osecfs-deb: osecfs@2342e6cefd65 (annotated)

ft@0	1	#!/usr/bin/python
ft@0	2
ft@0	3	# ------------------------------------------------------------
ft@0	4	# opensecurity package file
ft@0	5	#
ft@0	6	# Autor: X-Net Services GmbH <office@x-net.at>
ft@0	7	#
ft@0	8	# Copyright 2013-2014 X-Net and AIT Austrian Institute of Technology
ft@0	9	#
ft@0	10	#
ft@0	11	# X-Net Technologies GmbH
ft@0	12	# Elisabethstrasse 1
ft@0	13	# 4020 Linz
ft@0	14	# AUSTRIA
ft@0	15	# https://www.x-net.at
ft@0	16	#
ft@0	17	# AIT Austrian Institute of Technology
ft@0	18	# Donau City Strasse 1
ft@0	19	# 1220 Wien
ft@0	20	# AUSTRIA
ft@0	21	# http://www.ait.ac.at
ft@0	22	#
ft@0	23	#
ft@0	24	# Licensed under the Apache License, Version 2.0 (the "License");
ft@0	25	# you may not use this file except in compliance with the License.
ft@0	26	# You may obtain a copy of the License at
ft@0	27	#
ft@0	28	# http://www.apache.org/licenses/LICENSE-2.0
ft@0	29	#
ft@0	30	# Unless required by applicable law or agreed to in writing, software
ft@0	31	# distributed under the License is distributed on an "AS IS" BASIS,
ft@0	32	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
ft@0	33	# See the License for the specific language governing permissions and
ft@0	34	# limitations under the License.
ft@0	35	# ------------------------------------------------------------
ft@0	36
ft@0	37
ft@0	38	from fuse import Fuse
ft@0	39	import fuse
ft@0	40
ft@0	41	import ConfigParser
ft@0	42
ft@0	43	import sys
ft@0	44
ft@0	45	import logging
ft@0	46	import os
ft@0	47	import errno
ft@0	48	import time
ft@0	49
ft@0	50	from importlib import import_module
ft@0	51
ft@0	52
ft@0	53	import subprocess
ft@0	54
ft@0	55	import urllib3
ft@0	56	import netifaces
ft@0	57	import netaddr
ft@0	58	import hashlib
ft@0	59
ft@0	60
ft@0	61	sys.stderr = open('/var/log/osecfs_error.log', 'a+')
ft@0	62
ft@0	63
ft@0	64	MINOPTS = { "Main" : ["Logfile", "LogLevel", "Mountpoint", "Rootpath", "ScannerPath", "ScannerModuleName", "ScannerClassName", "ScannerConfig", "ReadOnly"]}
ft@0	65
ft@0	66	CONFIG_NOT_READABLE = "Configfile is not readable"
ft@0	67	CONFIG_WRONG = "Something is wrong with the config"
ft@0	68	CONFIG_MISSING = "Section: \"%s\" Option: \"%s\" in configfile is missing"
ft@0	69	SCAN_WRONG_RETURN_VALUE = "The return Value of the malware scanner is wrong. Has to be an dictionary"
ft@0	70	SCAN_RETURN_VALUE_KEY_MISSING = "The dictionary has to include key \"infected\" (True, False) and \"virusname\" (String)"
ft@0	71	VIRUS_FOUND = "Virus found. Access denied"
ft@0	72	NOTIFICATION_CRITICAL = "critical"
ft@0	73	NOTIFICATION_INFO = "info"
ft@0	74	LOG = None
ft@0	75	MalwareScanner = None
ft@0	76	STATUS_CODE_OK = 200
ft@0	77
ft@0	78	SYSTEM_FILE_COMMAND = "file"
ft@0	79	httpPool = urllib3.PoolManager(num_pools = 1, timeout = 3)
ft@0	80
ft@0	81	def checkMinimumOptions (config):
ft@0	82	for section, options in MINOPTS.iteritems ():
ft@0	83	for option in options:
ft@0	84	if (config.has_option(section, option) == False):
ft@0	85	print (CONFIG_MISSING % (section, option))
ft@0	86	exit (129)
ft@0	87
ft@0	88	def printUsage ():
ft@0	89	print ("Usage:")
ft@0	90	print ("%s configfile mountpath ro/rw" % (sys.argv[0]))
ft@0	91	exit (128)
ft@0	92
ft@0	93	def loadConfig ():
