def do_api(self, msg, sender): """ API ENTRY """ try: if not self.check_auth(sender): raise Exception('no authority') rules = self.GRAC.data_center.get_json_rules() if not rules: raise Exception('not ready yet') letter = msg['letter'] fname = letter['func_name'] if not fname in self.api_list: raise Exception('unknown function name') getattr(self, fname)(msg) except Exception as e: self.logger.error(grac_format_exc()) self.make_response(msg, API_ERROR, str(e)) except: e = grac_format_exc() self.logger.error(e) self.make_response(msg, API_ERROR, 'INTERNAL ERROR') return json.dumps(msg)
def save_printers(self): """ 사용하고 있는 프린터 정보를 저장. """ try: printers = self._conn.getPrinters() if len(printers) <= 0: return except: self.logger.error(grac_format_exc()) return backup_path = META_FILE_PRINTER_BACKUP_PATH os.makedirs(backup_path, exist_ok=True) with open(backup_path + '/' + META_FILE_PRINTER_LIST, 'w') as f: for printer_name, v in printers.items(): try: uri = v['device-uri'] ppd = self._conn.getPPD(printer_name) with open(ppd) as f2: with open(backup_path + '/' + printer_name, 'w') as f3: f3.write(f2.read()) f.write('{}{}{}\n'.format(printer_name, GRAC_PRINTER_DELIM, uri)) except: self.logger.error(grac_format_exc())
def reload(self, args): """ reload """ try: self.logger.info('GRAC RELOADING BY DBUS') try: self.check_cert() except: self.logger.error(grac_format_exc()) self.data_center.show() #SOUND/MICROPHONE INOTIFY THREAD try: if not self.data_center.sound_mic_inotify: self.data_center.sound_mic_inotify = \ SoundMicInotify(self.data_center) self.data_center.sound_mic_inotify.WM = \ self.start_sound_mic_inotify(self.data_center) else: self.reload_snd_mic_dev( self.data_center.sound_mic_inotify.WM) except: self.logger.error(grac_format_exc()) #CLIPBOARD ''' try: if not self.clipboard_init: self.clipboard_init = True self.start_clipboard_handler(self.data_center) except: self.logger.error(grac_format_exc()) ''' if self.udev_dispatcher: self.udev_dispatcher.stop_monitor() self.synchronize_json_rule_and_device() self.udev_dispatcher.start_monitor() if self.grac_printer: self.grac_printer.reload() if self.grac_network: self.grac_network.reload() self.logger.info('GRAC RELOADED BY DBUS') except: self.logger.error(grac_format_exc()) return GRAC_OK
def stop(self, args): """ dbus stop """ try: self.logger.info('GRAC STOPPING BY DBUS') if self.udev_dispatcher: self.udev_dispatcher.stop_monitor() if self.grac_printer: self.grac_printer.teardown() if self._loop and self._loop.is_running(): self._loop.quit() self.logger.info('GRAC STOPPED BY DBUS') except: e = grac_format_exc() self.logger.error(e) return e return GRAC_OK
def rescan_pci(self): """ rescan pci devices """ try: if os.path.exists(META_FILE_PCI_RESCAN): ''' with open(META_FILE_PCI_RESCAN, 'r') as f: lines = f.read().split('\n') for line in lines: if not line: continue media, path = line.split('=>') parent_path = '/'.join(path.split('/')[:-2]) if os.path.exists(parent_path+'/rescan'): with open(parent_path+'/rescan', 'w') as f2: f2.write('1') self.logger.info( 'rescan media={}:parent_path={}'.format( media, parent_path)) ''' with open('/sys/bus/pci/rescan', 'w') as f: f.write('1') os.unlink(META_FILE_PCI_RESCAN) self.logger.info('---rescan pci---') except: self.logger.error(grac_format_exc())
