remove infra.md.example, infra.md is the source of truth

2026-03-03 03:06:13 +08:00
parent 1ad3033cc1
commit a3c6d09350
86 changed files with 17093 additions and 39 deletions
--- a/ayn-antivirus/ayn_antivirus/constants.py
+++ b/ayn-antivirus/ayn_antivirus/constants.py
@@ -0,0 +1,161 @@
+"""Constants for AYN Antivirus."""
+
+import os
+
+# --- Default Paths ---
+DEFAULT_CONFIG_PATHS = [
+    "/etc/ayn-antivirus/config.yaml",
+    os.path.expanduser("~/.ayn-antivirus/config.yaml"),
+]
+DEFAULT_SCAN_PATH = "/"
+DEFAULT_QUARANTINE_PATH = "/var/lib/ayn-antivirus/quarantine"
+DEFAULT_DB_PATH = "/var/lib/ayn-antivirus/signatures.db"
+DEFAULT_LOG_PATH = "/var/log/ayn-antivirus/"
+DEFAULT_YARA_RULES_DIR = os.path.join(os.path.dirname(__file__), "signatures", "yara_rules")
+QUARANTINE_ENCRYPTION_KEY_FILE = "/var/lib/ayn-antivirus/.quarantine.key"
+
+# --- Database ---
+DB_SCHEMA_VERSION = 1
+
+# --- Scan Limits ---
+SCAN_CHUNK_SIZE = 65536  # 64 KB
+MAX_FILE_SIZE = 100 * 1024 * 1024  # 100 MB
+HIGH_CPU_THRESHOLD = 80  # percent
+
+# --- Suspicious File Extensions ---
+SUSPICIOUS_EXTENSIONS = [
+    ".php",
+    ".sh",
+    ".py",
+    ".pl",
+    ".rb",
+    ".js",
+    ".exe",
+    ".elf",
+    ".bin",
+    ".so",
+    ".dll",
+]
+
+# --- Crypto Miner Process Names ---
+CRYPTO_MINER_PROCESS_NAMES = [
+    "xmrig",
+    "minerd",
+    "cpuminer",
+    "ethminer",
+    "claymore",
+    "phoenixminer",
+    "nbminer",
+    "t-rex",
+    "gminer",
+    "lolminer",
+    "bfgminer",
+    "cgminer",
+    "ccminer",
+    "nicehash",
+    "excavator",
+    "nanominer",
+    "teamredminer",
+    "wildrig",
+    "srbminer",
+    "xmr-stak",
+    "randomx",
+    "cryptonight",
+]
+
+# --- Crypto Pool Domains ---
+CRYPTO_POOL_DOMAINS = [
+    "pool.minergate.com",
+    "xmrpool.eu",
+    "nanopool.org",
+    "mining.pool.observer",
+    "supportxmr.com",
+    "pool.hashvault.pro",
+    "moneroocean.stream",
+    "minexmr.com",
+    "herominers.com",
+    "2miners.com",
+    "f2pool.com",
+    "ethermine.org",
+    "unmineable.com",
+    "nicehash.com",
+    "prohashing.com",
+    "zpool.ca",
+    "miningpoolhub.com",
+]
+
+# --- Suspicious Mining Ports ---
+SUSPICIOUS_PORTS = [
+    3333,
+    4444,
+    5555,
+    7777,
+    8888,
+    9999,
+    14433,
+    14444,
+    45560,
+    45700,
+]
+
+# --- Known Rootkit Files ---
+KNOWN_ROOTKIT_FILES = [
+    "/usr/lib/libproc.so",
+    "/usr/lib/libext-2.so",
+    "/usr/lib/libns2.so",
+    "/usr/lib/libpam.so.1",
+    "/dev/shm/.x",
+    "/dev/shm/.r",
+    "/tmp/.ICE-unix/.x",
+    "/tmp/.X11-unix/.x",
+    "/usr/bin/sourcemask",
+    "/usr/bin/sshd2",
+    "/usr/sbin/xntpd",
+    "/etc/cron.d/.hidden",
+    "/var/tmp/.bash_history",
+]
+
+# --- Suspicious Cron Patterns ---
+SUSPICIOUS_CRON_PATTERNS = [
+    r"curl\s+.*\|\s*sh",
+    r"wget\s+.*\|\s*sh",
+    r"curl\s+.*\|\s*bash",
+    r"wget\s+.*\|\s*bash",
+    r"/dev/tcp/",
+    r"base64\s+--decode",
+    r"xmrig",
+    r"minerd",
+    r"cryptonight",
+    r"\bcurl\b.*-o\s*/tmp/",
+    r"\bwget\b.*-O\s*/tmp/",
+    r"nohup\s+.*&",
+    r"/dev/null\s+2>&1",
+]
+
+# --- Malicious Environment Variables ---
+MALICIOUS_ENV_VARS = [
+    "LD_PRELOAD",
+    "LD_LIBRARY_PATH",
+    "LD_AUDIT",
+    "LD_DEBUG",
+    "HISTFILE=/dev/null",
+    "PROMPT_COMMAND",
+    "BASH_ENV",
+    "ENV",
+    "CDPATH",
+]
+
+# ── Dashboard ──────────────────────────────────────────────────────────
+DEFAULT_DASHBOARD_HOST = "0.0.0.0"
+DEFAULT_DASHBOARD_PORT = 7777
+DEFAULT_DASHBOARD_DB_PATH = "/var/lib/ayn-antivirus/dashboard.db"
+DASHBOARD_COLLECTOR_INTERVAL = 10       # seconds between metric samples
+DASHBOARD_REFRESH_INTERVAL = 30         # JS auto-refresh seconds
+DASHBOARD_MAX_THREATS_DISPLAY = 50
+DASHBOARD_MAX_LOG_LINES = 20
+DASHBOARD_SCAN_HISTORY_DAYS = 30
+DASHBOARD_METRIC_RETENTION_HOURS = 168  # 7 days
+
+# Dashboard authentication
+DEFAULT_DASHBOARD_USERNAME = "admin"
+DEFAULT_DASHBOARD_PASSWORD = "ayn@2024"