def __init__(self, designation, port=None, startaddr=None
    ,       primary_ip_addr=None, domain=CMAconsts.globaldomain
    ,       status= '(unknown)', reason='(initialization)', roles=None, key_id=''):
        '''Initialization function for the Drone class.
        We mainly initialize a few attributes from parameters as noted above...

        The first time around we also initialize a couple of class-wide query
        strings for a few queries we know we'll need later.

        We also behave as though we're a dict from the perspective of JSON attributes.
        These discovery strings are converted into pyConfigContext objects and are
        then searchable like dicts themselves - however updating these dicts has
        no direct impact on the underlying JSON strings stored in the database.

        The reason for treating these as a dict is so we can easily change
        the implementation to put JSON strings in separate nodes, or perhaps
        eventually in a separate data store.

        This is necessary because the performance of putting lots of really large
        strings in Neo4j is absolutely horrible. Putting large strings in is dumb
        and what Neo4j does with them is even dumber...
        The result is at least DUMB^2 -not 2*DUMB ;-)
        '''
        SystemNode.__init__(self, domain=domain, designation=designation)
        if roles is None:
            roles = ['host', 'drone']
        self.addrole(roles)
        self._io = CMAdb.io
        self.lastjoin = 'None'
        self.status = status
        self.reason = reason
        self.key_id = key_id
        self.startaddr = str(startaddr)
        self.primary_ip_addr = str(primary_ip_addr)
        self.time_status_ms = int(round(time.time() * 1000))
        self.time_status_iso8601 = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime())
        if port is not None:
            self.port = int(port)
        else:
            self.port = None

        self.monitors_activated = False

        if Drone.IPownerquery_1 is None:
            Drone.IPownerquery_1 = (Drone.IPownerquery_1_txt
                                    % (CMAconsts.REL_ipowner, CMAconsts.REL_nicowner))
            Drone.OwnedIPsQuery_subtxt = (Drone.OwnedIPsQuery_txt    \
                                          % (CMAconsts.REL_nicowner, CMAconsts.REL_ipowner))
            Drone.OwnedIPsQuery =  Drone.OwnedIPsQuery_subtxt
        self.set_crypto_identity()
        if Store.is_abstract(self) and not CMAdb.store.readonly:
            #print 'Creating BP rules for', self.designation
            from bestpractices import BestPractices
            bprules = CMAdb.io.config['bprulesbydomain']
            rulesetname = bprules[domain] if domain in bprules else bprules[CMAconsts.globaldomain]
            for rule in BestPractices.gen_bp_rules_by_ruleset(CMAdb.store, rulesetname):
                #print >> sys.stderr, 'ADDING RELATED RULE SET for', \
                    #self.designation, rule.bp_class, rule
                CMAdb.store.relate(self, CMAconsts.REL_bprulefor, rule,
                                   properties={'bp_class': rule.bp_class})
def grab_category_scores(store, categories=None, debug=False):
    '''Program to create and return some python Dicts with security scores and totals by category
    and totals by drone/category
    Categories is None or a list of desired categories.
    '''
    cypher = '''START drone=node:Drone('*:*') RETURN drone'''

    BestPractices(CMAdb.io.config, CMAdb.io, store, CMAdb.log, debug=debug)
    dtype_totals = {} # scores organized by (category, discovery-type)
    drone_totals = {} # scores organized by (category, discovery-type, drone)
    rule_totals = {} # scores organized by (category, discovery-type, rule)