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() try: mode = param[0] authorized_path = search_file_reversely('/sys/' + param[1], 'authorized', REVERSE_LOOKUP_LIMIT) with open(authorized_path, 'w') as f: f.write('0') logger.info('mode has changed to {}'.format(mode)) logger.debug('***** DVD MODULE disallow {}'.format(param[1])) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_CD_DVD, mode) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) write_event_log( SOMANSA, datetime.datetime.now().strftime('%Y%m%d %H:%M:%S'), JSON_RULE_CD_DVD, SOMANSA_STATE_DISALLOW, 'null', 'null', 'null', 'null') except: e = grac_format_exc() logger.error(e) return GRAC_OK
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() try: mode = param[0] #skeep 'event' of mouse events #for processing task once if 'event' in param[1].split('/')[-1]: return GRAC_OK bConfigurationValue_path = search_file_reversely( '/sys/' + param[1], 'bConfigurationValue', REVERSE_LOOKUP_LIMIT) with open(bConfigurationValue_path, 'w') as f: f.write('0') logger.info('mode has changed to {}'.format(mode)) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_MOUSE, mode) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) except: e = grac_format_exc() logger.error(e) return GRAC_OK
def _watch_printers(self): """ thread target """ while True: if self._watchdog_dead: break if self._watchdog_bark_on: try: printers = self._conn.getPrinters() for printer_name in printers: self._conn.deletePrinter(printer_name) self.logger.debug( '(watch) delete printer({})'.format(printer_name)) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_PRINTER, JSON_RULE_DISALLOW) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, self.data_center) except: self.logger.error(grac_format_exc()) time.sleep(1)
def reload(self): """ grac reload """ self.logger.info('reloading') try: #printer state is allow or not json_rules = self.data_center.get_json_rules() v = json_rules[JSON_RULE_PRINTER] state = None if isinstance(v, str): state = v else: state = v[JSON_RULE_STATE] if state == JSON_RULE_ALLOW: self.stop_watching() self.load_and_add_printers() self.start_cups_browsed() else: self.stop_cups_browsed() self.save_printers() self.delete_printers() self.start_to_watch() except: self.logger.error(grac_format_exc()) self.logger.info('reloaded')
def get_usb_network_port_blacklist(self): """ get usb network whitelist regex """ usb_port_blacklist = '/usb[0-9]*/' try: block_usb_regex = re.compile('/usb[0-9]*/') whitelist = self._usb_network_whitelist ports = None for k, v in whitelist.items(): if k.strip().lower() == 'usbbus': ports = [int(n) for n in v.strip().split(',') if n] break if not ports: return usb_port_blacklist if ports: black = '' for n in range(10): if n in ports: continue black += str(n) if not black: return None return '/usb[{}]*/'.format(black) except: self.logger.error(grac_format_exc()) return usb_port_blacklist
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() try: mode = param[0] bConfigurationValue_path = search_file_reversely( '/sys/' + param[1], 'bConfigurationValue', REVERSE_LOOKUP_LIMIT) with open(bConfigurationValue_path, 'w') as f: f.write('0') with open('{}/{}.bcvp'.format(META_ROOT, JSON_RULE_CAMERA), 'w') as f2: f2.write(bConfigurationValue_path) logger.info('mode has changed to {}'.format(mode)) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_CAMERA, mode) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) except: e = grac_format_exc() logger.error(e) return GRAC_OK
def load_and_add_printers(self): """ 저장되어 있는 프린터정보를 이용해서 프린터 추가 """ backup_path = META_FILE_PRINTER_BACKUP_PATH if not os.path.exists(backup_path): return printer_list = backup_path + '/' + META_FILE_PRINTER_LIST if not os.path.exists(printer_list): return with open(printer_list) as f: try: for print_info in f.readlines(): print_name, uri = print_info.split(GRAC_PRINTER_DELIM) ppd = cups.PPD(backup_path + '/' + print_name) self._conn.addPrinter(print_name, device=uri, ppd=ppd) self._conn.enablePrinter(print_name) self._conn.acceptJobs(print_name) except: self.logger.error(grac_format_exc()) shutil.rmtree(backup_path)
