Current File : //opt/imunify360/venv/lib64/python3.11/site-packages/defence360agent/contracts/config.py |
"""
All the config settings for defence360 in one place
"""
import functools
import logging
import os
from abc import abstractmethod
from bisect import bisect_left, bisect_right
from copy import deepcopy
from datetime import datetime, timedelta
from enum import Enum
from pathlib import Path
from typing import (
Any,
Callable,
Dict,
List,
Mapping,
Optional,
Protocol,
Sequence,
Tuple,
Union,
_ProtocolMeta,
)
from cerberus import Validator
from defence360agent.api.integration_conf import IntegrationConfig
from defence360agent.contracts.config_provider import (
CachedConfigReader,
ConfigError,
ConfigReader,
UserConfigReader,
WriteOnlyConfigReader,
)
from defence360agent.feature_management.checkers import (
config_cleanup as fm_config_cleanup,
)
from defence360agent.utils import Singleton, dict_deep_update, importer
av_version = importer.get(
module="imav._version", name="__version__", default=None
)
logger = logging.getLogger(__name__)
ANTIVIRUS_MODE = not importer.exists("im360")
# feature flag for those clients who want to test Myimunify
FREEMIUM_FEATURE_FLAG = "/var/imunify360/myimunify-freemium.flag"
MY_IMUNIFY_KEY = "MY_IMUNIFY"
_version = importer.get(
module="im360._version", name="__version__", default=av_version
)
AGENT_CONF = "../."
CONFIG_VALIDATORS_DIR_PATH = Path(
os.environ.get(
"IM360_CONFIG_SCHEMA_PATH",
"/opt/imunify360/venv/share/imunify360/config_schema/",
)
)
# TODO: remove after av-7.16.0 release
NOTIFY, CLEANUP = "notify", "cleanup"
NONE, DAY, WEEK, MONTH = "none", "day", "week", "month"
DEFAULT_INTENSITY_CPU = 2
DEFAULT_INTENSITY_IO = 2
DEFAULT_INTENSITY_RAM = 2048
DEFAULT_RESOURCE_MANAGEMENT_CPU_LIMIT = 2
DEFAULT_RESOURCE_MANAGEMENT_IO_LIMIT = 2
DEFAULT_RESOURCE_MANAGEMENT_RAM_LIMIT = 500
MODSEC_RULESET_FULL = "FULL"
MODSEC_RULESET_MINIMAL = "MINIMAL"
_DOS_DETECTOR_DEFAULT_LIMIT = 250
_DOS_DETECTOR_MIN_LIMIT = 1
_DOS_DETECTOR_MIN_INTERVAL = 1
PORT_BLOCKING_MODE_DENY = "DENY"
PORT_BLOCKING_MODE_ALLOW = "ALLOW"
DO_NOT_MODIFY_DISCLAMER = """\
############################################################################
# DO NOT MODIFY THIS FILE!!! #
# USE /etc/sysconfig/imunify360/imunify360.config.d/ TO OVERRIDE DEFAULTS #
############################################################################
"""
DEFAULT_CONFIG_DISCLAMER = """\
############################################################################
# DO NOT MODIFY THIS FILE!!! #
# USE /etc/sysconfig/imunify360/imunify360.config.d/ TO OVERRIDE DEFAULTS #
# This is an example of default values only #
# Changing this file will have no effect #
############################################################################
"""
CPANEL, PLESK, DIRECTADMIN = "cpanel", "plesk", "directadmin"
ACRONIS, R1SOFT, CLUSTERLOGICS = "acronis", "r1soft", "clusterlogics"
SAMPLE_BACKEND = "sample"
CLOUDLINUX, CLOUDLINUX_ON_PREMISE = "cloudlinux", "cloudlinux_on_premise"
GENERIC_SENSOR_SOCKET_PATH = "/var/run/defence360agent/generic_sensor.sock.2"
def int_from_envvar(var: str, default: int, env: Mapping = os.environ) -> int:
try:
return int(env[var])
except KeyError:
return default
except ValueError as e:
raise ValueError("{}: integer required".format(var)) from e
def bool_from_envvar(
var: str, default: bool, env: Mapping = os.environ
) -> bool:
TRUE_VALS = ("true", "t", "yes", "y", "1")
FALSE_VALS = ("false", "f", "no", "n", "0")
try:
val = env[var]
except KeyError:
return default
else:
val = val.lower()
if val in TRUE_VALS:
return True
if val in FALSE_VALS:
return False
raise ValueError(
"{}: should be one of {}".format(var, TRUE_VALS + FALSE_VALS)
)
def _self_rel2abs(relpath):
return os.path.join(os.path.dirname(__file__), relpath)
def conf_rel2abs(relpath):
return os.path.join(os.path.dirname(_self_rel2abs(AGENT_CONF)), relpath)
def _slurp_file(path):
"""Returns content for existing file, otherwise None"""
try:
with open(path, "r") as f:
return f.read().strip()
except OSError:
return None
def choose_value_from_config(section, option, username=None):
"""
Choose action for config option by checking EndUser's Imunfiy360
config and Admin config. Admins config applies only if EndUser
didn't set the default action
"""
user_config = ConfigFile(username=username).config_to_dict()
user_section = user_config.get(section)
if user_section is not None:
user_value = user_section.get(option)
if user_value is not None:
return user_value, username
logger.debug("Cannot read %s:%s from user config", section, option)
root_config = ConfigFile().config_to_dict()
return root_config[section][option], UserType.ROOT
def is_mi_freemium_license():
"""
Just checks if this is server with MyImunify Freemium license
"""
return os.path.exists(FREEMIUM_FEATURE_FLAG)