    for drone in store.load_cypher_nodes(cypher, Drone):
        designation = drone.designation
        discoverytypes = drone.bp_discoverytypes_list()
        for dtype in discoverytypes:
            dattr = Drone.bp_discoverytype_result_attrname(dtype)
            statuses = getattr(drone, dattr)
            for rule_obj in BestPractices.eval_objects[dtype]:
                rulesobj = rule_obj.fetch_rules(drone, None, dtype)
                _, scores, rulescores = BestPractices.compute_scores(drone, rulesobj, statuses)
                for category in scores:
                    if category not in categories and categories:
                        continue
                    # Accumulate scores by (category, discovery_type)
                    setup_dict2(dtype_totals, category, dtype)
                    dtype_totals[category][dtype] += scores[category]
                    # Accumulate scores by (category, discovery_type, drone)
                    setup_dict3(drone_totals, category, dtype, designation)
                    drone_totals[category][dtype][designation] += scores[category]
                    # Accumulate scores by (category, discovery_type, ruleid)
                    for ruleid in rulescores[category]:
                        setup_dict3(rule_totals, category, dtype, ruleid)
                        rule_totals[category][dtype][ruleid] += rulescores[category][ruleid]

    return dtype_totals, drone_totals, rule_totals
示例#3
0
    def __init__(self, designation, port=None, startaddr=None
    ,       primary_ip_addr=None, domain=CMAconsts.globaldomain
    ,       status= '(unknown)', reason='(initialization)', roles=None, key_id=''):
        '''Initialization function for the Drone class.
        We mainly initialize a few attributes from parameters as noted above...

        The first time around we also initialize a couple of class-wide CypherQuery
        objects for a couple of queries we know we'll need later.
        '''
        SystemNode.__init__(self, domain=domain, designation=designation)
        if roles is None:
            roles = ['host', 'drone']
        self.addrole(roles)
        self._io = CMAdb.io
        self.lastjoin = 'None'
        self.status = status
        self.reason = reason
        self.key_id = key_id
        self.startaddr = str(startaddr)
        self.primary_ip_addr = str(primary_ip_addr)
        self.time_status_ms = int(round(time.time() * 1000))
        self.time_status_iso8601 = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime())
        if port is not None:
            self.port = int(port)
        else:
            self.port = None

        self.monitors_activated = False

        if Drone.IPownerquery_1 is None:
            Drone.IPownerquery_1 =  neo4j.CypherQuery(CMAdb.cdb.db, Drone.IPownerquery_1_txt
            % (CMAconsts.REL_ipowner, CMAconsts.REL_nicowner))
            Drone.OwnedIPsQuery_subtxt = Drone.OwnedIPsQuery_txt    \
            %       (CMAconsts.REL_nicowner, CMAconsts.REL_ipowner)
            Drone.OwnedIPsQuery =  neo4j.CypherQuery(CMAdb.cdb.db, Drone.OwnedIPsQuery_subtxt)
        self.set_crypto_identity()
        if Store.is_abstract(self) and not CMAdb.store.readonly:
            from bestpractices import BestPractices
            bprules = CMAdb.io.config['bprulesbydomain']
            rulesetname = bprules[domain] if domain in bprules else bprules[CMAconsts.globaldomain]
            for rule in BestPractices.gen_bp_rules_by_ruleset(CMAdb.store, rulesetname):
                CMAdb.store.relate(self, CMAconsts.REL_bprulefor, rule,
                                   properties={'bp_class': rule.bp_class})
示例#4
0
    def execute(store, executor_context, otherargs, flagoptions):
        'Load all best practice files we find in the specified directory.'
        executor_context = executor_context
        flagoptions = flagoptions
        basedon = None

        if len(otherargs) not in (0,2,3):
            return usage()
        elif len(otherargs) >= 2:
            bpdir = otherargs[0]
            rulesetname = otherargs[1]
            if len(otherargs) > 2:
                basedon = otherargs[2]
        else:
            bpdir = BPINSTALL_DIR
            rulesetname = CMAconsts.BASERULESETNAME

        qcount = 0
        for q in BestPractices.load_directory(store, bpdir, rulesetname, basedon):
            qcount += 1
            q = q
        store.commit()
        return 0 if qcount > 0 else 1
    def __init__(self, designation, port=None, startaddr=None
    ,       primary_ip_addr=None, domain=CMAconsts.globaldomain
    ,       status= '(unknown)', reason='(initialization)', roles=None, key_id=''):
        '''Initialization function for the Drone class.
        We mainly initialize a few attributes from parameters as noted above...

