관리-도구
편집 파일: config.py
""" All the config settings for defence360 in one place """ import functools import logging import os from abc import abstractmethod from bisect import bisect_left, bisect_right from copy import deepcopy from datetime import datetime, timedelta from enum import Enum from pathlib import Path from typing import ( Any, Callable, Dict, List, Mapping, Optional, Protocol, Sequence, Tuple, Union, _ProtocolMeta, ) from cerberus import Validator from defence360agent.api.integration_conf import IntegrationConfig from defence360agent.contracts.config_provider import ( CachedConfigReader, ConfigError, ConfigReader, UserConfigReader, WriteOnlyConfigReader, ) from defence360agent.feature_management.checkers import ( config_cleanup as fm_config_cleanup, ) from defence360agent.utils import Singleton, dict_deep_update, importer av_version = importer.get( module="imav._version", name="__version__", default=None ) logger = logging.getLogger(__name__) ANTIVIRUS_MODE = not importer.exists("im360") # feature flag for those clients who want to test Myimunify FREEMIUM_FEATURE_FLAG = "/var/imunify360/myimunify-freemium.flag" MY_IMUNIFY_KEY = "MY_IMUNIFY" _version = importer.get( module="im360._version", name="__version__", default=av_version ) AGENT_CONF = "../." CONFIG_VALIDATORS_DIR_PATH = Path( os.environ.get( "IM360_CONFIG_SCHEMA_PATH", "/opt/imunify360/venv/share/imunify360/config_schema/", ) ) # TODO: remove after av-7.16.0 release NOTIFY, CLEANUP = "notify", "cleanup" NONE, DAY, WEEK, MONTH = "none", "day", "week", "month" DEFAULT_INTENSITY_CPU = 2 DEFAULT_INTENSITY_IO = 2 DEFAULT_INTENSITY_RAM = 2048 DEFAULT_RESOURCE_MANAGEMENT_CPU_LIMIT = 2 DEFAULT_RESOURCE_MANAGEMENT_IO_LIMIT = 2 DEFAULT_RESOURCE_MANAGEMENT_RAM_LIMIT = 500 MODSEC_RULESET_FULL = "FULL" MODSEC_RULESET_MINIMAL = "MINIMAL" _DOS_DETECTOR_DEFAULT_LIMIT = 250 _DOS_DETECTOR_MIN_LIMIT = 1 _DOS_DETECTOR_MIN_INTERVAL = 1 PORT_BLOCKING_MODE_DENY = "DENY" PORT_BLOCKING_MODE_ALLOW = "ALLOW" DO_NOT_MODIFY_DISCLAMER = """\ ############################################################################ # DO NOT MODIFY THIS FILE!!! # # USE /etc/sysconfig/imunify360/imunify360.config.d/ TO OVERRIDE DEFAULTS # ############################################################################ """ DEFAULT_CONFIG_DISCLAMER = """\ ############################################################################ # DO NOT MODIFY THIS FILE!!! # # USE /etc/sysconfig/imunify360/imunify360.config.d/ TO OVERRIDE DEFAULTS # # This is an example of default values only # # Changing this file will have no effect # ############################################################################ """ CPANEL, PLESK, DIRECTADMIN = "cpanel", "plesk", "directadmin" ACRONIS, R1SOFT, CLUSTERLOGICS = "acronis", "r1soft", "clusterlogics" SAMPLE_BACKEND = "sample" CLOUDLINUX, CLOUDLINUX_ON_PREMISE = "cloudlinux", "cloudlinux_on_premise" GENERIC_SENSOR_SOCKET_PATH = "/var/run/defence360agent/generic_sensor.sock.2" def int_from_envvar(var: str, default: int, env: Mapping = os.environ) -> int: try: return int(env[var]) except KeyError: return default except ValueError as e: raise ValueError("{}: integer required".format(var)) from e def bool_from_envvar( var: str, default: bool, env: Mapping = os.environ ) -> bool: TRUE_VALS = ("true", "t", "yes", "y", "1") FALSE_VALS = ("false", "f", "no", "n", "0") try: val = env[var] except KeyError: return default else: val = val.lower() if val in TRUE_VALS: return True if val in FALSE_VALS: return False raise ValueError( "{}: should be one of {}".format(var, TRUE_VALS + FALSE_VALS) ) def _self_rel2abs(relpath): return os.path.join(os.path.dirname(__file__), relpath) def conf_rel2abs(relpath): return os.path.join(os.path.dirname(_self_rel2abs(AGENT_CONF)), relpath) def _slurp_file(path): """Returns content for existing file, otherwise None""" try: with open(path, "r") as f: return f.read().strip() except OSError: return None def choose_value_from_config(section, option, username=None): """ Choose action for config option by checking EndUser's Imunfiy360 config and Admin config. Admins config applies only if EndUser didn't set the default action """ user_config = ConfigFile(username=username).config_to_dict() user_section = user_config.get(section) if user_section is not None: user_value = user_section.get(option) if user_value is not None: return user_value, username logger.debug("Cannot read %s:%s from user config", section, option) root_config = ConfigFile().config_to_dict() return root_config[section][option], UserType.ROOT def is_mi_freemium_license(): """ Just checks if this is server with MyImunify Freemium license """ return os.path.exists(FREEMIUM_FEATURE_FLAG) class FromConfig: def __init__(self, section, option=None, config_cls=None): self.section = section self.option = option self._config_cls = config_cls self._config_instance = None def __get__(self, instance, owner): if self._config_instance is None: if self._config_cls is None: self._config_instance = ConfigFile() else: self._config_instance = self._config_cls() section_value = self._config_instance.config_to_dict()[self.section] if self.option is not None: return section_value[self.option] return section_value class FromFlagFile: LOCATION = Path("/var/imunify360") def __init__(self, name, *, coerce=bool, default=...): self.name = name self.coerce = coerce self.default = default def __get__(self, instance, owner): path = self.LOCATION / self.name if path.exists(): return self.coerce(path.read_text() or self.default) def _get_combined_validation_schema(*, root=True): func_name = "get_root_config" if root else "get_non_root_config" combined_schema = {} for module in importer.iter_modules([CONFIG_VALIDATORS_DIR_PATH]): get_schema = getattr(module, func_name, lambda: {}) schema = get_schema() dict_deep_update(combined_schema, schema, allow_overwrite=False) return combined_schema @functools.lru_cache(maxsize=1) def config_schema_root(): return _get_combined_validation_schema() @functools.lru_cache(maxsize=1) def config_schema_non_root(): return _get_combined_validation_schema(root=False) CONFIG_SCHEMA_CUSTOM_BILLING = { "CUSTOM_BILLING": { "type": "dict", "schema": { "upgrade_url": { "type": "string", "default": None, "nullable": True, }, "upgrade_url_360": { "type": "string", "default": None, "nullable": True, }, "billing_notifications": {"type": "boolean", "default": True}, "ip_license": {"type": "boolean", "default": True}, }, "default": {}, } } class ConfigValidationError(Exception): pass class Core: PRODUCT = "imunify360" NAME = "%s agent" % PRODUCT if not ANTIVIRUS_MODE else "imunify antivirus" AV_VERSION = av_version VERSION = _version # AV or IM360 API_BASE_URL = os.environ.get( "IMUNIFY360_API_URL", "https://api.imunify360.com" ) DEFAULT_SOCKET_TIMEOUT = 10 DIST = ".el8" FILE_UMASK = 0o007 TMPDIR = "/var/imunify360/tmp" MERGED_CONFIG_FILE_NAME = "imunify360-merged.config" USER_CONFIG_FILE_NAME = "imunify360.config" LOCAL_CONFIG_FILE_NAME = "imunify360.config" CONFIG_DIR = "/etc/imunify360" USER_CONFDIR = os.path.join(CONFIG_DIR, "user_config") GLOBAL_CONFDIR = "/etc/sysconfig/imunify360" MERGED_CONFIG_FILE_PATH = os.path.join( GLOBAL_CONFDIR, MERGED_CONFIG_FILE_NAME ) MERGED_CONFIG_FILE_PERMISSION = 0o644 LOCAL_CONFIG_FILE_PATH = os.path.join(GLOBAL_CONFDIR, "imunify360.config") CONFIG_D_NAME = "imunify360.config.d" BACKUP_CONFIGFILENAME = ".imunify360.backup_config" HOOKS_CONFIGFILENAME = "hooks.yaml" CUSTOM_BILLING_CONFIGFILENAME = "custom_billing.config" INBOX_HOOKS_DIR = "/var/imunify360/hooks" SVC_NAME = "imunify360" if not ANTIVIRUS_MODE else "imunify-antivirus" UNIFIED_ACCESS_LOGGER_CONFIGFILENAME = "unified-access-logger.conf" GO_FLAG_FILE = Path("/etc/sysconfig/imunify360/.go_agent") class IConfig(Protocol): @abstractmethod def config_to_dict( self, normalize: bool = True, force_read: bool = False ) -> dict: raise NotImplementedError @abstractmethod def dict_to_config( self, data: Mapping, validate: bool = True, normalize: bool = True, overwrite: bool = False, without_defaults: bool = False, ) -> None: raise NotImplementedError @abstractmethod def validate(self) -> None: raise NotImplementedError @abstractmethod def normalize( self, config: Mapping, without_defaults: bool = False ) -> dict: raise NotImplementedError @abstractmethod def modified_since(self, timestamp: Optional[float]) -> bool: raise NotImplementedError def get(self, section: str, option: Optional[str]) -> Any: if option: return self.config_to_dict().get(section, {}).get(option) return None def set(self, section: str, option: Optional[str], value: Any) -> None: if option: self.dict_to_config({section: {option: value}}) class IConfigFile(IConfig, Protocol): path: str class ProtocolSingleton(_ProtocolMeta, Singleton): """ Needed to avoid metaclass conflict when implementing protocols that are also Singletons """ class Normalizer: def __init__(self, validation_schema): self._config: Optional[Mapping] = None self._normalized_config: dict = {} self._schema = ConfigsValidator.get_validation_schema( validation_schema ) self._schema_without_defaults = self._get_schema_without_defaults( self._schema ) @classmethod def _get_schema_without_defaults(cls, _dict: Mapping) -> dict: return { key: cls._get_schema_without_defaults(value) if isinstance(value, dict) else value for key, value in _dict.items() if key not in ["default", "default_setter"] } @staticmethod def remove_null(config: Mapping) -> dict: new_config: Dict[str, Union[dict, List[Tuple]]] = {} for section, options in config.items(): # We only support dict for option removal if isinstance(options, dict): for option, value in options.items(): if value is not None: new_config.setdefault(section, {})[option] = value elif options: # Let cerberus coerce this to dict # and leave the None's as is new_config[section] = options return new_config @staticmethod def _normalize_with_schema(config: Mapping, schema) -> dict: validator = ConfigValidator(schema) normalized: Optional[dict] = validator.normalized(config) if validator.errors: raise ConfigValidationError(validator.errors) if normalized is None: raise ConfigValidationError(f"Cerberus returned None for {config}") return normalized def normalize(self, config: Mapping, without_defaults: bool) -> dict: schema = ( self._schema_without_defaults if without_defaults else self._schema ) if without_defaults: config = self.remove_null(config) return self._normalize_with_schema(config, schema) # Utilize cache if config == self._config: return self._normalized_config normalized = self._normalize_with_schema(config, schema) self._config = config self._normalized_config = normalized return self._normalized_config class Config(IConfig, metaclass=ProtocolSingleton): DISCLAIMER = "" def __init__( self, *, # FIXME: allow pathlib.Path path: str = None, config_reader: ConfigReader = None, validation_schema: Union[Mapping, Callable[[], Mapping]] = None, disclaimer: str = None, cached: bool = True, permissions: int = None, ): super().__init__() assert path or config_reader config_reader_cls = CachedConfigReader if cached else ConfigReader self._config_reader = config_reader or config_reader_cls( path, disclaimer=disclaimer or self.DISCLAIMER, permissions=permissions, ) self.path = self._config_reader.path self.validation_schema = validation_schema or config_schema_root self._normalizer = Normalizer(self.validation_schema) def __repr__(self): return ( "<{classname}(config_reader={config_reader!r}," " validation_schema={validation_schema!r})" ">" ).format( classname=self.__class__.__qualname__, config_reader=self._config_reader, validation_schema=self.validation_schema, ) def normalize(self, config: Mapping, without_defaults=False) -> dict: return self._normalizer.normalize(config, without_defaults) def config_to_dict(self, normalize=True, force_read: bool = False) -> dict: """ Converts config file to dict :return dict: dictionary (key (section) / value (options)) """ config = self._config_reader.read_config_file(force_read=force_read) if normalize: config = self.normalize(config) return deepcopy(config) def dict_to_config( self, data: Mapping, validate: bool = True, normalize: bool = True, overwrite: bool = False, without_defaults: bool = False, ) -> None: """ Converts dict to config file New options will be mixed in with old ones unless overwrite is specified :param dict data: dictionary (key (section) / value (options)) :param bool validate: indicates if we need validation :param bool normalize: normalize config :param overwrite: overwrite existing conf :param without_defaults: do not fill defaults :return: None """ if overwrite: self._dict_to_config_overwrite( data=data, validate=validate, normalize=normalize, without_defaults=without_defaults, ) else: self._dict_to_config( data=data, validate=validate, normalize=normalize, without_defaults=without_defaults, ) def _dict_to_config_overwrite( self, data, validate, normalize, without_defaults ): if validate: ConfigsValidator.validate(data, self.validation_schema) if normalize: data = self.normalize(data, without_defaults=without_defaults) self._config_reader.write_config_file(data) def _dict_to_config(self, data, validate, normalize, without_defaults): config = deepcopy(self._config_reader.read_config_file()) if dict_deep_update(config, data): if validate: ConfigsValidator.validate(config, self.validation_schema) if normalize: config = self.normalize( config, without_defaults=without_defaults ) self._config_reader.write_config_file(config) def validate(self): """ :raises ConfigsValidatorError """ try: config_dict = self._config_reader.read_config_file( ignore_errors=False ) except ConfigError as e: message = "Error during config validation" logger.error("%s: %s", message, e) raise ConfigsValidatorError({self: message}) from e try: ConfigsValidator.validate(config_dict, self.validation_schema) except ConfigValidationError as e: message = "Imunify360 config does not match the scheme" logger.error("%s: %s", message, e) raise ConfigsValidatorError({self: message}) from e def modified_since(self, timestamp: Optional[float]) -> bool: return self._config_reader.modified_since(timestamp) class UserConfig(Config): def __init__(self, *, username): self.username = username path = os.path.join( Core.USER_CONFDIR, username, Core.USER_CONFIG_FILE_NAME ) super().__init__( path=path, config_reader=UserConfigReader(path, username), validation_schema=config_schema_non_root, ) class SystemConfig(IConfig, metaclass=ProtocolSingleton): def __init__( self, *, local_config: Config = None, merged_config: Config = None ): super().__init__() self._local_config = local_config or LocalConfig() self._merged_config = merged_config or MergedConfig() def config_to_dict( self, normalize: bool = True, force_read: bool = False ) -> dict: return self._merged_config.config_to_dict( normalize=normalize, force_read=force_read ) def dict_to_config( self, data: Mapping, validate: bool = True, normalize: bool = True, overwrite: bool = False, without_defaults: bool = True, ) -> None: self._local_config.dict_to_config( data, validate=validate, normalize=normalize, overwrite=overwrite, without_defaults=without_defaults, ) def validate(self) -> None: self._merged_config.validate() def normalize( self, config: Mapping, without_defaults: bool = False ) -> dict: return self._merged_config.normalize( config=config, without_defaults=without_defaults ) def modified_since(self, timestamp: Optional[float]) -> bool: return self._merged_config.modified_since(timestamp) def config_file_factory( username: Optional[Union[str, int]] = None, path: Optional[str] = None ) -> IConfig: if username and not isinstance(username, int): return UserConfig(username=username) elif path: return Config(path=path) else: return SystemConfig() # TODO: move all layer related functions to another module def any_layer_modified_since(timestamp) -> bool: merger = Merger(Merger.get_layer_names()) for layer in merger.layers: if layer.modified_since(timestamp): return True return False MergedConfig = functools.partial( Config, config_reader=WriteOnlyConfigReader( path=Core.MERGED_CONFIG_FILE_PATH, disclaimer=DO_NOT_MODIFY_DISCLAMER, permissions=Core.MERGED_CONFIG_FILE_PERMISSION, ), ) class LocalConfig(Config): """ Config (/etc/sysconfig/imunify360/imunify360.config) should contain options changed by a customer only """ def __init__( self, *, path=Core.LOCAL_CONFIG_FILE_PATH, # overrides the parent default value config_reader: ConfigReader = None, validation_schema: Union[Mapping, Callable[[], Mapping]] = None, disclaimer: str = None, cached=False, # overrides the parent default value ): super().