Merge branch 'maintenance' into develop

Sebastian Wagner · Sebastian Wagner · commit 9c154099ae3f · 2021-03-12T17:16:59.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -82,6 +82,8 @@ Update allowed classification fields to 2020-01-28 version (#1409, #1476). Old n
 #### Collectors
 
 #### Parsers
+- `intelmq.bots.parsers.cymru.parser_cap_program`:
+  - Adapt parser to new upstream format for events of category "bruteforce" (PR#1795 by Sebastian Wagner, fixes 1794).
 
 #### Experts
 
@@ -90,13 +92,18 @@ Update allowed classification fields to 2020-01-28 version (#1409, #1476). Old n
 ### Documentation
 - Add missing newlines at end of `docs/_static/intelmq-manager/*.png.license` files (PR#1785 by Sebastian Wagner, fixes #1777).
 - Ecosystem: Revise sections on intelmq-cb-mailgen and fody (PR#1792 by Bernhard Reiter).
+- intelmq-api: Add documentation about necessary write permission for the session database file (PR#1798 by Birger Schacht, fixes intelmq-api#23).
 
 ### Packaging
 
 ### Tests
 - Add missing newlines at end of various test input files (PR#1785 by Sebastian Wagner, fixes #1777).
 
 ### Tools
+- `intelmqsetup`:
+  - Also cover required directory layout and file permissions for `intelmq-api` (PR#1787 by Sebastian Wagner, fixes #1783).
+- `intelmqctl`:
+  - Do not log an error message if logging to file is explicitly disabled, e.g. in calls from `intelmsetup`. The error message would not be useful for the user and is not necessary.
 
 ### Contrib
 
diff --git a/intelmq/bin/intelmqctl.py b/intelmq/bin/intelmqctl.py
@@ -710,7 +710,7 @@ def __init__(self, interactive: bool = False, return_type: str = "python", quiet
 
         try:
             if no_file_logging:
-                raise FileNotFoundError
+                raise FileNotFoundError('Logging to file disabled.')
             logger = utils.log('intelmqctl', log_level=self.logging_level,
                                log_format_stream=utils.LOG_FORMAT_SIMPLE,
                                logging_level_stream=logging_level_stream,
@@ -720,7 +720,8 @@ def __init__(self, interactive: bool = False, return_type: str = "python", quiet
             logger = utils.log('intelmqctl', log_level=self.logging_level, log_path=False,
                                log_format_stream=utils.LOG_FORMAT_SIMPLE,
                                logging_level_stream=logging_level_stream)
-            logger.error('Not logging to file: %s', exc)
+            if not isinstance(exc, FileNotFoundError) and exc.args[0] != 'Logging to file disabled.':
+                logger.error('Not logging to file: %s', exc)
         self.logger = logger
         if defaults_loading_exc:
             self.logger.exception('Loading the defaults configuration failed!',
diff --git a/intelmq/bin/intelmqsetup.py b/intelmq/bin/intelmqsetup.py
@@ -1,75 +1,162 @@
 # -*- coding: utf-8 -*-
 """
-© 2019 Sebastian Wagner <wagner@cert.at>
+© 2019-2021 nic.at GmbH <intelmq-team@cert.at>
 
-SPDX-License-Identifier: AGPL-3.0
+SPDX-License-Identifier: AGPL-3.0-only
 
 Sets up an intelmq environment after installation or upgrade by
  * creating needed directories
  * set intelmq as owner for those
  * providing example configuration files if not already existing
 
+If intelmq-api is installed, the similar steps are performed:
+ * creates needed directories
+ * sets the webserver as group for them
+ * sets group write permissions
+
 Reasoning:
 Pip does not (and cannot) create `/opt/intelmq`/user-given ROOT_DIR, as described in
 https://github.com/certtools/intelmq/issues/819
 """
 import argparse
-import glob
 import os
 import shutil
+import stat
 import sys
 import pkg_resources
 
-from pwd import getpwuid
+from grp import getgrnam
+from pathlib import Path
+from pwd import getpwnam
+from typing import Optional
+
+try:
+    import intelmq_api
+except ImportError:
+    intelmq_api = None
 