def dns_resolver(self, domain): """ dns resolver """ try: import DNS req = DNS.DnsRequest(domain, qtype='A').req().answers return [r['data'] for r in req if r['typename'] == 'A'] except: self.logger.error(grac_format_exc()) return []
def stop_cups_browsed(self): """ stop cups-browsed.service """ try: bus = dbus.SystemBus() systemd1 = bus.get_object(SD_BUS_NAME, SD_BUS_OBJ) manager = dbus.Interface(systemd1, dbus_interface=SD_BUS_IFACE) manager.StopUnit('cups-browsed.service', "fail") except: self.logger.error(grac_format_exc())
def delete_printers(self): """ 사용하고 있는 프린터를 삭제 """ try: printers = self._conn.getPrinters() if len(printers) <= 0: return except: self.logger.error(grac_format_exc()) return for printer_name in printers: try: self._conn.deletePrinter(printer_name) self.logger.debug('delete printer({})'.format(printer_name)) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_PRINTER, JSON_RULE_DISALLOW) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, self.data_center) except: self.logger.error(grac_format_exc())
def do_api(self, args, sender=None): """ media api method """ try: msg = json.loads(args) api = GracApi(self) return api.do_api(msg, sender) except: e = grac_format_exc() self.logger.error(e) return args
def get_login_username(self): """ get login username """ try: login_id, _ = catch_user_id() if login_id and login_id[0] == '-': login_id = None except: login_id = None self.logger.error(grac_format_exc()) return login_id
def ip_type(self, ip): """ check ipv4 | ipv6 | domain """ try: ip = ip.split('/')[0] it = ipaddress.ip_address(ip) if isinstance(it, ipaddress.IPv4Address): return 'v4' return 'v6' except: #not checking value self.logger.info(grac_format_exc()) return 'domain'
def get_username_with_uid(self, pid): """ get username with uid of the process that have called api """ try: with open('/proc/{}/status'.format(pid)) as f: for l in f.readlines(): if l.startswith('Uid:'): uid = int(l.split()[1]) return pwd.getpwuid(uid).pw_name except: self.logger.error(grac_format_exc()) return None
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() try: mode = param[0] if mode == JSON_RULE_DISALLOW: devpath = param[1] #################### WHITE LIST #################### usb_port_blacklist = \ data_center.get_usb_network_port_blacklist() logger.debug( '(UNW MOD) usb_port_blacklist={}'.format(usb_port_blacklist)) if not usb_port_blacklist: logger.info('(UNW MOD) blacklist is empty') return block_usb_regex = re.compile(usb_port_blacklist) if not block_usb_regex.search(devpath): logger.info('(UNW MOD) path={} not in blacklist={}'.format( devpath, usb_port_blacklist)) return ################################################### authorized_path = search_file_reversely('/sys/' + devpath, 'authorized', REVERSE_LOOKUP_LIMIT) with open(authorized_path, 'w') as f: f.write('0') logger.info('mode has changed to {}'.format(mode)) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_USB_NETWORK, mode) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) logger.debug('***** USB NETWORK MODULE disallow {}'.format( param[1])) except: e = grac_format_exc() GracLog.get_logger().error(e) logger.error(e) return GRAC_OK