__init__( path=path, config_reader=config_reader, validation_schema=validation_schema, disclaimer=disclaimer, cached=cached, ) def dict_to_config( self, data: Mapping, validate: bool = True, normalize: bool = True, overwrite: bool = False, without_defaults: bool = True, # overrides the parent default value ) -> None: return super().dict_to_config( data, validate=validate, normalize=normalize, overwrite=overwrite, without_defaults=without_defaults, ) class BaseMerger: DIR = os.path.join(Core.GLOBAL_CONFDIR, Core.CONFIG_D_NAME) LOCAL_CONFIG_NAME = "90-local.config" def __init__(self, names, include_defaults=False): self._include_defaults = include_defaults self.layers = [ Config(path=os.path.join(self.DIR, name)) for name in names ] @classmethod def get_layer_names(cls): return sorted(os.listdir(cls.DIR)) if os.path.isdir(cls.DIR) else [] def configs_to_dict(self, force_read=False): layer_dict_list = [] if self._include_defaults: defaults = Normalizer(config_schema_root).normalize( {}, without_defaults=False ) layer_dict_list.append(defaults) layer_dict_list += [ layer.config_to_dict(normalize=False, force_read=force_read) for layer in self.layers ] return self._build_effective_config(layer_dict_list) @classmethod def _build_effective_config(cls, layer_dict_list: list): effective: Dict[str, dict] = {} for layer_dict in layer_dict_list: for section, options in layer_dict.items(): if options is None: continue if section not in effective: effective[section] = {} for option, value in options.items(): if value is not None: effective[section][option] = value return effective class MutableMerger(BaseMerger): def __init__(self, names: Sequence): idx = bisect_left(names, self.LOCAL_CONFIG_NAME) names = names[:idx] super().__init__(names, include_defaults=True) class ImmutableMerger(BaseMerger): def __init__(self, names: Sequence): idx = bisect_right(names, self.LOCAL_CONFIG_NAME) names = names[idx:] super().__init__(names, include_defaults=False) class NonBaseMerger(BaseMerger): def __init__(self, names: Sequence): super().__init__(names, include_defaults=False) class Merger(BaseMerger): def __init__(self, names): super().__init__(names, include_defaults=True) @classmethod def update_merged_config(cls): merged_config = MergedConfig() merger = cls(cls.get_layer_names()) config_dict = merger.configs_to_dict() try: ConfigsValidator.validate(config_dict) except ConfigsValidatorError: logger.warning("Config file is invalid!") else: merged_config.dict_to_config(config_dict, validate=False) class ConfigValidator(Validator): def __init__( self, *args, allow_unknown=ANTIVIRUS_MODE, purge_readonly=True, **kwargs, ): """ Initialises ConfigValidator(Validator) for more details on Validator params please check https://docs.python-cerberus.org/en/stable/validation-rules.html """ super().__init__( *args, allow_unknown=allow_unknown, purge_readonly=purge_readonly, **kwargs, ) def _normalize_coerce_user_override_pd_rules(self, value): if self.root_document.get("MY_IMUNIFY", {}).get("enable", False): return True return value class Packaging: DATADIR = "/opt/imunify360/venv/share/%s" % Core.PRODUCT class SimpleRpc: # how long to wait for the response from RPC server in seconds CLIENT_TIMEOUT = 3600 SOCKET_PATH = "/var/run/defence360agent/simple_rpc.sock" # end-user stuff NON_ROOT_SOCKET_PATH = "/var/run/defence360agent/non_root_simple_rpc.sock" TOKEN_FILE_TMPL = ".imunify360_token_{suffix}" # -r-------- TOKEN_MASK = 0o400 SOCKET_ACTIVATION = bool_from_envvar( "I360_SOCKET_ACTIVATION", ANTIVIRUS_MODE, ) INACTIVITY_TIMEOUT = int_from_envvar( "IMUNIFY360_INACTIVITY_TIMEOUT", int(timedelta(minutes=5).total_seconds()), ) class Model: # type sqlite3 - sqlite only supported PATH = "/var/%s/%s.db" % (Core.PRODUCT, Core.PRODUCT) PROACTIVE_PATH = "/var/%s/proactive.db" % (Core.PRODUCT,) RESIDENT_PATH = "/var/%s/%s-resident.db" % (Core.PRODUCT, Core.PRODUCT) class FilesUpdate: # Check files update periodically PERIOD = timedelta(minutes=30).total_seconds() # Timeout for single Index update (group of files) DEF-11501 # It has to be less than watchdog timeout (60 min) TIMEOUT = timedelta(minutes=15).total_seconds() # Timeout for individual socket operations (connect, recv/read, etc.) # For instance ssl-handshake timeout == SOCKET_TIMEOUT # Than less the value than better, to do not wait to long SOCKET_TIMEOUT = 3 # seconds class CountryInfo: DB = "/var/imunify360/files/geo/v1/GeoLite2-Country.mmdb" LOCATIONS_DB = ( "/var/imunify360/files/geo/v1/GeoLite2-Country-Locations-en.csv" ) @staticmethod def country_subnets_file(country_code): return "/var/imunify360/files/geo/v1/CountrySubnets-{}.txt".format( country_code ) class Sentry: DSN = os.getenv( "IMUNITY360_SENTRY_DSN", _slurp_file("%s/sentry" % Packaging.DATADIR) ) ENABLE = FromConfig("ERROR_REPORTING", "enable") class Malware: SCAN_CHECK_PERIOD = 300 CONSECUTIVE_ERROR_LIMIT = 10 INOTIFY_SCAN_PERIOD = 60 CONFIG_CHECK_PERIOD = 30 CONFLICTS_CHECK_PERIOD = 300 INOTIFY_ENABLED = FromConfig("MALWARE_SCANNING", "enable_scan_inotify") PURE_SCAN = FromConfig("MALWARE_SCANNING", "enable_scan_pure_ftpd") SEND_FILES = FromConfig("MALWARE_SCANNING", "sends_file_for_analysis") CLOUD_ASSISTED_SCAN = FromConfig("MALWARE_SCANNING", "cloud_assisted_scan") RAPID_SCAN = FromConfig("MALWARE_SCANNING", "rapid_scan") CRONTABS_SCAN_ENABLED = FromConfig("MALWARE_SCANNING", "crontabs") SCANS_PATH = "/var/imunify360/aibolit/scans.pickle" FILE_PREVIEW_BYTES_NUM = 1024 * 100 # 100 KB CLEANUP_STORAGE = "/var/imunify360/cleanup_storage" CLEANUP_TRIM = FromConfig( section="MALWARE_CLEANUP", option="trim_file_instead_of_removal", ) CLEANUP_KEEP = FromConfig( section="MALWARE_CLEANUP", option="keep_original_files_days", ) SCAN_MODIFIED_FILES = FromConfig( section="MALWARE_SCANNING", option="scan_modified_files", ) MAX_SIGNATURE_SIZE_TO_SCAN = FromConfig( "MALWARE_SCANNING", "max_signature_size_to_scan" ) MAX_CLOUDSCAN_SIZE_TO_SCAN = FromConfig( "MALWARE_SCANNING", "max_cloudscan_size_to_scan" ) MAX_MRS_UPLOAD_FILE = FromConfig("MALWARE_SCANNING", "max_mrs_upload_file") RAPID_SCAN_RESCAN_UNCHANGING_FILES_FREQUENCY = FromConfig( "MALWARE_SCANNING", "rapid_scan_rescan_unchanging_files_frequency" ) HYPERSCAN = FromConfig("MALWARE_SCANNING", "hyperscan") DATABASE_SCAN_ENABLED = FromConfig("MALWARE_DATABASE_SCAN", "enable") CPANEL_SCAN_ENABLED = FromConfig("MALWARE_SCANNING", "enable_scan_cpanel") CLEANUP_DISABLE_CLOUDAV = FromFlagFile("disable_cloudav") MDS_DB_TIMEOUT = FromConfig("MALWARE_DATABASE_SCAN", "db_timeout") class MalwareGeneric: BASEDIR = None PATTERN_TO_WATCH = "" # static initializer for MalwareGeneric class integration_conf = IntegrationConfig() if integration_conf.exists(): try: malware_section = integration_conf.to_dict()["malware"] except KeyError: pass # inotify settings are not necessary # it even may be not supported by system else: MalwareGeneric.BASEDIR = malware_section["basedir"] MalwareGeneric.PATTERN_TO_WATCH = malware_section["pattern_to_watch"] class MalwareScanScheduleInterval: NONE = NONE DAY = DAY WEEK = WEEK MONTH = MONTH class MalwareScanSchedule: CMD = "/usr/bin/imunify360-agent malware user scan --background" CRON_PATH = "/etc/cron.d/imunify_scan_schedule" CRON_STRING = """\ # DO NOT EDIT. AUTOMATICALLY GENERATED. 0 {0} {1} * {2} root {cmd} >/dev/null 2>&1 """ INTERVAL = FromConfig( section="MALWARE_SCAN_SCHEDULE", option="interval", ) HOUR = FromConfig( section="MALWARE_SCAN_SCHEDULE", option="hour", ) DAY_OF_WEEK = FromConfig( section="MALWARE_SCAN_SCHEDULE", option="day_of_week", ) DAY_OF_MONTH = FromConfig( section="MALWARE_SCAN_SCHEDULE", option="day_of_month", ) class MalwareScanIntensity: CPU = FromConfig( section="MALWARE_SCAN_INTENSITY", option="cpu", ) IO = FromConfig( section="MALWARE_SCAN_INTENSITY", option="io", ) RAM = FromConfig( section="MALWARE_SCAN_INTENSITY", option="ram", ) USER_CPU = FromConfig( section="MALWARE_SCAN_INTENSITY", option="user_scan_cpu", ) USER_IO = FromConfig( section="MALWARE_SCAN_INTENSITY", option="user_scan_io", ) USER_RAM = FromConfig( section="MALWARE_SCAN_INTENSITY", option="user_scan_ram", ) class FileBasedResourceLimits: CPU = FromConfig( section="RESOURCE_MANAGEMENT", option="cpu_limit", ) IO = FromConfig( section="RESOURCE_MANAGEMENT", option="io_limit", ) RAM = FromConfig( section="RESOURCE_MANAGEMENT", option="ram_limit", ) class KernelCare: EDF = FromConfig( section="KERNELCARE", option="edf", ) def get_rapid_rescan_frequency(): value = Malware.RAPID_SCAN_RESCAN_UNCHANGING_FILES_FREQUENCY if value is None: freq = { MalwareScanScheduleInterval.NONE: 1, MalwareScanScheduleInterval.MONTH: 2, MalwareScanScheduleInterval.WEEK: 5, MalwareScanScheduleInterval.DAY: 10, } return freq.get(MalwareScanSchedule.INTERVAL, 1) return value class MalwareSignatures: _dir = "/var/imunify360/files/sigs/v1/" RFXN = os.path.join(_dir, "rfxn") i360 = os.path.join(_dir, "i360") AI_BOLIT_HOSTER = os.path.join(_dir, "aibolit", "ai-bolit-hoster-full.db") AI_BOLIT_HYPERSCAN = os.path.join(_dir, "aibolit", "hyperscan") MDS_AI_BOLIT_HOSTER = os.path.join( _dir, "aibolit", "mds-ai-bolit-hoster.db" ) PROCU_DB = os.path.join(_dir, "aibolit", "procu2.db") MDS_PROCU_DB = os.path.join(_dir, "aibolit", "mds-procu2.db") class