class FromConfig:
def __init__(self, section, option=None, config_cls=None):
self.section = section
self.option = option
self._config_cls = config_cls
self._config_instance = None
def __get__(self, instance, owner):
if self._config_instance is None:
if self._config_cls is None:
self._config_instance = ConfigFile()
else:
self._config_instance = self._config_cls()
section_value = self._config_instance.config_to_dict()[self.section]
if self.option is not None:
return section_value[self.option]
return section_value
class FromFlagFile:
LOCATION = Path("/var/imunify360")
def __init__(self, name, *, coerce=bool, default=...):
self.name = name
self.coerce = coerce
self.default = default
def __get__(self, instance, owner):
path = self.LOCATION / self.name
if path.exists():
return self.coerce(path.read_text() or self.default)
def _get_combined_validation_schema(*, root=True):
func_name = "get_root_config" if root else "get_non_root_config"
combined_schema = {}
for module in importer.iter_modules([CONFIG_VALIDATORS_DIR_PATH]):
get_schema = getattr(module, func_name, lambda: {})
schema = get_schema()
dict_deep_update(combined_schema, schema, allow_overwrite=False)
return combined_schema
@functools.lru_cache(maxsize=1)
def config_schema_root():
return _get_combined_validation_schema()
@functools.lru_cache(maxsize=1)
def config_schema_non_root():
return _get_combined_validation_schema(root=False)
CONFIG_SCHEMA_CUSTOM_BILLING = {
"CUSTOM_BILLING": {
"type": "dict",
"schema": {
"upgrade_url": {
"type": "string",
"default": None,
"nullable": True,
},
"upgrade_url_360": {
"type": "string",
"default": None,
"nullable": True,
},
"billing_notifications": {"type": "boolean", "default": True},
"ip_license": {"type": "boolean", "default": True},
},
"default": {},
}
}
class ConfigValidationError(Exception):
pass
class Core:
PRODUCT = "imunify360"
NAME = "%s agent" % PRODUCT if not ANTIVIRUS_MODE else "imunify antivirus"
AV_VERSION = av_version
VERSION = _version # AV or IM360
API_BASE_URL = os.environ.get(
"IMUNIFY360_API_URL", "https://api.imunify360.com"
)
DEFAULT_SOCKET_TIMEOUT = 10
DIST = ".el8"
FILE_UMASK = 0o007
TMPDIR = "/var/imunify360/tmp"
MERGED_CONFIG_FILE_NAME = "imunify360-merged.config"
USER_CONFIG_FILE_NAME = "imunify360.config"
LOCAL_CONFIG_FILE_NAME = "imunify360.config"
CONFIG_DIR = "/etc/imunify360"
USER_CONFDIR = os.path.join(CONFIG_DIR, "user_config")
GLOBAL_CONFDIR = "/etc/sysconfig/imunify360"
MERGED_CONFIG_FILE_PATH = os.path.join(
GLOBAL_CONFDIR, MERGED_CONFIG_FILE_NAME
)
MERGED_CONFIG_FILE_PERMISSION = 0o644
LOCAL_CONFIG_FILE_PATH = os.path.join(GLOBAL_CONFDIR, "imunify360.config")
CONFIG_D_NAME = "imunify360.config.d"
BACKUP_CONFIGFILENAME = ".imunify360.backup_config"
HOOKS_CONFIGFILENAME = "hooks.yaml"
CUSTOM_BILLING_CONFIGFILENAME = "custom_billing.config"
INBOX_HOOKS_DIR = "/var/imunify360/hooks"
SVC_NAME = "imunify360" if not ANTIVIRUS_MODE else "imunify-antivirus"
UNIFIED_ACCESS_LOGGER_CONFIGFILENAME = "unified-access-logger.conf"
GO_FLAG_FILE = Path("/etc/sysconfig/imunify360/.go_agent")
class IConfig(Protocol):
@abstractmethod
def config_to_dict(
self, normalize: bool = True, force_read: bool = False
) -> dict:
raise NotImplementedError
@abstractmethod
def dict_to_config(
self,
data: Mapping,
validate: bool = True,
normalize: bool = True,
overwrite: bool = False,
without_defaults: bool = False,
) -> None:
raise NotImplementedError
@abstractmethod
def validate(self) -> None:
raise NotImplementedError
@abstractmethod
def normalize(
self, config: Mapping, without_defaults: bool = False
) -> dict:
raise NotImplementedError
@abstractmethod
def modified_since(self, timestamp: Optional[float]) -> bool:
raise NotImplementedError
def get(self, section: str, option: Optional[str]) -> Any:
if option:
return self.config_to_dict().get(section, {}).get(option)
return None
def set(self, section: str, option: Optional[str], value: Any) -> None:
if option:
self.dict_to_config({section: {option: value}})
class IConfigFile(IConfig, Protocol):
path: str
class ProtocolSingleton(_ProtocolMeta, Singleton):
"""
Needed to avoid metaclass conflict when implementing protocols that are
also Singletons
"""
class Normalizer:
def __init__(self, validation_schema):
self._config: Optional[Mapping] = None
self._normalized_config: dict = {}
self._schema = ConfigsValidator.get_validation_schema(
validation_schema
)
self._schema_without_defaults = self._get_schema_without_defaults(
self._schema
)
@classmethod
def _get_schema_without_defaults(cls, _dict: Mapping) -> dict:
return {
key: cls._get_schema_without_defaults(value)
if isinstance(value, dict)
else value
for key, value in _dict.items()
if key not in ["default", "default_setter"]
}
@staticmethod
def remove_null(config: Mapping) -> dict:
new_config: Dict[str, Union[dict, List[Tuple]]] = {}