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() try: mode = param[0] remove_path = search_file_reversely('/sys/' + param[1], 'remove', REVERSE_LOOKUP_LIMIT) #v2.0 if not os.path.exists(remove_path): logger.error('(wireless) REMOVE NOT FOUND') return with open(remove_path, 'w') as f: f.write('1') if os.path.exists(remove_path): remove_second = '/'.join(remove_path.split('/')[:-2]) + '/remove' if not os.path.exists(remove_second): logger.error('(wireless) FAIL TO REMOVE 1') return else: with open(remove_second, 'w') as sf: sf.write('1') if os.path.exists(remove_path): logger.error('(wireless) FAIL TO REMOVE 2') return with open(META_FILE_PCI_RESCAN, 'a') as f2: f2.write('wireless=>{}'.format(remove_path)) logger.info('mode has changed to {}'.format(mode)) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_WIRELESS, mode) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) write_event_log(SOMANSA, datetime.datetime.now().strftime('%Y%m%d %H:%M:%S'), JSON_RULE_WIRELESS, SOMANSA_STATE_DISALLOW, 'null', 'null', 'null', 'null') except: e = grac_format_exc() logger.error(e) return GRAC_OK
def clipboard_handler(self, *args): """ clipboard handler """ try: #CHECK EXTENSION(screencapture/clipboard) if os.path.exists(EXTENSION_FULLPATH): return data_center = args[2] clipboard_rule = data_center.get_media_state(JSON_RULE_CLIPBOARD) if clipboard_rule == JSON_RULE_ALLOW: return clip = args[0] if clip.wait_is_text_available() and clip.wait_for_text(): Gtk.Clipboard.set_text(clip, "", 0) Gtk.Clipboard.clear(clip) GracLog.get_logger().info('clipboard text blocked') logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_CLIPBOARD, clipboard_rule) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) #, flag=RED_ALERT_ALERTONLY) elif clip.wait_is_image_available() and clip.wait_for_image(): new_pb = gi.repository.GdkPixbuf.Pixbuf() Gtk.Clipboard.set_image(clip, new_pb) Gtk.Clipboard.clear(clip) GracLog.get_logger().info('clipboard image blocked') logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_CLIPBOARD, clipboard_rule) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) #, flag=RED_ALERT_ALERTONLY) elif clip.wait_is_rich_text_available(Gtk.TextBuffer()) \ and clip.wait_for_rich_text(): Gtk.Clipboard.clear(clip) GracLog.get_logger().info('clipboard rich blocked') elif clip.wait_is_uris_available() and clip.wait_for_uris(): Gtk.Clipboard.clear(clip) GracLog.get_logger().info('clipboard uris blocked') except: GracLog.get_logger().error(grac_format_exc())
def synchronize_json_rule_and_device(self): """ json rule의 모드와 장치의 모드가 다를 경우 동기화 """ self.rescan_pci() json_rules = self.data_center.get_json_rules() for k, v in json_rules.items(): try: media_name = k media_type = None for sm in GracSynchronizer.supported_media: if media_name == sm[0]: media_type = sm[1] break else: continue if media_type == MC_TYPE_NOSYNC: continue state = v if isinstance(state, dict): state = state[JSON_RULE_STATE] if media_type != MC_TYPE_ALLOWSYNC and state == JSON_RULE_ALLOW: if media_type == MC_TYPE_BCONFIG: GracSynchronizer.recover_bConfigurationValue( media_name) continue self.logger.debug('evaluating sync_{}()'.format(media_name)) eval( 'GracSynchronizer.sync_{}(state, self.data_center)'.format( media_name)) except: self.logger.error(grac_format_exc())
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() try: if data_center.sound_mic_inotify: wm = data_center.sound_mic_inotify.WM dev_snd_path = "/dev/snd/" file_list = os.listdir(dev_snd_path) for control_file in file_list: if control_file.find("control") is not -1: idx = control_file.split("controlC") wm.add_watch(dev_snd_path + control_file, pyinotify.IN_ACCESS, rec=True) except: logger.error(grac_format_exc()) return GRAC_OK
