import functools import re from defence360agent.subsys.panels.hosting_panel import HostingPanel MODSEC_RULESET_FULL = "FULL" MODSEC_RULESET_MINIMAL = "MINIMAL" _DOS_DETECTOR_DEFAULT_LIMIT = 250 _DOS_DETECTOR_MIN_LIMIT = 1 _DOS_DETECTOR_MIN_INTERVAL = 1 PORT_BLOCKING_MODE_DENY = "DENY" PORT_BLOCKING_MODE_ALLOW = "ALLOW" def not_less_than(minimum): return functools.partial(max, minimum) def coerce_sort_ports(value): return sorted( list(set([v.replace(":", "-") for v in value])), key=lambda v: int(v.rsplit("-")[0]), ) def get_default_ports(protocol, direction): return HostingPanel().OPEN_PORTS[protocol][direction] def port_in_range(port): return 1 <= int(port) <= 65535 def validate_port_in_range(field, value, error): if not port_in_range(value): error(field, "Port should be within range 0-65535") def validate_intable_string(field, value, error): try: int(value) except ValueError: error(field, "Value should be int") def _validate_is_port_or_range(field, value, error): """ {'type': 'boolean'} """ ports = re.match(r"^(\d+)([:|-](\d+))?$", value) if not ports: error(field, "Port should be integer or range (2-4 or 2:4)") return if not port_in_range(ports.group(1)): error(field, "Port should be within range 0-65535") return if ports.group(3) is not None and not port_in_range(ports.group(3)): error(field, "Port should be within range 0-65535") return def list_of_ports(proto, direction): return { "type": "list", "schema": { "type": "string", "check_with": _validate_is_port_or_range, }, "default_setter": lambda value: get_default_ports(proto, direction), "coerce": coerce_sort_ports, } def proactive_defense_rules(proactive_defense): if ( "php_immunity" in proactive_defense and proactive_defense["php_immunity"] ): proactive_defense["mode"] = "KILL" proactive_defense["blamer"] = True return proactive_defense def get_root_config(): return { "AUTO_WHITELIST": { "type": "dict", "schema": { "timeout": { "type": "integer", "coerce": int, "min": 0, "max": 70000, "default": 1440, }, 
"after_unblock_timeout": { "type": "integer", "coerce": int, "min": 0, "max": 70000, "default": 1440, }, }, "default": {}, }, "NETWORK_INTERFACE": { "type": "dict", "schema": { "eth_device": { "type": "string", "default": None, "nullable": True, }, "eth6_device": { "type": "string", "default": None, "nullable": True, }, "eth_device_skip": {"type": "list", "default": []}, }, "default": {}, }, "FIREWALL": { "type": "dict", "default": {}, "schema": { "unified_access_logger": { "type": "boolean", "default": True, }, "port_blocking_mode": { "type": "string", "default": PORT_BLOCKING_MODE_ALLOW, "allowed": [ PORT_BLOCKING_MODE_DENY, PORT_BLOCKING_MODE_ALLOW, ], }, "block_port_scan": { "type": "boolean", "default": False, }, "TCP_IN_IPv4": list_of_ports("tcp", "in"), "TCP_OUT_IPv4": list_of_ports("tcp", "out"), "UDP_IN_IPv4": list_of_ports("udp", "in"), "UDP_OUT_IPv4": list_of_ports("udp", "out"), # artifact from DEF-17989 "internal_use_remote_iplist": { "type": "boolean", "default": False, }, }, }, "DOS": { "type": "dict", "schema": { "default_limit": { "type": "integer", "coerce": (int, not_less_than(_DOS_DETECTOR_MIN_LIMIT)), "min": _DOS_DETECTOR_MIN_LIMIT, "default": _DOS_DETECTOR_DEFAULT_LIMIT, }, "interval": { "type": "integer", "coerce": (int, not_less_than(_DOS_DETECTOR_MIN_INTERVAL)), "min": 1, "default": 30, }, "port_limits": { "type": "dict", "keysrules": { "type": "string", "coerce": str, "check_with": validate_port_in_range, }, "valuesrules": { "type": "integer", "coerce": ( int, not_less_than(_DOS_DETECTOR_MIN_LIMIT), ), "min": _DOS_DETECTOR_MIN_LIMIT, }, "default": {}, }, "enabled": { "type": "boolean", "default": True, }, }, "default": {}, }, "ENHANCED_DOS": { "type": "dict", "schema": { "enabled": { "type": "boolean", "default": False, }, "timeframe": { "type": "integer", "coerce": int, "default": 30, }, "default_limit": { "type": "integer", "coerce": int, "default": 250, }, "port_limits": { "type": "dict", "keysrules": { # Since JSON/YAML standard 