for section, options in config.items():
# We only support dict for option removal
if isinstance(options, dict):
for option, value in options.items():
if value is not None:
new_config.setdefault(section, {})[option] = value
elif options:
# Let cerberus coerce this to dict
# and leave the None's as is
new_config[section] = options
return new_config
@staticmethod
def _normalize_with_schema(config: Mapping, schema) -> dict:
validator = ConfigValidator(schema)
normalized: Optional[dict] = validator.normalized(config)
if validator.errors:
raise ConfigValidationError(validator.errors)
if normalized is None:
raise ConfigValidationError(f"Cerberus returned None for {config}")
return normalized
def normalize(self, config: Mapping, without_defaults: bool) -> dict:
schema = (
self._schema_without_defaults if without_defaults else self._schema
)
if without_defaults:
config = self.remove_null(config)
return self._normalize_with_schema(config, schema)
# Utilize cache
if config == self._config:
return self._normalized_config
normalized = self._normalize_with_schema(config, schema)
self._config = config
self._normalized_config = normalized
return self._normalized_config
class Config(IConfig, metaclass=ProtocolSingleton):
DISCLAIMER = ""
def __init__(
self,
*,
# FIXME: allow pathlib.Path
path: str = None,
config_reader: ConfigReader = None,
validation_schema: Union[Mapping, Callable[[], Mapping]] = None,
disclaimer: str = None,
cached: bool = True,
permissions: int = None,
):
super().__init__()
assert path or config_reader
config_reader_cls = CachedConfigReader if cached else ConfigReader
self._config_reader = config_reader or config_reader_cls(
path,
disclaimer=disclaimer or self.DISCLAIMER,
permissions=permissions,
)
self.path = self._config_reader.path
self.validation_schema = validation_schema or config_schema_root
self._normalizer = Normalizer(self.validation_schema)
def __repr__(self):
return (
"<{classname}(config_reader={config_reader!r},"
" validation_schema={validation_schema!r})"
">"
).format(
classname=self.__class__.__qualname__,
config_reader=self._config_reader,
validation_schema=self.validation_schema,
)
def normalize(self, config: Mapping, without_defaults=False) -> dict:
return self._normalizer.normalize(config, without_defaults)
def config_to_dict(self, normalize=True, force_read: bool = False) -> dict:
"""
Converts config file to dict
:return dict: dictionary (key (section) / value (options))
"""
config = self._config_reader.read_config_file(force_read=force_read)
if normalize:
config = self.normalize(config)
return deepcopy(config)
def dict_to_config(
self,
data: Mapping,
validate: bool = True,
normalize: bool = True,
overwrite: bool = False,
without_defaults: bool = False,
) -> None:
"""
Converts dict to config file
New options will be mixed in with old ones
unless overwrite is specified
:param dict data: dictionary (key (section) / value (options))
:param bool validate: indicates if we need validation
:param bool normalize: normalize config
:param overwrite: overwrite existing conf
:param without_defaults: do not fill defaults
:return: None
"""
if overwrite:
self._dict_to_config_overwrite(
data=data,
validate=validate,
normalize=normalize,
without_defaults=without_defaults,
)
else:
self._dict_to_config(
data=data,
validate=validate,
normalize=normalize,
without_defaults=without_defaults,
)
def _dict_to_config_overwrite(
self, data, validate, normalize, without_defaults
):
if validate:
ConfigsValidator.validate(data, self.validation_schema)
if normalize:
data = self.normalize(data, without_defaults=without_defaults)
self._config_reader.write_config_file(data)
def _dict_to_config(self, data, validate, normalize, without_defaults):
config = deepcopy(self._config_reader.read_config_file())
if dict_deep_update(config, data):
if validate:
ConfigsValidator.validate(config, self.validation_schema)
if normalize:
config = self.normalize(
config, without_defaults=without_defaults
)
self._config_reader.write_config_file(config)
def validate(self):
"""
:raises ConfigsValidatorError
"""
try:
config_dict = self._config_reader.read_config_file(
ignore_errors=False
)
except ConfigError as e:
message = "Error during config validation"
logger.error("%s: %s", message, e)
raise ConfigsValidatorError({self: message}) from e
try:
ConfigsValidator.validate(config_dict, self.validation_schema)
except ConfigValidationError as e:
message = "Imunify360 config does not match the scheme"
logger.error("%s: %s", message, e)
raise ConfigsValidatorError({self: message}) from e
def modified_since(self, timestamp: Optional[float]) -> bool:
return self._config_reader.modified_since(timestamp)
class UserConfig(Config):
def __init__(self, *, username):
self.username = username
path = os.path.join(
Core.USER_CONFDIR, username, Core.USER_CONFIG_FILE_NAME
