Merge branch 'main' into release-2.5

Author: ramanan-ravi

Makefile

@@ -18,7 +18,7 @@ export IMAGE_REPOSITORY?=quay.io/deepfenceio
 export DF_IMG_TAG?=latest
 export STEAMPIPE_IMG_TAG?=0.23.x
 export IS_DEV_BUILD?=false
-export VERSION?=v2.5.0
+export VERSION?=v2.5.1
 export AGENT_BINARY_BUILD=$(DEEPFENCE_FARGATE_DIR)/build
 export AGENT_BINARY_BUILD_RELATIVE=deepfence_agent/agent-binary/build
 export AGENT_BINARY_DIST=$(DEEPFENCE_FARGATE_DIR)/dist

README.md

@@ -93,10 +93,10 @@ docker run -dit \
     -e http_proxy="" \
     -e https_proxy="" \
     -e no_proxy="" \
-    quay.io/deepfenceio/deepfence_agent_ce:2.5.0
+    quay.io/deepfenceio/deepfence_agent_ce:2.5.1
 ```
 
-Note: Image tag `quay.io/deepfenceio/deepfence_agent_ce:2.5.0-multiarch` is supported in amd64 and arm64/v8 architectures.
+Note: Image tag `quay.io/deepfenceio/deepfence_agent_ce:2.5.1-multiarch` is supported in amd64 and arm64/v8 architectures.
 
 On a Kubernetes platform, the sensors are installed using [helm chart](https://community.deepfence.io/threatmapper/docs/v2.5/sensors/kubernetes/)
 

deepfence_agent/agent-binary/Dockerfile.fargate

@@ -1,113 +1,3 @@
-FROM alpine:3.19 as builder
-
-# renovate: source=github-tags name=curl/curl versioning=regex:^(?:curl-)?(?<major>\d+)_(?<minor>\d+)_(?<patch>\d+)$ extractVersion=^(?:curl-)?(?<version>[\d_]+)$
-ENV CURL_VERSION="8_5_0"
-
-# install system dependencies
-RUN apk add \
-    build-base \
-    clang \
-    openssl-dev \
-    nghttp2-dev \
-    nghttp2-static \
-    openssl-libs-static \
-    zlib-static \
-    autoconf \
-    automake \
-    libtool
-
-WORKDIR /tmp
-
-# download curl sources
-RUN set -x \
-    && CURL_VERSION=$(echo $CURL_VERSION | sed s/_/./g) \
-    && wget -O curl.tar.gz "https://curl.haxx.se/download/curl-$CURL_VERSION.tar.gz" \
-    && tar xzf curl.tar.gz \
-    && rm curl.tar.gz \
-    && mv ./curl-* ./src
-
-# change working directory to the directory with curl sources
-WORKDIR /tmp/src
-
-# apply patches to the source code
-# COPY ./patches ./patches
-RUN mkdir -p ./patches \
-    && wget https://raw.githubusercontent.com/tarampampam/curl-docker/master/patches/fail-exit-code.patch -O ./patches/fail-exit-code.patch
-RUN for f in ./patches/*.patch; do patch -p1 < "$f"; done
-
-ENV CC="clang" \
-    LDFLAGS="-static" \
-    PKG_CONFIG="pkg-config --static"
-
-RUN autoreconf -fi
-
-#RUN ./configure --help=short && exit 1 # show the help
-
-RUN ./configure \
-    --disable-shared \
-    --enable-static \
-    \
-    --enable-dnsshuffle \
-    --enable-werror \
-    \
-    --disable-cookies \
-    --disable-crypto-auth \
-    --disable-dict \
-    --disable-file \
-    --disable-ftp \
-    --disable-gopher \
-    --disable-imap \
-    --disable-ldap \
-    --disable-pop3 \
-    --disable-proxy \
-    --disable-rtmp \
-    --disable-rtsp \
-    --disable-scp \
-    --disable-sftp \
-    --disable-smtp \
-    --disable-telnet \
-    --disable-tftp \
-    --disable-versioned-symbols \
-    --disable-doh \
-    --disable-netrc \
-    --disable-mqtt \
-    --disable-largefile \
-    --without-gssapi \
-    --without-libidn2 \
-    --without-libpsl \
-    --without-librtmp \
-    --without-libssh2 \
-    --without-nghttp2 \
-    --without-ntlm-auth \
-    --without-brotli \
-    --without-zlib \
-    --with-ssl
-
-# compile the curl
