# Copyright 2017 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS-IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Common Upvote GAE settings."""
import collections
import functools
from upvote.gae.utils import env_utils
from upvote.shared import constants
# Email domain of the people who sign in to Upvote.
#
# Examples:
#   consumer GMail accounts      -> USER_EMAIL_DOMAIN = 'gmail.com'
#   Foo Inc. on a GSuite domain  -> USER_EMAIL_DOMAIN = 'foo.com'
#
# NOTE: Must be all lowercase.
# The shipped value is a placeholder and has to be replaced before deployment.
# It is presumably what ties an authenticated account to an Upvote user, so a
# wrong value is an authorization problem rather than a cosmetic one — confirm
# against the user-lookup code.
USER_EMAIL_DOMAIN = 'todo-example-domain.com'

# Whether every newly seen application is submitted to the binary analysis
# service ahead of time rather than on demand.
#
# NOTE: This is a relatively high-QPS use of the VirusTotal API and will likely
# exceed free-tier quotas.
ENABLE_BINARY_ANALYSIS_PRECACHING = False
# How an event is attributed to a user.
#
# HOST_OWNER attributes an event to the owner of the host; the alternative
# attributes it to the OS user that executed the binary. Host owners for Santa
# clients can be configured in these settings, whereas the executing user is
# whatever the OS reports and depends on how the machine is set up.
#
# See docs for further discussion.
EVENT_CREATION = constants.EVENT_CREATION.HOST_OWNER

# Execution mode handed to a client the first time it syncs, keyed by client
# type. LOCKDOWN is the conservative choice for new hosts (the exact semantics
# of each CLIENT_MODE value live in constants — confirm there before changing
# this).
DEFAULT_CLIENT_MODE = {
    constants.CLIENT.SANTA: constants.CLIENT_MODE.LOCKDOWN,
}
# Optional regex matching directories (not individual files) from which Santa
# will allow executions. None leaves the feature off.
#
# NOTE: The pattern is handed to the Santa client and must be written in ICU
# syntax: https://developer.apple.com/documentation/foundation/nsregularexpression
#
# NOTE(review): a directory match is a trust decision about the *path*, not the
# binary. Any matched directory that an unprivileged user can write to lets
# that user run arbitrary code, so keep the pattern narrow and anchor it
# explicitly — whether Santa anchors the match itself is not visible here.
SANTA_DIRECTORY_WHITELIST_REGEX = None

# Optional regex matching directories (not individual files) from which Santa
# will block executions. None leaves the feature off.
#
# NOTE: Same ICU-syntax requirement as the whitelist regex above:
# https://developer.apple.com/documentation/foundation/nsregularexpression
SANTA_DIRECTORY_BLACKLIST_REGEX = None

# Upper bound on the number of events a Santa client sends in one upload
# request.
SANTA_EVENT_BATCH_SIZE = 100

# Upper bound on the number of rules Upvote returns to a client in one
# request.
SANTA_RULE_BATCH_SIZE = 250

# Whether connecting Santa clients must present an XSRF token. Leave this on:
# this file shows no client authentication by default (see
# SANTA_CLIENT_VALIDATION), so the token is the only per-request check on the
# sync endpoints that is visible from here.
SANTA_REQUIRE_XSRF = True

# Whether Santa clients upload bundles. See docs for feature details.
SANTA_BUNDLES_ENABLED = True
# Failure mode of Santa client authentication.
#
# NOTE: Out of the box no client authentication is implemented (see
# gae/modules/upvote_app/api/santa/auth.py), so this value has no effect until
# an authentication procedure is written. Until then, any host that can reach
# the sync endpoints can present itself as a Santa client and fetch rules or
# upload events. FAIL_CLOSED is the right value to have in place for when such
# a check exists: failing open would let an unauthenticated client through.
SANTA_CLIENT_VALIDATION = constants.VALIDATION_MODE.FAIL_CLOSED

# Email addresses of users who always hold administrator permissions,
# independent of group membership.
#
# This is a break-glass mechanism: every entry is a standing admin that the
# role sync cannot demote, so keep the list minimal and review it. Entries
# presumably need to match USER_EMAIL_DOMAIN and be lowercase like the other
# identity settings in this file — confirm against the lookup code.
FAILSAFE_ADMINISTRATORS = []
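# Score thresholds at which a Blockable changes state.
#
# Blockables start in the UNAPPROVED state. A score that drops to the BANNED
# threshold (-26 here) bans them; a score that climbs to the
# APPROVED_FOR_LOCAL_WHITELISTING (5) or GLOBALLY_WHITELISTED (50) threshold
# moves them to that state. Whether the comparison is strict or inclusive is
# decided by the voting code, not by this table; the worked examples under
# VOTING_WEIGHTS only hold if it is inclusive — confirm there.
VOTING_THRESHOLDS = {
    constants.STATE.BANNED: -26,
    constants.STATE.APPROVED_FOR_LOCAL_WHITELISTING: 5,
    constants.STATE.GLOBALLY_WHITELISTED: 50,
}

# Vote weight carried by a user with the given role.
#
# Tune these together with VOTING_THRESHOLDS. With the defaults, five USER
# upvotes (5 x 1) reach the local-whitelist threshold and two votes from any
# 25-weight role (SUPERUSER, SECURITY, ADMINISTRATOR) reach the global
# threshold (2 x 25 = 50). That second relationship is the one to watch: two
# elevated votes whitelist a binary for the entire fleet. UNTRUSTED_USER votes
# carry no weight at all.
#
# See docs for further discussion.
VOTING_WEIGHTS = {
    constants.USER_ROLE.UNTRUSTED_USER: 0,
    constants.USER_ROLE.USER: 1,
    constants.USER_ROLE.TRUSTED_USER: 3,
    constants.USER_ROLE.SUPERUSER: 25,
    constants.USER_ROLE.SECURITY: 25,
    constants.USER_ROLE.ADMINISTRATOR: 25,
}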
# Maps each elevated-privilege role to the user group names that confer it.
#
# The /cron/roles/sync cron expands these groups into users (see
# upvote/gae/shared/common/groups.py) and sets their roles accordingly. That
# makes membership of 'admin-users' the effective boundary for ADMINISTRATOR:
# whoever can edit that group can mint Upvote admins, so protect it as
# carefully as the application itself. A role with an empty list is never
# granted by group sync.
GROUP_ROLE_ASSIGNMENTS = {
    constants.USER_ROLE.UNTRUSTED_USER: [],
    constants.USER_ROLE.TRUSTED_USER: [],
    constants.USER_ROLE.SUPERUSER: [],
    constants.USER_ROLE.SECURITY: [],
    constants.USER_ROLE.ADMINISTRATOR: ['admin-users'],
}
# A rule that must always be present in Datastore.
#
#   sha256      - hex digest identifying the rule target (for the CERTIFICATE
#                 rule_type used below, the signing certificate)
#   platform    - a constants.PLATFORM value
#   rule_type   - a constants.RULE_TYPE value
#   rule_policy - a constants.RULE_POLICY value
CriticalRule = collections.namedtuple(
    'CriticalRule', ['sha256', 'platform', 'rule_type', 'rule_policy'])

# Shorthand for a macOS certificate WHITELIST rule; the caller supplies only
# the sha256.
CriticalMacOsCertRule = functools.partial(  # pylint: disable=invalid-name
    CriticalRule,
    platform=constants.PLATFORM.MACOS,
    rule_type=constants.RULE_TYPE.CERTIFICATE,
    rule_policy=constants.RULE_POLICY.WHITELIST)

# Rules that must always be present in Datastore.
#
# NOTE(review): each entry is a certificate-level whitelist, so every binary
# signed by the matching certificate is allowed fleet-wide. These are
# presumably the trust anchors that keep Chrome, the OS and Santa itself
# runnable under LOCKDOWN. Verify the digests against the certificates you
# actually expect before deploying, and treat any change to this list as a
# security review item.
CRITICAL_RULES = [
    # Google Certificate for Chrome
    CriticalMacOsCertRule(
        '345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5'),
    # Apple Software Signing for macOS 10.10, 10.11, 10.12, and 10.13
    CriticalMacOsCertRule(
        '2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32'),
    # Google Certificate for Santa
    CriticalMacOsCertRule(
        '33b9aee3b089c922952c9240a40a0daa271bebf192cf3f7d964722e8f2170e48'),
]
# Groups that force a specific client mode on every Santa client belonging to
# one of their members. Useful for rolling LOCKDOWN out to a large fleet in
# stages. An empty string presumably leaves the mechanism unused — confirm in
# the code that consumes these.
LOCKDOWN_GROUP = ''
MONITOR_GROUP = ''

# **Bit9-only** Active Directory domain of Bit9 host users; used to work out
# which user a Bit9 event belongs to. Placeholder — replace before deployment.
AD_DOMAIN = 'TODO-EXAMPLE-DOMAIN'

# **Bit9-only** Hostname of the Active Directory server; used to build FQDNs
# for Bit9 hosts. Placeholder — replace before deployment.
#
# NOTE: Must be all lowercase.
AD_HOSTNAME = 'ad.todo-example-domain.com'

# NOTE: Incomplete.
# A static banner (the "blood bar") shown to every user to announce abnormal
# system conditions.
SITE_ALERT = {
    'message': '',
    'severity': '',
    'is_active': False,
}
class ProdEnv(env_utils.DefaultEnv):
  """Settings namespace for the production deployment."""
  NAME = 'Prod'
  # All three placeholders must be replaced with the real GCP project ID.
  HOSTNAME = 'XXX-REPLACE-WITH-PROJECT-ID-XXX.appspot.com'
  PROJECT_ID = 'XXX-REPLACE-WITH-PROJECT-ID-XXX'
  DATASTORE_BACKUP_BUCKET = 'XXX-REPLACE-WITH-PROJECT-ID-XXX'
  # Address of the Bit9 frontend server that serves the REST API; the path
  # /api/bit9platform/v1 at this address should display the API docs.
  #
  # NOTE(review): no scheme is given here and how the value is used is not
  # visible in this file. Upvote exchanges host and event data with this
  # server, so make sure the Bit9 client reaches it over TLS with certificate
  # verification.
  BIT9_REST_URL = 'address-of-my-bit9-frontend-server.com'
  # Whether BigQuery streaming is on. When enabled, a number of system events
  # (execution events, Blockable state changes, user votes, etc.) are streamed
  # to tables in BigQuery.
  #
  # See docs for complete setup instructions.
  ENABLE_BIGQUERY_STREAMING = False
class LocalEnv(env_utils.DefaultEnv):
  """Settings namespace for local development."""
  NAME = 'Local'
  # 0.0.0.0 names every interface. If this is also the address the dev server
  # binds to (not visible here — TODO confirm), a local instance is reachable
  # from the network rather than just from localhost.
  HOSTNAME = '0.0.0.0:8080'
  PROJECT_ID = 'auto'
  ENABLE_BIGQUERY_STREAMING = False