)
super().__init__(
path=path,
config_reader=UserConfigReader(path, username),
validation_schema=config_schema_non_root,
)
class SystemConfig(IConfig, metaclass=ProtocolSingleton):
def __init__(
self, *, local_config: Config = None, merged_config: Config = None
):
super().__init__()
self._local_config = local_config or LocalConfig()
self._merged_config = merged_config or MergedConfig()
def config_to_dict(
self, normalize: bool = True, force_read: bool = False
) -> dict:
return self._merged_config.config_to_dict(
normalize=normalize, force_read=force_read
)
def dict_to_config(
self,
data: Mapping,
validate: bool = True,
normalize: bool = True,
overwrite: bool = False,
without_defaults: bool = True,
) -> None:
self._local_config.dict_to_config(
data,
validate=validate,
normalize=normalize,
overwrite=overwrite,
without_defaults=without_defaults,
)
def validate(self) -> None:
self._merged_config.validate()
def normalize(
self, config: Mapping, without_defaults: bool = False
) -> dict:
return self._merged_config.normalize(
config=config, without_defaults=without_defaults
)
def modified_since(self, timestamp: Optional[float]) -> bool:
return self._merged_config.modified_since(timestamp)
def config_file_factory(
username: Optional[Union[str, int]] = None, path: Optional[str] = None
) -> IConfig:
if username and not isinstance(username, int):
return UserConfig(username=username)
elif path:
return Config(path=path)
else:
return SystemConfig()
# TODO: move all layer related functions to another module
def any_layer_modified_since(timestamp) -> bool:
merger = Merger(Merger.get_layer_names())
for layer in merger.layers:
if layer.modified_since(timestamp):
return True
return False
MergedConfig = functools.partial(
Config,
config_reader=WriteOnlyConfigReader(
path=Core.MERGED_CONFIG_FILE_PATH,
disclaimer=DO_NOT_MODIFY_DISCLAMER,
permissions=Core.MERGED_CONFIG_FILE_PERMISSION,
),
)
class LocalConfig(Config):
"""
Config (/etc/sysconfig/imunify360/imunify360.config) should contain
options changed by a customer only
"""
def __init__(
self,
*,
path=Core.LOCAL_CONFIG_FILE_PATH, # overrides the parent default value
config_reader: ConfigReader = None,
validation_schema: Union[Mapping, Callable[[], Mapping]] = None,
disclaimer: str = None,
cached=False, # overrides the parent default value
):
super().__init__(
path=path,
config_reader=config_reader,
validation_schema=validation_schema,
disclaimer=disclaimer,
cached=cached,
)
def dict_to_config(
self,
data: Mapping,
validate: bool = True,
normalize: bool = True,
overwrite: bool = False,
without_defaults: bool = True, # overrides the parent default value
) -> None:
return super().dict_to_config(
data,
validate=validate,
normalize=normalize,
overwrite=overwrite,
without_defaults=without_defaults,
)
class BaseMerger:
DIR = os.path.join(Core.GLOBAL_CONFDIR, Core.CONFIG_D_NAME)
LOCAL_CONFIG_NAME = "90-local.config"
def __init__(self, names, include_defaults=False):
self._include_defaults = include_defaults
self.layers = [
Config(path=os.path.join(self.DIR, name)) for name in names
]
@classmethod
def get_layer_names(cls):
return sorted(os.listdir(cls.DIR)) if os.path.isdir(cls.DIR) else []
def configs_to_dict(self, force_read=False):
layer_dict_list = []
if self._include_defaults:
defaults = Normalizer(config_schema_root).normalize(
{}, without_defaults=False
)
layer_dict_list.append(defaults)
layer_dict_list += [
layer.config_to_dict(normalize=False, force_read=force_read)
for layer in self.layers
]
return self._build_effective_config(layer_dict_list)
@classmethod
def _build_effective_config(cls, layer_dict_list: list):
effective: Dict[str, dict] = {}
for layer_dict in layer_dict_list:
for section, options in layer_dict.items():
if options is None:
continue
if section not in effective:
effective[section] = {}
for option, value in options.items():
if value is not None:
effective[section][option] = value
return effective
class MutableMerger(BaseMerger):
def __init__(self, names: Sequence):
idx = bisect_left(names, self.LOCAL_CONFIG_NAME)
names = names[:idx]
super().__init__(names, include_defaults=True)
class ImmutableMerger(BaseMerger):
def __init__(self, names: Sequence):
idx = bisect_right(names, self.LOCAL_CONFIG_NAME)
names = names[idx:]
super().__init__(names, include_defaults=False)
class NonBaseMerger(BaseMerger):
def __init__(self, names: Sequence):
super().__init__(names, include_defaults=False)
class Merger(BaseMerger):
def __init__(self, names):
super().__init__(names, include_defaults=True)
@classmethod
def update_merged_config(cls):
merged_config = MergedConfig()
merger = cls(cls.get_layer_names())
config_dict = merger.configs_to_dict()
try:
ConfigsValidator.validate(config_dict)
except ConfigsValidatorError:
logger.warning("Config file is invalid!")
