ok

Mini Shell

Direktori : /opt/imunify360/venv/lib/python3.11/site-packages/im360/contracts/
Upload File :
Current File : //opt/imunify360/venv/lib/python3.11/site-packages/im360/contracts/config.py

import os
from datetime import timedelta
from functools import partial
from typing import Any, Literal

from defence360agent.contracts.config import (
    Config,
    Core,
    FromConfig,
    int_from_envvar,
)
from im360.utils import RulesLock
from im360.utils.validate import IP

RBL_WHITELIST_FILE = "rbl_whitelist"
IPSET_LISTS_PATH = "/var/%s/%s-ipsetlists.db" % (
    Core.PRODUCT,
    Core.PRODUCT,
)


class AutoWhiteList:
    TTL_VALUE = FromConfig(
        "AUTO_WHITELIST",
        "timeout",
    )

    @classmethod
    def ttl_value(cls):
        return cls.TTL_VALUE * 60

    UNBLOCK_WHITELIST_TTL = FromConfig(
        "AUTO_WHITELIST",
        "after_unblock_timeout",
    )

    @classmethod
    def unblock_whitelist_ttl(cls):
        return cls.UNBLOCK_WHITELIST_TTL * 60


class CaptchaDOS:
    """
    X = TIMEFRAME
    T = MAX_COUNT
    N = TIMEOUT
    were taken from this doc:
    https://docs.google.com/a/cloudlinux.com/document/d/1uYMwy89dbF7FxKSzUehhJYcDadWhk0l5YRKuvZpSeq0/edit?usp=sharing
    """  # noqa: E501

    ENABLED = FromConfig("CAPTCHA_DOS", "enabled")
    TIME_FRAME = FromConfig("CAPTCHA_DOS", "time_frame")
    MAX_COUNT = FromConfig("CAPTCHA_DOS", "max_count")

    TIMEOUT = FromConfig("CAPTCHA_DOS", "timeout")


class CSFIntegration:
    ENABLED = FromConfig(
        section="CSF_INTEGRATION",
        option="catch_lfd_events",
    )


class ProactiveDefence:
    PHP_IMMUNITY = FromConfig(
        section="PROACTIVE_DEFENCE",
        option="php_immunity",
    )


class DOS:
    ENABLED = FromConfig("DOS", "enabled")
    INTERVAL = FromConfig("DOS", "interval")
    PER_PORT = FromConfig("DOS", "port_limits")
    DEFAULT_LIMIT = FromConfig("DOS", "default_limit")


class EnhancedDOS:
    ENABLED = FromConfig("ENHANCED_DOS", "enabled")
    TIMEFRAME = FromConfig("ENHANCED_DOS", "timeframe")
    PER_PORT = FromConfig("ENHANCED_DOS", "port_limits")
    DEFAULT_LIMIT = FromConfig("ENHANCED_DOS", "default_limit")

    @staticmethod
    def as_dict() -> dict[str, Any]:
        return {
            name: getattr(EnhancedDOS, name)
            for name in dir(EnhancedDOS)
            if not name.startswith("_") and name.upper() == name
        }


class IncidentLogging:
    MIN_LOG_LEVEL = FromConfig("INCIDENT_LOGGING", "min_log_level")
    # automatically delete data from db, if it's older that NUM_DAYS
    NUM_DAYS = FromConfig("INCIDENT_LOGGING", "num_days")
    # max number of incidents in db
    LIMIT = FromConfig("INCIDENT_LOGGING", "limit")
    FREQUENCY = timedelta(days=1).total_seconds()


class LocalIncidentReporting:
    #: report [to server] only those local (without ip) incidents
    #  with severity no less (>=) than the given minimum
    MIN_SEVERITY = int_from_envvar("IMUNIFY360_NOIP_MIN_REPORT_SEVERITY", 4)