Logger: MAX_LOG_FILE_SIZE = FromConfig( section="LOGGER", option="max_log_file_size", ) BACKUP_COUNT = FromConfig( section="LOGGER", option="backup_count", ) # directory mode for main log directory and all inner LOG_DIR_PERM = 0o700 # file mode for main log directory and all inner LOG_FILE_PERM = 0o660 class UserType: ROOT = "root" NON_ROOT = "non_root" class UIRole: CLIENT = "client" ADMIN = "admin" class NoCP: # path to script implementing No CP API CLIENT_SCRIPT = "/etc/imunify360/scripts/domains" # latest version of the API supported by agent LATEST_VERSION = 1 class CustomBillingConfig(Config): def __init__(self): path = os.path.join( "/etc/sysconfig/imunify360", Core.CUSTOM_BILLING_CONFIGFILENAME ) super().__init__( path=path, validation_schema=CONFIG_SCHEMA_CUSTOM_BILLING ) class CustomBilling: UPGRADE_URL = FromConfig( section="CUSTOM_BILLING", option="upgrade_url", config_cls=CustomBillingConfig, ) UPGRADE_URL_360 = FromConfig( section="CUSTOM_BILLING", option="upgrade_url_360", config_cls=CustomBillingConfig, ) NOTIFICATIONS = FromConfig( section="CUSTOM_BILLING", option="billing_notifications", config_cls=CustomBillingConfig, ) IP_LICENSE = FromConfig( section="CUSTOM_BILLING", option="ip_license", config_cls=CustomBillingConfig, ) class PermissionsConfig: USER_IGNORE_LIST = FromConfig( section="PERMISSIONS", option="user_ignore_list", ) ALLOW_MALWARE_SCAN = FromConfig( section="PERMISSIONS", option="allow_malware_scan", ) USER_OVERRIDE_MALWARE_ACTIONS = FromConfig( section="PERMISSIONS", option="user_override_malware_actions" ) USER_OVERRIDE_PROACTIVE_DEFENSE = FromConfig( section="PERMISSIONS", option="user_override_proactive_defense", ) ALLOW_LOCAL_MALWARE_IGNORE_LIST_MANAGEMENT = FromConfig( section="PERMISSIONS", option="allow_local_malware_ignore_list_management", ) class MyImunifyConfig: ENABLED = FromConfig( section="MY_IMUNIFY", option="enable", ) PURCHASE_PAGE_URL = FromConfig( section="MY_IMUNIFY", option="purchase_page_url", ) class ControlPanelConfig: SMART_ADVICE_ALLOWED = FromConfig( section="CONTROL_PANEL", option="smart_advice_allowed", ) ADVICE_EMAIL_NOTIFICATION = FromConfig( section="CONTROL_PANEL", option="advice_email_notification", ) def effective_user_config(admin_config, user_config): allowed_sections = [ "BACKUP_RESTORE", "MALWARE_CLEANUP", "MALWARE_SCANNING", "ERROR_REPORTING", "PROACTIVE_DEFENCE", "PERMISSIONS", "MY_IMUNIFY", "CONTROL_PANEL", ] overridable = { ( "MALWARE_SCANNING", "default_action", ): PermissionsConfig.USER_OVERRIDE_MALWARE_ACTIONS, ( "PROACTIVE_DEFENCE", "mode", ): PermissionsConfig.USER_OVERRIDE_PROACTIVE_DEFENSE, } admin_dict = admin_config.config_to_dict() user_dict = user_config.config_to_dict() def normalize_section(section): admin_options = deepcopy(admin_dict.get(section)) user_options = deepcopy(user_dict.get(section, {})) resulting_dict = {} for option, admin_value in admin_options.items(): user_value = user_options.get(option) if ( user_value is not None # All options available to user are overridable by default and overridable.get((section, option), True) ): resulting_dict[option] = user_value else: resulting_dict[option] = admin_value return resulting_dict effective_config = { section: normalize_section(section) for section in allowed_sections } return fm_config_cleanup(effective_config, user_config.username) class HookEvents: IM360_EVENTS = ( AGENT, LICENSE, MALWARE_SCANNING, MALWARE_CLEANUP, MALWARE_DETECTED, ) = ( "agent", "license", "malware-scanning", "malware-cleanup", "malware-detected", ) IMAV_EVENTS = ( LICENSE, MALWARE_SCANNING, MALWARE_CLEANUP, MALWARE_DETECTED, ) EVENTS = IMAV_EVENTS if ANTIVIRUS_MODE else IM360_EVENTS class ConfigsValidatorError(Exception): def __init__(self, configs_to_errors: Dict[Config, str]): self.configs_to_errors = configs_to_errors def __repr__(self): errors = [] for config, error in self.configs_to_errors.items(): errors.append(f"{config!r}: {error}") return "\n".join(errors) class ConfigsValidator: """A class that has methods to validate configs bypassing the cache""" @classmethod def validate_system_config(cls): """ Validate merged config :raises ConfigsValidatorError """ SystemConfig().validate() @classmethod def validate_config_layers(cls): """ Validate all config layers, collect all errors :raises