else:
merged_config.dict_to_config(config_dict, validate=False)
class ConfigValidator(Validator):
def __init__(
self,
*args,
allow_unknown=ANTIVIRUS_MODE,
purge_readonly=True,
**kwargs,
):
"""
Initialises ConfigValidator(Validator)
for more details on Validator params please check
https://docs.python-cerberus.org/en/stable/validation-rules.html
"""
super().__init__(
*args,
allow_unknown=allow_unknown,
purge_readonly=purge_readonly,
**kwargs,
)
def _normalize_coerce_user_override_pd_rules(self, value):
if self.root_document.get("MY_IMUNIFY", {}).get("enable", False):
return True
return value
class Packaging:
DATADIR = "/opt/imunify360/venv/share/%s" % Core.PRODUCT
class SimpleRpc:
# how long to wait for the response from RPC server in seconds
CLIENT_TIMEOUT = 3600
SOCKET_PATH = "/var/run/defence360agent/simple_rpc.sock"
# end-user stuff
NON_ROOT_SOCKET_PATH = "/var/run/defence360agent/non_root_simple_rpc.sock"
TOKEN_FILE_TMPL = ".imunify360_token_{suffix}"
# -r--------
TOKEN_MASK = 0o400
SOCKET_ACTIVATION = bool_from_envvar(
"I360_SOCKET_ACTIVATION",
ANTIVIRUS_MODE,
)
INACTIVITY_TIMEOUT = int_from_envvar(
"IMUNIFY360_INACTIVITY_TIMEOUT",
int(timedelta(minutes=5).total_seconds()),
)
class Model:
# type sqlite3 - sqlite only supported
PATH = "/var/%s/%s.db" % (Core.PRODUCT, Core.PRODUCT)
PROACTIVE_PATH = "/var/%s/proactive.db" % (Core.PRODUCT,)
RESIDENT_PATH = "/var/%s/%s-resident.db" % (Core.PRODUCT, Core.PRODUCT)
class FilesUpdate:
# Check files update periodically
PERIOD = timedelta(minutes=30).total_seconds()
# Timeout for single Index update (group of files) DEF-11501
# It has to be less than watchdog timeout (60 min)
TIMEOUT = timedelta(minutes=15).total_seconds()
# Timeout for individual socket operations (connect, recv/read, etc.)
# For instance ssl-handshake timeout == SOCKET_TIMEOUT
# Than less the value than better, to do not wait to long
SOCKET_TIMEOUT = 3 # seconds
class CountryInfo:
DB = "/var/imunify360/files/geo/v1/GeoLite2-Country.mmdb"
LOCATIONS_DB = (
"/var/imunify360/files/geo/v1/GeoLite2-Country-Locations-en.csv"
)
@staticmethod
def country_subnets_file(country_code):
return "/var/imunify360/files/geo/v1/CountrySubnets-{}.txt".format(
country_code
)
class Sentry:
DSN = os.getenv(
"IMUNITY360_SENTRY_DSN", _slurp_file("%s/sentry" % Packaging.DATADIR)
)
ENABLE = FromConfig("ERROR_REPORTING", "enable")
class Malware:
SCAN_CHECK_PERIOD = 300
CONSECUTIVE_ERROR_LIMIT = 10
INOTIFY_SCAN_PERIOD = 60
CONFIG_CHECK_PERIOD = 30
CONFLICTS_CHECK_PERIOD = 300
INOTIFY_ENABLED = FromConfig("MALWARE_SCANNING", "enable_scan_inotify")
PURE_SCAN = FromConfig("MALWARE_SCANNING", "enable_scan_pure_ftpd")
SEND_FILES = FromConfig("MALWARE_SCANNING", "sends_file_for_analysis")
CLOUD_ASSISTED_SCAN = FromConfig("MALWARE_SCANNING", "cloud_assisted_scan")
RAPID_SCAN = FromConfig("MALWARE_SCANNING", "rapid_scan")
CRONTABS_SCAN_ENABLED = FromConfig("MALWARE_SCANNING", "crontabs")
SCANS_PATH = "/var/imunify360/aibolit/scans.pickle"
FILE_PREVIEW_BYTES_NUM = 1024 * 100 # 100 KB
CLEANUP_STORAGE = "/var/imunify360/cleanup_storage"
CLEANUP_TRIM = FromConfig(
section="MALWARE_CLEANUP",
option="trim_file_instead_of_removal",
)
CLEANUP_KEEP = FromConfig(
section="MALWARE_CLEANUP",
option="keep_original_files_days",
)
SCAN_MODIFIED_FILES = FromConfig(
section="MALWARE_SCANNING",
option="scan_modified_files",
)
MAX_SIGNATURE_SIZE_TO_SCAN = FromConfig(
"MALWARE_SCANNING", "max_signature_size_to_scan"
)
MAX_CLOUDSCAN_SIZE_TO_SCAN = FromConfig(
"MALWARE_SCANNING", "max_cloudscan_size_to_scan"
)
MAX_MRS_UPLOAD_FILE = FromConfig("MALWARE_SCANNING", "max_mrs_upload_file")
RAPID_SCAN_RESCAN_UNCHANGING_FILES_FREQUENCY = FromConfig(
"MALWARE_SCANNING", "rapid_scan_rescan_unchanging_files_frequency"
)
HYPERSCAN = FromConfig("MALWARE_SCANNING", "hyperscan")
DATABASE_SCAN_ENABLED = FromConfig("MALWARE_DATABASE_SCAN", "enable")
