CactuseSecurity / firewall-orchestrator

Network Security data repository for automation, reporting and compliance of firewall rules
https://fwo.cactus.de
Apache License 2.0

New module: recertification for generic (non-firewall) rules #2507

Open tpurschke opened 2 months ago

tpurschke commented 2 months ago
  1. Write an import module that is able to get arbitrary configs in JSON (or CSV) format and can parse them (using reg ex definitions?) into rules.
  2. These rules should be displayed and also if possible pinned to an owner.
  3. The owner group then has a menu to recertify the rules.
  4. This should cover all kinds of security relevant configs that can be separated into "rules": loadbalancer, proxy, ...

See also #2141.

This table contains JSON field names contained in generic.configItem.configLine

Create table generic.deviceTypeKeyConfig
(
    id SERIAL,
    deviceType INTEGER NOT NULL,    -- type of the device this applies to
    orderKey VARCHAR,               -- key name that allows for ordering config items
    lastUsedKey VARCHAR,            -- field containing info when the config item was last used
                                    --   values must be convertible to a date 
    lastUsedKeyFormat VARCHAR,      -- format of the last used value (linux, time stamp, ...)
    ownerKey VARCHAR,               -- field containing info who owns the config item
                                    --  must be mappable to owner via ext_id or name 
    reportableFields VARCHAR[]      -- fields relevant for reporting (in given order)
);

Create table generic.device
(
    id SERIAL,
    deviceName VARCHAR NOT NULL,    -- name of the device a config line applies to
    deviceType INTEGER              -- points to public.stm_dev_typ, we need device types for each generic device
);

Create table generic.import
(
    id BIGSERIAL,
    importTime TIMESTAMP,       -- time of an import
    deviceId INTEGER NOT NULL,  -- id of the device a config applies to
    config JSONB NOT NULL       -- this contains a full config of a device
                                -- must contain an entry of the form:
                                -- { 'configItems': [<configItem>, ... ] }
);

-- from here we dissect the config into config items (i.e. rules)
Create table generic.configItem
(
    id BIGSERIAL,
    importId BIGINT NOT NULL,   -- refers to generic.import and contains time of the import as well as the device id
    configLine JSONB NOT NULL   -- this contains a single "firewall rule", "proxy rule", ...
);

-- TODO:
-- decide on TIMESTAMP WITH TIME ZONE?
-- write importer for generic config - do we need diffs or can we maybe calculate these on demand?
-- add indices
-- decide if we really want to keep redundant full config in generic.import.config
-- need to visualize the data as tables in Blazor as a report and in a recert page
-- fix breaking changes for all other fw platforms but checkpoint
-- where to add gateways to FwConfig for routing and interfaces infos?
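As an added illustration of the generic importer sketched in this issue (not code from the firewall-orchestrator project), the Python below dissects a constructed load-balancer config in the `{ 'configItems': [...] }` shape into configItem rows using a hypothetical deviceTypeKeyConfig row, then selects the rows an owner group would have to recertify. The field names, the "unix"/"iso" values for lastUsedKeyFormat and the 90-day idle policy are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical generic.deviceTypeKeyConfig row for a load-balancer device type
# (constructed; the "unix" tag for lastUsedKeyFormat is an assumption).
KEY_CONFIG = {
    "orderKey": "prio", "lastUsedKey": "hits_last", "lastUsedKeyFormat": "unix",
    "ownerKey": "owner", "reportableFields": ["prio", "name", "vip", "pool", "owner"],
}

# Constructed device config in the shape generic.import.config must have.
SAMPLE_CONFIG = json.dumps({"configItems": [
    {"prio": 20, "name": "vs_web", "vip": "10.0.0.10:443", "pool": "web_pool",
     "owner": "team-web", "hits_last": 1700000000},
    {"prio": 10, "name": "vs_api", "vip": "10.0.0.11:443", "pool": "api_pool",
     "owner": "team-api", "hits_last": 1718000000},
    {"prio": 30, "name": "vs_legacy", "vip": "10.0.0.12:80", "pool": "old_pool"},
]})

def parse_last_used(value, fmt):
    """Convert a lastUsedKey value to an aware UTC datetime per lastUsedKeyFormat."""
    if value is None:
        return None
    if fmt == "unix":
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    if fmt == "iso":
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    raise ValueError(f"unsupported lastUsedKeyFormat {fmt!r}")

def dissect_config(config_text, key_cfg):
    """Split one generic.import.config into configItem rows with the mapped fields."""
    items = json.loads(config_text).get("configItems")
    if not isinstance(items, list):
        raise ValueError("config must contain {'configItems': [...]}")
    rows = [{
        "configLine": line,                              # raw rule, as stored in configLine
        "owner": line.get(key_cfg["ownerKey"]),          # None if not mappable to an owner
        "lastUsed": parse_last_used(line.get(key_cfg["lastUsedKey"]),
                                    key_cfg["lastUsedKeyFormat"]),
        "report": [line.get(f) for f in key_cfg["reportableFields"]],
    } for line in items]
    # orderKey keeps the device's own evaluation order in reports
    rows.sort(key=lambda r: r["configLine"].get(key_cfg["orderKey"], 0))
    return rows

def recert_candidates(rows, now, max_idle_days=90):
    """Rows to review: no mappable owner, never used, or idle longer than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return [r for r in rows
            if r["owner"] is None or r["lastUsed"] is None or r["lastUsed"] < cutoff]
```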