class Modsec:
    # MINIMAL|FULL
    RULESET = FromConfig("MOD_SEC", "ruleset")
    CMS_ACCOUNT_COMPROMISE_PREVENTION = FromConfig(
        "MOD_SEC", "cms_account_compromise_prevention"
    )
    APP_SPECIFIC_RULESET = FromConfig("MOD_SEC", "app_specific_ruleset")


class ModsecSensor:
    PLUGIN_ID = "modsec"
    SEND_ADDITIONAL_DATA = FromConfig("SEND_ADDITIONAL_DATA", "enable")


class ModsecBlockByCustomRules:
    RULES = FromConfig("MOD_SEC_BLOCK_BY_CUSTOM_RULE")
    DEFAULT_MAX_REPETITION = 2
    DEFAULT_PERIOD = 120

    @classmethod
    def get_limit(cls, rule):
        return cls.RULES[rule].get("max_incidents", cls.DEFAULT_MAX_REPETITION)

    @classmethod
    def get_timeout(cls, rule):
        return cls.RULES[rule].get("check_period", cls.DEFAULT_PERIOD)


class ModsecBlockBySeverity:
    ENABLED = FromConfig(
        "MOD_SEC_BLOCK_BY_SEVERITY",
        "enable",
    )
    CHECK_PERIOD = FromConfig(
        "MOD_SEC_BLOCK_BY_SEVERITY",
        "check_period",
    )
    MAX_REPETITION = FromConfig(
        "MOD_SEC_BLOCK_BY_SEVERITY",
        "max_incidents",
    )
    SEVERITY_LIMIT = FromConfig(
        "MOD_SEC_BLOCK_BY_SEVERITY",
        "severity_limit",
    )
    DENIED_NUM_LIMIT = FromConfig(
        "MOD_SEC_BLOCK_BY_SEVERITY",
        "denied_num_limit",
    )


class ModSecurityDirectives:
    """Values for `{check,fix} modsec directives` commands."""

    # https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#Configuration_Directives
    SecAuditEngine = "RelevantOnly"
    SecConnEngine = "Off"
    SecRuleEngine = "On"


class NetworkInterface:
    """
    Applies or ignores Imunify360's firewall rules
    to specific network interfaces
    """

    ETH_DEVICE = FromConfig("NETWORK_INTERFACE", "eth_device")
    ETH6_DEVICE = FromConfig("NETWORK_INTERFACE", "eth6_device")
    ETH_DEVICE_SKIP = FromConfig("NETWORK_INTERFACE", "eth_device_skip")
    DEVICE_SKIP = "device_skip"

    @classmethod
    def get_interface_conf(cls):
        return {
            IP.V4: cls.ETH_DEVICE,
            IP.V6: cls.ETH6_DEVICE,
            cls.DEVICE_SKIP: cls.ETH_DEVICE_SKIP,
        }


class OssecSensor:
    PLUGIN_ID = "ossec"


class ControlPanelProtector:
    PLUGIN_ID = "control_panel_protector"


class Protector:
    RULE_EDIT_LOCK = RulesLock()


class Subsys:
    THIRD_PARTY_IDS = ("cPHulk", "fail2ban")
    # time 3rdpary IDS last check result will be cached for (30 seconds)
    THIRD_PARTY_IDS_CHECK_TIMEOUT = 30


class Webshield:
    ENABLE = FromConfig("WEBSHIELD", "enable")
    KNOWN_PROXIES_SUPPORT = FromConfig("WEBSHIELD", "known_proxies_support")
    SPLASH_SCREEN = FromConfig("WEBSHIELD", "splash_screen")
    SPLASH_CAPTCHA_SHOWN_LOG_ENTRY_RULE = 6068
    PANEL_PROTECTION = FromConfig("WEBSHIELD", "panel_protection")
    MODE: Literal["module", "proxy"] = FromConfig("WEBSHIELD", "mode")


class Scanlogd:
    ENABLE = FromConfig("SCANLOGD", "enable")


class WebServices:
    HTTP_PORTS = FromConfig(
        "WEB_SERVICES",
        "http_ports",
    )
    HTTPS_PORTS = FromConfig("WEB_SERVICES", "https_ports")