CPANEL_SCAN_ENABLED = FromConfig("MALWARE_SCANNING", "enable_scan_cpanel")
CLEANUP_DISABLE_CLOUDAV = FromFlagFile("disable_cloudav")
MDS_DB_TIMEOUT = FromConfig("MALWARE_DATABASE_SCAN", "db_timeout")
class MalwareGeneric:
BASEDIR = None
PATTERN_TO_WATCH = ""
# static initializer for MalwareGeneric class
integration_conf = IntegrationConfig()
if integration_conf.exists():
try:
malware_section = integration_conf.to_dict()["malware"]
except KeyError:
pass
# inotify settings are not necessary
# it even may be not supported by system
else:
MalwareGeneric.BASEDIR = malware_section["basedir"]
MalwareGeneric.PATTERN_TO_WATCH = malware_section["pattern_to_watch"]
class MalwareScanScheduleInterval:
NONE = NONE
DAY = DAY
WEEK = WEEK
MONTH = MONTH
class MalwareScanSchedule:
CMD = "/usr/bin/imunify360-agent malware user scan --background"
CRON_PATH = "/etc/cron.d/imunify_scan_schedule"
CRON_STRING = """\
# DO NOT EDIT. AUTOMATICALLY GENERATED.
0 {0} {1} * {2} root {cmd} >/dev/null 2>&1
"""
INTERVAL = FromConfig(
section="MALWARE_SCAN_SCHEDULE",
option="interval",
)
HOUR = FromConfig(
section="MALWARE_SCAN_SCHEDULE",
option="hour",
)
DAY_OF_WEEK = FromConfig(
section="MALWARE_SCAN_SCHEDULE",
option="day_of_week",
)
DAY_OF_MONTH = FromConfig(
section="MALWARE_SCAN_SCHEDULE",
option="day_of_month",
)
class MalwareScanIntensity:
CPU = FromConfig(
section="MALWARE_SCAN_INTENSITY",
option="cpu",
)
IO = FromConfig(
section="MALWARE_SCAN_INTENSITY",
option="io",
)
RAM = FromConfig(
section="MALWARE_SCAN_INTENSITY",
option="ram",
)
USER_CPU = FromConfig(
section="MALWARE_SCAN_INTENSITY",
option="user_scan_cpu",
)
USER_IO = FromConfig(
section="MALWARE_SCAN_INTENSITY",
option="user_scan_io",
)
USER_RAM = FromConfig(
section="MALWARE_SCAN_INTENSITY",
option="user_scan_ram",
)
class FileBasedResourceLimits:
CPU = FromConfig(
section="RESOURCE_MANAGEMENT",
option="cpu_limit",
)
IO = FromConfig(
section="RESOURCE_MANAGEMENT",
option="io_limit",
)
RAM = FromConfig(
section="RESOURCE_MANAGEMENT",
option="ram_limit",
)
class KernelCare:
EDF = FromConfig(
section="KERNELCARE",
option="edf",
)
def get_rapid_rescan_frequency():
value = Malware.RAPID_SCAN_RESCAN_UNCHANGING_FILES_FREQUENCY
if value is None:
freq = {
MalwareScanScheduleInterval.NONE: 1,
MalwareScanScheduleInterval.MONTH: 2,
MalwareScanScheduleInterval.WEEK: 5,
MalwareScanScheduleInterval.DAY: 10,
}
return freq.get(MalwareScanSchedule.INTERVAL, 1)
return value
class MalwareSignatures:
_dir = "/var/imunify360/files/sigs/v1/"
RFXN = os.path.join(_dir, "rfxn")
i360 = os.path.join(_dir, "i360")
AI_BOLIT_HOSTER = os.path.join(_dir, "aibolit", "ai-bolit-hoster-full.db")
AI_BOLIT_HYPERSCAN = os.path.join(_dir, "aibolit", "hyperscan")
MDS_AI_BOLIT_HOSTER = os.path.join(
_dir, "aibolit", "mds-ai-bolit-hoster.db"
)
PROCU_DB = os.path.join(_dir, "aibolit", "procu2.db")
MDS_PROCU_DB = os.path.join(_dir, "aibolit", "mds-procu2.db")
class Logger:
MAX_LOG_FILE_SIZE = FromConfig(
section="LOGGER",
option="max_log_file_size",
)
BACKUP_COUNT = FromConfig(
section="LOGGER",
option="backup_count",
)
# directory mode for main log directory and all inner
LOG_DIR_PERM = 0o700
# file mode for main log directory and all inner
LOG_FILE_PERM = 0o660
class UserType:
ROOT = "root"
NON_ROOT = "non_root"
class UIRole:
CLIENT = "client"
ADMIN = "admin"
class NoCP:
# path to script implementing No CP API
CLIENT_SCRIPT = "/etc/imunify360/scripts/domains"
# latest version of the API supported by agent
LATEST_VERSION = 1
class CustomBillingConfig(Config):
def __init__(self):
path = os.path.join(
"/etc/sysconfig/imunify360", Core.CUSTOM_BILLING_CONFIGFILENAME
)
super().__init__(
path=path, validation_schema=CONFIG_SCHEMA_CUSTOM_BILLING
)
class CustomBilling:
UPGRADE_URL = FromConfig(
section="CUSTOM_BILLING",
option="upgrade_url",
config_cls=CustomBillingConfig,