ft@0	94	print ("load config")
ft@0	95
ft@0	96	if (len (sys.argv) < 4):
ft@0	97	printUsage ()
ft@0	98
ft@0	99	configfile = sys.argv[1]
ft@0	100	config = ConfigParser.SafeConfigParser ()
ft@0	101
ft@0	102	if ((os.path.exists (configfile) == False) or (os.path.isfile (configfile) == False) or (os.access (configfile, os.R_OK) == False)):
ft@0	103	print (CONFIG_NOT_READABLE)
ft@0	104	printUsage ()
ft@0	105
ft@0	106	try:
ft@0	107	config.read (sys.argv[1])
ft@0	108	except Exception, e:
ft@0	109	print (CONFIG_WRONG)
ft@0	110	print ("Error: %s" % (e))
ft@0	111
ft@0	112
ft@0	113	config.set("Main", "Mountpoint", sys.argv[2])
ft@0	114	if (sys.argv[3] == "rw"):
ft@0	115	config.set("Main", "ReadOnly", "false")
ft@0	116	else:
ft@0	117	config.set("Main", "ReadOnly", "true")
ft@0	118
ft@0	119	checkMinimumOptions (config)
ft@0	120
ft@0	121	return config
ft@0	122
ft@0	123	def initLog (config):
ft@0	124	print ("init log")
ft@0	125
ft@0	126	global LOG
ft@0	127	logfile = config.get("Main", "Logfile")
ft@0	128
ft@0	129	numeric_level = getattr(logging, config.get("Main", "LogLevel").upper(), None)
ft@0	130	if not isinstance(numeric_level, int):
ft@0	131	raise ValueError('Invalid log level: %s' % loglevel)
ft@0	132
ft@0	133	# ToDo move log level and maybe other things to config file
ft@0	134	logging.basicConfig(
ft@0	135	level = numeric_level,
ft@0	136	format = "%(asctime)s %(name)-12s %(funcName)-15s %(levelname)-8s %(message)s",
ft@0	137	datefmt = "%Y-%m-%d %H:%M:%S",
ft@0	138	filename = logfile,
ft@0	139	filemode = "a+",
ft@0	140	)
ft@0	141	LOG = logging.getLogger("fuse_main")
ft@0	142
ft@0	143
ft@0	144	def fixPath (path):
ft@0	145	return ".%s" % (path)
ft@0	146
ft@0	147	def rootPath (rootpath, path):
ft@0	148	return "%s%s" % (rootpath, path)
ft@0	149
ft@0	150	def flag2mode (flags):
ft@0	151	md = {os.O_RDONLY: 'r', os.O_WRONLY: 'w', os.O_RDWR: 'w+'}
ft@0	152	m = md[flags & (os.O_RDONLY \| os.O_WRONLY \| os.O_RDWR)]
ft@0	153
ft@0	154	# windows sets append even if it would overwrite the whole file (seek 0)
ft@0	155	# so ignore append option
ft@0	156	#if flags \| os.O_APPEND:
ft@0	157	# m = m.replace('w', 'a', 1)
ft@0	158
ft@0	159	return m
ft@0	160
ft@0	161	def scanFile (path, fileobject):
ft@0	162	LOG.debug ("Scan File \"%s\" with malware Scanner" %(path,) )
ft@0	163	return MalwareScanner.scanFile (path, fileobject)
ft@0	164
ft@0	165
ft@0	166	def scanFileClamAV (path):
ft@0	167	infected = False
ft@0	168
ft@0	169	LOG.debug ("Scan File: %s" % (path))
ft@0	170
ft@0	171	result = pyclamav.scanfile (path)
ft@0	172	LOG.debug ("Result of file \"%s\": %s" % (path, result))
ft@0	173	if (result[0] != 0):
ft@0	174	infected = True
ft@0	175
ft@0	176	if (infected == True):
ft@0	177	LOG.error ("Virus found, deny Access %s" % (result,))
ft@0	178
ft@0	179	return infected
ft@0	180
ft@0	181	def whitelistFile (path):
ft@0	182	whitelisted = False;
ft@0	183
ft@0	184	LOG.debug ("Execute \"%s\" command on \"%s\"" %(SYSTEM_FILE_COMMAND, path))
ft@0	185
ft@0	186	result = None
ft@0	187	try:
ft@0	188	result = subprocess.check_output ([SYSTEM_FILE_COMMAND, path]);
ft@0	189	# ToDo replace with real whitelist
ft@0	190	whitelisted = True
ft@0	191	except Exception as e:
ft@0	192	LOG.error ("Call returns with an error!")