def load_json_rules(self): """ load user|default rules file """ default_json_rules_path = self.conf.get( 'MAIN', 'GRAC_DEFAULT_JSON_RULES_PATH') user_json_rules_path = self.conf.get('MAIN', 'GRAC_USER_JSON_RULES_PATH') json_rules_path = None if os.path.exists(user_json_rules_path): json_rules_path = user_json_rules_path try: verify_rule(json_rules_path) m = 'The signature verification of the policy file was successful' self.logger.info('{}: {}'.format(json_rules_path, m)) red_alert2(m, '', JLEVEL_DEFAULT_SHOW, GRMCODE_SIGNATURE_SUCCESS, self, flag=RED_ALERT_JOURNALONLY) except: json_rules_path = default_json_rules_path self.logger.error(grac_format_exc()) m = 'The signature verification of the policy file failed' self.logger.info('{}: {}: opening default'.format( json_rules_path, m)) red_alert2(m, '서명 검증 실패', JLEVEL_DEFAULT_NOTI, GRMCODE_SIGNATURE_FAIL, self) else: json_rules_path = default_json_rules_path with open(json_rules_path) as f: json_rules = json.loads(f.read().strip('\n')) return json_rules
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() try: mode = param[0] authorized_path = search_file_reversely('/sys/' + param[1], 'authorized', REVERSE_LOOKUP_LIMIT) with open(authorized_path, 'w') as f: f.write('0') logger.info('mode has changed to {}'.format(mode)) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_PRINTER, mode) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) logger.debug('***** PRINTER MODULE disallow {}'.format(param[1])) except: e = grac_format_exc() logger.error(e) return GRAC_OK
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() if not bluetooth_exists(): logger.error('bluetooth controller not found') return GRAC_OK try: mode = param[0] unique = param[1].strip() if param[1] else param[1] name = param[2].strip() if param[2] else param[2] mac = '' if unique: mac = unique elif name: name = name.upper() delim_cnt = 0 num_cnt = 0 for n in name: if n == '.' or n == ':': delim_cnt += 1 continue if ord(n) >= ord('0') and ord(n) <= ord('9'): num_cnt += 1 continue if ord(n) >= ord('A') and ord(n) <= ord('F'): num_cnt += 1 continue break else: if (delim_cnt == 0 or delim_cnt == 5) and num_cnt == 12: mac = name if not mac: raise Exception('!! bluetooth mac not found') mac = mac.replace('.', ':').strip('\n').upper() for m in data_center.get_bluetooth_whitelist(): if m.upper() == mac: logger.info('mac({}) is in whitelist'.format(mac)) return GRAC_OK p1 = subprocess.Popen( ['echo', '-e', 'disconnect {}\nquit'.format(mac)], stdout=subprocess.PIPE) p2 = subprocess.Popen(['bluetoothctl'], stdin=p1.stdout, stdout=subprocess.PIPE, stderr=subprocess.PIPE) p1.stdout.close() logger.info(p2.communicate()[0].decode('utf8')) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_BLUETOOTH, mode) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) write_event_log(SOMANSA, datetime.datetime.now().strftime('%Y%m%d %H:%M:%S'), JSON_RULE_BLUETOOTH, SOMANSA_STATE_DISALLOW, 'null', 'null', 'null', 'null') except: e = grac_format_exc() logger.error(e) return GRAC_OK