+from termstyle import red
 from intelmq import (CONFIG_DIR, DEFAULT_LOGGING_PATH, ROOT_DIR, VAR_RUN_PATH,
                      VAR_STATE_PATH, BOTS_FILE, STATE_FILE_PATH)
 from intelmq.bin.intelmqctl import IntelMQController
 
 
-def intelmqsetup(ownership=True, state_file=STATE_FILE_PATH):
-    if os.geteuid() != 0 and ownership:
-        sys.exit('You need to run this program as root (for setting file ownership)')
+MANAGER_CONFIG_DIR = Path(CONFIG_DIR) / 'manager/'
+FILE_OUTPUT_PATH = Path(VAR_STATE_PATH) / 'file-output/'
 
+
+def basic_checks(skip_ownership):
+    if os.geteuid() != 0 and not skip_ownership:
+        sys.exit(red('You need to run this program as root for setting file ownership!'))
     if not ROOT_DIR:
-        sys.exit('Not a pip-installation of IntelMQ, nothing to initialize.')
-
-    create_dirs = ('%s/file-output' % VAR_STATE_PATH,
-                   VAR_RUN_PATH,
-                   DEFAULT_LOGGING_PATH,
-                   CONFIG_DIR)
-    for create_dir in create_dirs:
-        if not os.path.isdir(create_dir):
-            os.makedirs(create_dir, mode=0o755,
-                        exist_ok=True)
-            print('Created directory %r.' % create_dir)
-
-    example_confs = glob.glob(pkg_resources.resource_filename('intelmq', 'etc/*.conf'))
+        sys.exit(red('Not a pip-installation of IntelMQ, nothing to initialize.'))
+
+    if skip_ownership:
+        return
+    try:
+        getpwnam('intelmq')
+    except KeyError:
+        sys.exit(red("User 'intelmq' does not exist. Please create it and then re-run this program."))
+    try:
+        getgrnam('intelmq')
+    except KeyError:
+        sys.exit(red("Group 'intelmq' does not exist. Please create it and then re-run this program."))
+
+
+def create_directory(directory: str, octal_mode: int):
+    directory = Path(directory)
+    readable_mode = stat.filemode(octal_mode)
+    if not directory.is_dir():
+        directory.mkdir(mode=octal_mode, exist_ok=True, parents=True)
+        print(f'Created directory {directory!s} with permissions {readable_mode}.')
+    else:
+        current_mode = directory.stat().st_mode
+        if current_mode != octal_mode:
+            current_mode_readable = stat.filemode(current_mode)
+            print(f'Fixed wrong permissions of {directory!s}: {current_mode_readable!r} -> {readable_mode!r}.')
+            directory.chmod(octal_mode)
+
+
+def change_owner(file: str, owner=None, group=None, log: bool = True):
+    if owner and Path(file).owner() != owner:
+        if log:
+            print(f'Fixing owner of {file!s}.')
+        shutil.chown(file, user=owner)
+    if group and Path(file).group() != group:
+        if log:
+            print(f'Fixing group of {file!s}.')
+        shutil.chown(file, group=group)
+
+
+def find_webserver_user():
+    candidates = ('www-data', 'wwwrun', 'httpd', 'apache')
+    for candidate in candidates:
+        try:
+            getpwnam(candidate)
+        except KeyError:
+            pass
+        else:
+            print(f'Detected webserver username {candidate!r}.')
+            return candidate
+
+
+def intelmqsetup_core(ownership=True, state_file=STATE_FILE_PATH):
+    create_directory(FILE_OUTPUT_PATH, 0o40755)
+    create_directory(VAR_RUN_PATH, 0o40755)
+    create_directory(DEFAULT_LOGGING_PATH, 0o40755)
+    create_directory(CONFIG_DIR, 0o40775)
+
+    example_confs = Path(pkg_resources.resource_filename('intelmq', 'etc')).glob('*.conf')
     for example_conf in example_confs:
-        fname = os.path.split(example_conf)[-1]
-        if os.path.exists(os.path.join(CONFIG_DIR, fname)):
-            print('Not overwriting existing %r with example.' % fname)
+        fname = Path(example_conf).name
+        destination_file = Path(CONFIG_DIR) / fname
+        if destination_file.exists():
+            print(f'Not overwriting existing {fname!r} with example.')
+            log_ownership_change = True
         else:
             shutil.copy(example_conf, CONFIG_DIR)
-            print('Use example %r.' % fname)
-
-    print('Writing BOTS file.')
-    shutil.copy(pkg_resources.resource_filename('intelmq', 'bots/BOTS'),
-                BOTS_FILE)
+            print(f'Installing example {fname!r} to {CONFIG_DIR}.')
+            log_ownership_change = False  # For installing the new files, we don't need to inform the admin that the permissions have been "fixed"
+        if ownership:
+            change_owner(destination_file, owner='intelmq', group='intelmq', log=log_ownership_change)
+
+    if Path(BOTS_FILE).is_symlink():
+        print('Skip writing BOTS file as it is a link.')
+    else:
+        print('Writing BOTS file.')
+        shutil.copy(pkg_resources.resource_filename('intelmq', 'bots/BOTS'),
+                    BOTS_FILE)
 