)
UPGRADE_URL_360 = FromConfig(
section="CUSTOM_BILLING",
option="upgrade_url_360",
config_cls=CustomBillingConfig,
)
NOTIFICATIONS = FromConfig(
section="CUSTOM_BILLING",
option="billing_notifications",
config_cls=CustomBillingConfig,
)
IP_LICENSE = FromConfig(
section="CUSTOM_BILLING",
option="ip_license",
config_cls=CustomBillingConfig,
)
class PermissionsConfig:
USER_IGNORE_LIST = FromConfig(
section="PERMISSIONS",
option="user_ignore_list",
)
ALLOW_MALWARE_SCAN = FromConfig(
section="PERMISSIONS",
option="allow_malware_scan",
)
USER_OVERRIDE_MALWARE_ACTIONS = FromConfig(
section="PERMISSIONS", option="user_override_malware_actions"
)
USER_OVERRIDE_PROACTIVE_DEFENSE = FromConfig(
section="PERMISSIONS",
option="user_override_proactive_defense",
)
ALLOW_LOCAL_MALWARE_IGNORE_LIST_MANAGEMENT = FromConfig(
section="PERMISSIONS",
option="allow_local_malware_ignore_list_management",
)
class MyImunifyConfig:
ENABLED = FromConfig(
section="MY_IMUNIFY",
option="enable",
)
PURCHASE_PAGE_URL = FromConfig(
section="MY_IMUNIFY",
option="purchase_page_url",
)
class ControlPanelConfig:
SMART_ADVICE_ALLOWED = FromConfig(
section="CONTROL_PANEL",
option="smart_advice_allowed",
)
ADVICE_EMAIL_NOTIFICATION = FromConfig(
section="CONTROL_PANEL",
option="advice_email_notification",
)
def effective_user_config(admin_config, user_config):
allowed_sections = [
"BACKUP_RESTORE",
"MALWARE_CLEANUP",
"MALWARE_SCANNING",
"ERROR_REPORTING",
"PROACTIVE_DEFENCE",
"PERMISSIONS",
"MY_IMUNIFY",
"CONTROL_PANEL",
]
overridable = {
(
"MALWARE_SCANNING",
"default_action",
): PermissionsConfig.USER_OVERRIDE_MALWARE_ACTIONS,
(
"PROACTIVE_DEFENCE",
"mode",
): PermissionsConfig.USER_OVERRIDE_PROACTIVE_DEFENSE,
}
admin_dict = admin_config.config_to_dict()
user_dict = user_config.config_to_dict()
def normalize_section(section):
admin_options = deepcopy(admin_dict.get(section))
user_options = deepcopy(user_dict.get(section, {}))
resulting_dict = {}
for option, admin_value in admin_options.items():
user_value = user_options.get(option)
if (
user_value is not None
# All options available to user are overridable by default
and overridable.get((section, option), True)
):
resulting_dict[option] = user_value
else:
resulting_dict[option] = admin_value
return resulting_dict
effective_config = {
section: normalize_section(section) for section in allowed_sections
}
return fm_config_cleanup(effective_config, user_config.username)
class HookEvents:
IM360_EVENTS = (
AGENT,
LICENSE,
MALWARE_SCANNING,
MALWARE_CLEANUP,
MALWARE_DETECTED,
) = (
"agent",
"license",
"malware-scanning",
"malware-cleanup",
"malware-detected",
)
IMAV_EVENTS = (
LICENSE,
MALWARE_SCANNING,
MALWARE_CLEANUP,
MALWARE_DETECTED,
)
EVENTS = IMAV_EVENTS if ANTIVIRUS_MODE else IM360_EVENTS
class ConfigsValidatorError(Exception):
def __init__(self, configs_to_errors: Dict[Config, str]):
self.configs_to_errors = configs_to_errors
def __repr__(self):
errors = []
for config, error in self.configs_to_errors.items():
errors.append(f"{config!r}: {error}")
return "\n".join(errors)
class ConfigsValidator:
"""A class that has methods to validate configs bypassing the cache"""
@classmethod
def validate_system_config(cls):
"""
Validate merged config
:raises ConfigsValidatorError
"""
SystemConfig().validate()
@classmethod
def validate_config_layers(cls):
"""
Validate all config layers, collect all errors
:raises ConfigsValidatorError
"""
configs_to_errors = {}
for layer in Merger(Merger.get_layer_names()).layers:
try:
layer.validate()
except ConfigsValidatorError as e:
configs_to_errors.update(e.configs_to_errors)
if configs_to_errors:
raise ConfigsValidatorError(configs_to_errors)
@classmethod
def validate(
cls,
config_dict: dict,
validation_schema: Union[dict, Callable] = config_schema_root,
) -> None:
"""
Validate config represented by a dict