        The first time around we also initialize a couple of class-wide query
        strings for a few queries we know we'll need later.

        We also behave as though we're a dict from the perspective of JSON attributes.
        These discovery strings are converted into pyConfigContext objects and are
        then searchable like dicts themselves - however updating these dicts has
        no direct impact on the underlying JSON strings stored in the database.

        The reason for treating these as a dict is so we can easily change
        the implementation to put JSON strings in separate nodes, or perhaps
        eventually in a separate data store.

        This is necessary because the performance of putting lots of really large
        strings in Neo4j is absolutely horrible. Putting large strings in is dumb
        and what Neo4j does with them is even dumber...
        The result is at least DUMB^2 -not 2*DUMB ;-)
        '''
        SystemNode.__init__(self, domain=domain, designation=designation)
        if roles is None:
            roles = ['host', 'drone']
        self.addrole(roles)
        self._io = CMAdb.io
        self.lastjoin = 'None'
        self._active_nic_count = None
        self.status = status
        self.reason = reason
        self.key_id = key_id
        self.startaddr = str(startaddr)
        self.primary_ip_addr = str(primary_ip_addr)
        self.time_status_ms = int(round(time.time() * 1000))
        self.time_status_iso8601 = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime())
        if port is not None:
            self.port = int(port)
        else:
            self.port = None

        self.monitors_activated = False

        if Drone.IPownerquery_1 is None:
            Drone.IPownerquery_1 = (Drone.IPownerquery_1_txt
                                    % (CMAconsts.REL_ipowner, CMAconsts.REL_nicowner))
            Drone.OwnedIPsQuery_subtxt = (Drone.OwnedIPsQuery_txt    \
                                          % (CMAconsts.REL_nicowner, CMAconsts.REL_ipowner))
            Drone.OwnedIPsQuery =  Drone.OwnedIPsQuery_subtxt
        self.set_crypto_identity()
        if Store.is_abstract(self) and not CMAdb.store.readonly:
            #print 'Creating BP rules for', self.designation
            from bestpractices import BestPractices
            bprules = CMAdb.io.config['bprulesbydomain']
            rulesetname = bprules[domain] if domain in bprules else bprules[CMAconsts.globaldomain]
            for rule in BestPractices.gen_bp_rules_by_ruleset(CMAdb.store, rulesetname):
                #print >> sys.stderr, 'ADDING RELATED RULE SET for', \
                    #self.designation, rule.bp_class, rule
                CMAdb.store.relate(self, CMAconsts.REL_bprulefor, rule,
                                   properties={'bp_class': rule.bp_class})
示例#6
0
def main():
    'Main program for the CMA (Collective Management Authority)'
    py2neo_major_version = int(PY2NEO_VERSION.partition('.')[0])
    if py2neo_major_version not in SUPPORTED_PY2NEO_VERSIONS:
        raise EnvironmentError('py2neo version %s not supported' %
                               PY2NEO_VERSION)
    DefaultPort = 1984
    # VERY Linux-specific - but useful and apparently correct ;-)
    PrimaryIPcmd =   \
    "ip address show primary scope global | grep '^ *inet' | sed -e 's%^ *inet *%%' -e 's%/.*%%'"
    ipfd = os.popen(PrimaryIPcmd, 'r')
    OurAddrStr = ('%s:%d' % (ipfd.readline().rstrip(), DefaultPort))
    ipfd.close()

    parser = optparse.OptionParser(
        prog='CMA',
        version=AssimCtypes.VERSION_STRING,
        description=
        'Collective Management Authority for the Assimilation System',
        usage='cma.py [--bind address:port]')

    parser.add_option(
        '-b',
        '--bind',
        action='store',
        default=None,
        dest='bind',
        metavar='address:port-to-bind-to',
        help='Address:port to listen to - for nanoprobes to connect to')

    parser.add_option(
        '-d',
        '--debug',
        action='store',
        default=0,
        dest='debug',
        help=
        'enable debug for CMA and libraries - value is debug level for C libraries.'
    )

    parser.add_option('-s',
                      '--status',
                      action='store_true',
                      default=False,
                      dest='status',
                      help='Return status of running CMA')

    parser.add_option('-k',
                      '--kill',
                      action='store_true',
                      default=False,
                      dest='kill',
                      help='Shut down running CMA.')

