Release/v11.2.6

.github/workflows/reusable-java.yml

@@ -36,6 +36,11 @@ on:
         type: string
         default: "clean install"
         description: "Maven goals to execute"
+      copy_filters_and_rules:
+        required: false
+        type: boolean
+        default: false
+        description: "Copy filters and rules folders to build context"
 
 jobs:
   build:
@@ -99,6 +104,13 @@ jobs:
           username: utmstack
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Copy filters and rules to build context
+        if: ${{ inputs.copy_filters_and_rules }}
+        run: |
+          cp -r filters ./${{ inputs.image_name }}/
+          cp -r rules ./${{ inputs.image_name }}/
+          echo "✅ Copied filters and rules to ./${{ inputs.image_name }}/"
+
       - name: Build and Push the Image
         uses: docker/build-push-action@v6
         with:

.github/workflows/v11-deployment-pipeline.yml

@@ -493,6 +493,7 @@ jobs:
       use_tag_as_version: true
       maven_profile: 'prod'
       maven_goals: 'clean package'
+      copy_filters_and_rules: true
 
   build_frontend:
     name: Build Frontend Microservice

agent-manager/agent/agent_imp.go

@@ -29,13 +29,20 @@ type AgentService struct {
 	AgentStreamMap        map[uint]AgentService_AgentStreamServer
 	AgentStreamMutex      sync.Mutex
 	CacheAgentKey         map[uint]string
-	CacheAgentKeyMutex    sync.Mutex
+	CacheAgentKeyMutex    sync.RWMutex
 	CommandResultChannel  map[string]chan *CommandResult
 	CommandResultChannelM sync.Mutex
 
 	DBConnection *database.DB
 }
 
+func (s *AgentService) ValidateAgentKey(key string, id uint) bool {
+	s.CacheAgentKeyMutex.RLock()
+	defer s.CacheAgentKeyMutex.RUnlock()
+	_, valid := utils.IsKeyPairValid(key, id, s.CacheAgentKey)
+	return valid
+}
+
 func InitAgentService() error {
 	var err error
 	agentServOnce.Do(func() {
@@ -338,20 +345,35 @@ func (s *AgentService) ProcessCommand(stream PanelService_ProcessCommandServer)
 			return status.Errorf(codes.Internal, "failed to send command to agent: %v", err)
 		}
 
-		result := <-s.CommandResultChannel[cmdID]
-		err = s.DBConnection.Upsert(
-			&models.AgentCommand{},
-			"agent_id = ? AND cmd_id = ?",
-			map[string]interface{}{"command_status": models.Executed, "result": result.Result},
-			cmd.AgentId, cmdID,
-		)
-		if err != nil {
-			catcher.Error("failed to update command status", err, map[string]any{"process": "agent-manager"})
-		}
+		select {
+		case result := <-s.CommandResultChannel[cmdID]:
+			err = s.DBConnection.Upsert(
+				&models.AgentCommand{},
+				"agent_id = ? AND cmd_id = ?",
+				map[string]interface{}{"command_status": models.Executed, "result": result.Result},
+				cmd.AgentId, cmdID,
+			)
+			if err != nil {
+				catcher.Error("failed to update command status", err, map[string]any{"process": "agent-manager"})
+			}
 
-		err = stream.Send(result)
-		if err != nil {
-			return err
+			err = stream.Send(result)
+			if err != nil {
+				return err
+			}
+		case <-time.After(5 * time.Minute):
+			s.CommandResultChannelM.Lock()
+			delete(s.CommandResultChannel, cmdID)
+			s.CommandResultChannelM.Unlock()
+
+			_ = s.DBConnection.Upsert(
+				&models.AgentCommand{},
+				"agent_id = ? AND cmd_id = ?",
+				map[string]interface{}{"command_status": models.Error, "result": "command timed out after 5 minutes"},
+				cmd.AgentId, cmdID,
+			)
+
+			return status.Errorf(codes.DeadlineExceeded, "agent did not respond within 5 minutes")
 		}
 
 		s.CommandResultChannelM.Lock()

agent-manager/agent/collector_imp.go

@@ -43,13 +43,20 @@ type CollectorService struct {
 	CollectorConfigsCache     map[uint][]*CollectorConfigGroup
 	CollectorConfigsCacheM    sync.Mutex
 	CacheCollectorKey         map[uint]string
-	CacheCollectorKeyMutex    sync.Mutex
+	CacheCollectorKeyMutex    sync.RWMutex
 	CollectorPendigConfigChan chan *CollectorConfig
 	CollectorTypes            []enum.UTMModule
 