ft@0	193	LOG.error (e)
ft@0	194
ft@0	195	LOG.debug ("Type: %s" %(result))
ft@0	196
ft@0	197	return whitelisted
ft@0	198
ft@0	199	def sendDataToRest (urlpath, data):
ft@0	200	netifaces.ifaddresses("eth0")[2][0]["addr"]
ft@0	201
ft@0	202	# Get first address in network (0 = network ip -> 192.168.0.0)
ft@0	203	remote_ip = netaddr.IPNetwork("%s/%s" %(netifaces.ifaddresses("eth0")[2][0]["addr"], netifaces.ifaddresses("eth0")[2][0]["netmask"]))[1]
ft@0	204
ft@0	205	url = ("http://%s:8090//%s" %(remote_ip, urlpath))
ft@0	206
ft@0	207	LOG.debug ("Send data to \"%s\"" %(url, ))
ft@0	208	LOG.debug ("Data: %s" %(data, ))
ft@0	209
ft@0	210	try:
ft@0	211	response = httpPool.request_encode_body("POST", url, fields=data, retries=0)
ft@0	212	except Exception, e:
ft@0	213	LOG.error("Remote host not reachable")
ft@0	214	LOG.error ("Exception: %s" %(e,))
ft@0	215	return
ft@0	216
ft@0	217	if response.status == STATUS_CODE_OK:
ft@0	218	LOG.info("Data sent successfully to rest server")
ft@0	219	return True
ft@0	220	else:
ft@0	221	LOG.error("Server returned errorcode: %s" %(response.status,))
ft@0	222	return False
ft@0	223
ft@0	224
ft@0	225	def sendNotification (type, message):
ft@0	226	data = {"msgtype" : type, "text" : message}
ft@0	227
ft@0	228	if (type == "information"):
ft@0	229	sendDataToRest ("message", data)
ft@0	230	else:
ft@0	231	sendDataToRest ("notification", data)
ft@0	232
ft@0	233	def sendReadOnlyNotification():
ft@0	234	sendNotification("critical", "Filesystem is in read only mode. If you want to export files please initialize an encrypted filesystem.")
ft@0	235
ft@0	236	def sendLogNotPossibleNotification():
ft@0	237	sendNotification("critical", "Send log entry to opensecurity rest server failed.")
ft@0	238
ft@0	239	def sendFileLog(filename, filesize, filehash, hashtype):
ft@0	240	data = {"filename" : filename, "filesize" : "%s" %(filesize,), "filehash" : filehash, "hashtype" : hashtype}
ft@0	241	retval = sendDataToRest ("log", data)
ft@0	242	if (retval == False):
ft@0	243	sendLogNotPossibleNotification()
ft@0	244
ft@0	245	def calcMD5 (path, block_size=256*128, hr=True):
ft@0	246	md5 = hashlib.md5()
ft@0	247	with open(path,'rb') as f:
ft@0	248	for chunk in iter(lambda: f.read(block_size), b''):
ft@0	249	md5.update(chunk)
ft@0	250	if hr:
ft@0	251	return md5.hexdigest()
ft@0	252	return md5.digest()
ft@0	253
ft@0	254	class OsecFS (Fuse):
ft@0	255
ft@0	256	__rootpath = None
ft@0	257
ft@0	258	# default fuse init
ft@0	259	def __init__(self, rootpath, args, *kw):
ft@0	260	self.__rootpath = rootpath
ft@0	261	Fuse.__init__ (self, args, *kw)
ft@0	262	LOG.debug ("Init complete.")