    parser.add_option('-e',
                      '--erasedb',
                      action='store_true',
                      default=False,
                      dest='erasedb',
                      help='Erase Neo4J before starting')

    parser.add_option('-f',
                      '--foreground',
                      action='store_true',
                      default=False,
                      dest='foreground',
                      help='keep the CMA from going into the background')

    parser.add_option('-p',
                      '--pidfile',
                      action='store',
                      default='/var/run/assimilation/cma',
                      dest='pidfile',
                      metavar='pidfile-pathname',
                      help='full pathname of where to locate our pid file')

    parser.add_option('-T',
                      '--trace',
                      action='store_true',
                      default=False,
                      dest='doTrace',
                      help='Trace CMA execution')

    parser.add_option('-u',
                      '--user',
                      action='store',
                      default=CMAUSERID,
                      dest='userid',
                      metavar='userid',
                      help='userid to run the CMA as')

    opt = parser.parse_args()[0]

    from AssimCtypes import daemonize_me, assimilation_openlog, are_we_already_running, \
        kill_pid_service, pidrunningstat_to_status, remove_pid_file, rmpid_and_exit_on_signal

    if opt.status:
        rc = pidrunningstat_to_status(are_we_already_running(
            opt.pidfile, None))
        return rc

    if opt.kill:
        if kill_pid_service(opt.pidfile, 15) < 0:
            print >> sys.stderr, "Unable to stop CMA."
            return 1
        return 0

    opt.debug = int(opt.debug)

    # This doesn't seem to work no matter where I invoke it...
    # But if we don't fork in daemonize_me() ('C' code), it works great...
    #    def cleanup():
    #        remove_pid_file(opt.pidfile)
    #    atexit.register(cleanup)
    #    signal.signal(signal.SIGTERM, lambda sig, stack: sys.exit(0))
    #    signal.signal(signal.SIGINT, lambda sig, stack: sys.exit(0))

    from cmadb import CMAdb
    CMAdb.running_under_docker()
    make_pid_dir(opt.pidfile, opt.userid)
    make_key_dir(CRYPTKEYDIR, opt.userid)
    cryptwarnings = pyCryptCurve25519.initkeys()
    for warn in cryptwarnings:
        print >> sys.stderr, ("WARNING: %s" % warn)
    #print >> sys.stderr, 'All known key ids:'
    keyids = pyCryptFrame.get_key_ids()
    keyids.sort()
    for keyid in keyids:
        if not keyid.startswith(CMA_KEY_PREFIX):
            try:
                # @FIXME This is not an ideal way to associate identities with hosts
                # in a multi-tenant environment
                # @FIXME - don't think I need to do the associate_identity at all any more...
                hostname, notused_post = keyid.split('@@', 1)
                notused_post = notused_post
                pyCryptFrame.associate_identity(hostname, keyid)
            except ValueError:
                pass
        #print >> sys.stderr, '>    %s/%s' % (keyid, pyCryptFrame.get_identity(keyid))

    daemonize_me(opt.foreground, '/', opt.pidfile, 20)

    rmpid_and_exit_on_signal(opt.pidfile, signal.SIGTERM)