 	DBConnection *database.DB
 }
 
+func (s *CollectorService) ValidateCollectorKey(key string, id uint) bool {
+	s.CacheCollectorKeyMutex.RLock()
+	defer s.CacheCollectorKeyMutex.RUnlock()
+	_, valid := utils.IsKeyPairValid(key, id, s.CacheCollectorKey)
+	return valid
+}
+
 func InitCollectorService() {
 	collectorServOnce.Do(func() {
 		CollectorServ = &CollectorService{

agent-manager/agent/interceptor.go

@@ -2,7 +2,7 @@ package agent
 
 import (
 	"context"
-	_ "errors"
+	"crypto/subtle"
 	"fmt"
 	"strconv"
 	"strings"
@@ -79,11 +79,11 @@ func authHeaders(md metadata.MD, fullMethod string) error {
 		typ := strings.ToLower(connectorType[0])
 		switch typ {
 		case "agent":
-			if _, isValid := utils.IsKeyPairValid(key, uint(id), AgentServ.CacheAgentKey); !isValid {
+			if !AgentServ.ValidateAgentKey(key, uint(id)) {
 				return status.Error(codes.PermissionDenied, "invalid key")
 			}
 		case "collector":
-			if _, isValid := utils.IsKeyPairValid(key, uint(id), CollectorServ.CacheCollectorKey); !isValid {
+			if !CollectorServ.ValidateCollectorKey(key, uint(id)) {
 				return status.Error(codes.PermissionDenied, "invalid key")
 			}
 		default:
@@ -102,7 +102,7 @@ func authHeaders(md metadata.MD, fullMethod string) error {
 }
 
 func isInternalKeyValid(token string) bool {
-	return token == config.InternalKey
+	return subtle.ConstantTimeCompare([]byte(token), []byte(config.InternalKey)) == 1
 }
 
 func isInRoute(route string, list []string) bool {

agent-manager/agent/parser.go

@@ -100,7 +100,11 @@ func replaceSecretValues(input string) string {
 			return match
 		}
 		encryptedValue := matches[2]
-		decryptedValue, _ := utils.DecryptValue(config.EncryptionKey, encryptedValue)
+		decryptedValue, err := utils.DecryptValue(config.EncryptionKey, encryptedValue)
+		if err != nil {
+			catcher.Error("failed to decrypt secret value in command", err, map[string]any{"process": "agent-manager"})
+			return match
+		}
 		return decryptedValue
 	})
 }

agent-manager/utils/auth.go

@@ -1,6 +1,7 @@
 package utils
 
 import (
+	"crypto/subtle"
 	"crypto/tls"
 	"net/http"
 	"strings"
@@ -19,10 +20,12 @@ func IsConnectionKeyValid(panelUrl string, token string) bool {
 }
 
 func IsKeyPairValid(key string, id uint, cache map[uint]string) (string, bool) {
-	for agentId, agentKey := range cache {
-		if key == agentKey && id == agentId {
-			return agentKey, true
-		}
+	agentKey, ok := cache[id]
+	if !ok {
+		return "", false
+	}
+	if subtle.ConstantTimeCompare([]byte(key), []byte(agentKey)) == 1 {
+		return agentKey, true
 	}
 	return "", false
 }

agent-manager/utils/filter.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 
 	"gorm.io/gorm"
@@ -24,14 +25,14 @@ type Filter struct {
 	Value interface{}
 }
 