ConfigsValidatorError """ configs_to_errors = {} for layer in Merger(Merger.get_layer_names()).layers: try: layer.validate() except ConfigsValidatorError as e: configs_to_errors.update(e.configs_to_errors) if configs_to_errors: raise ConfigsValidatorError(configs_to_errors) @classmethod def validate( cls, config_dict: dict, validation_schema: Union[dict, Callable] = config_schema_root, ) -> None: """ Validate config represented by a dict :param config_dict: config to validate :param validation_schema: schema to validate config against :raises ConfigValidationError """ schema = cls.get_validation_schema(validation_schema) v = ConfigValidator(schema) if not v.validate(config_dict): raise ConfigValidationError(v.errors) @staticmethod def get_validation_schema( validation_schema: Union[Mapping, Callable] ) -> Mapping: if callable(validation_schema): return validation_schema() return validation_schema ConfigFile = config_file_factory class AdminContacts: ENABLE_ICONTACT_NOTIFICATIONS = FromConfig( section="ADMIN_CONTACTS", option="enable_icontact_notifications", ) class IContactMessageType(str, Enum): MALWARE_FOUND = "MalwareFound" SCAN_NOT_SCHEDULED = "ScanNotScheduled" GENERIC = "Generic" def __str__(self): return self.value CONFIG_SCHEMA_BACKUP_SYSTEM = { "BACKUP_SYSTEM": { "type": "dict", "schema": { "enabled": { "type": "boolean", "default": False, }, "backup_system": { "type": "string", "default": None, "nullable": True, "allowed": [ CPANEL, PLESK, R1SOFT, ACRONIS, CLOUDLINUX, DIRECTADMIN, CLOUDLINUX_ON_PREMISE, CLUSTERLOGICS, SAMPLE_BACKEND, ], }, }, "default": {}, } } class BackupConfig(Config): DISCLAIMER = """\ # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # DO NOT EDIT. AUTOMATICALLY GENERATED. # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # # Direct modifications to this file WILL be lost upon subsequent # regeneration of this configuration file. # # To have your modifications retained, you should use CLI command # imunify360-agent backup-systems <init|disable> <backup-system> # or activate/deactivate appropriate feature in UI. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # """ def __init__( self, *, path=os.path.join( "/etc/sysconfig/imunify360", Core.BACKUP_CONFIGFILENAME ), validation_schema=CONFIG_SCHEMA_BACKUP_SYSTEM, ): super().__init__(path=path, validation_schema=validation_schema) class BackupRestore: ENABLED = FromConfig( section="BACKUP_SYSTEM", option="enabled", config_cls=BackupConfig ) _BACKUP_SYSTEM = FromConfig( section="BACKUP_SYSTEM", option="backup_system", config_cls=BackupConfig, ) CL_BACKUP_ALLOWED = FromConfig( section="BACKUP_RESTORE", option="cl_backup_allowed", ) CL_ON_PREMISE_BACKUP_ALLOWED = FromConfig( section="BACKUP_RESTORE", option="cl_on_premise_backup_allowed", ) @classmethod def backup_system(cls): return _get_backend_system(cls._BACKUP_SYSTEM) def _get_backend_system(name): """ Get backup module from its name :param name: backup system name :return: backup system module """ from restore_infected import backup_backends if name in (CLOUDLINUX, CLOUDLINUX_ON_PREMISE): # cloudlinux backup is actually acronis one name = ACRONIS elif name is None: return None return backup_backends.backend(name, async_=True) class AcronisBackup: # https://kb.acronis.com/content/1711 # https://kb.acronis.com/content/47189 LOG_NAME = "acronis-installer.log" PORTS = (8443, 44445, 55556) RANGE = {(7770, 7800)} def should_try_autorestore_malicious(username: str) -> bool: """ Checks is Agent should try restore malware file firts and returns user that set this action in config """ try_restore, _ = choose_value_from_config( "MALWARE_SCANNING", "try_restore_from_backup_first", username ) return BackupRestore.ENABLED and try_restore def choose_use_backups_start_from_date(username: str) -> datetime: max_days, _ = choose_value_from_config( "BACKUP_RESTORE", "max_days_in_backup", username ) until = datetime.now() - timedelta(days=max_days) return until def should_send_user_notifications(username: str) -> bool: should_send, _ = choose_value_from_config( "CONTROL_PANEL", "generic_user_notifications", username=username, ) return should_send class HackerTrap: DIR = "/var/imunify360" NAME = "malware_found_b64.list" SA_NAME = "malware_standalone_b64.list" DIR_PD = "/opt/imunify360/proactive/dangerlist/"