ft@0	263	sendNotification("information", "Filesystem successfully mounted.")
ft@0	264
ft@0	265	# defines that our working directory will be the __rootpath
ft@0	266	def fsinit(self):
ft@0	267	os.chdir (self.__rootpath)
ft@0	268
ft@0	269	def getattr(self, path):
ft@0	270	LOG.debug ("*** getattr (%s)" % (fixPath (path)))
ft@0	271	return os.lstat (fixPath (path));
ft@0	272
ft@0	273	def getdir(self, path):
ft@0	274	LOG.debug ("*** getdir (%s)" % (path));
ft@0	275	return os.listdir (fixPath (path))
ft@0	276
ft@0	277	def readdir(self, path, offset):
ft@0	278	LOG.debug ("*** readdir (%s %s)" % (path, offset));
ft@0	279	for e in os.listdir (fixPath (path)):
ft@0	280	yield fuse.Direntry(e)
ft@0	281
ft@0	282	def chmod (self, path, mode):
ft@0	283	LOG.debug ("*** chmod %s %s" % (path, oct(mode)))
ft@0	284	if (config.get("Main", "ReadOnly") == "true"):
ft@0	285	sendReadOnlyNotification()
ft@0	286	return -errno.EACCES
ft@0	287	os.chmod (fixPath (path), mode)
ft@0	288
ft@0	289	def chown (self, path, uid, gid):
ft@0	290	LOG.debug ("*** chown %s %s %s" % (path, uid, gid))
ft@0	291	if (config.get("Main", "ReadOnly") == "true"):
ft@0	292	sendReadOnlyNotification()
ft@0	293	return -errno.EACCES
ft@0	294	os.chown (fixPath (path), uid, gid)
ft@0	295
ft@0	296	def link (self, targetPath, linkPath):
ft@0	297	LOG.debug ("*** link %s %s" % (targetPath, linkPath))
ft@0	298	if (config.get("Main", "ReadOnly") == "true"):
ft@0	299	sendReadOnlyNotification()
ft@0	300	return -errno.EACCES
ft@0	301	os.link (fixPath (targetPath), fixPath (linkPath))
ft@0	302
ft@0	303	def mkdir (self, path, mode):
ft@0	304	LOG.debug ("*** mkdir %s %s" % (path, oct(mode)))
ft@0	305	if (config.get("Main", "ReadOnly") == "true"):
ft@0	306	sendReadOnlyNotification()
ft@0	307	return -errno.EACCES
ft@0	308	os.mkdir (fixPath (path), mode)
ft@0	309
ft@0	310	def mknod (self, path, mode, dev):
ft@0	311	LOG.debug ("*** mknod %s %s %s" % (path, oct (mode), dev))
ft@0	312	if (config.get("Main", "ReadOnly") == "true"):
ft@0	313	sendReadOnlyNotification()
ft@0	314	return -errno.EACCES
ft@0	315	os.mknod (fixPath (path), mode, dev)
ft@0	316
ft@0	317	# to implement virus scan
ft@0	318	def open (self, path, flags):
ft@0	319	LOG.debug ("*** open %s %s" % (path, oct (flags)))
ft@0	320	self.file = os.fdopen (os.open (fixPath (path), flags), flag2mode (flags))
ft@0	321	self.written = False
ft@0	322	self.fd = self.file.fileno ()
ft@0	323
ft@0	324	LOG.debug(self.__rootpath)
ft@0	325	LOG.debug(path)
ft@0	326
