERVICES.
+
+10.3. THE PRECEDING LIMITATIONS OF LIABILITY SHALL NOT APPLY TO BREACHES OF CONFIDENTIALITY, MISAPPROPRIATION OR BREACH OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS AND OBLIGATIONS PURSUANT TO SECTION 11 (INDEMNIFICATION) HEREIN.
+
+10.4. THE FOREGOING LIMITATIONS OF LIABILITY WILL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND: (A) EVEN IF A PARTY OR AN AFFILIATE, DISTRIBUTOR OR SUPPLIER OF AQUA HAS BEEN ADVISED, OR SHOULD HAVE BEEN AWARE, OF THE POSSIBILITY OF LOSSES, DAMAGES, OR COSTS; (B) EVEN IF ANY REMEDY IN THIS AGREEMENT FAILS OF ITS ESSENTIAL PURPOSE; AND (C) REGARDLESS OF THE THEORY OF LIABILITY (INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, TORT, NEGLIGENCE OR STRICT LIABILITY).
+
+11. Indemnification
+
+11.1. By Aqua. Aqua will defend, indemnify and hold harmless Customer against any third party demand, claim, suit, or action alleging that Customer’s use of the Software in accordance with this Agreement infringes such third party’s intellectual property rights (an “Infringement Claim“), and Aqua will pay any amounts finally awarded by a court against Customer (or otherwise agreed in settlement) under such Infringement Claim. Aqua will have no obligation or liability under this Section 11.1‎ to the extent that the Infringement Claim is based upon or results from: (a) the combination or use of the Software with any third party products or services if the claim would not have occurred if not for such combination or use; (b) any modification to the Software not made by Aqua; (c) Customer’s failure to comply with the written instructions of Aqua and/or with the terms of this Agreement or the Documentation; (d) where Customer continues the alleged infringing activity after being notified thereof; (e) use or retention of a copy of the Software not in its most current version provided by Aqua; and/or (f) Aqua’s compliance with any Customer instructions or requirements (any such claim in clauses (a) through (d), a “Reverse Infringement Claim“).
+
+11.2. Remediation. Should the Software (in whole or in part) become, or in Aqua’s opinion be likely to become, the subject of any Infringement Claim, then Customer permits Aqua, at Aqua’s option, either to: (a) obtain for Customer the right to continue using the Software (or part thereof); or (b) replace or modify the Software (or part thereof) so that it becomes non-infringing; provided, however, that if, in Aqua’s opinion, the remedies in clauses (a) and (b) above are not commercially feasible, Aqua may terminate this Agreement immediately upon written notice to Customer and provide Customer with a pro-rata refund of any prepaid (but unutilized) License Fees based on the remaining License Term.
+
+11.3. By Customer. Customer will defend, indemnify, and hold harmless Aqua, Aqua Affiliates, distributors and suppliers and their respective directors, officers, employees, and suppliers from and against any third party claims, demands, actions, suits, proceedings, damages, losses, judgments and/or liabilities arising from, or related to or in connection with: (a) a Reverse Infringement Claim; and/or (b) Customer’s unauthorized use of the Software or breach of this Agreement (each, a “Aqua Claim“).
+
+11.4. Procedure. Each Party’s obligation and liability under this Section (Indemnification) is subject to the conditions that: (a) the indemnified Party has promptly notified the indemnifying Party in writing of the Infringement Claim or Aqua Claim, as the case may be (as used in this subsection, “Claim“), provided that a delay or failure by the indemnified Party to provide such notice will not relieve the indemnifying Party of its obligation or liability under this Section (Indemnification), except to the extent that such delay or failure materially prejudices its ability to defend the claim; (b) the indemnified Party reasonably cooperates with the indemnifying Party and permits the indemnifying Party to assume sole control of the defense of the Claim and all negotiations for any settlement thereof, provided that Aqua will not be required to cede control of a Aqua Claim to the extent that it impacts any Aqua Intellectual Property Right or goodwill, and the indemnifying Party will not enter into any settlement of a Claim without the indemnified Party’s prior express written consent, not to be unreasonably withheld, conditioned or delayed; and (c) the indemnified Party refrains from admitting any liability or otherwise compromising the defense of the Claim (in whole or in part), without the prior express written consent of the indemnifying Party.
+
+11.5. Entire Liability. This Section (Indemnification) states Aqua’s sole and exclusive obligation and liability, and Customer’s sole remedy, with respect to any Infringement Claim.
+
+12. Term and Termination
+
+12.1. Term. This Agreement commences as of the Effective Date and will continue in full force and effect for the duration of the License Term, unless earlier terminated in accordance with this Agreement. If the License Term is a subscription-based term, this Agreement will automatically renew for successive annual periods (as applicable), unless, a Party gives written notice to the other Party of the former’s intent not to renew the License Term, given at least thirty (30) days prior to the expiration thereof.
+
+12.2. Termination. Each Party may terminate this Agreement immediately upon written notice to the other Party: (a) if the other Party commits a material breach under this Agreement and, if curable, fails to cure that breach within thirty (30) days after receipt of written notice specifying the material breach (except that for payment defaults, such cure period will be seven days); and/or (b) if the other Party is declared bankrupt by a judicial decision, or, in the event an involuntary bankruptcy action is filed against such other Party, it has not taken, within sixty (60) days from service of such action to such Party, any possible action under applicable law for such filed action to be dismissed.
+
+12.3. Effect of Termination; Survival. Upon expiration or the effective date of termination of this Agreement (as the case may be): (a) this License will automatically terminate and Customer will uninstall and permanently erase (or, if requested by Aqua, permit Aqua to uninstall and permanently erase) all copies of the Software from the Customer’s systems; (b) Customer will pay all outstanding fees, including any License Fees; and (c) Customer shall, at Aqua’s election, erase or return to Aqua all Aqua Confidential Information in its possession or under its control. Sections 1 (Definitions), 2 (License Restrictions), 4 (Payments), 5 (Third Party Software) and 7 (Confidentiality) through 13 (Miscellaneous) will survive the expiration or termination of this Agreement.
+
+13. Miscellaneous. (13.1) Entire Agreement. This Agreement, all Purchase Orders and the Support Ts&Cs represents the entire agreement of the Parties with respect to the subject matter hereof, and supersedes and replaces all prior and contemporaneous oral or written understandings and statements by the Parties with respect to such subject matter. In entering into this Agreement, neither Party is relying on any representation not expressly specified in this Agreement. This Agreement may only be amended by a written instrument duly signed by each Party. The Section and subsection headings used in this Agreement are for convenience only. Any terms and conditions printed, or linked to, within the Purchase Order, which is in addition to or otherwise inconsistent with the terms and conditions of this Agreement, shall be of no effect, unless explicitly stated otherwise with reference to this Agreement. (13.2) Name and Logo. Aqua may use Customer’s name and logo on its website and in its promotional materials to state that Customer is a customer of Aqua and a Software user. (13.3) Reference Customer. Customer agrees to serve as a reference customer of Aqua with other potential customers and industry analysts. (13.4) Case Study. Customer agrees, in due course, to collaborate with Aqua’s marketing team to create a case study of the Customer’s use of the Software. (13.5) Assignment. This Agreement (whether in whole or in part): (a) may not be assigned by Customer without the prior express written consent of Aqua; and (b) may be assigned by Aqua, without obligation or restriction. Any prohibited assignment will be null and void. Subject to the provisions of this Section (Assignment), this Agreement will bind and benefit each Party and its respective successors and assigns. (13.6) Governing Law; Jurisdiction. Section 13.6(a) shall apply in respect of North American users, otherwise Section 13.6(b) shall apply: (a) this Agreement will be governed by, and construed in accordance with, the laws of the State of Delaware, USA without regard to its conflicts of law rules. Any claim, dispute or controversy between the Parties will be subject to the exclusive jurisdiction and venue of the competent federal and state courts located in Wilmington, Delaware, and each Party hereby irrevocably submits to the personal jurisdiction of such courts and waives any jurisdictional, venue, or inconvenient forum or other objections to such courts; (b) This Agreement will be governed by, and construed in accordance with, the laws of the State of Israel, without regard to its conflicts of law rules. Any claim, dispute or controversy between the Parties will be subject to the exclusive jurisdiction and venue of the competent courts located in Tel Aviv-Jaffa, Israel, and each Party hereby irrevocably submits to the personal jurisdiction of such courts and waives any jurisdictional, venue, or inconvenient forum, or other objections to such courts. The following applies to all users notwithstanding the foregoing, Aqua may seek injunctive relief in any court worldwide that has competent jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods is hereby disclaimed. (13.7) Feedback. If Customer provides Aqua with any feedback, ideas or suggestions regarding the Software (“Feedback“), Aqua may, at no cost, freely use such Feedback, for any purpose whatsoever and Customer hereby and shall assign all right, title and interest in and to all Feedback to Aqua upon creation thereof. For the avoidance of doubt, Feedback will not be deemed Customer’s Confidential Information. (13.8) Relationship. The Parties are solely independent contractors. Nothing in this Agreement shall create a partnership, joint venture, agency, or employment relationship between the Parties. Neither Party may make, or undertake, any commitments or obligations on behalf of the other. (13.9) Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then: (a) the remaining provisions of this Agreement shall remain in full force and effect; and (b) such provision will be ineffective solely as to such jurisdiction (and only to the extent and for the duration of such invalidity or unenforceability), and will be substituted (in respect of such jurisdiction) with a valid and enforceable provision that most closely approximates the original legal intent and economic impact of such provision. (13.10) Notices. All notices and communications between the Parties under, or in connection with, this Agreement (“Notices“) shall be in writing, by hand delivery, by nationally recognized courier service or by prepaid certified mail. Aqua may send Notices to Customer through the management and reporting Module of the Software. Customer shall send all Notices to the mailing and email addresses and contact person listed in the Purchase Order, unless Customer has no Purchase Order with Aqua in which case Notices shall be sent to: Aqua Security Software Ltd., 20 Menachem Begin Street, Ramat-Gan 5270005, Israel, Attn: Director of Finance, Email: Support@aquasec.com. (13.11) Force Majeure. Except for payment obligations, neither Party will be liable for failure or delay in performance of any of its obligations under or in connection with this Agreement arising out of any event or circumstance beyond that Party’s reasonable control, including without limitation an Act of God, fire, flood, lightning, war, revolution, act of terrorism, riot, civil commotion, adverse weather condition, adverse traffic condition, strike, lock-out or other industrial action, and failure of supply of power, fuel, transport, equipment, raw materials, or other goods or services. (13.12) Customer Data; Storage. Customer acknowledges that the Software is not intended to, and will not, operate as an archive or file-storage product or service for Customer Data (as defined below), and Customer will be solely responsible for the maintenance and backup of all Customer Data. “Customer Data” means Customer’s content, code, or data uploaded to, or otherwise processed by, the Software. (13.13) Waiver. Any waiver granted hereunder must be in writing, duly signed by the waiving Party, and will be valid only in the specific instance in which given.
+
+Updated January 2020
\ No newline at end of file
diff --git a/README.md b/README.md
index 5dc6fa6..45f2d81 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,114 @@ -# +## Welcome to Aqua Cloud Native Security Platform (CSP)! -Project template for all Iron Bank container repositories. \ No newline at end of file +Aqua CSP provides full lifecycle security for your cloud native applications (containers, orchestrators, cloud VMs, and serverless functions) at a very granular level. Aqua includes preventive controls to secure the development pipeline; protects applications in runtime; detects and blocks attacks; and provides visibility and auditing for security risk management and compliance. + +Aqua CSP: + +* Integrates with your existing workflows for building, shipping, running, and securing your cloud workloads +* Works with the leading orchestrators and cloud provider platforms +* Secures environments consisting of servers running Linux and Windows, as well as CaaS and FaaS cloud services +* Provides you with full audit logs of security-related events that have occurred on your hosts or in your containers and serverless functions + +Aqua CSP Version 5.3 includes several new features, other improvements, and changes with respect to CSP Version 5.0. They are described below. + +### What's new in this version? 
+* Improved, configurable dashboard
+* Redesigned main (left side) menu
+* Kubernetes Assurance Policies
+* Pod Enforcer
+* Integration with Apolicy for Kubernetes cluster assessment
+* VMware acquisition of Pivotal (rebranding)
+* DTA enhancements
+* Scheduled host scans
+* Forbid specific Docker labels in images
+* Require specific Docker labels in images
+* Webhook enhancements
+* Automatic database connection management
+* Host scan queue enhancements
+* RBAC- Email identification of application scope owners
+* Aqua CyberCenter v5 as default
+* Scanning of local Docker tar images
+* Container Runtime Policies - support Port Scanning Detection in windows
+* Audit event enhancements
+* Enforcers support of httpGet for Liveness probes
+* Block container exec runtime control
+* HTML scan report enhancements
+* Support for scanning of SUSE Linux Enterprise based images
+* Login security enhancements - maximum session duration and automatic logout after inactivity
+* Support for OpenID Connect
+* Expanded workload container information
+* UX - Dynamic text entry suggestions
+* Enforcer support for AWS Bottlerocket
+
+More information at https://www.aquasec.com
+
+### Aqua images and containers
+Aqua components are supplied as product images in the Aqua Registry, and deployed as containers. The typical exceptions to this are:
+* Aqua Server is the central control component of Aqua CSP.
+* Aqua Gateway(s) handle communication between the Aqua Server and the Aqua Enforcer(s), and use the Aqua Database.
+* Aqua Scanner(s) scan images for security issues (vulnerabilities, sensitive data, and malware) and send the results to the Aqua Server. The Scanners are directed by the Image Assurance Policies you have configured using the Aqua UI.
+* Aqua Enforcer(s) provide runtime security-related monitoring of your running containers, in order to provide enforcement of the Container Runtime Policies you have configured using the Aqua UI. The Aqua Enforcer(s) also ensure that
+ only registered and scanned images will run on the hosts where the Aqua Enforcer is deployed.
+
+### Deploying Aqua CSP
+
+Follow the example below for a simple ``podman`` based deployment.
+
+**Other deployment options are available at https://github.com/aquasecurity/deployments/**
+
+* `````` must be changed to a resolvable DNS name or the IP address of the database host.
+* Replace all occurrences of `````` with a password of your choice.
+* Replace `````` with a resolvable DNS name or the IP address of the Aqua Server host.
+* Replace the image name with the appropriate Ironbank image source.
+
+```
+podman run -d -p 5432:5432 --name aqua-db \
+ -e POSTGRES_PASSWORD= \
+ -v /var/lib/aqua-db/data:/var/lib/postgresql/data \
+ registry.aquasec.com/database:5.0
+
+ podman run -d -p 8080:8080 -p 443:8443 \
+ --name aqua-web \
+ -e SCALOCK_DBHOST= \
+ -e SCALOCK_DBNAME=scalock \
+ -e SCALOCK_DBUSER=postgres \
+ -e SCALOCK_DBPASSWORD= \
+ -e SCALOCK_AUDIT_DBHOST= \
+ -e SCALOCK_AUDIT_DBNAME=slk_audit \
+ -e SCALOCK_AUDIT_DBUSER=postgres \
+ -e SCALOCK_AUDIT_DBPASSWORD= \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ registry.aquasec.com/console:5.0
+
+ podman run -d -p 3622:3622 -p 8443:8443 --name aqua-gateway \
+ -e AQUA_CONSOLE_SECURE_ADDRESS=:443 \
+ -e SCALOCK_DBHOST= \
+ -e SCALOCK_DBNAME=scalock \
+ -e SCALOCK_DBUSER=postgres \
+ -e SCALOCK_DBPASSWORD= \
+ -e SCALOCK_AUDIT_DBHOST= \
+ -e SCALOCK_AUDIT_DBNAME=slk_audit \
+ -e SCALOCK_AUDIT_DBUSER=postgres \
+ -e SCALOCK_AUDIT_DBPASSWORD= \
+ registry.aquasec.com/gateway:5.0
+```
+
+ The instructions to deploy the Enforcer are installation dependent and can be retrieved from Enforcers page on the Aqua console web ui. Open the 3-dot menu on the right side of the default enforcer group and select 'Copy Deployment Command'.
+
+### Sizing Guide
+The sizing guidance below is based on a small kubernetes deployment as described in the following table:
+
+| Hosts | Pods | Gateways | Scanners | Enforcers |
+| --- | --- | --- | --- | --- |
+| 50 | 4000 | 1 | 10 | 50 |
+
+| Component | CPU (millicores) | RAM (GB) | Storage (GB) |
+|-----------| --- | ------ | --- |
+| Aqua Server | Min: 2,000 Rec: 3,000 | Min: 3.0 Rec: 5.0 | Min: 5.0 Rec: 6.0 |
+| Aqua Gateway (each) | Min: 1,000 Rec: 1,000 | Min: 1.0 Rec: 2.0 | |
+| Aqua Scanner (each) | Min: 500 Rec: 800 | Min: 2.0 Rec: 6.0 | Size of the largest image |
+| Aqua Enforcer (each) | Min: 350 Rec: 500 | Min: 0.5 Rec: 1.5 | |
+| PostgreSQL DB | Min: 2,000 Rec: 5,000 | Min: 10.0 Rec: 20.0 | Min: 50 Rec: 250 |
+
+#### Special note on "Local" scanning
+Aqua Enterprise supports scanning images from the local host docker image store by specifiying the ``--local`` scanner command line switch. Therefore, the scanner-cli running within the scanner container requires access permissions to the docker socket. These can be provided by assigning the effective group of the container user to that of the docker with the docker ``--user`` command line switch or adding the docker group gid to the ``supplementalGroups`` list of the kubernetes deployment's ``securityContext``.
\ No newline at end of file
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000..be3ebf4
--- /dev/null
+++ b/hardening_manifest.yaml
@@ -0,0 +1,61 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "aqua-security/enterprise/enforcer-5.3"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "5.3.21026-ubi8"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "redhat/ubi/ubi8-minimal"
+ BASE_TAG: "8.3"
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: "enforcer-5.3"
+ ## Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "Aqua Security Enterprise - enforcer"
+ ## License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "proprietary"
+ ## URL to find more information on the image
+ # org.opencontainers.image.url: "FIXME"
+ ## Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "Aqua Security"
+ org.opencontainers.image.version: "5.3.21026-ubi8"
+ ## Keywords to help with search (ex. "cicd,gitops,golang")
+ # mil.dso.ironbank.image.keywords: "FIXME"
+ ## This value can be "opensource" or "commercial"
+ mil.dso.ironbank.image.type: "commercial"
+ ## Product the image belongs to for grouping multiple images
+ # mil.dso.ironbank.product.name: "FIXME"
+
+# List of resources to make available to the offline build context
+resources:
+- auth:
+ id: aquasec-credential
+ type: basic
+ filename: aquasec-enforcer-5.3.21026-ubi8.tar.gz
+ url: https://download.aquasec.com/aquasec/csp/enforcer/5.3/aquasec-enforcer-5.3.21026-ubi8.tar.gz
+ validation:
+ type: sha256
+ value: 199bfbcd615e088e3d76b1184643753ef0a8c738d172cfe022318e4476906a4d
+
+# List of project maintainers
+# FIXME: Fill in the following details for the current container owner in the whitelist
+# FIXME: Include any other vendor information if applicable
+maintainers:
+- email: "aviv.shavit@aquasec.com"
+# # The name of the current container owner
+ name: "Aviv Shavit"
+# # The gitlab username of the current container owner
+ username: "avivataqua"
+# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT
+- name: "Al Fontaine"
+ username: "alfontaine"
+ email: "alan.fontaine@centauricorp.com"
diff --git a/scripts/autorun.sh b/scripts/autorun.sh
new file mode 100755
index 0000000..b1d74ae
--- /dev/null
+++ b/scripts/autorun.sh
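Review bot: Template scaffolding is left in the new manifest: the two `# FIXME: Fill in the following details ...` / `# FIXME: Include any other vendor information ...` lines sit above a maintainers list that is already populated, and the labels block still carries the commented placeholders `# org.opencontainers.image.url: "FIXME"`, `# mil.dso.ironbank.image.keywords: "FIXME"` and `# mil.dso.ironbank.product.name: "FIXME"`. Either fill those labels in (the product URL is presumably the aquasec.com link the README already gives, but confirm with the owner) or delete the commented lines and FIXME comments, so a later reader can tell which fields were deliberately omitted rather than forgotten. The `#  # The name of the current container owner` and `#  # The gitlab username ...` lines inside the first maintainer entry look like copied template commentary as well and can go with them. The sha256 `validation` on the enforcer tarball is the right shape for an offline build resource and needs no change.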
@@ -0,0 +1,1234 @@ +#!/bin/sh + +MAJOR_VERSION=5.3 +MINOR_VERSION=31833 +RELEASE_VERSION=5.3.21026 +COMPANY_NAME="Aqua Security Software Ltd" +PRODUCT_NAME="Aqua Container Security" +COPYRIGHT="Copyright (c) 2020 Aqua Security Software Ltd. All Rights Reserved." + +AQUA_AGENT_IMAGE_NAME=aquadev/agent:5.3.0 +AQUA_AGENT_CONT_NAME=aquasec-agent-5.3.31833 +AQUA_DATA_IMAGE_NAME=aquasec/agent-data +AQUA_DATA_CONT_NAME=aquasec-agent-data +AQUA_DEPLOY_CONT_NAME=scalock-install +AQUA_DATA_TAR_NAME=data.tar +AQUA_CONTAINER_PATH=/opt/aquasec +AQUA_INSTALL_MODE=CONTAINER +AQUA_OS_INFO= +AQUA_RUNTIME= +AQUA_VERSION= +AQUA_HOST_PATH= +AQUA_CURRENT_CONTAINER_NAME= +AQUA_CURRENT_CONTAINER_ID= +AQUA_CURRENT_IMAGE_NAME= +AQUA_CONTAINER_NAME= +AQUA_SELINUX_CONFIG= +RUNNING_CONTAINERS= +AQUA_INSTALLED_AGENT_CONT_LIST= +KUBERNETES="no" +OPENSHIFT="no" +AQUA_PRIVILEGED=0 + +aquasec_usage() +{ + echo "" + echo $COPYRIGHT + echo "" + if [ "$AQUA_INSTALL_MODE" = "CONTAINER" ]; then + aquasec_usage_container_mode + else + aquasec_usage_service_mode + fi +} + +aquasec_usage_container_mode() +{ + echo "docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\" + echo " -e AQUA_SERVER= \\" + echo " -e AQUA_TOKEN= \\" + echo " -e AQUA_INSTALL_PATH=/opt/aquasec \\" + #echo " -e AQUA_RUNTIME_PROTECTION=true \\" + #echo " -e AQUA_NETWORK_PROTECTION=true \\" + #echo " -e AQUA_USER_ACCESS_CONTROL=true \\" + #echo " -e AQUA_IMAGE_ASSURANCE=true \\" + #echo " -e AQUA_HOST_ASSURANCE=true \\" + #echo " -e AQUA_HOST_PROTECTION=true \\" + #echo " -e RESTART_CONTAINERS=no \\" + echo " " + echo "" +} + +aquasec_usage_service_mode() +{ + #echo "docker run -d --name \\" + #echo " --restart=always \\" + #echo " --security-opt apparmor=unconfined \\" + #echo " --cap-add=SYS_ADMIN \\" + #echo " --cap-add=NET_ADMIN \\" + #echo " --cap-add=NET_RAW \\" + #echo " --cap-add=SYS_PTRACE \\" + #echo " --cap-add=KILL \\" + #echo " --cap-add=MKNOD \\" + #echo " --cap-add=SETGID \\" + #echo " --cap-add=SETUID \\" + 
#echo " --cap-add=SYS_MODULE \\" + #echo " --cap-add=AUDIT_CONTROL \\" + #echo " --cap-add=SYSLOG \\" + #echo " --cap-add=SYS_CHROOT \\" + #echo " --cap-add=LINUX_IMMUTABLE \\" + #echo " --device /dev \\" + #echo " --pid=host --userns=host \\" + #echo " -p 2376:2376 \\" + #echo " -v /var/run:/var/run \\" + #echo " -v /dev:/dev \\" + #echo " -v /opt/aquasec:/host/opt/aquasec:ro \\" + #echo " -v /opt/aquasec/tmp:/opt/aquasec/tmp \\" + #echo " -v /opt/aquasec/audit:/opt/aquasec/audit \\" + #echo " -v /opt/aquasec/data:/data \\" + #echo " -v /proc:/host/proc:ro \\" + #echo " -v /sys:/host/sys:ro \\" + #echo " -v /etc:/host/etc:ro \\" + #echo " -e AQUA_SERVER= \\" + #echo " -e AQUA_TOKEN= \\" + #echo " -e AQUA_INSTALL_PATH=/opt/aquasec \\" + #echo " -e AQUA_SERVICE_STOP=no \\" + #echo " -e AQUA_RUNTIME_PROTECTION=true \\" + #echo " -e AQUA_NETWORK_PROTECTION=true \\" + #echo " -e AQUA_USER_ACCESS_CONTROL=true \\" + #echo " -e AQUA_IMAGE_ASSURANCE=true \\" + #echo " -e AQUA_HOST_ASSURANCE=true \\" + #echo " -e AQUA_HOST_PROTECTION=true \\" + #echo " -e RESTART_CONTAINERS=no \\" + #echo " " + #echo "" + + echo "docker run -d --name \\" + echo " --restart=always \\" + echo " --privileged --pid=host --userns=host \\" + echo " -p 2376:2376 \\" + echo " -v /var/run:/var/run \\" + echo " -v /dev:/dev \\" + echo " -v /opt/aquasec:/host/opt/aquasec:ro \\" + echo " -v /opt/aquasec/tmp:/opt/aquasec/tmp \\" + echo " -v /opt/aquasec/audit:/opt/aquasec/audit \\" + echo " -v /opt/aquasec/data:/data \\" + echo " -v /proc:/host/proc:ro \\" + echo " -v /sys:/host/sys:ro \\" + echo " -v /etc:/host/etc:ro \\" + echo " -e AQUA_SERVER= \\" + echo " -e AQUA_TOKEN= \\" + echo " -e AQUA_INSTALL_PATH=/opt/aquasec \\" + #echo " -e AQUA_RUNTIME_PROTECTION=true \\" + #echo " -e AQUA_NETWORK_PROTECTION=true \\" + #echo " -e AQUA_USER_ACCESS_CONTROL=true \\" + #echo " -e AQUA_IMAGE_ASSURANCE=true \\" + #echo " -e AQUA_HOST_ASSURANCE=true \\" + #echo " -e AQUA_HOST_PROTECTION=true \\" + #echo " -e 
RESTART_CONTAINERS=no \\" + echo " " + echo "" +} + +aquasec_log() +{ + local debug="`printenv AQUA_DEBUG`" + if [ ! -z "$debug" ]; then + echo "`date +%T`: $*" + fi +} + +aquasec_exec() +{ + aquasec_log "Running $@" + eval "$@" + status="$?" + aquasec_log "Status: $status" + aquasec_log "" + return $status +} + +aquasec_check_prerequisite() +{ + # docker socket is required for agent for runc and non-runc modes + # only in full protection installation. + + if [ "$AQUA_ENFORCER_TYPE" = "host" ]; then + return + fi + + if [ "$AQUA_PAS" == true ] || [ "$AQUA_PAS" == True ] || [ "$AQUA_PAS" == "1" ] ; then + AQUA_RUNTIME=garden + fi + + if [ "$AQUA_RUNTIME" == docker ]; then + if [ ! -e $AQUA_DOCKER_SOCKET ]; then + echo "Cannot connect to the Docker daemon at unix://$AQUA_DOCKER_SOCKET. Is the docker daemon running?" + echo "If docker daemon is running in user namespace, start installing the container with flag '--userns=host'." + echo "If SELinux is in enforcing mode, start installing the container with flag '--privileged'." + aquasec_terminate + fi + fi +} + +aquasec_init_debug() +{ + local debug="`printenv AQUA_SHELL_DEBUG`" + if [ ! 
-z "$debug" ]; then + set -x + fi +} + +aquasec_init() +{ + aquasec_log "initialize agent install" + + aquasec_log "runtime-type: $AQUA_RUNTIME" + + AQUA_HOST_PATH="`printenv AQUA_INSTALL_PATH`" + if [ -z "$AQUA_HOST_PATH" ]; then + AQUA_HOST_PATH=/opt/aquasec + fi + aquasec_log "Product path: $AQUA_HOST_PATH" + + AQUA_CURRENT_CONTAINER_ID="`/slkinst container-id`" + aquasec_log "Container id: $AQUA_CURRENT_CONTAINER_ID" + + AQUA_VERSION="`/slkinst version | grep Version | cut -f2 -d ' '`" + aquasec_log "Aqua security version: $AQUA_VERSION" + + if [ $AQUA_RUNTIME = garden ]; then + AQUA_CURRENT_CONTAINER_NAME=$AQUA_CURRENT_CONTAINER_ID + return + fi + if [ "$AQUA_ENFORCER_TYPE" = "host" ]; then + AQUA_CURRENT_CONTAINER_NAME=$AQUA_CURRENT_CONTAINER_ID + return + fi + + # For CRI -- runtime info does not contain information about operating system. + if [ $AQUA_RUNTIME != "cri" ]; then + AQUA_OS_INFO="`/slkinst os-version`" + aquasec_log "OS: $AQUA_OS_INFO" + fi + + runtime_version="`/slkinst runtime-version | grep ^Version | cut -f2 -d=`" + aquasec_log "Runtime version: $runtime_version" + + AQUA_CURRENT_IMAGE_NAME="`/slkinst image-name`" + aquasec_log "Image name: $AQUA_CURRENT_IMAGE_NAME" + + AQUA_CURRENT_CONTAINER_NAME="`/slkinst container-name`" + aquasec_log "Container name: $AQUA_CURRENT_CONTAINER_NAME" +} + +aquasec_set_install_type() +{ + aquasec_log "check install settings" + + AQUA_INSTALL_MODE="`printenv AQUA_MODE`" + if [ "$AQUA_INSTALL_MODE" = "CONTAINER" ]; then + aquasec_log "Using AQUA_MODE=CONTAINER" + return 0 + fi + if [ $AQUA_RUNTIME = garden ]; then + return + fi + if [ "$AQUA_ENFORCER_TYPE" = "host" ]; then + return + fi + + local inspect=`/slkinst inspect $AQUA_CURRENT_CONTAINER_ID` + if [ "$AQUA_RUNTIME" != docker ]; then + # make all output a single line without spaces + inspect=`echo "$inspect" | paste -sd " " - | sed 's/ //g'` + fi + local need_check_sec_privs=0 + + + if [ "$AQUA_RUNTIME" == docker ]; then + echo "$inspect" | grep PidMode 
| grep host > /dev/null 2>&1 + else + echo "$inspect" | grep "\"type\":\"pid\"" > /dev/null 2>&1 + fi + if [ $? -ne 0 ]; then + aquasec_log "Option --pid=host is not found." + fi + + if [ "$AQUA_RUNTIME" == docker ]; then + echo "$inspect" | grep Privileged | grep true > /dev/null 2>&1 + else + echo "$inspect" | grep "\"privileged\":true" > /dev/null 2>&1 + fi + if [ $? != 0 ]; then + aquasec_log "Option --privileged is missing, checking needed security privileges" + need_check_sec_privs=1 + else + AQUA_PRIVILEGED=1 + fi + + # on Pivotal Container Service (PKS) the mount is /var/vcap/sys/run/docker:/var/run + # and not /var/run:/var/run + # therefore we will only check for :/var/run + + if [ "$AQUA_RUNTIME" == docker ]; then + local volumes=" + :/var/run \ + /dev:/dev \ + $AQUA_HOST_PATH:/host$AQUA_CONTAINER_PATH \ + $AQUA_HOST_PATH/tmp:$AQUA_CONTAINER_PATH/tmp \ + $AQUA_HOST_PATH/audit:$AQUA_CONTAINER_PATH/audit \ + /proc:/host/proc \ + /sys:/host/sys \ + /etc:/host/etc \ + " + elif [ "$AQUA_RUNTIME" == podman ]; then + local volumes=" + /var/run \ + /dev \ + $AQUA_HOST_PATH \ + /host$AQUA_CONTAINER_PATH \ + $AQUA_HOST_PATH/tmp \ + $AQUA_CONTAINER_PATH/tmp \ + $AQUA_HOST_PATH/audit \ + $AQUA_CONTAINER_PATH/audit \ + /proc \ + /host/proc \ + /sys \ + /host/sys \ + /etc \ + /host/etc \ + " + else + local volumes=" + \"container_path\":\"/var/run\",\"host_path\":\".*/run\" \ + \"container_path\":\"/dev\",\"host_path\":\"/dev\" \ + \"container_path\":\"/host$AQUA_CONTAINER_PATH\",\"host_path\":\"$AQUA_HOST_PATH\" \ + \"container_path\":\"$AQUA_CONTAINER_PATH/tmp\",\"host_path\":\"$AQUA_HOST_PATH/tmp\" \ + \"container_path\":\"$AQUA_CONTAINER_PATH/audit\",\"host_path\":\"$AQUA_HOST_PATH/audit\" \ + \"container_path\":\"/host/proc\",\"host_path\":\"/proc\" \ + \"container_path\":\"/host/sys\",\"host_path\":\"/sys\" \ + \"container_path\":\"/host/etc\",\"host_path\":\"/etc\" \ + " + fi + + for volume in $volumes + do + echo "$inspect" | grep "$volume" > /dev/null 2>&1 + 
if [ $? -ne 0 ]; then + echo "Volume $volume is missing, exiting..." + aquasec_usage_service_mode + exit 1 + fi + done + + if [ "$need_check_sec_privs" = 1 ]; then + if [ "$AQUA_RUNTIME" == docker ]; then + echo "$inspect" | grep apparmor=unconfined > /dev/null 2>&1 + else + echo "$inspect" | grep "\"apparmor_profile\":\"unconfined\"" > /dev/null 2>&1 + fi + if [ $? -ne 0 ]; then + aquasec_log "Option --security-opt apparmor=unconfined is not found." + fi + + local caps=" + SYS_ADMIN \ + NET_ADMIN \ + NET_RAW \ + SYS_PTRACE \ + KILL \ + MKNOD \ + SETGID \ + SETUID \ + SYS_MODULE \ + AUDIT_CONTROL \ + SYSLOG \ + SYS_CHROOT \ + LINUX_IMMUTABLE \ + " + for cap in $caps + do + echo "$inspect" | grep "$cap" > /dev/null 2>&1 + if [ $? -ne 0 ]; then + aquasec_log "Capability $cap is not found." + fi + done + fi + AQUA_INSTALL_MODE=SERVICE + export AQUA_MODE="SERVICE" +} + +aquasec_set_install_path() +{ + if [ $AQUA_RUNTIME = "garden" ]; then + return + fi + + if [ "$AQUA_ENFORCER_TYPE" = "host" ]; then + return + fi + + aquasec_log "set install path" + /slkinst run -t --rm --net=none $(get_security_options) $(user_namespace_supported) -v /:/host --image $AQUA_CURRENT_IMAGE_NAME sh -c "echo $AQUA_HOST_PATH > /host/etc/aquasec && chmod 444 /host/etc/aquasec" +} + +aquasec_create_container_name() +{ + AQUA_CONTAINER_NAME="aquasec-agent-$AQUA_VERSION" + aquasec_log "container name=$AQUA_CONTAINER_NAME" +} + +aquasec_get_agent_containers() +{ + if [ $AQUA_RUNTIME = garden ]; then + return + fi + + if [ "$AQUA_ENFORCER_TYPE" = "host" ]; then + return + fi + + AQUA_INSTALLED_AGENT_CONT_LIST=$(/slkinst ps --quiet --all --filter label=com.aquasec.component=agent --exclude $AQUA_CURRENT_CONTAINER_ID --exclude $AQUA_DATA_CONT_NAME) + AQUA_INSTALLED_AGENT_CONT_LIST="$AQUA_INSTALLED_AGENT_CONT_LIST $(/slkinst ps --quiet --all --filter name-prefix=aquasec-agent --exclude $AQUA_CURRENT_CONTAINER_ID --exclude $AQUA_DATA_CONT_NAME)" + + aquasec_log "currently installed agent container(s): 
$AQUA_INSTALLED_AGENT_CONT_LIST" +} + +aquasec_disable_restart_policy() +{ + if [ $AQUA_RUNTIME = garden ]; then + return + fi + + if [ "$AQUA_ENFORCER_TYPE" = "host" ]; then + return + fi + + local agent_cont_name=$1 + aquasec_log "disabling restart policy for $agent_cont_name" + local rc=0 + + aquasec_exec "/slkinst update --restart=no $agent_cont_name > /dev/null" + rc=$? + + if [ $rc = 0 ]; then + aquasec_log "Disabling restart policy for $agent_cont_name done." + else + aquasec_log "Cannot disable restart policy for $agent_cont_name." + fi + + return $rc +} + +aquasec_create_data_container() +{ + local data_container_id="" + + # check if data container already exists + # there can be an attempt to install agent when data container already exists + # therefore -- check for its existence and do not create it again + data_container_id=$(/slkinst ps --quiet --all --filter name-prefix=$AQUA_DATA_CONT_NAME) + + if [ -z "$data_container_id" ]; then + aquasec_log "create data container" + + aquasec_exec /slkinst import --file $AQUA_CONTAINER_PATH/$AQUA_DATA_TAR_NAME --image $AQUA_DATA_IMAGE_NAME + aquasec_exec /slkinst create --name $AQUA_DATA_CONT_NAME --image $AQUA_DATA_IMAGE_NAME --entrypoint _ --volume /data + fi +} + +aquasec_create_data_directory() +{ + mkdir /data > /dev/null 2>&1 +} + +aquasec_copy_host_files() +{ + aquasec_log "copy files to host" + + copy_command="mkdir -p /host/$AQUA_HOST_PATH > /dev/null 2>&1" + copy_command="$copy_command;rmdir /host/$AQUA_HOST_PATH/slkstatic > /dev/null 2>&1" + copy_command="$copy_command;rmdir /host/$AQUA_HOST_PATH/analyzer > /dev/null 2>&1" + copy_command="$copy_command;rmdir /host/$AQUA_HOST_PATH/kern.o > /dev/null 2>&1" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slk.x86_64 /host/$AQUA_HOST_PATH/slk" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slk.bash /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/uninstall.sh /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp 
$AQUA_CONTAINER_PATH/scalock.pp /host/$AQUA_HOST_PATH/scalock-mv19.pp" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/scalock-mv17.pp /host/$AQUA_HOST_PATH/scalock-mv17.pp" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slkstatic /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slkinstrumenter /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp -r $AQUA_CONTAINER_PATH/kubebench /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp -r $AQUA_CONTAINER_PATH/dockerbench /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp -r $AQUA_CONTAINER_PATH/commonbench /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp -r $AQUA_CONTAINER_PATH/linuxbench /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/analyzer /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/kern.o /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/pam_aquasec.so /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/libaquapamaux.so /host/$AQUA_HOST_PATH" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/config_pam_aquasec.sh /host/$AQUA_HOST_PATH" + copy_command="$copy_command;mkdir -p /host/$AQUA_HOST_PATH/data" + copy_command="$copy_command;mkdir -p /host/$AQUA_HOST_PATH/audit/bin" + copy_command="$copy_command;mkdir -p /host/$AQUA_HOST_PATH/audit/socket" + copy_command="$copy_command;chmod 0777 /host/$AQUA_HOST_PATH/audit/socket" + copy_command="$copy_command;mkdir -p /host/$AQUA_HOST_PATH/tmp/ocihook" + copy_command="$copy_command;mkdir -p /host/$AQUA_HOST_PATH/tmp/db" + copy_command="$copy_command;mkdir -p /host/tmp/corefiles" + copy_command="$copy_command;chmod 0755 /host/$AQUA_HOST_PATH/tmp/db" + copy_command="$copy_command;rm -rf /host/$AQUA_HOST_PATH/tmp/db/binsyscalls.db" + copy_command="$copy_command;touch /host/$AQUA_HOST_PATH/tmp/db/binsyscalls.db" + copy_command="$copy_command;chmod 0644 /host/$AQUA_HOST_PATH/tmp/db/binsyscalls.db" + # 
musl libc does not support __libc_dlopen_mode and _dl_sym, use slklib linked with libdl + # put slklib linked with libdl in $PLATFORM directory because musl libc does not resolve it + if [ ! -z "$AQUA_PRELOAD_NO_LIBDL" ]; then + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slklib-nold.so /host/$AQUA_HOST_PATH/audit/bin/slklib.so.$MAJOR_VERSION.$MINOR_VERSION" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slklib32-nold.so /host/$AQUA_HOST_PATH/audit/bin/slklib32.so.$MAJOR_VERSION.$MINOR_VERSION" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slklib.so /host/$AQUA_HOST_PATH/audit/bin/slklib-ld.so.$MAJOR_VERSION.$MINOR_VERSION" + else + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slklib.so /host/$AQUA_HOST_PATH/audit/bin/slklib.so.$MAJOR_VERSION.$MINOR_VERSION" + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slklib32.so /host/$AQUA_HOST_PATH/audit/bin/slklib32.so.$MAJOR_VERSION.$MINOR_VERSION" + fi + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/slkrun /host/$AQUA_HOST_PATH/audit/bin/slkrun.$MAJOR_VERSION.$MINOR_VERSION" + copy_command="$copy_command;cd /host/$AQUA_HOST_PATH/audit/bin" + copy_command="$copy_command;ln -s -f slklib.so.$MAJOR_VERSION.$MINOR_VERSION slklib.so" + copy_command="$copy_command;ln -s -f slklib32.so.$MAJOR_VERSION.$MINOR_VERSION slklib32.so" + if [ ! 
-z "$AQUA_PRELOAD_NO_LIBDL" ]; then + copy_command="$copy_command;ln -s -f slklib-ld.so.$MAJOR_VERSION.$MINOR_VERSION slklib-ld.so" + fi + + # support preload for 32 bit binaries + # from glibc/sysdeps/x86/cpu-features.c + copy_command="$copy_command;mkdir -p x86 i586 i686 x86_64 haswell xenon_phi \\"$\\"PLATFORM" + copy_command="$copy_command;cd x86;ln -s -f ../slklib32.so slklib.so;cd - > /dev/null" + copy_command="$copy_command;cd i586;ln -s -f ../slklib32.so slklib.so;cd - > /dev/null" + copy_command="$copy_command;cd i686;ln -s -f ../slklib32.so slklib.so;cd - > /dev/null" + copy_command="$copy_command;cd x86_64;ln -s -f ../slklib.so slklib.so;cd - > /dev/null" + copy_command="$copy_command;cd haswell;ln -s -f ../slklib.so slklib.so;cd - > /dev/null" + copy_command="$copy_command;cd xenon_phi;ln -s -f ../slklib.so slklib.so;cd - > /dev/null" + if [ ! -z "$AQUA_PRELOAD_NO_LIBDL" ]; then + copy_command="$copy_command;cd \\"$\\"PLATFORM;ln -s -f ../slklib-ld.so slklib.so;cd - > /dev/null" + else + copy_command="$copy_command;cd \\"$\\"PLATFORM;ln -s -f ../slklib.so slklib.so;cd - > /dev/null" + fi + + copy_command="$copy_command;ln -s -f slkrun.$MAJOR_VERSION.$MINOR_VERSION slkrun" + copy_command="$copy_command;rm -rf /host/$AQUA_HOST_PATH/audit/ld.so.preload" + copy_command="$copy_command;echo /bin/aquasec/\\"$\\"PLATFORM/slklib.so > /host/$AQUA_HOST_PATH/audit/ld.so.preload" + + copy_command="$copy_command;ln -s -f $AQUA_HOST_PATH/slk /host/usr/bin/slk > /dev/null 2>&1" + + # copy ociaquahook as symlink to ociaquahook.$MAJOR_VERSION.$MINOR_VERSION + copy_command="$copy_command;cp $AQUA_CONTAINER_PATH/ociaquahook /host/$AQUA_HOST_PATH/ociaquahook.$MAJOR_VERSION.$MINOR_VERSION" + copy_command="$copy_command;cd /host/$AQUA_HOST_PATH" + copy_command="$copy_command;ln -s -f ociaquahook.$MAJOR_VERSION.$MINOR_VERSION ociaquahook" + + # solve cases where containers run nsenter to the host itself. 
+ # Path relative to /bin/aquasec/$platfome for example + copy_command="$copy_command;rm -rf /host/bin/aquasec" + copy_command="$copy_command;ln -s -f ../../../$AQUA_HOST_PATH/audit/bin /host/bin/aquasec > /dev/null 2>&1" + + aquasec_log "command=$copy_command" + + # install on PAS is done via runc create + # copy command to host. + if [ "$AQUA_RUNTIME" = "garden" ]; then + aquasec_exec $copy_command + return 0 + fi + + # install enforcer type "host" is done via runc create + # copy command to host. + if [ "$AQUA_ENFORCER_TYPE" = "host" ]; then + aquasec_exec $copy_command + return 0 + fi + + aquasec_exec /slkinst run -t --rm --net=none $(get_security_options) $(user_namespace_supported) -e AQUA_MODE="$AQUA_INSTALL_MODE" -e AQUA_PRODUCT_PATH="$AQUA_HOST_PATH" -v /var/run:/var/run -v /:/host --image $AQUA_CURRENT_IMAGE_NAME sh -c \""$copy_command"\" + # Container creation failed -- fallback to copy command to host. + [ $? != 0 ] && aquasec_exec $copy_command +} + +user_namespace_supported() +{ + supported_version="01.11.000000" + current_version=`echo $runtime_version | awk -F. 
'{printf "%02d.%02d.%06d\n", $1, $2, $3}'` + if [ "$supported_version" = "$current_version" -o "$supported_version" \< "$current_version" ]; then + echo -n "--userns=host" + else + echo -n "" + fi +} + +get_security_options() +{ + local sec_opts="" + if [ "$AQUA_PRIVILEGED" = 1 ]; then + sec_opts="--privileged" + else + sec_opts="--cap-add=SYS_ADMIN \ +--cap-add=NET_ADMIN \ +--cap-add=NET_RAW \ +--cap-add=SYS_PTRACE \ +--cap-add=KILL \ +--cap-add=MKNOD \ +--cap-add=SETGID \ +--cap-add=SETUID \ +--cap-add=SYS_MODULE \ +--cap-add=AUDIT_CONTROL \ +--cap-add=SYSLOG \ +--cap-add=SYS_CHROOT \ +--security-opt label=disable" + fi + + if [ "$AQUA_RUNTIME" != podman ]; then + sec_opts="${sec_opts} --security-opt apparmor=unconfined" + fi + + echo $sec_opts +} + +aquasec_create_agent_container() +{ + aquasec_log "create agent container" + + userns=`user_namespace_supported` + docker_restart="--restart=always" + options="--pid=host" + options="$options $userns" + network_options="" + env_options="" + priv_options="" + + if [ "$AQUA_PRIVILEGED" = 1 ]; then + priv_options="--privileged" + else + priv_options="--security-opt apparmor=unconfined \ + --cap-add=SYS_ADMIN \ + --cap-add=NET_ADMIN \ + --cap-add=NET_RAW \ + --cap-add=SYS_PTRACE \ + --cap-add=KILL \ + --cap-add=MKNOD \ + --cap-add=SETGID \ + --cap-add=SETUID \ + --cap-add=SYS_MODULE \ + --cap-add=AUDIT_CONTROL \ + --cap-add=SYSLOG \ + --cap-add=SYS_CHROOT \ + --cap-add=LINUX_IMMUTABLE \ + --device=/dev" + fi + + # /dev/log is needed for sending audit events to syslog + # /dev/shm is needed for sending audit events to systemd journalctl + # created volume mount for sssd even it is not installed + mount_options="--volumes-from=$AQUA_DATA_CONT_NAME" + mount_options="$mount_options -v $AQUA_HOST_PATH:/host/$AQUA_CONTAINER_PATH:ro" + mount_options="$mount_options -v $AQUA_HOST_PATH/tmp:$AQUA_CONTAINER_PATH/tmp" + mount_options="$mount_options -v $AQUA_HOST_PATH/audit:$AQUA_CONTAINER_PATH/audit" + mount_options="$mount_options 
-v $AQUA_HOST_PATH/data:/data" + mount_options="$mount_options -v /proc:/host/proc:ro -v /sys:/host/sys:ro" + mount_options="$mount_options -v /var/lib/sss/pipes:/var/lib/sss/pipes" + mount_options="$mount_options -v /etc:/host/etc:ro" + mount_options="$mount_options -v /var/lib:/host/var/lib:ro" + mount_options="$mount_options -v /dev:/dev" + + # on Pivotal Container Service (PKS) the mount is /var/vcap/sys/run/docker:/var/run + # and not /var/run:/var/run + + if [ ! -z "$AQUA_HOST_RUN_PATH" ]; then + env_options="$env_options -e AQUA_HOST_RUN_PATH=$AQUA_HOST_RUN_PATH" + mount_options="$mount_options -v $AQUA_HOST_RUN_PATH:/var/run" + else + mount_options="$mount_options -v /var/run:/var/run" + fi + + # add additional mounts defined in $AQUA_HOST_PATH/mounts.cfg + user_mounts="`/slkinst run -i -t --rm $(get_security_options) --net=none $userns --image $AQUA_CURRENT_IMAGE_NAME -v $AQUA_HOST_PATH:/tmp/aqua:ro sh -c \"[ -f /tmp/aqua/mounts.cfg ] && cat /tmp/aqua/mounts.cfg | tr '\n' ' '\"`" + if [ -n "$user_mounts" ]; then + mount_options="$mount_options $user_mounts" + fi + + # add network options defined in the current container + if [ -z "$AQUA_CONTINUE_UPGRADE" ]; then + network_name=$(/slkinst inspect --format '{{.HostConfig.NetworkMode}}' "$AQUA_CURRENT_CONTAINER_ID") + else + # current container is not watcher container + # try get network name from one of the reserved containers + reserved_container_id=$(aquasec_get_reserved_container_id) + network_name=$(/slkinst inspect --format '{{.HostConfig.NetworkMode}}' "$reserved_container_id") + fi + + # copy the network stack from the watcher container to the actual agent container + # this is a must on DDC environment + if [ "$AQUA_RUNTIME" == docker ] && [ ! -z "$AQUA_RUN_WATCHER" ]; then + network_name="container:$AQUA_CURRENT_CONTAINER_ID" + fi + + network_options="--net=$network_name" + + if [ ! -z "$AQUA_SERVER" ]; then + env_options="$env_options -e AQUA_SERVER=$AQUA_SERVER" + elif [ ! 
-z "$SCALOCK_SERVER" ]; then + env_options="$env_options -e AQUA_SERVER=$SCALOCK_SERVER" + fi + if [ ! -z "$AQUA_TOKEN" ]; then + env_options="$env_options -e AQUA_TOKEN=$AQUA_TOKEN" + elif [ ! -z "$SCALOCK_TOKEN" ]; then + env_options="$env_options -e AQUA_TOKEN=$SCALOCK_TOKEN" + fi + if [ ! -z "$AQUA_ENV" ]; then + env_options="$env_options -e AQUA_ENV=$AQUA_ENV" + fi + if [ ! -z "$AQUA_HOST_PATH" ]; then + env_options="$env_options -e AQUA_PRODUCT_PATH=$AQUA_HOST_PATH" + env_options="$env_options -e AQUA_INSTALL_PATH=$AQUA_HOST_PATH" + fi + if [ ! -z "$AQUA_INSTALL_MODE" ]; then + env_options="$env_options -e AQUA_MODE=$AQUA_INSTALL_MODE" + fi + if [ ! -z "$AQUA_RUNTIME_PROTECTION" ]; then + env_options="$env_options -e AQUA_RUNTIME_PROTECTION=$AQUA_RUNTIME_PROTECTION" + fi + if [ ! -z "$AQUA_NETWORK_PROTECTION" ]; then + env_options="$env_options -e AQUA_NETWORK_PROTECTION=$AQUA_NETWORK_PROTECTION" + fi + if [ ! -z "$AQUA_AV_PROTECTION" ]; then + env_options="$env_options -e AQUA_AV_PROTECTION=$AQUA_AV_PROTECTION" + fi + if [ ! -z "$AQUA_BPF_RUNTIME_PROTECTION" ]; then + env_options="$env_options -e AQUA_BPF_RUNTIME_PROTECTION=$AQUA_BPF_RUNTIME_PROTECTION" + fi + if [ ! -z "$AQUA_USER_ACCESS_CONTROL" ]; then + env_options="$env_options -e AQUA_USER_ACCESS_CONTROL=$AQUA_USER_ACCESS_CONTROL" + fi + if [ ! -z "$AQUA_IMAGE_ASSURANCE" ]; then + env_options="$env_options -e AQUA_IMAGE_ASSURANCE=$AQUA_IMAGE_ASSURANCE" + fi + if [ ! -z "$AQUA_HOST_ASSURANCE" ]; then + env_options="$env_options -e AQUA_HOST_ASSURANCE=$AQUA_HOST_ASSURANCE" + fi + if [ ! -z "$AQUA_HOST_PROTECTION" ]; then + env_options="$env_options -e AQUA_HOST_PROTECTION=$AQUA_HOST_PROTECTION" + fi + if [ ! -z "$AQUA_HOST_NETWORK_PROTECTION" ]; then + env_options="$env_options -e AQUA_HOST_NETWORK_PROTECTION=$AQUA_HOST_NETWORK_PROTECTION" + fi + if [ ! -z "$AQUA_FULL_PROTECTION" ]; then + env_options="$env_options -e AQUA_FULL_PROTECTION=$AQUA_FULL_PROTECTION" + fi + if [ ! 
-z "$AQUA_AUDIT_LOGGER" ]; then + env_options="$env_options -e AQUA_AUDIT_LOGGER=$AQUA_AUDIT_LOGGER" + fi + if [ ! -z "$AQUA_NETWORK_CONTROL" ]; then + env_options="$env_options -e AQUA_NETWORK_CONTROL=$AQUA_NETWORK_CONTROL" + fi + if [ ! -z "$AQUA_NETWORK_FAIL_MODE" ]; then + env_options="$env_options -e AQUA_NETWORK_FAIL_MODE=$AQUA_NETWORK_FAIL_MODE" + fi + if [ ! -z "$AQUA_NETWORK_LOG_PROCESS" ]; then + env_options="$env_options -e AQUA_NETWORK_LOG_PROCESS=$AQUA_NETWORK_LOG_PROCESS" + fi + if [ ! -z "$AQUA_NETWORK_CHECK_DNS" ]; then + env_options="$env_options -e AQUA_NETWORK_CHECK_DNS=$AQUA_NETWORK_CHECK_DNS" + fi + if [ ! -z "$AQUA_NETWORK_BLOCK_DNS" ]; then + env_options="$env_options -e AQUA_NETWORK_BLOCK_DNS=$AQUA_NETWORK_BLOCK_DNS" + fi + if [ ! -z "$AQUA_NETFILTER_NUMQ" ]; then + env_options="$env_options -e AQUA_NETFILTER_NUMQ=$AQUA_NETFILTER_NUMQ" + fi + if [ ! -z "$NETFILTER_CHECK_BYPASS" ]; then + env_options="$env_options -e NETFILTER_CHECK_BYPASS=$NETFILTER_CHECK_BYPASS" + fi + if [ ! -z "$AQUA_DEBUG_AGENT" ]; then + env_options="$env_options -e AQUA_DEBUG_AGENT='"$AQUA_DEBUG_AGENT"'" + fi + if [ ! -z "$AQUA_DEBUG_SLKNETD" ]; then + env_options="$env_options -e AQUA_DEBUG_SLKNETD='"$AQUA_DEBUG_SLKNETD"'" + fi + if [ ! -z "$RESTART_CONTAINERS" ]; then + env_options="$env_options -e RESTART_CONTAINERS=$RESTART_CONTAINERS" + fi + if [ ! -z "$AQUA_SELINUX_CONFIG" ]; then + env_options="$env_options -e AQUA_SELINUX_CONFIG=$AQUA_SELINUX_CONFIG" + fi + if [ ! -z "$AQUA_STATIC_BIN" ]; then + env_options="$env_options -e AQUA_STATIC_BIN=$AQUA_STATIC_BIN" + fi + if [ ! -z "$AQUA_LOGICAL_NAME" ]; then + env_options="$env_options -e AQUA_LOGICAL_NAME='$AQUA_LOGICAL_NAME'" + fi + if [ ! -z "$AQUA_NODE_NAME" ]; then + env_options="$env_options -e AQUA_NODE_NAME='$AQUA_NODE_NAME'" + fi + if [ ! -z "$AQUA_INTERCEPTION" ]; then + env_options="$env_options -e AQUA_INTERCEPTION='$AQUA_INTERCEPTION'" + fi + if [ ! 
-z "$AQUA_CONTAINER_LEVEL_ENCRYPTION" ]; then + env_options="$env_options -e AQUA_CONTAINER_LEVEL_ENCRYPTION=$AQUA_CONTAINER_LEVEL_ENCRYPTION" + fi + if [ ! -z "$AQUA_RUNC_INTERCEPTION" ]; then + env_options="$env_options -e AQUA_RUNC_INTERCEPTION=$AQUA_RUNC_INTERCEPTION" + fi + if [ ! -z "$AQUA_FAN_RUNC_INTERCEPTION" ]; then + env_options="$env_options -e AQUA_FAN_RUNC_INTERCEPTION=$AQUA_FAN_RUNC_INTERCEPTION" + fi + if [ ! -z "$AQUA_RUNC_PATH" ]; then + env_options="$env_options -e AQUA_RUNC_PATH=$AQUA_RUNC_PATH" + fi + if [ ! -z "$AQUA_RUNC_ROOT_PATH" ]; then + env_options="$env_options -e AQUA_RUNC_ROOT_PATH=$AQUA_RUNC_ROOT_PATH" + fi + if [ ! -z "$AQUA_RUNC_BUNDLE_PATH_PREFIX" ]; then + env_options="$env_options -e AQUA_RUNC_BUNDLE_PATH_PREFIX=$AQUA_RUNC_BUNDLE_PATH_PREFIX" + fi + if [ ! -z "$AQUA_RUNC_BUNDLE_PATH_SUFFIX" ]; then + env_options="$env_options -e AQUA_RUNC_BUNDLE_PATH_SUFFIX=$AQUA_RUNC_BUNDLE_PATH_SUFFIX" + fi + if [ ! -z "$KUBECONFIG" ]; then + env_options="$env_options -e KUBECONFIG=$KUBECONFIG" + fi + if [ ! -z "$FAIL_ON_MISSING_SECRET" ]; then + env_options="$env_options -e FAIL_ON_MISSING_SECRET=$FAIL_ON_MISSING_SECRET" + fi + if [ ! -z "$AQUA_GW_MODE" ]; then + env_options="$env_options -e AQUA_GW_MODE=$AQUA_GW_MODE" + fi + if [ ! -z "$AQUA_MARKETPLACE" ]; then + env_options="$env_options -e AQUA_MARKETPLACE=$AQUA_MARKETPLACE" + fi + if [ ! -z "$PROXYLITE_MODE" ]; then + env_options="$env_options -e PROXYLITE_MODE=$PROXYLITE_MODE" + fi + if [ ! -z "$PROXYLITE_THREADPOOL" ]; then + env_options="$env_options -e PROXYLITE_THREADPOOL=$PROXYLITE_THREADPOOL" + fi + if [ ! -z "$PROXYLITE_VAULT" ]; then + env_options="$env_options -e PROXYLITE_VAULT=$PROXYLITE_VAULT" + fi + if [ ! -z "$AQUA_PRIVILEGED" ]; then + env_options="$env_options -e AQUA_PRIVILEGED=$AQUA_PRIVILEGED" + fi + if [ ! -z "$AQUA_SSH_PROXYLITE_MODE" ]; then + env_options="$env_options -e AQUA_SSH_PROXYLITE_MODE=$AQUA_SSH_PROXYLITE_MODE" + fi + if [ ! 
-z "$AQUA_GRPC_ONLY_MODE" ]; then + env_options="$env_options -e AQUA_GRPC_ONLY_MODE=$AQUA_GRPC_ONLY_MODE" + fi + if [ ! -z "$AQUA_SSH_ONLY_MODE" ]; then + env_options="$env_options -e AQUA_SSH_ONLY_MODE=$AQUA_SSH_ONLY_MODE" + fi + if [ ! -z "$AQUA_ROOT_CA" ]; then + env_options="$env_options -e AQUA_ROOT_CA=$AQUA_ROOT_CA" + fi + if [ ! -z "$AQUA_PRIVATE_KEY" ]; then + env_options="$env_options -e AQUA_PRIVATE_KEY=$AQUA_PRIVATE_KEY" + fi + if [ ! -z "$AQUA_PUBLIC_KEY" ]; then + env_options="$env_options -e AQUA_PUBLIC_KEY=$AQUA_PUBLIC_KEY" + fi + if [ ! -z "$AQUA_INTERCEPTOR_PROXYLITE_MODE" ]; then + env_options="$env_options -e AQUA_INTERCEPTOR_PROXYLITE_MODE=$AQUA_INTERCEPTOR_PROXYLITE_MODE" + fi + if [ ! -z "$AQUA_HEALTH_PROBE_SUPPORT" ]; then + env_options="$env_options -e AQUA_HEALTH_PROBE_SUPPORT=$AQUA_HEALTH_PROBE_SUPPORT" + fi + if [ ! -z "$AQUA_HOST_IMAGES_DISABLED" ]; then + env_options="$env_options -e AQUA_HOST_IMAGES_DISABLED=$AQUA_HOST_IMAGES_DISABLED" + fi + if [ ! -z "$AQUA_PAM" ]; then + env_options="$env_options -e AQUA_PAM=$AQUA_PAM" + fi + if [ ! -z "$AQUA_AUTO_DISCOVERY" ]; then + env_options="$env_options -e AQUA_AUTO_DISCOVERY=$AQUA_AUTO_DISCOVERY" + fi + if [ ! -z "$AQUA_PRIVILEGED" ]; then + env_options="$env_options -e AQUA_PRIVILEGED=$AQUA_PRIVILEGED" + fi + if [ ! -z "$AQUA_PING_INTERVAL" ]; then + env_options="$env_options -e AQUA_PING_INTERVAL=$AQUA_PING_INTERVAL" + fi + if [ ! -z "$AQUA_DOCKER_SOCKET" ]; then + env_options="$env_options -e AQUA_DOCKER_SOCKET=$AQUA_DOCKER_SOCKET" + fi + if [ ! -z "$AQUA_ENFORCER_TYPE" ]; then + env_options="$env_options -e AQUA_ENFORCER_TYPE=$AQUA_ENFORCER_TYPE" + fi + if [ ! -z "$AQUA_MASK_CONTAINER_ENV" ]; then + env_options="$env_options -e AQUA_MASK_CONTAINER_ENV=$AQUA_MASK_CONTAINER_ENV" + fi + if [ ! -z "$AQUA_PAS" ]; then + env_options="$env_options -e AQUA_PAS=$AQUA_PAS" + fi + if [ ! 
-z "$AQUA_IMAGE_LITE_SYNC" ]; then + env_options="$env_options -e AQUA_IMAGE_LITE_SYNC=$AQUA_IMAGE_LITE_SYNC" + fi + if [ ! -z "$AQUA_32BIT_SUPPORT" ]; then + env_options="$env_options -e AQUA_32BIT_SUPPORT=$AQUA_32BIT_SUPPORT" + fi + if [ ! -z "$AQUA_LEAN_WORKLOADS" ]; then + env_options="$env_options -e AQUA_LEAN_WORKLOADS=$AQUA_LEAN_WORKLOADS" + fi + if [ ! -z "$AQUA_FAIL_MODE" ]; then + env_options="$env_options -e AQUA_FAIL_MODE=$AQUA_FAIL_MODE" + fi + if [ ! -z "$AQUA_STREAM_SCAN_RESULTS" ]; then + env_options="$env_options -e AQUA_STREAM_SCAN_RESULTS=$AQUA_STREAM_SCAN_RESULTS" + fi + if [ ! -z "$AQUA_LITE_SYNC_SERVICE" ]; then + env_options="$env_options -e AQUA_LITE_SYNC_SERVICE=$AQUA_LITE_SYNC_SERVICE" + fi + if [ ! -z "$AQUA_PRELOAD_NO_LIBDL" ]; then + env_options="$env_options -e AQUA_PRELOAD_NO_LIBDL=$AQUA_PRELOAD_NO_LIBDL" + fi + if [ ! -z "$AQUA_INO_MAX_NUM_WATCH" ]; then + env_options="$env_options -e AQUA_INO_MAX_NUM_WATCH=$AQUA_INO_MAX_NUM_WATCH" + fi + if [ ! -z "$AQUA_PING_FAIL_MODE" ]; then + env_options="$env_options -e AQUA_PING_FAIL_MODE=$AQUA_PING_FAIL_MODE" + fi + if [ ! -z "$AQUA_MEMORY_PRESSURE" ]; then + env_options="$env_options -e AQUA_MEMORY_PRESSURE=$AQUA_MEMORY_PRESSURE" + fi + if [ ! -z "$AQUA_TLS_VERIFY" ]; then + env_options="$env_options -e AQUA_TLS_VERIFY=$AQUA_TLS_VERIFY" + fi + if [ ! -z "$AQUA_HEALTH_MONITOR_ENABLED" ]; then + env_options="$env_options -e AQUA_HEALTH_MONITOR_ENABLED=$AQUA_HEALTH_MONITOR_ENABLED" + fi + if [ ! -z "$AQUA_HEALTH_MONITOR" ]; then + env_options="$env_options -e AQUA_HEALTH_MONITOR=$AQUA_HEALTH_MONITOR" + fi + if [ ! -z "$AQUA_PROTECT_EXISTING_CONTAINERS" ]; then + env_options="$env_options -e AQUA_PROTECT_EXISTING_CONTAINERS=$AQUA_PROTECT_EXISTING_CONTAINERS" + fi + if [ ! -z "$AQUA_SUPPORT_MUTABLE_TAGS" ]; then + env_options="$env_options -e AQUA_SUPPORT_MUTABLE_TAGS=$AQUA_SUPPORT_MUTABLE_TAGS" + fi + + # register agent for aws usage + if [ ! 
-z "$AQUA_MARKETPLACE" ]; then + export AQUA_HOST_PATH=$AQUA_HOST_PATH + export AQUA_CONTAINER_PATH=$AQUA_CONTAINER_PATH + $AQUA_CONTAINER_PATH/awsregister & + fi + + log_options="--log-driver=json-file" + aquasec_exec /slkinst run -d -t --image "$AQUA_CURRENT_IMAGE_NAME" --name "$AQUA_CONTAINER_NAME" $priv_options $docker_restart $options $log_options $mount_options $tls_options $tcp_options $network_options $env_options +} + +aquasec_check_access_socket() +{ + if [ $AQUA_RUNTIME != docker ];then + return + fi + touch $AQUA_DOCKER_SOCKET > /dev/null 2>&1 + if [ $? != 0 ]; then + echo "Failed to access docker socket. If docker daemon is running in" + echo "user namespace, start installing the container with flag '--userns=host'." + echo "If SELinux is in enforcing mode, start installing the container with flag '--privileged'." + aquasec_terminate + fi +} + +aquasec_start_watcher() +{ + aquasec_log "start watcher" + + if [ ! -z "$AQUA_RUN_WATCHER" ]; then + # set trap to stop watcher + trap "aquasec_watcher_stop_agent_and_exit" SIGTERM + + if [ ! -f /watcher_info ]; then + # get agent id and write to /watcher_info + local agent_container_id=$(/slkinst ps --quiet --all --filter name-prefix=aquasec-agent --exclude $AQUA_CURRENT_CONTAINER_ID --exclude $AQUA_DATA_CONT_NAME --latest) + [ -n "$agent_container_id" ] && echo "agent-id=$agent_container_id" > /watcher_info + fi + + echo "Starting the Aqua Security agent watcher..." + while true; do sleep 10; done + fi +} + +aquasec_enable_coreos_semodule() +{ + aquasec_log "enable coreos semodule" + + cont_id=$(/slkinst container-id) + /slkinst run -t --rm $(get_security_options) --net=none -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME sh -c "[ ! 
-e /host/var/lib/selinux/policy ] && rm /host/etc/selinux/mcs > /dev/null 2>&1; cp -a /host/usr/lib/selinux/mcs /host/etc/selinux; rm /host/var/lib/selinux > /dev/null 2>&1; cp -a /host/usr/lib/selinux/policy /host/var/lib/selinux" +} + +aquasec_selinux_policy() +{ + if [ $AQUA_RUNTIME = garden ]; then + aquasec_log "selinux policy currently not supported in garden container-engine" + return 0 + fi + + if [ "$AQUA_ENFORCER_TYPE" = "host" ]; then + aquasec_log "selinux policy currently not supported in host type installation" + return 0 + fi + + aquasec_log "setting selinux policy" + + if [ "x$AQUA_SELINUX_CONFIG" = "xfalse" ]; then + aquasec_log "Bypass set SELinux policy" + fi + + echo "$AQUA_OS_INFO" | grep -iq "coreos\|Flatcar Container" + if [ $? = 0 ]; then + aquasec_enable_coreos_semodule + echo "$AQUA_OS_INFO" | grep -iq "Red Hat\|Fedora" + if [ $? = 0 ]; then + # Red Hat Enterprise Linux CoreOS or Fedora CoreOS + # OS can load SELinux policy for module version 19. + /slkinst run -t --rm $(get_security_options) --net=none -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME sh -c "cp /host/$AQUA_HOST_PATH/scalock-mv19.pp /host/$AQUA_HOST_PATH/scalock.pp" + # change squa path ecurity context for openshift 4.2 crio + /slkinst run -t --rm $(get_security_options) --net=none -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME sh -c "chcon -Rt svirt_sandbox_file_t /host/$AQUA_HOST_PATH" + else + # CoreOS can load SELinux policy only for module version 17. + /slkinst run -t --rm $(get_security_options) --net=none -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME sh -c "cp /host/$AQUA_HOST_PATH/scalock-mv17.pp /host/$AQUA_HOST_PATH/scalock.pp" + fi + else + # Other OS can load SELinux policy for module version 19. 
+ /slkinst run -t --rm $(get_security_options) --net=none -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME sh -c "cp /host/$AQUA_HOST_PATH/scalock-mv19.pp /host/$AQUA_HOST_PATH/scalock.pp" + fi + + SEMODULE="" + if [ "$AQUA_RUNTIME" == podman ]; then + sem=$(/slkinst run -t --rm $(get_security_options) --net=none --log-driver=none -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME sh -c "$AQUA_CONTAINER_PATH/slkexecns which semodule > /host/$AQUA_HOST_PATH/semodule.txt") + sleep 1 + elif [ "$AQUA_RUNTIME" == cri ]; then + # for OKD output of which command is lost and also log file empty + # if container was created with pid host, possible to check semodule file on host + sem=$(ls /proc/1/root/usr/sbin/semodule 2>/dev/null) + if [ -z "$sem" ]; then + # Used --overwrite-log-path-prefix because on CRI engines the default log path directory is /var/log, but here we need specific provided log path to the file. + sem=$(/slkinst run -t --rm $(get_security_options) --net=none --log-driver=json-file --log-path=$AQUA_HOST_PATH/semodule.txt --overwrite-log-path-prefix -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME sh -c "$AQUA_CONTAINER_PATH/slkexecns which semodule") + fi + else + sem=$(/slkinst run -t --rm $(get_security_options) --net=none --log-driver=json-file --log-path=$AQUA_HOST_PATH/semodule.txt -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME sh -c "$AQUA_CONTAINER_PATH/slkexecns which semodule") + fi + + if [ ! -z "$sem" ]; then + echo $sem | grep -v which | grep -q semodule + if [ $? -eq 0 ]; then + SEMODULE="true" + fi + elif [ -f "/host/$AQUA_CONTAINER_PATH/semodule.txt" ]; then + cat "/host/$AQUA_CONTAINER_PATH/semodule.txt" | grep -v which | grep -q semodule + if [ $? -eq 0 ]; then + SEMODULE="true" + fi + rm -f "/host/$AQUA_CONTAINER_PATH/semodule.txt" 2>/dev/null + fi + if [ ! 
-z $SEMODULE ]; then + skip_selinux_error="false" + # skip SELinux errors on new CoreOS (2345.3.0) and Flatcar Container Linux + echo "$AQUA_OS_INFO" | grep -iq "coreos\|Flatcar Container" + if [ $? = 0 ]; then + echo "$AQUA_OS_INFO" | grep -iq "Red Hat" + if [ $? != 0 ]; then + skip_selinux_error="true" + fi + fi + if [ "$skip_selinux_error" = "true" ]; then + aquasec_exec /slkinst run -t --rm $(get_security_options) --net=none -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME $AQUA_CONTAINER_PATH/slkexecns semodule -i $AQUA_HOST_PATH/scalock.pp | grep -v 'file_contexts.* is missing fields, skipping' + else + aquasec_exec /slkinst run -t --rm $(get_security_options) --net=none -v /:/host `user_namespace_supported` --image $AQUA_CURRENT_IMAGE_NAME $AQUA_CONTAINER_PATH/slkexecns semodule -i $AQUA_HOST_PATH/scalock.pp + fi + else + aquasec_log "semodule not found" + fi +} + +aquasec_run() +{ + if [ ! -z "$AQUA_HOST_PATH" ] && [ "$AQUA_HOST_PATH" != "/opt/aquasec" ]; then + export AQUA_PRODUCT_PATH=$AQUA_HOST_PATH + fi + + # register agent for aws usage + if [ ! 
-z "$AQUA_MARKETPLACE" ]; then + export AQUA_HOST_PATH=$AQUA_HOST_PATH + export AQUA_CONTAINER_PATH=$AQUA_CONTAINER_PATH + $AQUA_CONTAINER_PATH/awsregister & + fi + + exec $AQUA_CONTAINER_PATH/slkd +} + +aquasec_container_install() +{ + aquasec_check_access_socket + aquasec_create_container_name + aquasec_create_data_container + aquasec_copy_host_files + aquasec_selinux_policy + aquasec_create_agent_container + aquasec_start_watcher +} + +aquasec_service_install() +{ + aquasec_check_access_socket + aquasec_create_data_directory + aquasec_copy_host_files + aquasec_selinux_policy + aquasec_run +} + +aquasec_add_current_container_to_cachedb() +{ + # add the new agent container to the cache db in the data conatiner + AQUA_INSTALLED_AGENT_CONT=$(/slkinst ps --quiet --all --filter label=com.aquasec.component=agent --exclude $AQUA_CURRENT_CONTAINER_ID --latest) + /slkinst run -t --rm $(get_security_options) $(user_namespace_supported) --net=none -v /:/host --volumes-from=$AQUA_INSTALLED_AGENT_CONT --pid=host --image $AQUA_CURRENT_IMAGE_NAME sh -c "/slkinst insert $AQUA_CURRENT_CONTAINER_NAME $AQUA_CURRENT_CONTAINER_ID $AQUA_CURRENT_IMAGE_NAME 000000000000000000 /data/cache.db" +} + +aquasec_install() +{ + if [ "$AQUA_INSTALL_MODE" = "CONTAINER" ]; then + # For docker stop, docker run flow: + # remove old agent container -- avoids name conflict for docker stop, docker run flow. + # remove the old wrapping container -- avoids start of non-existent agent by old wrapping container. 
+ local old_container_ids=$(/slkinst ps --quiet --all --filter label=com.aquasec.version=$MAJOR_VERSION.$MINOR_VERSION --exclude "$AQUA_CURRENT_CONTAINER_ID") + [ -n "$old_container_ids" ] && /slkinst rm $old_container_ids + + aquasec_container_install + else + aquasec_service_install + fi +} + +aquasec_terminate() +{ + aquasec_log "terminate installation" + + if [ "$AQUA_INSTALL_MODE" = "SERVICE" ]; then + # For service mode installation/upgrade -- need to disable restart policy for the current container. + # This is done so that the container won't be started again after it exited. + local current_agent_container_id=$AQUA_CURRENT_CONTAINER_ID + aquasec_disable_restart_policy "$current_agent_container_id" + fi + + exit 1 +} + +aquasec_get_installed_agent_mode() +{ + local installed_mode="" + + local installed_agent_container_id=$(/slkinst ps --quiet --filter label=com.aquasec.component=agent --exclude $AQUA_CURRENT_CONTAINER_ID --latest) + [ -z "$installed_agent_container_id" ] && installed_agent_container_id="$(/slkinst ps --quiet --filter name-prefix=aquasec-agent --exclude $AQUA_CURRENT_CONTAINER_ID --exclude $AQUA_DATA_CONT_NAME --latest)" + + if [ -n "$installed_agent_container_id" ]; then + installed_mode=$(/slkinst inspect -f \ + '{{range $index, $value := .Config.Env}}{{println $value}}{{end}}' \ + "$installed_agent_container_id" | grep AQUA_MODE | awk -F '=' '{print $2}') + + [ -n "$installed_mode" ] && break + fi + + echo "$installed_mode" +} + +aquasec_watcher_stop_agent_and_exit() +{ + local agent_container_id=$(grep "agent-id" /watcher_info | awk -F '=' '{print $2}') + + if [ -n "$agent_container_id" ]; then + aquasec_log "watcher stop agent $agent_container_id" + /slkinst stop --time 60 "$agent_container_id" + fi + + exit 0 +} + +aquasec_try_start_watcher() +{ + local agent_container_id="" + if [ "$AQUA_INSTALL_MODE" = "CONTAINER" ] && [ -f /watcher_info ]; then + # Case where there is an existing watcher container started -- start the agent 
container. + agent_container_id=$(grep "agent-id" /watcher_info | awk -F '=' '{print $2}') + + aquasec_log "watcher start agent $agent_container_id" + /slkinst start $agent_container_id + + aquasec_start_watcher + fi +} + +aquasec_get_reserved_container_id() +{ + local reserved_container_id="" + + # try get installed agent container id + reserved_container_id=$(/slkinst ps --quiet --filter name-prefix=aquasec-agent --exclude "$AQUA_CURRENT_CONTAINER_ID" --latest) + + # fallback to get watcher id by version label + [ -z "$reserved_container_id" ] && reserved_container_id=$(/slkinst ps --quiet --all --filter label=com.aquasec.version=$MAJOR_VERSION.$MINOR_VERSION --exclude "$AQUA_CURRENT_CONTAINER_ID") + + # fallback to get current container id + [ -z "$reserved_container_id" ] && reserved_container_id=$AQUA_CURRENT_CONTAINER_ID + + echo $reserved_container_id +} + +aquasec_check_runc_mode() +{ + runc_mode=0 + if [ ! -z "$AQUA_RUNC_INTERCEPTION" ]; then + echo "0 false" | grep -iq "$AQUA_RUNC_INTERCEPTION" + if [ $? != 0 ]; then + runc_mode=1 + fi + fi + return $runc_mode +} + +aquasec_set_docker_socket() +{ + [ -z "$AQUA_DOCKER_SOCKET" ] && AQUA_DOCKER_SOCKET="/var/run/docker.sock" + export AQUA_DOCKER_SOCKET=$AQUA_DOCKER_SOCKET +} + +aquasec_check_already_installed() +{ + if pgrep -x slkaudit > /dev/null && pgrep -x slkscan > /dev/null ; then + echo "Enforcer is already running, terminating current one.">&2 2>&1 + exit 0 + fi + aquasec_log "enforcer is not installed. continue" +} + +########################## main ########################## + +aquasec_check_already_installed +aquasec_set_docker_socket +AQUA_RUNTIME="`/slkinst runtime-type`" +aquasec_check_prerequisite + +aquasec_init_debug +aquasec_init +aquasec_set_install_type +aquasec_set_install_path + +# orchestrators delete enforcer container without run uninstall script. +# when enforcer container was created with db directory mount, +# acl.db was remained on host after enforcer container was deleted. 
+# check if exists preload library with the same version to distinguish
+# if autorun.sh is called after enforcer container stop or delete.
+if ([ "$AQUA_INSTALL_MODE" = "SERVICE" ] &&
+ [ -f "/data/acl.db" ] &&
+ [ -f "/host/opt/aquasec/audit/bin/slklib.$MAJOR_VERSION.$MINOR_VERSION" ]) ||
+ ([ "$AQUA_INSTALL_MODE" = "CONTAINER" ] && [ -d "/data" ]); then
+ aquasec_run
+ exit 0
+fi
+
+aquasec_try_start_watcher
+aquasec_install
+
+exit 0
-- GitLab From 86e5b9e6bc431de12b687d7a2a5ba707c7482ec6 Mon Sep 17 00:00:00 2001 From: Aviv Shavit Date: Sun, 7 Feb 2021 13:59:22 +0200 Subject: [PATCH 2/4] update 21026 - update to release 5.3 (artifacts generated from server@1cfdcea) --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6e2fcff..ce8780c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,7 +23,7 @@ ENV VERSION=${AQUA_VERSION}.${AQUA_TAG}
 ARG CONTAINER=enforcer
 ARG COMPONENT=enforcer
 ARG BUILDDATE
-ARG COMMIT=1b329dd
+ARG COMMIT=1cfdcea
 # 'LABEL' instructions should include at least the following information and any other helpful details.
 LABEL name="Aqua Enterprise ${CONTAINER}" \
@@ -60,7 +60,7 @@ RUN rm -rf /build
 COPY scripts/* /
 RUN groupadd -g 11433 --system aqua && \
- adduser --home-dir /home/aqua --comment "aqua user" --shell /sbin/nologin -g aqua --system -u 11433 aqua && \
+ adduser -m --home-dir /home/aqua --comment "aqua user" --shell /sbin/nologin -g aqua --system -u 11431 aqua && \
 chown -R aqua:root /opt/aquasec && chown -R aqua:root /opt/aquascans
 RUN microdnf remove ${BUILD_ONLY_PACKAGES}
-- GitLab From 5a6fdb5c7cd2e594edfe3d718d5058268cec6815 Mon Sep 17 00:00:00 2001 From: Jeffrey Weatherford Date: Mon, 8 Feb 2021 15:18:37 +0000 Subject: [PATCH 3/4] Update Dockerfile to remove the label directives. --- Dockerfile | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ce8780c..91726b5 100644
--- a/Dockerfile
+++ b/Dockerfile
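Review bot: The new `adduser` line moves the `aqua` user to UID 11431 while the unchanged `groupadd -g 11433 --system aqua` just above it keeps the group at 11433, so UID and GID now diverge and neither the hunk nor the commit message says why; if a fixed UID contract on the orchestrator side (for example a `runAsUser` pin) requires 11431, that should be recorded in a comment, otherwise `--system -u 11433 aqua` keeps the pair aligned. The hunk also creates a `/sbin/nologin` system user and chowns `/opt/aquasec` and `/opt/aquascans` to `aqua:root`, but no `USER aqua` is visible in the hunk; if the Dockerfile never switches user, the enforcer still starts as root, which may well be deliberate for a host-level enforcer but should be stated explicitly, e.g. `# enforcer runs as root by design; the aqua user only owns the product tree`. The newly added `-m` creates `/home/aqua` for a user that cannot log in; if nothing reads that home directory it is extra image content that could be dropped, and if something does, a one-line comment naming it would help the next reviewer.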
@@ -9,7 +9,7 @@ ARG BASE_TAG=8.3
 # FROM statement must reference the base image using the three ARGs established
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-# needed again for label below
+
 ARG BASE_REGISTRY=registry1.dsop.io
 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
 ARG BASE_TAG=8.3
@@ -25,20 +25,6 @@ ARG COMPONENT=enforcer
 ARG BUILDDATE
 ARG COMMIT=1cfdcea
-# 'LABEL' instructions should include at least the following information and any other helpful details.
-LABEL name="Aqua Enterprise ${CONTAINER}" \
- maintainer="admin@aquasec.com" \
- vendor="Aqua Security Software Ltd." \
- summary="Aqua Security Enterprise - ${CONTAINER}" \
- description="Aqua Security Enterprise - ${CONTAINER}"
-LABEL com.aquasec.release=${VERSION}
-LABEL com.aquasec.version=${VERSION}
-LABEL com.aquasec.component=$COMPONENT
-LABEL com.aquasec.builddate=${BUILDDATE}
-LABEL com.aquasec.commit=${COMMIT}
-LABEL com.aquasec.baseimage=${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
-
-
 ENV BUILD_ONLY_PACKAGES="tar gzip shadow-utils"
 RUN microdnf install $BUILD_ONLY_PACKAGES
@@ -83,4 +69,4 @@ RUN microdnf install iptables libmnl && \
 RUN cp /opt/aquasec/slkinst /
 ENV LD_LIBRARY_PATH=/opt/aquasec
-CMD ["/autorun.sh"]
\ No newline at end of file
+CMD ["/autorun.sh"]
-- GitLab From 30dfc7ff429cac3049587c24e86a88ff23ec3481 Mon Sep 17 00:00:00 2001 From: Jeffrey Weatherford Date: Mon, 8 Feb 2021 15:20:49 +0000 Subject: [PATCH 4/4] Update Dockerfile, missed a label directive. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 91726b5..26d7974 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -62,7 +62,7 @@ RUN microdnf clean all
 VOLUME /opt/aquascans
 WORKDIR /opt/aquasec/
-LABEL com.aquasec.restart=no
+
 HEALTHCHECK --interval=1m --start-period=3m CMD /opt/aquasec/slk ping || exit 1
 RUN microdnf install iptables libmnl && \
 microdnf clean all
-- GitLab