    # Next statement can't appear before daemonize_me() or bind() fails -- not quite sure why...
    assimilation_openlog("cma")
    from packetlistener import PacketListener
    from messagedispatcher import MessageDispatcher
    from dispatchtarget import DispatchTarget
    from monitoring import MonitoringRule
    from AssimCclasses import pyNetAddr, pySignFrame, pyReliableUDP, \
         pyPacketDecoder
    from AssimCtypes import CONFIGNAME_CMAINIT, CONFIGNAME_CMAADDR, CONFIGNAME_CMADISCOVER, \
        CONFIGNAME_CMAFAIL, CONFIGNAME_CMAPORT, CONFIGNAME_OUTSIG, CONFIGNAME_COMPRESSTYPE, \
        CONFIGNAME_COMPRESS, proj_class_incr_debug, LONG_LICENSE_STRING, MONRULEINSTALL_DIR

    if opt.debug:
        print >> sys.stderr, ('Setting debug to %s' % opt.debug)

    for debug in range(opt.debug):
        debug = debug
        print >> sys.stderr, ('Incrementing C-level debug by one.')
        proj_class_incr_debug(None)

    #   Input our monitoring rule templates
    #   They only exist in flat files and in memory - they aren't in the database
    MonitoringRule.load_tree(MONRULEINSTALL_DIR)
    print >> sys.stderr, ('Monitoring rules loaded from %s' %
                          MONRULEINSTALL_DIR)

    execobserver_constraints = {
        'nodetype': [
            'Drone',
            'IPaddrNode',
            'MonitorAction',
            'NICNode',
            'ProcessNode',
            'SystemNode',
        ]
    }
    ForkExecObserver(constraints=execobserver_constraints,
                     scriptdir=NOTIFICATION_SCRIPT_DIR)
    print >> sys.stderr, ('Fork/Event observer dispatching from %s' %
                          NOTIFICATION_SCRIPT_DIR)

    if opt.bind is not None:
        OurAddrStr = opt.bind

    OurAddr = pyNetAddr(OurAddrStr)
    if OurAddr.port() == 0:
        OurAddr.setport(DefaultPort)

    try:
        configinfo = ConfigFile(filename=CMAINITFILE)
    except IOError:
        configinfo = ConfigFile()
    if opt.bind is not None:
        bindaddr = pyNetAddr(opt.bind)
        if bindaddr.port() == 0:
            bindaddr.setport(ConfigFile[CONFIGNAME_CMAPORT])
        configinfo[CONFIGNAME_CMAINIT] = bindaddr
    configinfo[CONFIGNAME_CMADISCOVER] = OurAddr
    configinfo[CONFIGNAME_CMAFAIL] = OurAddr
    configinfo[CONFIGNAME_CMAADDR] = OurAddr
    if (CONFIGNAME_COMPRESSTYPE in configinfo):
        configinfo[CONFIGNAME_COMPRESS]     \
        =   pyCompressFrame(compression_method=configinfo[CONFIGNAME_COMPRESSTYPE])
    configinfo[CONFIGNAME_OUTSIG] = pySignFrame(1)
    config = configinfo.complete_config()

    addr = config[CONFIGNAME_CMAINIT]
    # pylint is confused: addr is a pyNetAddr, not a pyConfigContext
    # pylint: disable=E1101
    if addr.port() == 0:
        addr.setport(DefaultPort)
    ourport = addr.port()
    for elem in (CONFIGNAME_CMAINIT, CONFIGNAME_CMAADDR,
                 CONFIGNAME_CMADISCOVER, CONFIGNAME_CMAFAIL):
        if elem in config:
            config[elem] = pyNetAddr(str(config[elem]), port=ourport)
    io = pyReliableUDP(config, pyPacketDecoder())
    io.setrcvbufsize(
        10 * 1024 *
        1024)  # No harm in asking - it will get us the best we can get...
    io.setsendbufsize(
        1024 * 1024)  # Most of the traffic volume is inbound from discovery
    drop_privileges_permanently(opt.userid)
    try:
        cmainit.CMAinit(io, cleanoutdb=opt.erasedb, debug=(opt.debug > 0))
    except RuntimeError:
        remove_pid_file(opt.pidfile)
        raise
    for warn in cryptwarnings:
        CMAdb.log.warning(warn)
    if CMAdb.cdb.db.neo4j_version[0] not in SUPPORTED_NEO4J_VERSIONS:
        raise EnvironmentError('Neo4j version %s.%s.%s not supported' %
                               CMAdb.cdb.db.neo4j_version)
    CMAdb.log.info('Listening on: %s' % str(config[CONFIGNAME_CMAINIT]))
    CMAdb.log.info('Requesting return packets sent to: %s' % str(OurAddr))
    CMAdb.log.info('Socket input buffer size:  %d' % io.getrcvbufsize())
    CMAdb.log.info('Socket output buffer size: %d' % io.getsendbufsize())
    keyids = pyCryptFrame.get_key_ids()
    keyids.sort()
    for keyid in keyids:
        CMAdb.log.info('KeyId %s Identity %s' %
                       (keyid, pyCryptFrame.get_identity(keyid)))
    if CMAdb.debug:
        CMAdb.log.debug('C-library Debug was set to %s' % opt.debug)
        CMAdb.log.debug('TheOneRing created - id = %s' % CMAdb.TheOneRing)
        CMAdb.log.debug('Config Object sent to nanoprobes: %s' % config)