ft@0	327	retval = scanFile (rootPath(self.__rootpath, path), self.file)
ft@0	328
ft@0	329	#if type(retval) is not dict:
ft@0	330	if (isinstance(retval, dict) == False):
ft@0	331	LOG.error(SCAN_WRONG_RETURN_VALUE)
ft@0	332	self.file.close ()
ft@0	333	return -errno.EACCES
ft@0	334
ft@0	335	if ((retval.has_key("infected") == False) or (retval.has_key("virusname") == False)):
ft@0	336	LOG.error(SCAN_RETURN_VALUE_KEY_MISSING)
ft@0	337	self.file.close ()
ft@0	338	return -errno.EACCES
ft@0	339
ft@0	340
ft@0	341	if (retval.get("infected") == True):
ft@0	342	self.file.close ()
ft@0	343	sendNotification(NOTIFICATION_CRITICAL, "%s\nFile: %s\nVirus: %s" %(VIRUS_FOUND, path, retval.get("virusname")))
ft@0	344	LOG.error("%s" %(VIRUS_FOUND,))
ft@0	345	LOG.error("Virus: %s" %(retval.get("virusname"),))
ft@0	346	return -errno.EACCES
ft@0	347
ft@0	348	whitelisted = whitelistFile (rootPath(self.__rootpath, path))
ft@0	349	if (whitelisted == False):
ft@0	350	self.file.close ()
ft@0	351	sendNotification(NOTIFICATION_CRITICAL, "File not in whitelist. Access denied.")
ft@0	352	return -errno.EACCES
ft@0	353
ft@0	354	def read (self, path, length, offset):
ft@0	355	LOG.debug ("*** read %s %s %s" % (path, length, offset))
ft@0	356	self.file.seek (offset)
ft@0	357	return self.file.read (length)
ft@0	358
ft@0	359	def readlink (self, path):
ft@0	360	LOG.debug ("*** readlink %s" % (path))
ft@0	361	return os.readlink (fixPath (path))
ft@0	362
ft@0	363	def release (self, path, flags):
ft@0	364	LOG.debug ("*** release %s %s" % (path, oct (flags)))
ft@0	365	self.file.flush()
ft@0	366	os.fsync(self.file.fileno())
ft@0	367	self.file.close ()
ft@0	368
ft@0	369	if (self.written == True):
ft@0	370	hashsum = calcMD5(fixPath(path))
ft@0	371	filesize = os.path.getsize(fixPath(path))
ft@0	372	sendFileLog(path, filesize, hashsum, "md5")
ft@0	373
ft@0	374
ft@0	375	def rename (self, oldPath, newPath):
ft@0	376	LOG.debug ("*** rename %s %s %s" % (oldPath, newPath, config.get("Main", "ReadOnly")))
ft@0	377	if (config.get("Main", "ReadOnly") == "true"):
ft@0	378	sendReadOnlyNotification()
ft@0	379	return -errno.EACCES
ft@0	380	os.rename (fixPath (oldPath), fixPath (newPath))
ft@0	381
ft@0	382	def rmdir (self, path):
ft@0	383	LOG.debug ("*** rmdir %s %s" % (path, config.get("Main", "ReadOnly")))
ft@0	384	if (config.get("Main", "ReadOnly") == "true"):
ft@0	385	sendReadOnlyNotification()
ft@0	386	return -errno.EACCES
ft@0	387	os.rmdir (fixPath (path))
ft@0	388
ft@0	389	def statfs (self):
ft@0	390	LOG.debug ("*** statfs")
ft@0	391	return os.statvfs(".")