def reload(self): """ reload """ try: json_rules = self.data_center.get_json_rules() network_json = json_rules[JSON_RULE_NETWORK] #ADDING VERSION PROCESS server_version = '1.0' if isinstance(network_json, str): policy_state = network_json else: policy_state = network_json[JSON_RULE_NETWORK_STATE] if 'version' in network_json: server_version = network_json[JSON_RULE_NETWORK_VERSION] if server_version.startswith('2.'): self.now_v2_x(policy_state, network_json) return #flush self.flush_chain() self.flush_chain() #policy to accept self.set_chain_policy(JSON_RULE_NETWORK_ACCEPT) #rules if isinstance(network_json, str) \ or not JSON_RULE_NETWORK_RULES in network_json: self.set_chain_policy(policy_state) return rules_json = network_json[JSON_RULE_NETWORK_RULES] rules_json.reverse() for rule_json in rules_json: ip = rule_json[JSON_RULE_NETWORK_IPADDRESS] if ip: ip = ip.strip() direction_org = rule_json[JSON_RULE_NETWORK_DIRECTION].lower() rule_state = rule_json[JSON_RULE_NETWORK_STATE].lower() directions = None if direction_org == JSON_RULE_NETWORK_ALLBOUND: directions = (JSON_RULE_NETWORK_INBOUND, JSON_RULE_NETWORK_OUTBOUND) else: directions = (direction_org, None) for direction in directions: if not direction: continue #SERVER VERSION 1.0 if server_version.startswith('1.0'): if JSON_RULE_NETWORK_PORTS in rule_json: ports_json = rule_json[JSON_RULE_NETWORK_PORTS] else: ports_json = [] #no ports if len(ports_json) == 0: rule = self.create_rule(rule_state, ip) self.insert_rule(rule, direction, ip, None) continue #ports for port_json in ports_json: rule = self.create_rule(rule_state, ip) protocol = port_json[JSON_RULE_NETWORK_PROTOCOL] rule.protocol = protocol if protocol != 'icmp': src_ports = self.ranged_ports_to_string( port_json[JSON_RULE_NETWORK_SRC_PORT]) dst_ports = self.ranged_ports_to_string( port_json[JSON_RULE_NETWORK_DST_PORT]) if src_ports and len(src_ports) > 0 and src_ports[0]: self.logger.debug('src ports={}'.format(src_ports)) sp_match = iptc.Match(rule, 'multiport') sp_match.sports = src_ports rule.add_match(sp_match) if dst_ports and len(dst_ports) > 0 and dst_ports[0]: self.logger.debug('dst prots={}'.format(dst_ports)) dp_match = iptc.Match(rule, 'multiport') dp_match.dports = dst_ports rule.add_match(dp_match) self.insert_rule(rule, direction, ip, protocol) #SERVER VERSION NOT 1.0 else: protocol = rule_json[JSON_RULE_NETWORK_PROTOCOL].lower() #ICMP HERE if protocol == 'icmp': rule = self.create_rule(rule_state, ip) rule.protocol = protocol self.insert_rule(rule, direction, ip, protocol) continue elif not protocol: rule = self.create_rule(rule_state, ip) self.insert_rule(rule, direction, ip, None) continue src_ports = rule_json[JSON_RULE_NETWORK_SRC_PORTS] dst_ports = rule_json[JSON_RULE_NETWORK_DST_PORTS] #no ports if not src_ports and not dst_ports: rule = self.create_rule(rule_state, ip) rule.protocol = protocol self.insert_rule(rule, direction, ip, None) continue #ports rule = self.create_rule(rule_state, ip) rule.protocol = protocol if src_ports: src_ports = \ self.ranged_ports_to_string(src_ports.split(',')) sp_match = iptc.Match(rule, 'multiport') sp_match.sports = src_ports rule.add_match(sp_match) if dst_ports: dst_ports = \ self.ranged_ports_to_string(dst_ports.split(',')) sp_match = iptc.Match(rule, 'multiport') sp_match.dports = dst_ports rule.add_match(sp_match) self.insert_rule(rule, direction, ip, protocol) self.set_chain_policy(policy_state) except: self.logger.error(grac_format_exc())
def now_v2_x(self, policy_state, network_json): """ processing more than v2.x with raw input """ if not isinstance(network_json, str) and JSON_RULE_NETWORK_RULES in network_json: rules = network_json[JSON_RULE_NETWORK_RULES] rules = [(int(rule['seq']), 'MENUAL', rule) for rule in rules] else: rules = [] if not isinstance(network_json, str) and JSON_RULE_NETWORK_RULES_RAW in network_json: rules_law = network_json[JSON_RULE_NETWORK_RULES_RAW] rules_law = [(int(rule_law['seq']), 'RAW', rule_law) for rule_law in rules_law] else: rules_law = [] rules_all = sorted(rules+rules_law, key=lambda