    jvmfd = os.popen('java -version 2>&1')
    jvers = jvmfd.readline()
    jvmfd.close()
    disp = MessageDispatcher(DispatchTarget.dispatchtable)
    neovers = CMAdb.cdb.db.neo4j_version
    neoversstring = (('%s.%s.%s' if len(neovers) == 3 else '%s.%s.%s%s') %
                     neovers[0:3])

    CMAdb.log.info('Starting CMA version %s - licensed under %s' %
                   (AssimCtypes.VERSION_STRING, LONG_LICENSE_STRING))
    CMAdb.log.info(
        'Neo4j version %s // py2neo version %s // Python version %s // %s' %
        (('%s.%s.%s' % CMAdb.cdb.db.neo4j_version), str(py2neo.__version__),
         ('%s.%s.%s' % sys.version_info[0:3]), jvers))
    if opt.foreground:
        print >> sys.stderr, (
            'Starting CMA version %s - licensed under %s' %
            (AssimCtypes.VERSION_STRING, LONG_LICENSE_STRING))
        print >> sys.stderr, (
            'Neo4j version %s // py2neo version %s // Python version %s // %s'
            % (neoversstring, PY2NEO_VERSION,
               ('%s.%s.%s' % sys.version_info[0:3]), jvers))
    if len(neovers) > 3:
        CMAdb.log.warning(
            'Neo4j version %s is beta code - results not guaranteed.' %
            str(neovers))

    # Important to note that we don't want PacketListener to create its own 'io' object
    # or it will screw up the ReliableUDP protocol...
    listener = PacketListener(config, disp, io=io)
    mandatory_modules = ['discoverylistener']
    for mandatory in mandatory_modules:
        importlib.import_module(mandatory)
    #pylint is confused here...
    # pylint: disable=E1133
    for optional in config['optional_modules']:
        importlib.import_module(optional)
    if opt.doTrace:
        import trace
        tracer = trace.Trace(count=False, trace=True)
        if CMAdb.debug:
            CMAdb.log.debug('Starting up traced listener.listen(); debug=%d' %
                            opt.debug)
        if opt.foreground:
            print >> sys.stderr, (
                'cma: Starting up traced listener.listen() in foreground; debug=%d'
                % opt.debug)
        tracer.run('listener.listen()')
    else:
        if CMAdb.debug:
            CMAdb.log.debug(
                'Starting up untraced listener.listen(); debug=%d' % opt.debug)
        if opt.foreground:
            print >> sys.stderr, (
                'cma: Starting up untraced listener.listen() in foreground; debug=%d'
                % opt.debug)

        # This is kind of a kludge, we should really look again at
        # at initializition and so on.
        # This module *ought* to be optional.
        # that would involve adding some Drone callbacks for creation of new Drones
        BestPractices(config, io, CMAdb.store, CMAdb.log, opt.debug)
        listener.listen()
    return 0