-RUN set -x \
-    && make -j$(nproc) V=1 LDFLAGS="-static -all-static" \
-    && strip ./src/curl
-
-# exit with error code 1 if the executable is dynamic, not static
-RUN ldd ./src/curl && exit 1 || true
-
-# print out some info about binary file
-RUN set -x \
-    && ls -lh ./src/curl \
-    && file ./src/curl \
-    && ./src/curl --version
-
-WORKDIR /tmp/rootfs
-
-# prepare the rootfs for scratch
-RUN set -x \
-    && mkdir -p ./bin ./etc/ssl \
-    && mv /tmp/src/src/curl ./bin/curl \
-    && echo 'curl:x:10001:10001::/nonexistent:/sbin/nologin' > ./etc/passwd \
-    && echo 'curl:x:10001:' > ./etc/group \
-    && cp -R /etc/ssl/certs ./etc/ssl/certs
-
-
 FROM scratch
 
 ARG AGENT_BINARY_BUILD_RELATIVE
@@ -120,7 +10,6 @@ WORKDIR /
 COPY $AGENT_BINARY_BUILD_RELATIVE /deepfence
 
 COPY deepfence_agent/agent-binary/deepfence-entry-point-scratch.sh deepfence/usr/local/bin/deepfence-entry-point-scratch.sh
-COPY --from=builder /tmp/rootfs/bin/curl /deepfence/bin/curl
 COPY deepfence_agent/agent-binary/start-df-services-fargate.sh deepfence/usr/local/bin/start-df-services-fargate.sh
 
 VOLUME ["/deepfence"]

deepfence_agent/etc/fenced_logrotate.conf

@@ -1,21 +1,5 @@
 su root root
 
-$DF_INSTALL_DIR/var/log/fenced/*.log {
-    missingok
-    notifempty
-    compress
-    size 4M
-    copytruncate
-    rotate 1
-}
-$DF_INSTALL_DIR/var/log/fenced/*.logfile {
-    missingok
-    notifempty
-    compress
-    size 1M
-    copytruncate
-    rotate 1
-}
 $DF_INSTALL_DIR/var/log/supervisor/*.log {
     missingok
     notifempty
@@ -24,54 +8,6 @@ $DF_INSTALL_DIR/var/log/supervisor/*.log {
     copytruncate
     rotate 1
 }
-$DF_INSTALL_DIR/var/log/fenced/secret-scan/*.log {
-    missingok
-    notifempty
-    compress
-    size 20M
-    copytruncate
-    rotate 1
-}
-$DF_INSTALL_DIR/var/log/fenced/secret-scan-log/*.log {
-    missingok
-    notifempty
-    compress
-    size 20M
-    copytruncate
-    rotate 1
-}
-$DF_INSTALL_DIR/var/log/fenced/malware-scan/*.log {
-    missingok
-    notifempty
-    compress
-    size 20M
-    copytruncate
-    rotate 1
-}
-$DF_INSTALL_DIR/var/log/fenced/malware-scan-log/*.log {
-    missingok
-    notifempty
-    compress
-    size 20M
-    copytruncate
-    rotate 1
-}
-$DF_INSTALL_DIR/var/log/fenced/compliance/*.log {
-    missingok
-    notifempty
-    compress
-    size 20M
-    copytruncate
-    rotate 1
-}
-$DF_INSTALL_DIR/var/log/fenced/compliance-scan-logs/*.log {
-    missingok
-    notifempty
-    compress
-    size 20M
-    copytruncate
-    rotate 1
-}
 $DF_INSTALL_DIR/var/log/deepfenced/*.log {
     missingok
     notifempty

deepfence_agent/plugins/cloud-scanner

@@ -47,6 +47,7 @@ configure_cron() {
   #doesnt work smoothly inside docker!
   service cron start
   chmod 600 /etc/logrotate.d/fenced_logrotate.conf
+  sed -i "s/\$DF_INSTALL_DIR/$DF_INSTALL_DIR/g" /etc/logrotate.d/fenced_logrotate.conf
   MARK="/etc/logrotate.d/fenced_logrotate.conf"
   crontab_output=$(crontab -l)
   if [ $(echo "$crontab_output" | grep -ic "$MARK") -eq 0 ]

deepfence_agent/plugins/yara-rules

@@ -31,42 +31,88 @@ func (e ElasticSearch) SendNotification(ctx context.Context, message []map[strin
 
 	var err error
 
-	payloadMsg := ""
-	meta := "{\"index\":{\"_index\":\"" + e.Config.Index + "\"}}\n"
-	for _, payload := range message {
-		pl, err := json.Marshal(payload)