     if ownership:
         print('Setting intelmq as owner for it\'s directories.')
         for obj in (CONFIG_DIR, DEFAULT_LOGGING_PATH, ROOT_DIR, VAR_RUN_PATH,
-                    VAR_STATE_PATH, VAR_STATE_PATH + 'file-output'):
-            if getpwuid(os.stat(obj).st_uid).pw_name != 'intelmq':
-                shutil.chown(obj, user='intelmq')
+                    VAR_STATE_PATH, FILE_OUTPUT_PATH):
+            change_owner(obj, owner='intelmq')
 
-    print('Calling `intelmqctl upgrade-config to update/create state file')
+    print('Calling `intelmqctl upgrade-config` to update/create state file.')
     controller = IntelMQController(interactive=False, no_file_logging=True,
                                    drop_privileges=False)
     controller.upgrade_conf(state_file=state_file, no_backup=True)
 
 
+def intelmqsetup_api(ownership: bool = True, webserver_user: Optional[str] = None):
+    if ownership:
+        change_owner(CONFIG_DIR, group='intelmq')
+
+    # Manager configuration directory
+    create_directory(MANAGER_CONFIG_DIR, 0o40775)
+    if ownership:
+        change_owner(MANAGER_CONFIG_DIR, group='intelmq')
+
+    intelmq_group = getgrnam('intelmq')
+    webserver_user = webserver_user or find_webserver_user()
+    if webserver_user not in intelmq_group.gr_mem:
+        sys.exit(red(f"Webserver user {webserver_user} is not a member of the 'intelmq' group. "
+                     f"Please add it with: 'usermod -aG intelmq {webserver_user}'."))
+
+    print('Setup of intelmq-api successful.')
+
+
 def main():
     parser = argparse.ArgumentParser("Set's up directories and example "
                                      "configurations for IntelMQ.")
@@ -78,9 +165,17 @@ def main():
     parser.add_argument('--state-file',
                         help='The state file location to use.',
                         default=STATE_FILE_PATH)
+    parser.add_argument('--webserver-user',
+                        help='The webserver to use instead of auto-detection.')
     args = parser.parse_args()
-    intelmqsetup(ownership=not args.skip_ownership,
-                 state_file=args.state_file)
+
+    basic_checks(skip_ownership=args.skip_ownership)
+    intelmqsetup_core(ownership=not args.skip_ownership,
+                      state_file=args.state_file)
+    if intelmq_api:
+        print('Running setup for intelmq-api.')
+        intelmqsetup_api(ownership=not args.skip_ownership,
+                         webserver_user=args.webserver_user)
 
 
 if __name__ == '__main__':
diff --git a/intelmq/bots/parsers/cymru/parser_cap_program.py b/intelmq/bots/parsers/cymru/parser_cap_program.py
@@ -6,8 +6,7 @@
 
 MAPPING_STATIC = {'bot': {
     'classification.type': 'infected-system'},
-    'bruteforce': {
-    'classification.type': 'brute-force'},
+    'bruteforce': {'classification.type': 'brute-force'},
     'controller': {
     'classification.type': 'c2-server'},
     'darknet': {'classification.type': 'scanner',
@@ -33,8 +32,6 @@
                   'classification.identifier': 'conficker',
                   'malware.name': 'conficker'},
 }
-MAPPING_COMMENT = {'bruteforce': ('classification.identifier', 'protocol.application'),
-                   'phishing': ('source.url', )}
 PROTOCOL_MAPPING = {  # TODO: use `getent protocols <number>`, maybe in harmonization
     '1': 'icmp',
     '6': 'tcp',
@@ -229,6 +226,24 @@ def parse_line_old(self, line, report):
         yield event
 
