관리-도구
편집 파일: update_components_versions.py
#!/opt/imunify360/venv/bin/python3 """ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>. Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see <https://www.imunify360.com/legal/eula> This script enables the functionality of WAF Ruleset Configurator. AppVersionDetector is used to fill in and update the components_versions database with the information on which CMS is used in each of the passed document roots (or directories therein). If the user has app_specific_rules option enabled we also use this information to disable sets of ModSecurity rules for each directory using tags. """ import argparse import asyncio import json import sys from base64 import b64encode from codecs import encode from subprocess import PIPE, CalledProcessError, run from defence360agent.contracts.config import FileBasedResourceLimits, \ ANTIVIRUS_MODE from defence360agent.utils import resource_limits APP_VERSION_DETECTOR_CMD = [ "/opt/app-version-detector/app-version-detector-wrapper.sh", "--sqlite-db-report=" "/var/lib/cloudlinux-app-version-detector/components_versions.sqlite3", "--stdin-dirs", "--pathes-in-base64", "--scan-depth=2", "--send-stats", ] APP_VERSION_DETECTOR_INTENSITY_KEY = "app_version_detector" LIST_DOCROOTS_CMD = ["imunify360-agent", "list-docroots", "--json"] UPDATE_RULES_CMD = ["imunify360-agent", "rules", "update-app-specific-rules"] async def update(): parser = argparse.ArgumentParser() parser.add_argument( '--update-modsec-rulesets', action='store_true', help='Also change ModSecurity rulesets', ) args = parser.parse_args(sys.argv[1:]) doc_roots = json.loads( run( LIST_DOCROOTS_CMD, stdout=PIPE, stderr=PIPE, check=True ).stdout.decode() )["items"] if not doc_roots: return stdin = b"\n".join( (b",".join([encode(domain, "idna"), b64encode(doc_root.encode())])) for doc_root, domain in doc_roots.items() ) cmd = APP_VERSION_DETECTOR_CMD p = await resource_limits.create_subprocess( cmd, intensity_cpu=FileBasedResourceLimits.CPU, intensity_io=FileBasedResourceLimits.IO, key=APP_VERSION_DETECTOR_INTENSITY_KEY, stdout=PIPE, stderr=PIPE, stdin=PIPE, ) out, err = await p.communicate(input=stdin) if p.returncode != 0: raise CalledProcessError( p.returncode, cmd, output=out, stderr=err ) if args.update_modsec_rulesets and not ANTIVIRUS_MODE: run( UPDATE_RULES_CMD, stdout=PIPE, stderr=PIPE, check=True, ) async def main(): try: await update() except CalledProcessError as e: sys.exit( f"Command {e.cmd} returned non-zero code {e.returncode}," f'\n\t\tStdout: {e.stdout.decode("utf-8", "backslashreplace")},' f'\n\t\tStderr: {e.stderr.decode("utf-8", "backslashreplace")}\n' ) if __name__ == "__main__": asyncio.run(main())