class Firewall:
    port_blocking_mode = FromConfig("FIREWALL", "port_blocking_mode")
    TCP_IN_IPV4 = FromConfig("FIREWALL", "TCP_IN_IPv4")
    TCP_OUT_IPV4 = FromConfig("FIREWALL", "TCP_OUT_IPv4")
    UDP_IN_IPV4 = FromConfig("FIREWALL", "UDP_IN_IPv4")
    UDP_OUT_IPV4 = FromConfig("FIREWALL", "UDP_OUT_IPv4")
    LOGGING_DISABLE_FLAG = "/var/imunify360/disable_iptables_logging"


class SMTPBlocking:
    getopt = partial(FromConfig, "SMTP_BLOCKING")

    ENABLED = getopt("enable")
    PORTS = getopt("ports")
    ALLOW_GROUPS = getopt("allow_groups")
    ALLOW_USERS = getopt("allow_users")
    ALLOW_LOCAL = getopt("allow_local")
    REDIRECT = getopt("redirect")


class StopManaging:
    """Categories to ignore by {validate,reset} agent's commands."""

    MODSEC_DIRECTIVES = FromConfig(
        section="STOP_MANAGING",
        option="modsec_directives",
    )


class ControlPanel:
    """
    Relates to actions to be performed by a host admin
    for compromised user accounts
    """

    COMPROMISED_USER_ADMIN_NOTIFICATION = FromConfig(
        "CONTROL_PANEL", "compromised_user_admin_notification"
    )
    COMPROMISED_USER_PASSWORD_RESET = FromConfig(
        "CONTROL_PANEL", "compromised_user_password_reset"
    )


class Permissions:
    ALLOW_LOCAL_RULES_MANAGEMENT = FromConfig(
        "PERMISSIONS", option="allow_local_rules_management"
    )


CONFIG_SCHEMA_UNIFIED_ACCESS_LOGGER = {
    "groups": {
        "type": "dict",
        "schema": {
            "ipv4": {
                "type": "integer",
                "coerce": int,
                "default": 36004,
            },
            "ipv6": {
                "type": "integer",
                "coerce": int,
                "default": 36006,
            },
        },
        "default": {},
    },
    "rules": {
        "type": "dict",
        "keysrules": {
            "type": "string",
        },
        "valuesrules": {
            "type": "dict",
            "schema": {
                "id": {
                    "type": "integer",
                    "coerce": int,
                },
                "name": {"type": "string"},
                "severity": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "max": 15,
                },
            },
        },
    },
}


class UnifiedAccessLoggerConfig(Config):
    DISCLAIMER = """\
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#   DO NOT EDIT. INTERNAL USAGE ONLY.
#   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
#   Direct modifications to this file prohibited.
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    """

    def __init__(
        self,
        *,
        path=os.path.join(
            Core.CONFIG_DIR, Core.UNIFIED_ACCESS_LOGGER_CONFIGFILENAME
        ),
        validation_schema=CONFIG_SCHEMA_UNIFIED_ACCESS_LOGGER
    ):
        super().__init__(path=path, validation_schema=validation_schema)


class UnifiedAccessLogger:
    ENABLED = FromConfig("FIREWALL", "unified_access_logger")
    NFLOG_GROUPS = FromConfig("groups", config_cls=UnifiedAccessLoggerConfig)
    _RULES_NAMES = (
        WHITELIST,
        BLACKLIST,
        GRAYLIST,
        BLOCKED_BY_PORT,
        WHITELIST_COUNTRY,
        BLACKLIST_COUNTRY,
        SMTP,
    ) = (
        "im360-whitelist",
        "im360-blacklist",
        "im360-graylist",
        "im360-blocked-by-port",
        "im360-whitelisted-country",
        "im360-blacklisted-country",
        "im360-outgoing-blocked",
    )
    RULES = FromConfig("rules", config_cls=UnifiedAccessLoggerConfig)

Zerion Mini Shell 1.0