
import functools
import re

from defence360agent.subsys.panels.hosting_panel import HostingPanel

# Values accepted by MOD_SEC.ruleset (see get_root_config).
MODSEC_RULESET_FULL: str = "FULL"
MODSEC_RULESET_MINIMAL: str = "MINIMAL"
# Bounds for the DOS detector section.  Values under a minimum are coerced
# up with not_less_than() before the "min" rule runs, so they are silently
# clamped rather than rejected.
_DOS_DETECTOR_DEFAULT_LIMIT: int = 250
_DOS_DETECTOR_MIN_LIMIT: int = 1
_DOS_DETECTOR_MIN_INTERVAL: int = 1

# Values accepted by FIREWALL.port_blocking_mode.
PORT_BLOCKING_MODE_DENY: str = "DENY"
PORT_BLOCKING_MODE_ALLOW: str = "ALLOW"


def not_less_than(minimum):
    """Return a callable that clamps its argument(s) to at least ``minimum``.

    Used as a Cerberus ``coerce`` step: ``not_less_than(1)(0) == 1`` while
    ``not_less_than(1)(5) == 5``.  Extra positional arguments are folded in
    the same way ``max`` would fold them.
    """

    def clamp(*values):
        return max(minimum, *values)

    return clamp


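def coerce_sort_ports(value):
    """Cerberus ``coerce`` for the FIREWALL port lists: normalise and sort.

    Every entry has ``:`` rewritten to ``-`` so ``"2:4"`` and ``"2-4"`` are
    the same range, duplicates are dropped, and the result is ordered by the
    first port of each entry (ties broken by the entry text, so the order is
    deterministic).  Coercion runs before validation, so a non-numeric entry
    raises ValueError here — presumably surfaced by the schema engine as a
    coercion failure rather than crashing; confirm against the caller.

    Returns a new list; ``value`` is not modified.
    """
    normalised = {entry.replace(":", "-") for entry in value}

    def sort_key(entry):
        # Primary key: numeric start port.  Secondary key: the text itself,
        # so "80-90" and "80-100" come out in a stable order instead of
        # whatever iteration order the set happened to produce.
        return int(entry.partition("-")[0]), entry

    return sorted(normalised, key=sort_key)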


def get_default_ports(protocol, direction):
    """Look up the hosting panel's default open ports for one list.

    ``protocol`` and ``direction`` index ``HostingPanel().OPEN_PORTS`` in
    that order (e.g. ``"tcp"``, ``"in"``); a KeyError propagates for an
    unknown pair.  The value is whatever the panel object stores — its shape
    is not defined in this file.
    """
    panel = HostingPanel()
    by_direction = panel.OPEN_PORTS[protocol]
    return by_direction[direction]


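def port_in_range(port):
    """Return True when ``port`` (an int or numeric string) lies in 1-65535.

    Port 0 is rejected.  Non-numeric input (``"abc"``, ``None``) yields
    False instead of raising, so the validators built on this can report a
    bad value through the Cerberus error callback rather than abort the
    whole config validation with a ValueError/TypeError.
    """
    try:
        number = int(port)
    except (ValueError, TypeError):
        return False
    return 1 <= number <= 65535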


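def validate_port_in_range(field, value, error):
    """Cerberus ``check_with`` hook: ``value`` must parse as a port in 1-65535.

    Used on the ``port_limits`` keys, which reach here as strings (JSON/YAML
    keys cannot be integers).  Text that ``int()`` cannot parse is reported
    via ``error`` instead of letting the ValueError escape the validator.
    """
    try:
        ok = port_in_range(value)
    except (ValueError, TypeError):
        ok = False
    if not ok:
        # The message now matches the check: 0 is rejected by port_in_range().
        error(field, "Port should be within range 1-65535")
    # NOTE(review): int() also accepts " 80 ", "+80" and non-ASCII digits,
    # and the key is stored as the original text; if a consumer matches the
    # key literally against port numbers, a str.isdigit() check may be wanted.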


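def validate_intable_string(field, value, error):
    """Cerberus ``check_with`` hook: ``value`` must be parseable by ``int()``.

    Used on the MOD_SEC_BLOCK_BY_CUSTOM_RULE keys (ModSecurity rule IDs kept
    as strings because JSON/YAML keys cannot be integers).  TypeError is
    handled together with ValueError so a non-string value is reported via
    ``error`` rather than raised out of the validator.
    """
    try:
        int(value)
    except (ValueError, TypeError):
        error(field, "Value should be int")
    # NOTE(review): int() also accepts "+5", " 5 " and "5_0"; if the stored
    # key text is compared literally with rule IDs downstream, a stricter
    # str.isdigit() check may be wanted — confirm against the consumer.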


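def _validate_is_port_or_range(field, value, error):
    """Cerberus ``check_with`` hook: accept one port or a port range.

    ``value`` is a string holding an ASCII-digit port (``"80"``) or two of
    them joined by ``-`` or ``:`` (``"2-4"``, ``"2:4"``).  Each port must lie
    in 1-65535 and a range must not run backwards.  Problems are reported via
    the Cerberus ``error`` callback, never raised, so one bad entry does not
    abort validation of the rest of the list.
    """
    # fullmatch with [0-9]: re.match plus ``$`` would accept a trailing
    # newline and ``\d`` accepts non-ASCII digits; int() parses both, a
    # firewall backend would not.  The separator class is [:-] — the earlier
    # [:|-] also let a literal ``|`` through as a range separator.
    match = re.fullmatch(r"([0-9]+)(?:[:-]([0-9]+))?", value)
    if match is None:
        error(field, "Port should be integer or range (2-4 or 2:4)")
        return
    start, end = match.groups()

    def in_range(port_text):
        # Same bound as port_in_range(); digits are guaranteed by the regex.
        return 1 <= int(port_text) <= 65535

    if not in_range(start):
        error(field, "Port should be within range 1-65535")
        return
    if end is None:
        return
    if not in_range(end):
        error(field, "Port should be within range 1-65535")
        return
    if int(start) > int(end):
        error(field, "Port range start should not exceed its end")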


def list_of_ports(proto, direction):
    """Build the Cerberus rule for one FIREWALL port list.

    The list holds strings, each checked by ``_validate_is_port_or_range``,
    is normalised and sorted by ``coerce_sort_ports`` before validation, and
    defaults (lazily, via ``default_setter``) to the hosting panel's open
    ports for ``proto``/``direction``.
    """

    def panel_defaults(document):
        # Cerberus passes the document being normalised; it is not needed.
        return get_default_ports(proto, direction)

    item_rules = {
        "type": "string",
        "check_with": _validate_is_port_or_range,
    }
    return {
        "type": "list",
        "schema": item_rules,
        "default_setter": panel_defaults,
        "coerce": coerce_sort_ports,
    }


def proactive_defense_rules(proactive_defense):
    """Cerberus ``coerce`` step for PROACTIVE_DEFENCE: apply the php_immunity rule.

    When ``php_immunity`` is present and truthy the dict is updated in place
    so that ``mode`` is ``"KILL"`` and ``blamer`` is ``True``, overriding
    whatever the operator supplied for those two keys.  Otherwise the dict is
    left untouched.  The same dict object is returned either way.
    """
    if proactive_defense.get("php_immunity"):
        proactive_defense.update(mode="KILL", blamer=True)
    return proactive_defense


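def get_root_config():
    """Return the Cerberus schema for the root (administrator) config sections.

    Every top-level section is a ``dict`` rule with ``"default": {}`` so a
    missing section is still materialised with its inner defaults.  Values
    that arrive as strings (YAML/JSON) are converted only where a rule has
    ``coerce``; sections without it accept the declared type only.  The DOS
    detector bounds and the ENHANCED_DOS default limit share the module
    constants so the two sections cannot drift apart.  ``get_non_root_config``
    below exposes the subset non-root users may set.
    """
    return {
        # Units for the two timeouts are not stated here; 1440 suggests
        # minutes (24h) — TODO confirm against the consumer.
        "AUTO_WHITELIST": {
            "type": "dict",
            "schema": {
                "timeout": {
                    "type": "integer",
                    "coerce": int,
                    "min": 0,
                    "max": 70000,
                    "default": 1440,
                },
                "after_unblock_timeout": {
                    "type": "integer",
                    "coerce": int,
                    "min": 0,
                    "max": 70000,
                    "default": 1440,
                },
            },
            "default": {},
        },
        # Interface names are free-form strings; None means "not pinned".
        "NETWORK_INTERFACE": {
            "type": "dict",
            "schema": {
                "eth_device": {
                    "type": "string",
                    "default": None,
                    "nullable": True,
                },
                "eth6_device": {
                    "type": "string",
                    "default": None,
                    "nullable": True,
                },
                # NOTE(review): no item schema, so any list content passes.
                "eth_device_skip": {"type": "list", "default": []},
            },
            "default": {},
        },
        "FIREWALL": {
            "type": "dict",
            "default": {},
            "schema": {
                "unified_access_logger": {
                    "type": "boolean",
                    "default": True,
                },
                # Default is ALLOW; DENY is the stricter of the two modes.
                "port_blocking_mode": {
                    "type": "string",
                    "default": PORT_BLOCKING_MODE_ALLOW,
                    "allowed": [
                        PORT_BLOCKING_MODE_DENY,
                        PORT_BLOCKING_MODE_ALLOW,
                    ],
                },
                "block_port_scan": {
                    "type": "boolean",
                    "default": False,
                },
                # Port lists: strings like "80" / "2-4" / "2:4", normalised
                # and sorted by coerce_sort_ports, defaulting to the hosting
                # panel's open ports (see list_of_ports).
                "TCP_IN_IPv4": list_of_ports("tcp", "in"),
                "TCP_OUT_IPv4": list_of_ports("tcp", "out"),
                "UDP_IN_IPv4": list_of_ports("udp", "in"),
                "UDP_OUT_IPv4": list_of_ports("udp", "out"),
                # artifact from DEF-17989
                "internal_use_remote_iplist": {
                    "type": "boolean",
                    "default": False,
                },
            },
        },
        "DOS": {
            "type": "dict",
            "schema": {
                # Values below the minimum are clamped by not_less_than()
                # before the "min" rule runs, so they are never rejected.
                "default_limit": {
                    "type": "integer",
                    "coerce": (int, not_less_than(_DOS_DETECTOR_MIN_LIMIT)),
                    "min": _DOS_DETECTOR_MIN_LIMIT,
                    "default": _DOS_DETECTOR_DEFAULT_LIMIT,
                },
                "interval": {
                    "type": "integer",
                    "coerce": (int, not_less_than(_DOS_DETECTOR_MIN_INTERVAL)),
                    # Same constant as the coerce step above (previously a
                    # literal 1 that could drift from it).
                    "min": _DOS_DETECTOR_MIN_INTERVAL,
                    "default": 30,
                },
                # Per-port overrides of default_limit, keyed by port number
                # as a string.
                "port_limits": {
                    "type": "dict",
                    "keysrules": {
                        "type": "string",
                        "coerce": str,
                        "check_with": validate_port_in_range,
                    },
                    "valuesrules": {
                        "type": "integer",
                        "coerce": (
                            int,
                            not_less_than(_DOS_DETECTOR_MIN_LIMIT),
                        ),
                        "min": _DOS_DETECTOR_MIN_LIMIT,
                    },
                    "default": {},
                },
                "enabled": {
                    "type": "boolean",
                    "default": True,
                },
            },
            "default": {},
        },
        "ENHANCED_DOS": {
            "type": "dict",
            "schema": {
                "enabled": {
                    "type": "boolean",
                    "default": False,
                },
                # NOTE(review): unlike DOS, timeframe and default_limit have
                # no "min" and no clamping, so 0 or negative values pass
                # validation — confirm whether that is intended.
                "timeframe": {
                    "type": "integer",
                    "coerce": int,
                    "default": 30,
                },
                "default_limit": {
                    "type": "integer",
                    "coerce": int,
                    # Same value as DOS.default_limit, now via the shared
                    # constant instead of a duplicated literal.
                    "default": _DOS_DETECTOR_DEFAULT_LIMIT,
                },
                "port_limits": {
                    "type": "dict",
                    "keysrules": {
                        # Since JSON/YAML standard doesn't support integer
                        # for the dict keys, we have to make them strings
                        # and do a type casting as needed.
                        "type": "string",
                        "coerce": str,
                        "check_with": validate_port_in_range,
                    },
                    "valuesrules": {
                        "type": "integer",
                        "coerce": (
                            int,
                            not_less_than(_DOS_DETECTOR_MIN_LIMIT),
                        ),
                        "min": _DOS_DETECTOR_MIN_LIMIT,
                    },
                    "default": {},
                },
            },
            "default": {},
        },
        "MOD_SEC": {
            "type": "dict",
            "schema": {
                "app_specific_ruleset": {
                    "type": "boolean",
                    "default": True,
                },
                "ruleset": {
                    "type": "string",
                    "default": MODSEC_RULESET_FULL,
                    "allowed": [MODSEC_RULESET_MINIMAL, MODSEC_RULESET_FULL],
                },
                "cms_account_compromise_prevention": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
                # Opaque string; its format is not defined in this file.
                "prev_settings": {
                    "type": "string",
                    "required": False,
                    "default": "",
                },
            },
            "default": {},
        },
        "MOD_SEC_BLOCK_BY_SEVERITY": {
            "type": "dict",
            "schema": {
                "enable": {
                    "type": "boolean",
                    "default": True,
                },
                "max_incidents": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 2,
                },
                "check_period": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 120,
                },
                # 0-7: presumably the ModSecurity severity scale — confirm.
                "severity_limit": {
                    "type": "integer",
                    "coerce": int,
                    "min": 0,
                    "max": 7,
                    "default": 2,
                },
                "denied_num_limit": {  # FIXME: Depreciated, must be removed.
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 2,
                },
            },
            "default": {},
        },
        # Keyed by ModSecurity rule ID as a string (validate_intable_string);
        # each value carries its own incident threshold and window.
        "MOD_SEC_BLOCK_BY_CUSTOM_RULE": {
            "type": "dict",
            "keysrules": {
                "type": "string",
                "coerce": str,
                "check_with": validate_intable_string,
            },
            "valuesrules": {
                "type": "dict",
                "schema": {
                    "max_incidents": {
                        "type": "integer",
                        "coerce": int,
                        "min": 1,
                        "default": 2,
                    },
                    "check_period": {
                        "type": "integer",
                        "coerce": int,
                        "min": 1,
                        "default": 120,
                    },
                },
            },
            "default": {
                "33332": {"check_period": 120, "max_incidents": 10},
                "33339": {"check_period": 120, "max_incidents": 10},
            },
        },
        "INCIDENT_LOGGING": {
            "type": "dict",
            "schema": {
                "num_days": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 100,
                },
                "limit": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 100000,
                },
                "min_log_level": {
                    "type": "integer",
                    "coerce": int,
                    "min": 0,
                    "default": 4,
                },
                "ui_autorefresh_timeout": {
                    "type": "integer",
                    "coerce": int,
                    "min": 5,
                    "default": 10,
                },
            },
            "default": {},
        },
        # NOTE(review): these port lists are plain integers with no coerce
        # and no 1-65535 check, unlike the FIREWALL lists and port_limits.
        "WEB_SERVICES": {
            "type": "dict",
            "schema": {
                "http_ports": {
                    "type": "list",
                    "schema": {"type": "integer"},
                    "default": [],
                },
                "https_ports": {
                    "type": "list",
                    "schema": {"type": "integer"},
                    "default": [],
                },
            },
            "default": {},
        },
        # NOTE(review): the CAPTCHA / CAPTCHA_DOS integers have neither
        # coerce nor min, so string values are rejected and negatives pass.
        "CAPTCHA": {
            "type": "dict",
            "schema": {
                "cert_refresh_timeout": {"type": "integer", "default": 3600}
            },
            "default": {},
        },
        "CAPTCHA_DOS": {
            "type": "dict",
            "schema": {
                "enabled": {
                    "type": "boolean",
                    "default": True,
                },
                "time_frame": {
                    "type": "integer",
                    "default": 21600,
                },
                "max_count": {"type": "integer", "default": 100},
                "timeout": {"type": "integer", "default": 864000},
            },
            "default": {},
        },
        "BLOCKED_PORTS": {
            "type": "dict",
            "schema": {
                "default_mode": {
                    "type": "string",
                    "default": "allowed",
                    "allowed": ["allowed", "denied"],
                }
            },
            "default": {},
        },
        "STOP_MANAGING": {
            "type": "dict",
            "schema": {
                "modsec_directives": {
                    "type": "boolean",
                    "default": False,
                },
            },
            "default": {},
        },
        # proactive_defense_rules runs after the dict coerce and forces
        # mode=KILL / blamer=True whenever php_immunity is on.
        "PROACTIVE_DEFENCE": {
            "type": "dict",
            "coerce": (dict, proactive_defense_rules),
            "schema": {
                "mode": {
                    "type": "string",
                    "nullable": False,
                    "default": "LOG",
                    "allowed": ["DISABLED", "LOG", "KILL"],
                },
                "blamer": {
                    "type": "boolean",
                    "nullable": False,
                    "default": True,
                },
                "php_immunity": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
            },
            "default": {},
        },
        "WEBSHIELD": {
            "type": "dict",
            "schema": {
                "enable": {"type": "boolean", "default": True},
                "known_proxies_support": {
                    "type": "boolean",
                    "nullable": False,
                    "default": True,
                },
                # The three read-only keys below are kept only so old
                # configs still validate; they carry no default.
                "captcha_site_key": {  # FIXME: Depreciated, must be removed.
                    "type": "string",
                    "nullable": True,
                    "readonly": True,
                },
                "captcha_secret_key": {  # FIXME: Depreciated, must be removed.
                    "type": "string",
                    "nullable": True,
                    "readonly": True,
                },
                "splash_screen": {
                    "type": "boolean",
                    "default": True,
                },
                "invisible_captcha": {  # FIXME: Depreciated, must be removed.
                    "type": "boolean",
                    "nullable": True,
                    "readonly": True,
                },
                "panel_protection": {
                    "type": "boolean",
                    "default": False,
                },
                # NOTE(review): no "allowed" list, so any string is accepted
                # here; the valid modes are not defined in this file.
                "mode": {
                    "type": "string",
                    "default": "proxy",
                },
            },
            "default": {},
        },
        "SCANLOGD": {
            "type": "dict",
            "schema": {
                "enable": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
            },
            "default": {},
        },
        "OSSEC": {
            "type": "dict",
            "schema": {
                "active_response": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                }
            },
            "default": {},
        },
        "CSF_INTEGRATION": {
            "type": "dict",
            "schema": {
                "catch_lfd_events": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                }
            },
            "default": {},
        },
        "PAM": {
            "type": "dict",
            "schema": {
                "enable": {
                    "type": "boolean",
                    "nullable": False,
                    "default": True,
                },
                "exim_dovecot_protection": {
                    "type": "boolean",
                    "nullable": False,
                    "default": True,
                },
                "exim_dovecot_native": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
                "ftp_protection": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
            },
            "default": {},
        },
        "KERNELCARE": {
            "type": "dict",
            "schema": {
                "edf": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
            },
            "default": {},
        },
        "SMTP_BLOCKING": {
            "type": "dict",
            "schema": {
                "enable": {
                    "type": "boolean",
                    "default": False,
                },
                # NOTE(review): ports are coerced to int but not checked
                # against 1-65535 (validate_port_in_range would fit here).
                "ports": {
                    "type": "list",
                    "schema": {
                        "type": "integer",
                        "coerce": int,
                    },
                    "default": [25, 587, 465],
                },
                # Unix user / group names exempt from blocking; free-form.
                "allow_users": {
                    "type": "list",
                    "schema": {
                        "type": "string",
                    },
                    "default": [],
                },
                "allow_groups": {
                    "type": "list",
                    "schema": {
                        "type": "string",
                    },
                    "default": ["mail"],
                },
                "allow_local": {
                    "type": "boolean",
                    "default": False,
                },
                "redirect": {
                    "type": "boolean",
                    "default": False,
                },
            },
            "default": {},
        },
        "CONTROL_PANEL": {
            "type": "dict",
            "schema": {
                "compromised_user_password_reset": {
                    "type": "boolean",
                    "default": False,
                },
                "compromised_user_admin_notification": {
                    "type": "boolean",
                    "default": True,
                },
                # whether to install must use plugin
                "smart_advice_allowed": {
                    "type": "boolean",
                    "default": True,
                },
                # whether to allow advice notifications
                "advice_email_notification": {
                    "type": "boolean",
                    "default": True,
                },
            },
            "default": {},
        },
        "PERMISSIONS": {
            "type": "dict",
            "schema": {
                "allow_local_rules_management": {
                    "type": "boolean",
                    "default": True,
                },
            },
            "default": {},
        },
    }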


def get_non_root_config():
    """Return the Cerberus schema for the sections a non-root user may set.

    Only PROACTIVE_DEFENCE (``mode`` and ``blamer``, no ``php_immunity``) and
    the two CONTROL_PANEL advice flags are exposed.  Every field is
    ``nullable`` here, and the PROACTIVE_DEFENCE fields default to ``None``,
    which differs from the root schema in ``get_root_config``.
    """
    proactive_defence = {
        "type": "dict",
        "schema": {
            "mode": {
                "type": "string",
                "nullable": True,
                "allowed": ["DISABLED", "LOG", "KILL"],
                "default": None,
            },
            "blamer": {
                "type": "boolean",
                "nullable": True,
                "default": None,
            },
        },
        "default": {},
    }

    # Both advice flags share one rule shape; build it once.
    def nullable_flag():
        return {
            "type": "boolean",
            "default": True,
            "nullable": True,
        }

    control_panel = {
        "type": "dict",
        "schema": {
            # whether to install must use plugin
            "smart_advice_allowed": nullable_flag(),
            # whether to allow advice notifications
            "advice_email_notification": nullable_flag(),
        },
        "default": {},
    }

    return {
        "PROACTIVE_DEFENCE": proactive_defence,
        "CONTROL_PANEL": control_panel,
    }