doesn't support integer # for the dict keys, we have to make them strings # and do a type casting as needed. "type": "string", "coerce": str, "check_with": validate_port_in_range, }, "valuesrules": { "type": "integer", "coerce": ( int, not_less_than(_DOS_DETECTOR_MIN_LIMIT), ), "min": _DOS_DETECTOR_MIN_LIMIT, }, "default": {}, }, }, "default": {}, }, "MOD_SEC": { "type": "dict", "schema": { "app_specific_ruleset": { "type": "boolean", "default": True, }, "ruleset": { "type": "string", "default": MODSEC_RULESET_FULL, "allowed": [MODSEC_RULESET_MINIMAL, MODSEC_RULESET_FULL], }, "cms_account_compromise_prevention": { "type": "boolean", "nullable": False, "default": False, }, "prev_settings": { "type": "string", "required": False, "default": "", }, }, "default": {}, }, "MOD_SEC_BLOCK_BY_SEVERITY": { "type": "dict", "schema": { "enable": { "type": "boolean", "default": True, }, "max_incidents": { "type": "integer", "coerce": int, "min": 1, "default": 2, }, "check_period": { "type": "integer", "coerce": int, "min": 1, "default": 120, }, "severity_limit": { "type": "integer", "coerce": int, "min": 0, "max": 7, "default": 2, }, "denied_num_limit": { # FIXME: Depreciated, must be removed. 
"type": "integer", "coerce": int, "min": 1, "default": 2, }, }, "default": {}, }, "MOD_SEC_BLOCK_BY_CUSTOM_RULE": { "type": "dict", "keysrules": { "type": "string", "coerce": str, "check_with": validate_intable_string, }, "valuesrules": { "type": "dict", "schema": { "max_incidents": { "type": "integer", "coerce": int, "min": 1, "default": 2, }, "check_period": { "type": "integer", "coerce": int, "min": 1, "default": 120, }, }, }, "default": { "33332": {"check_period": 120, "max_incidents": 10}, "33339": {"check_period": 120, "max_incidents": 10}, }, }, "INCIDENT_LOGGING": { "type": "dict", "schema": { "num_days": { "type": "integer", "coerce": int, "min": 1, "default": 100, }, "limit": { "type": "integer", "coerce": int, "min": 1, "default": 100000, }, "min_log_level": { "type": "integer", "coerce": int, "min": 0, "default": 4, }, "ui_autorefresh_timeout": { "type": "integer", "coerce": int, "min": 5, "default": 10, }, }, "default": {}, }, "WEB_SERVICES": { "type": "dict", "schema": { "http_ports": { "type": "list", "schema": {"type": "integer"}, "default": [], }, "https_ports": { "type": "list", "schema": {"type": "integer"}, "default": [], }, }, "default": {}, }, "CAPTCHA": { "type": "dict", "schema": { "cert_refresh_timeout": {"type": "integer", "default": 3600} }, "default": {}, }, "CAPTCHA_DOS": { "type": "dict", "schema": { "enabled": { "type": "boolean", "default": True, }, "time_frame": { "type": "integer", "default": 21600, }, "max_count": {"type": "integer", "default": 100}, "timeout": {"type": "integer", "default": 864000}, }, "default": {}, }, "BLOCKED_PORTS": { "type": "dict", "schema": { "default_mode": { "type": "string", "default": "allowed", "allowed": ["allowed", "denied"], } }, "default": {}, }, "STOP_MANAGING": { "type": "dict", "schema": { "modsec_directives": { "type": "boolean", "default": False, }, }, "default": {}, }, "PROACTIVE_DEFENCE": { "type": "dict", "coerce": (dict, proactive_defense_rules), "schema": { "mode": { "type": "string", 