     def parse_line_new(self, line, report):
+        """
+        The format is two following:
+        category|address|asn|timestamp|optional_information|asninfo
+        Therefore very similar to CSV, just with the pipe as separator
+        category: the type (resulting in classification.*) and optional_information needs to be parsed differently per category
+        address: source.ip
+        asn: source.asn
+        timestamp: time.source
+        optional_information: needs special care.
+            For some categories it needs parsing, as it contains a mapping of keys to values, whereas the meaning of the keys can differ between the categories
+            For categories in MAPING_COMMENT, this field only contains one value.
+            For the category 'bruteforce' *both* situations apply.
+            Previously, the bruteforce events only had the protocol in the comment,
+            while most other categories had a mapping. Now, the bruteforce categories also uses
+            the type-value syntax. So we need to support both formats, the old and the new.
+            See also https://github.com/certtools/intelmq/issues/1794
+        asninfo: source.as_name
+        """
         category, ip, asn, timestamp, notes, asninfo = line.split('|')
 
         # to detect bogous lines like 'hostname: sub.example.comport: 80'
@@ -252,11 +267,6 @@ def parse_line_new(self, line, report):
         event.add('time.source', timestamp + ' GMT')
         event.add('source.as_name', ', '.join(asninfo_split[:-1]))  # contains CC at the end
         event.add('source.geolocation.cc', asninfo_split[-1])
-        if category in MAPPING_COMMENT:
-            # if the comment is missing, we can't add that information
-            if comment_split:
-                for field in MAPPING_COMMENT[category]:
-                    event.add(field, comment_split[0])
 
         try:
             for key, value in MAPPING_STATIC[category].items():
@@ -266,11 +276,16 @@ def parse_line_new(self, line, report):
         destination_ports = []
 
         for comment in comment_split:
-            if category in MAPPING_COMMENT:
-                break
             if ': ' not in comment:
                 if category == 'proxy':
                     comment = 'proxy_type: %s' % comment
+                elif category == 'bruteforce':  # optional_information can just be 'ssh;'
+                    event.add('classification.identifier', comment)
+                    event.add('protocol.application', comment)
+                    break
+                elif category == 'phishing':
+                    event.add('source.url', comment)
+                    break
                 else:
                     if category == 'bot':
                         try:
diff --git a/intelmq/tests/bots/parsers/cymru/certname_20190327.txt b/intelmq/tests/bots/parsers/cymru/certname_20190327.txt
@@ -33,3 +33,4 @@ scanner|172.16.0.21|64496|2020-07-09 03:40:15|username: pm;|Example AS Name, AT
 darknet|172.16.0.21|64496|2020-10-08 02:21:26|protocol: 47;|Example AS Name, AT
 darknet|172.16.0.21|64496|2020-10-15 09:22:10|protocol: 59;|Example AS Name, AT
 proxy|172.16.0.21|64496|2020-12-14 08:28:01|httpconnect-51915; additional_asns: 212682;|Example AS Name, AT
+bruteforce|172.16.0.21|64496|2021-03-09 00:11:21|destination_port_numbers: 22;port: 16794;protocol: 6;|Example AS Name, AT
diff --git a/intelmq/tests/bots/parsers/cymru/test_cap_program_new.py b/intelmq/tests/bots/parsers/cymru/test_cap_program_new.py
@@ -221,11 +221,17 @@
            'protocol.application': 'httpconnect',
            'source.port': 51915,
            },
+          {'classification.type': 'brute-force',
+           'protocol.transport': 'tcp',
+           'destination.port': 22,
+           'source.port': 16794,
+           'time.source': '2021-03-09T00:11:21+00:00',
+           },
           ]
 
 # The number of events a single line in the raw data produces
 NUM_EVENTS = (1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-              1, 1, 10, 1, 1, 1, 1, 1, 1, 1, 1)
+              1, 1, 10, 1, 1, 1, 1, 1, 1, 1, 1, 1)
 RAWS = []
 for i, line in enumerate(RAW_LINES[3:]):
     for count in range(NUM_EVENTS[i]):