i:i[0]) with open(GRAC_IPTABLES_SV_PATH, 'w') as f: f.write('/usr/sbin/iptables-legacy -F\n') f.write('/usr/sbin/iptables-legacy -P INPUT {}\n'.format(policy_state.upper())) f.write('/usr/sbin/iptables-legacy -P OUTPUT {}\n'.format(policy_state.upper())) f.write('/usr/sbin/iptables-legacy -P FORWARD {}\n'.format(policy_state.upper())) for rule in rules_all: try: if rule[1] == 'MENUAL': l = rule[2] direction = l['direction'] protocol = l['protocol'] ipaddress = l['ipaddress'] src_ports = l['src_ports'] dst_ports = l['dst_ports'] state = l['state'] if direction.lower() == 'all': directions = ('INPUT', 'OUTPUT') else: directions = (direction.upper(),) for di in directions: s = '' s += '-A {}'.format(di) s += ' -p {}'.format(protocol) if ipaddress: if di == 'INPUT': s += ' -s {}'.format(ipaddress) else: s += ' -d {}'.format(ipaddress) if src_ports and protocol != 'icmp': if protocol.lower() != 'icmp': s += ' -m multiport' s += ' --sports {}'.format(src_ports) if dst_ports and protocol != 'icmp': if protocol.lower() != 'icmp': s += ' -m multiport' s += ' --dports {}'.format(dst_ports) s += ' -j {}'.format(state.upper()) f.write('/usr/sbin/iptables-legacy ' +s+'\n') else: f.write('/usr/sbin/iptables-legacy ' + rule[2]['cmd']+'\n') except: self.logger.error(grac_format_exc()) p0 = subprocess.Popen( ['/bin/bash', GRAC_IPTABLES_SV_PATH], stdout=subprocess.PIPE, stderr=subprocess.PIPE) pp_out, pp_err = p0.communicate() if pp_err: self.logger.error(pp_err.decode('utf8'))
def do_task(param, data_center): """ do task """ logger = GracLog.get_logger() try: mode = param[0] serial = param[2].strip() if param[2] else '' #whitelist if serial: #param[2]: #serial = param[2].strip('\n') for s in data_center.get_usb_memory_whitelist(): if s == serial: logger.info('serial({}) is in whitelist'.format(serial)) #usb whitelist register signal signal_msg = ['except', '103', 'already in whitelist'] data_center.GRAC.media_usb_info(','.join(signal_msg)) return GRAC_OK #usb whitelist register signal product = param[3].strip() if param[3] else '' vendor = param[4].strip() if param[4] else '' model = param[5].strip() if param[5] else '' user_id, _ = catch_user_id() if not user_id or user_id[0] == '-': signal_msg = ['except', '101', 'not login'] if user_id[0] == '+': signal_msg = ['except', '102', 'local user not supported'] else: signal_msg = [ 'normal', user_id, serial, '', product, '', vendor, model ] data_center.GRAC.media_usb_info(','.join(signal_msg)) else: signal_msg = ['except', '104', 'serial not found'] data_center.GRAC.media_usb_info(','.join(signal_msg)) if mode == JSON_RULE_DISALLOW: devpath = param[1] authorized_path = search_file_reversely('/sys/' + devpath, 'authorized', REVERSE_LOOKUP_LIMIT) with open(authorized_path, 'w') as f: f.write('0') logger.info('mode has changed to {}'.format(mode)) logmsg, notimsg, grmcode = \ make_media_msg(JSON_RULE_USB_MEMORY, mode) red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center) write_event_log( SOMANSA, datetime.datetime.now().strftime('%Y%m%d %H:%M:%S'), JSON_RULE_USB_MEMORY, SOMANSA_STATE_DISALLOW, 'null', 'null', 'null', 'null') logger.debug('***** USB MODULE disallow {}'.format(param[1])) elif mode == JSON_RULE_READONLY: devnode = '/dev/' + param[1] thr = threading.Thread(target=remount_thread, args=(devnode, mode, data_center)) thr.daemon = True thr.start() logger.info('{} mode is changing to {}'.format(devnode, mode)) logger.debug('***** USB MODULE read_only {}'.format(param[1])) except: e = grac_format_exc() GracLog.get_logger().error(e) logger.error(e) return GRAC_OK