"nullable": False, "default": "LOG", "allowed": ["DISABLED", "LOG", "KILL"], }, "blamer": { "type": "boolean", "nullable": False, "default": True, }, "php_immunity": { "type": "boolean", "nullable": False, "default": False, }, }, "default": {}, }, "WEBSHIELD": { "type": "dict", "schema": { "enable": {"type": "boolean", "default": True}, "known_proxies_support": { "type": "boolean", "nullable": False, "default": True, }, "captcha_site_key": { # FIXME: Depreciated, must be removed. "type": "string", "nullable": True, "readonly": True, }, "captcha_secret_key": { # FIXME: Depreciated, must be removed. "type": "string", "nullable": True, "readonly": True, }, "splash_screen": { "type": "boolean", "default": True, }, "invisible_captcha": { # FIXME: Depreciated, must be removed. "type": "boolean", "nullable": True, "readonly": True, }, "panel_protection": { "type": "boolean", "default": False, }, "mode": { "type": "string", "default": "proxy", }, }, "default": {}, }, "SCANLOGD": { "type": "dict", "schema": { "enable": { "type": "boolean", "nullable": False, "default": False, }, }, "default": {}, }, "OSSEC": { "type": "dict", "schema": { "active_response": { "type": "boolean", "nullable": False, "default": False, } }, "default": {}, }, "CSF_INTEGRATION": { "type": "dict", "schema": { "catch_lfd_events": { "type": "boolean", "nullable": False, "default": False, } }, "default": {}, }, "PAM": { "type": "dict", "schema": { "enable": { "type": "boolean", "nullable": False, "default": True, }, "exim_dovecot_protection": { "type": "boolean", "nullable": False, "default": True, }, "exim_dovecot_native": { "type": "boolean", "nullable": False, "default": False, }, "ftp_protection": { "type": "boolean", "nullable": False, "default": False, }, }, "default": {}, }, "KERNELCARE": { "type": "dict", "schema": { "edf": { "type": "boolean", "nullable": False, "default": False, }, }, "default": {}, }, "SMTP_BLOCKING": { "type": "dict", "schema": { "enable": { "type": "boolean", "default": 
False, }, "ports": { "type": "list", "schema": { "type": "integer", "coerce": int, }, "default": [25, 587, 465], }, "allow_users": { "type": "list", "schema": { "type": "string", }, "default": [], }, "allow_groups": { "type": "list", "schema": { "type": "string", }, "default": ["mail"], }, "allow_local": { "type": "boolean", "default": False, }, "redirect": { "type": "boolean", "default": False, }, }, "default": {}, }, "CONTROL_PANEL": { "type": "dict", "schema": { "compromised_user_password_reset": { "type": "boolean", "default": False, }, "compromised_user_admin_notification": { "type": "boolean", "default": True, }, # whether to install must use plugin "smart_advice_allowed": { "type": "boolean", "default": True, }, # whether to allow advice notifications "advice_email_notification": { "type": "boolean", "default": True, }, }, "default": {}, }, "PERMISSIONS": { "type": "dict", "schema": { "allow_local_rules_management": { "type": "boolean", "default": True, }, }, "default": {}, }, } def get_non_root_config(): return { "PROACTIVE_DEFENCE": { "type": "dict", "schema": { "mode": { "type": "string", "nullable": True, "allowed": ["DISABLED", "LOG", "KILL"], "default": None, }, "blamer": { "type": "boolean", "nullable": True, "default": None, }, }, "default": {}, }, "CONTROL_PANEL": { "type": "dict", "schema": { # whether to install must use plugin "smart_advice_allowed": { "type": "boolean", "default": True, "nullable": True, }, # whether to allow advice notifications "advice_email_notification": { "type": "boolean", "default": True, "nullable": True, }, }, "default": {}, }, }