-func NewFilter(searchQuery string) []Filter {
-	defer func() {
-		if r := recover(); r != nil {
-			// Handle the panic here
-			fmt.Println("Panic occurred:", r)
-		}
-	}()
+// validFieldName ensures the field name only contains safe characters (letters, digits, underscores)
+var validFieldName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)
 
+func IsValidFieldName(field string) bool {
+	return validFieldName.MatchString(field)
+}
+
+func NewFilter(searchQuery string) []Filter {
 	filters := make([]Filter, 0)
 	if searchQuery == "" {
 		return filters
@@ -42,11 +43,27 @@ func NewFilter(searchQuery string) []Filter {
 	}
 	for _, v := range query {
 		filter := strings.Split(v, "=")
+		if len(filter) != 2 {
+			continue
+		}
 		filerQuery := strings.Split(filter[0], ".")
+		if len(filerQuery) != 2 {
+			continue
+		}
+		field := filerQuery[0]
+		if !IsValidFieldName(field) {
+			fmt.Printf("Rejected invalid filter field: %s\n", field)
+			continue
+		}
+		op := resolveOperator(filerQuery[1])
+		if op == "" {
+			continue
+		}
 		filters = append(filters, Filter{
-			Field: filerQuery[0],
-			Op:    resolveOperator(filerQuery[1]),
-			Value: filter[1]})
+			Field: field,
+			Op:    op,
+			Value: filter[1],
+		})
 	}
 	return filters
 }

agent-manager/utils/paginator.go

@@ -28,7 +28,19 @@ func NewPaginator(limit int, page int, sort string) Pagination {
 	if len(sort) > 0 {
 		srt := make([]string, 0)
 		for _, s := range strings.Split(sort, "&") {
-			srt = append(srt, strings.Replace(s, ",", " ", 1))
+			parts := strings.SplitN(s, ",", 2)
+			field := parts[0]
+			if !IsValidFieldName(field) {
+				continue
+			}
+			direction := "asc"
+			if len(parts) == 2 {
+				d := strings.ToLower(strings.TrimSpace(parts[1]))
+				if d == "desc" {
+					direction = "desc"
+				}
+			}
+			srt = append(srt, field+" "+direction)
 		}
 		p.Sort = strings.Join(srt, ",")
 	}

agent/cmd/uninstall.go

@@ -47,6 +47,15 @@ var uninstallCmd = &cobra.Command{
 		if err = pb.DeleteAgent(cnf); err != nil {
 			utils.Logger.ErrorF("error deleting agent: %v", err)
 		}
+
+		// Uninstall dependencies (cleanup auditd rules, etc.)
+		fmt.Print("Cleaning up dependencies... ")
+		if err = dependency.UninstallAll(); err != nil {
+			fmt.Printf("Warning: %v\n", err)
+		} else {
+			fmt.Println("[OK]")
+		}
+
 		if err = collector.UninstallAll(); err != nil {
 			fmt.Printf("error uninstalling collectors: %v\n", err)
 			os.Exit(1)

agent/collector/auditd/auditd.go

@@ -0,0 +1,24 @@
+// Package auditd provides a native collector for Linux Audit Framework events.
+// It uses go-libaudit to receive events via netlink multicast and reassembles
+// them before sending to the log queue.
+package auditd
+
+import "time"
+
+const (
+	// auditdRestartDelay is the initial delay between reconnection attempts
+	auditdRestartDelay = 5 * time.Second
+
+	// auditdMaxRestartDelay is the maximum backoff delay for reconnection
+	auditdMaxRestartDelay = 5 * time.Minute
+
+	// reassemblerMaxInFlight is the maximum number of events held for reassembly
+	// Increased from 50 to 2048 to prevent buffer overflow under high event load
+	reassemblerMaxInFlight = 2048
+
+	// reassemblerTimeout is how long to wait for related messages before flushing
+	reassemblerTimeout = 2 * time.Second
+
+	// maintainInterval is how often to run Reassembler.Maintain() to flush stale events
+	maintainInterval = 500 * time.Millisecond
+)