:param config_dict: config to validate
:param validation_schema: schema to validate config against
:raises ConfigValidationError
"""
schema = cls.get_validation_schema(validation_schema)
v = ConfigValidator(schema)
if not v.validate(config_dict):
raise ConfigValidationError(v.errors)
@staticmethod
def get_validation_schema(
validation_schema: Union[Mapping, Callable]
) -> Mapping:
if callable(validation_schema):
return validation_schema()
return validation_schema
ConfigFile = config_file_factory
class AdminContacts:
ENABLE_ICONTACT_NOTIFICATIONS = FromConfig(
section="ADMIN_CONTACTS",
option="enable_icontact_notifications",
)
class IContactMessageType(str, Enum):
MALWARE_FOUND = "MalwareFound"
SCAN_NOT_SCHEDULED = "ScanNotScheduled"
GENERIC = "Generic"
def __str__(self):
return self.value
CONFIG_SCHEMA_BACKUP_SYSTEM = {
"BACKUP_SYSTEM": {
"type": "dict",
"schema": {
"enabled": {
"type": "boolean",
"default": False,
},
"backup_system": {
"type": "string",
"default": None,
"nullable": True,
"allowed": [
CPANEL,
PLESK,
R1SOFT,
ACRONIS,
CLOUDLINUX,
DIRECTADMIN,
CLOUDLINUX_ON_PREMISE,
CLUSTERLOGICS,
SAMPLE_BACKEND,
],
},
},
"default": {},
}
}
class BackupConfig(Config):
DISCLAIMER = """\
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# DO NOT EDIT. AUTOMATICALLY GENERATED.
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Direct modifications to this file WILL be lost upon subsequent
# regeneration of this configuration file.
#
# To have your modifications retained, you should use CLI command
# imunify360-agent backup-systems <init|disable> <backup-system>
# or activate/deactivate appropriate feature in UI.
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
"""
def __init__(
self,
*,
path=os.path.join(
"/etc/sysconfig/imunify360", Core.BACKUP_CONFIGFILENAME
),
validation_schema=CONFIG_SCHEMA_BACKUP_SYSTEM,
):
super().__init__(path=path, validation_schema=validation_schema)
class BackupRestore:
ENABLED = FromConfig(
section="BACKUP_SYSTEM", option="enabled", config_cls=BackupConfig
)
_BACKUP_SYSTEM = FromConfig(
section="BACKUP_SYSTEM",
option="backup_system",
config_cls=BackupConfig,
)
CL_BACKUP_ALLOWED = FromConfig(
section="BACKUP_RESTORE",
option="cl_backup_allowed",
)
CL_ON_PREMISE_BACKUP_ALLOWED = FromConfig(
section="BACKUP_RESTORE",
option="cl_on_premise_backup_allowed",
)
@classmethod
def backup_system(cls):
return _get_backend_system(cls._BACKUP_SYSTEM)
def _get_backend_system(name):
"""
Get backup module from its name
:param name: backup system name
:return: backup system module
"""
from restore_infected import backup_backends
if name in (CLOUDLINUX, CLOUDLINUX_ON_PREMISE):
# cloudlinux backup is actually acronis one
name = ACRONIS
elif name is None:
return None
return backup_backends.backend(name, async_=True)
class AcronisBackup:
# https://kb.acronis.com/content/1711
# https://kb.acronis.com/content/47189
LOG_NAME = "acronis-installer.log"
PORTS = (8443, 44445, 55556)
RANGE = {(7770, 7800)}
def should_try_autorestore_malicious(username: str) -> bool:
"""
Checks is Agent should try restore malware file firts
and returns user that set this action in config
"""
try_restore, _ = choose_value_from_config(
"MALWARE_SCANNING", "try_restore_from_backup_first", username
)
return BackupRestore.ENABLED and try_restore
def choose_use_backups_start_from_date(username: str) -> datetime:
max_days, _ = choose_value_from_config(
"BACKUP_RESTORE", "max_days_in_backup", username
)
until = datetime.now() - timedelta(days=max_days)
return until
def should_send_user_notifications(username: str) -> bool:
should_send, _ = choose_value_from_config(
"CONTROL_PANEL",
"generic_user_notifications",
username=username,
)
return should_send
class HackerTrap:
DIR = "/var/imunify360"
NAME = "malware_found_b64.list"
SA_NAME = "malware_standalone_b64.list"
DIR_PD = "/opt/imunify360/proactive/dangerlist/"