ft@0	392
ft@0	393	def symlink (self, targetPath, linkPath):
ft@0	394	LOG.debug ("*** symlink %s %s %s" % (targetPath, linkPath, config.get("Main", "ReadOnly")))
ft@0	395	if (config.get("Main", "ReadOnly") == "true"):
ft@0	396	sendReadOnlyNotification()
ft@0	397	return -errno.EACCES
ft@0	398	os.symlink (fixPath (targetPath), fixPath (linkPath))
ft@0	399
ft@0	400	def truncate (self, path, length):
ft@0	401	LOG.debug ("*** truncate %s %s %s" % (path, length, config.get("Main", "ReadOnly")))
ft@0	402	if (config.get("Main", "ReadOnly") == "true"):
ft@0	403	sendReadOnlyNotification()
ft@0	404	return -errno.EACCES
ft@0	405	f = open (fixPath (path), "w+")
ft@0	406	f.truncate (length)
ft@0	407	f.close ()
ft@0	408
ft@0	409	def unlink (self, path):
ft@0	410	LOG.debug ("*** unlink %s %s" % (path, config.get("Main", "ReadOnly")))
ft@0	411	if (config.get("Main", "ReadOnly") == "true"):
ft@0	412	sendReadOnlyNotification()
ft@0	413	return -errno.EACCES
ft@0	414	os.unlink (fixPath (path))
ft@0	415
ft@0	416	def utime (self, path, times):
ft@0	417	LOG.debug ("*** utime %s %s" % (path, times))
ft@0	418	os.utime (fixPath (path), times)
ft@0	419
ft@0	420	def write (self, path, buf, offset):
ft@0	421	#LOG.debug ("*** write %s %s %s %s" % (path, buf, offset, config.get("Main", "ReadOnly")))
ft@0	422	LOG.debug ("*** write %s %s %s %s" % (path, "filecontent", offset, config.get("Main", "ReadOnly")))
ft@0	423	if (config.get("Main", "ReadOnly") == "true"):
ft@0	424	self.file.close()
ft@0	425	sendReadOnlyNotification()
ft@0	426	return -errno.EACCES
ft@0	427	self.file.seek (offset)
ft@0	428	self.file.write (buf)
ft@0	429	self.written = True
ft@0	430	return len (buf)
ft@0	431
ft@0	432	def access (self, path, mode):
ft@0	433	LOG.debug ("*** access %s %s" % (path, oct (mode)))
ft@0	434	if not os.access (fixPath (path), mode):
ft@0	435	return -errno.EACCES
ft@0	436
ft@0	437	def create (self, path, flags, mode):
ft@0	438	LOG.debug ("*** create %s %s %s %s %s" % (fixPath (path), oct (flags), oct (mode), flag2mode (flags), config.get("Main", "ReadOnly")))
ft@0	439	if (config.get("Main", "ReadOnly") == "true"):
ft@0	440	sendReadOnlyNotification()
ft@0	441	return -errno.EACCES
ft@0	442
ft@0	443	self.file = os.fdopen (os.open (fixPath (path), flags), flag2mode(flags))
ft@0	444	self.written = True
ft@0	445	self.fd = self.file.fileno ()
ft@0	446
ft@0	447
ft@0	448	if __name__ == "__main__":
ft@0	449	# Set api version
ft@0	450	fuse.fuse_python_api = (0, 2)
ft@0	451	fuse.feature_assert ('stateful_files', 'has_init')
ft@0	452
ft@0	453	config = loadConfig ()
ft@0	454	initLog (config)
ft@0	455
ft@0	456	#sendNotification("Info", "OsecFS started")
ft@0	457
ft@0	458	# Import the Malware Scanner
ft@0	459	sys.path.append(config.get("Main", "ScannerPath"))
ft@0	460
ft@0	461	MalwareModule = import_module(config.get("Main", "ScannerModuleName"))
ft@0	462	MalwareClass = getattr(MalwareModule, config.get("Main", "ScannerClassName"))
ft@0	463
ft@0	464	MalwareScanner = MalwareClass (config.get("Main", "ScannerConfig"));
ft@0	465
ft@0	466	osecfs = OsecFS (config.get ("Main", "Rootpath"))
ft@0	467	osecfs.flags = 0
ft@0	468	osecfs.multithreaded = 0
ft@0	469
ft@0	470	fuse_args = [sys.argv[0], config.get ("Main", "Mountpoint")];
ft@0	471	osecfs.main (fuse_args)

author	ft
	Tue, 04 Nov 2014 17:44:32 +0100
changeset 0	2342e6cefd65
permissions	-rwxr-xr-x