C-Prot Linux User Account Management (#159) #34
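# Secure GitHub Actions Workflow with Webhook Secret
# Place this file in your EDR-Telemetry repository at:
#   .github/workflows/update-database.yml
#
# Hardening applied in this workflow:
#   - The job token is limited to `contents: read`; nothing here writes back
#     to the repository.
#   - Event data (`github.*` values, step outputs) reaches shell steps only
#     through `env:`, never by interpolating `${{ }}` into `run:` text, so a
#     branch name or payload containing shell metacharacters is just a string.
#   - Secrets are consumed from `env:` (`$WEBHOOK_SECRET`, `$CLOUD_FUNCTION_URL`)
#     instead of being expanded into the script source.
#   - The webhook payload is built with `jq` so every field is JSON-escaped,
#     and the HMAC is computed over exactly the bytes that are POSTed.
name: Update EDR Telemetry Database (Secure)

on:
  push:
    branches: [main]
    paths:
      - 'EDR_telem_windows.json'
      - 'EDR_telem_linux.json'
      - 'partially_value_explanations_windows.json'
      - 'partially_value_explanations_linux.json'
      - 'mitre_att&ck_mappings.json'
  # Allow manual triggering
  workflow_dispatch:
    inputs:
      platform:
        description: 'Platform to update (windows, linux, both)'
        required: false
        default: 'both'
        type: choice
        options:
          - both
          - windows
          - linux

# Least privilege: the only repository access needed is the checkout.
permissions:
  contents: read

jobs:
  update-database:
    runs-on: ubuntu-latest
    name: Update Database via Cloud Function
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so `git diff <before> <after>` can resolve both commits.
          fetch-depth: 0

      - name: Detect Platform
        id: detect
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_PLATFORM: ${{ github.event.inputs.platform }}
          BEFORE_SHA: ${{ github.event.before }}
          AFTER_SHA: ${{ github.sha }}
        run: |
          # Manual runs: honour the selected platform and skip change detection.
          if [ "$EVENT_NAME" = "workflow_dispatch" ] && [ -n "$INPUT_PLATFORM" ]; then
            echo "platform=$INPUT_PLATFORM" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          # `before` is all zeros for a newly created branch and may not exist in
          # the clone after a force-push; in both cases fall back to the files
          # touched by the pushed commit alone.
          NULL_SHA="0000000000000000000000000000000000000000"
          if [ -n "$BEFORE_SHA" ] && [ "$BEFORE_SHA" != "$NULL_SHA" ] \
             && git cat-file -e "${BEFORE_SHA}^{commit}" 2>/dev/null; then
            CHANGED_FILES=$(git diff --name-only "$BEFORE_SHA" "$AFTER_SHA")
          else
            CHANGED_FILES=$(git diff-tree --no-commit-id --name-only -r "$AFTER_SHA")
          fi
          echo "Changed files:"
          echo "$CHANGED_FILES"

          HAS_LINUX=0
          HAS_WINDOWS=0
          if echo "$CHANGED_FILES" | grep -qE '^(EDR_telem_linux\.json|partially_value_explanations_linux\.json)$'; then
            HAS_LINUX=1
          fi
          if echo "$CHANGED_FILES" | grep -qE '^(EDR_telem_windows\.json|partially_value_explanations_windows\.json)$'; then
            HAS_WINDOWS=1
          fi

          # Exactly one platform's files changed -> update that platform.
          # Both changed, or neither (e.g. only the MITRE mapping) -> update both.
          if [ "$HAS_LINUX" -eq 1 ] && [ "$HAS_WINDOWS" -eq 0 ]; then
            echo "platform=linux" >> "$GITHUB_OUTPUT"
          elif [ "$HAS_WINDOWS" -eq 1 ] && [ "$HAS_LINUX" -eq 0 ]; then
            echo "platform=windows" >> "$GITHUB_OUTPUT"
          else
            echo "platform=both" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate Webhook Signature
        id: signature
        shell: bash
        env:
          # This secret must be set in GitHub repository settings
          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
          REPOSITORY: ${{ github.repository }}
          REF: ${{ github.ref }}
          SHA: ${{ github.sha }}
          ACTOR: ${{ github.actor }}
          WORKFLOW: ${{ github.workflow }}
          RUN_ID: ${{ github.run_id }}
        run: |
          echo "🔐 Generating webhook signature for secure authentication"

          # Fail early with a clear message instead of signing with an empty key
          # and getting an opaque 401 from the Cloud Function later.
          if [ -z "$WEBHOOK_SECRET" ]; then
            echo "❌ WEBHOOK_SECRET is not set in repository secrets"
            exit 1
          fi

          # Build the payload with jq so every value is JSON-escaped, and emit it
          # as a single line (-c) so it fits a plain `name=value` step output.
          PAYLOAD=$(jq -cn \
            --arg source "github_actions" \
            --arg repository "$REPOSITORY" \
            --arg ref "$REF" \
            --arg sha "$SHA" \
            --arg actor "$ACTOR" \
            --arg workflow "$WORKFLOW" \
            --arg run_id "$RUN_ID" \
            --arg triggered_at "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            '{source: $source, repository: $repository, ref: $ref, sha: $sha,
              actor: $actor, workflow: $workflow, run_id: $run_id,
              triggered_at: $triggered_at}')

          # HMAC-SHA256 over exactly the bytes that will be POSTed (no trailing
          # newline). The receiver must verify against the raw request body.
          SIGNATURE=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | sed 's/^.* //')

          # Outputs for the next step
          echo "payload=$PAYLOAD" >> "$GITHUB_OUTPUT"
          echo "signature=sha256=$SIGNATURE" >> "$GITHUB_OUTPUT"

      - name: Trigger Database Update
        shell: bash
        env:
          # These secrets must be set in GitHub repository settings:
          # Settings → Secrets and variables → Actions → New repository secret
          CLOUD_FUNCTION_URL: ${{ secrets.CLOUD_FUNCTION_URL }}
          PLATFORM: ${{ steps.detect.outputs.platform }}
          EVENT_NAME: ${{ github.event_name }}
          PAYLOAD: ${{ steps.signature.outputs.payload }}
          SIGNATURE: ${{ steps.signature.outputs.signature }}
        run: |
          echo "🚀 Triggering secure database update for platform: $PLATFORM"

          if [ -z "$CLOUD_FUNCTION_URL" ]; then
            echo "❌ CLOUD_FUNCTION_URL is not set in repository secrets"
            exit 1
          fi

          # POST the signed payload for one platform.
          # Returns 0 on HTTP 200, 1 on any other status or on a transport error.
          call_update() {
            local p="$1"
            local response http_code response_body
            # --data-binary sends the payload bytes unchanged, which is what
            # the signature was computed over.
            response=$(curl -sS -w "\n%{http_code}" -X POST \
              "${CLOUD_FUNCTION_URL}?platform=${p}" \
              -H "Content-Type: application/json" \
              -H "X-GitHub-Event: ${EVENT_NAME}" \
              -H "X-Hub-Signature-256: ${SIGNATURE}" \
              --data-binary "$PAYLOAD")
            http_code=$(echo "$response" | tail -n1)
            response_body=$(echo "$response" | sed '$d')

            echo "📊 Response Status (${p}): $http_code"
            echo "📄 Response Body (${p}):"
            echo "$response_body" | jq '.' 2>/dev/null || echo "$response_body"

            # String comparison: an empty code (curl could not connect) must not
            # raise an "integer expression expected" error, just fall to failure.
            if [ "$http_code" = "200" ]; then
              return 0
            elif [ "$http_code" = "401" ]; then
              echo "❌ Authentication failed - check WEBHOOK_SECRET"
              echo "Make sure the WEBHOOK_SECRET in GitHub matches your Cloud Function"
              return 1
            else
              echo "❌ Database update failed with status code: $http_code"
              return 1
            fi
          }

          if [ "$PLATFORM" = "both" ]; then
            call_update "windows" || exit 1
            call_update "linux" || exit 1
            echo "✅ Database updates completed successfully"
          else
            call_update "$PLATFORM" || exit 1
            echo "✅ Database update completed successfully"
          fi

      - name: Notify on Success
        if: success()
        shell: bash
        env:
          REPOSITORY: ${{ github.repository }}
          REF_NAME: ${{ github.ref_name }}
          SHA: ${{ github.sha }}
          ACTOR: ${{ github.actor }}
          PLATFORM: ${{ steps.detect.outputs.platform }}
        run: |
          echo "🎉 Database update completed successfully!"
          echo "📋 Summary:"
          echo "  Repository: $REPOSITORY"
          echo "  Branch: $REF_NAME"
          echo "  Commit: $SHA"
          echo "  Actor: $ACTOR"
          echo "  Platform: $PLATFORM"

      - name: Notify on Failure
        if: failure()
        shell: bash
        run: |
          echo "💥 Database update failed!"
          echo "🔍 Troubleshooting steps:"
          echo "  1. Verify CLOUD_FUNCTION_URL is correct in repository secrets"
          echo "  2. Check WEBHOOK_SECRET matches between GitHub and Cloud Function"
          echo "  3. Ensure Cloud Function is deployed and accessible"
          echo "  4. Verify Supabase database is operational"
          echo "  5. Review Cloud Function logs in GCP Console:"
          echo "     gcloud functions logs read edr-telemetry-updater --region=us-central1"

  # Optional: Add Slack notification job
  # uncomment and configure if you want Slack notifications
  # notify-slack:
  #   needs: update-database
  #   runs-on: ubuntu-latest
  #   if: always()
  #   steps:
  #     - name: Notify Slack
  #       uses: 8398a7/action-slack@v3
  #       with:
  #         status: ${{ needs.update-database.result }}
  #         text: |
  #           EDR Telemetry Database Update: ${{ needs.update-database.result }}
  #           Repository: ${{ github.repository }}
  #           Commit: ${{ github.sha }}
  #           Actor: ${{ github.actor }}
  #       env:
  #         SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}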