+	// send messages to bulk api
+	sendBulkRequest := func() error {
+		payloadMsg := ""
+		meta := "{\"index\":{\"_index\":\"" + e.Config.Index + "\"}}\n"
+		for _, payload := range message {
+			pl, err := json.Marshal(payload)
+			if err != nil {
+				return err
+			}
+			payloadMsg += meta + string(pl) + "\n"
+		}
+		endpointURL := strings.TrimRight(e.Config.EndpointURL, "/")
+		req, err := http.NewRequest(http.MethodPost, endpointURL+"/_bulk", bytes.NewBuffer([]byte(payloadMsg)))
 		if err != nil {
+			log.Error().Err(err).Msg("error on create http request")
 			return err
 		}
-		payloadMsg += meta + string(pl) + "\n"
-	}
 
-	// send message to this elasticsearch using http
-	// Set up the HTTP request.
-	endpointURL := strings.TrimRight(e.Config.EndpointURL, "/")
-	req, err := http.NewRequest(http.MethodPost, endpointURL+"/_bulk", bytes.NewBuffer([]byte(payloadMsg)))
-	if err != nil {
-		log.Error().Err(err).Msg("error on create http request")
-		span.EndWithErr(err)
-		return err
-	}
+		req.Header.Set("Content-Type", "application/x-ndjson")
 
-	req.Header.Set("Content-Type", "application/x-ndjson")
+		if e.Config.AuthHeader != "" {
+			req.Header.Set("Authorization", e.Config.AuthHeader)
+		}
 
-	if e.Config.AuthHeader != "" {
-		req.Header.Set("Authorization", e.Config.AuthHeader)
+		// Make the HTTP request.
+		resp, err := utils.GetHTTPClient().Do(req)
+		if err != nil {
+			log.Error().Err(err).Msg("error on http request")
+			return intgerr.CheckHTTPError(err)
+		}
+		defer resp.Body.Close()
+
+		return intgerr.CheckResponseCode(resp, http.StatusOK)
 	}
+	err = sendBulkRequest()
 
-	// Make the HTTP request.
-	resp, err := utils.GetHTTPClient().Do(req)
 	if err != nil {
-		log.Error().Err(err).Msg("error on http request")
-		span.EndWithErr(err)
-		return intgerr.CheckHTTPError(err)
-	}
-	defer resp.Body.Close()
+		log.Warn().Err(err).Msg("error sending to elasticsearch using bulk api, switching to individual requests")
+
+		// Try sending the messages individually
+		endpointURL := strings.TrimRight(e.Config.EndpointURL, "/")
+		postDocumentURL := fmt.Sprintf("%s/%s/_doc", endpointURL, e.Config.Index)
+
+		postDocumentRequest := func(message map[string]interface{}) error {
+			payloadMsg, err := json.Marshal(message)
+			if err != nil {
+				return err
+			}
+
+			req, err := http.NewRequest(http.MethodPost, postDocumentURL, bytes.NewBuffer(payloadMsg))
+			if err != nil {
+				log.Error().Err(err).Msg("error on create http request")
+				return err
+			}
+
+			req.Header.Set("Content-Type", "application/json")
+
+			if e.Config.AuthHeader != "" {
+				req.Header.Set("Authorization", e.Config.AuthHeader)
+			}
+
+			// Make the HTTP request.
+			resp, err := utils.GetHTTPClient().Do(req)
+			if err != nil {
+				log.Error().Err(err).Msg("error on http request")
+				return intgerr.CheckHTTPError(err)
+			}
+			defer resp.Body.Close()
+
+			return intgerr.CheckResponseCode(resp, http.StatusCreated)
+		}
 
-	return intgerr.CheckResponseCode(resp, http.StatusOK)
+		for _, msg := range message {
+			err = postDocumentRequest(msg)
+			if err != nil {
+				log.Error().Err(err).Msg("error sending to elasticsearch")
+				span.EndWithErr(err)
+				return err
+			}
+		}
+	}
+	return nil
 }
 
 func (e ElasticSearch) IsValidCredential(ctx context.Context) (bool, error) {