This repository has been archived by the owner on Aug 12, 2019. It is now read-only.

Added the ability to create new policies via Manager.policies.create()
marknca committed Aug 17, 2016
1 parent 8a89c71 commit 1fe1819
Showing 1 changed file with 144 additions and 2 deletions.
146 changes: 144 additions & 2 deletions deepsecurity/policies.py
Expand Up @@ -23,7 +23,7 @@ def get(self):
if response and response['status'] == 200:
if not type(response['data']) == type([]): response['data'] = [response['data']]
for policy in response['data']:
policy_obj = Policy(self.manager, policy, self.log)
policy_obj = Policy(manager=self.manager, api_response=policy, log_func=self.log)
if policy_obj:
try:
self[policy_obj.id] = policy_obj
Expand All @@ -33,6 +33,115 @@ def get(self):

return len(self)

def create(self, name, parent_profile_id=None,
enable_anti_malware=True,
enable_firewall=False,
enable_intrusion_prevention=True,
enable_integrity_monitoring=True,
enable_log_inspection=True,
description=None
):
"""
Create a new policy
name
- the name of the new policy
parent_profile_id
- the ID of the parent policy
enable_anti_malware
- if True, enable the anti-malware module
- if 'parent_profile_id' is set, the new policy will
inherit this value from the parent
enable_firewall
- if True, enable the firewall module
- if 'parent_profile_id' is set, the new policy will
inherit this value from the parent
enable_intrusion_prevention
- if True, enable the intrusion prevention module
- if 'parent_profile_id' is set, the new policy will
inherit this value from the parent
enable_integrity_monitoring
- if True, enable the integrity monitoring module
- if 'parent_profile_id' is set, the new policy will
inherit this value from the parent
enable_log_inspection
- if True, enable the log inspection module
- if 'parent_profile_id' is set, the new policy will
inherit this value from the parent
description
- the description of the new policy
Returns the ID of the new policy is successful. False if not successful in
creating the new policy
"""
result = None

# set the state for each supported module
anti_malware_state = 'ON' if enable_anti_malware else 'OFF'
firewall_state = 'ON' if enable_firewall else 'OFF'
intrusion_prevention_state = 'ON' if enable_intrusion_prevention else 'OFF'
integrity_monitoring_state = 'ON' if enable_integrity_monitoring else 'OFF'
log_inspection_state = 'ON' if enable_log_inspection else 'OFF'

# inherit all states if a parent policy is specified
if parent_profile_id:
anti_malware_state = 'INHERITED'
firewall_state = 'INHERITED'
intrusion_prevention_state = 'INHERITED'
integrity_monitoring_state = 'INHERITED'
log_inspection_state = 'INHERITED'

call = self.manager._get_request_format(call='securityProfileSave')
call['data'] = { 'sp': {
'DPIRuleIDs': None,
'DPIState': intrusion_prevention_state,
'ID': None,
'antiMalwareManualID': None,
'antiMalwareManualInherit': u'true',
'antiMalwareRealTimeID': None,
'antiMalwareRealTimeInherit': u'true',
'antiMalwareRealTimeScheduleID': None,
'antiMalwareScheduledID': None,
'antiMalwareScheduledInherit': u'true',
'antiMalwareState': anti_malware_state,
'applicationTypeIDs': None,
'description': description,
'firewallRuleIDs': None,
'firewallState': firewall_state,
'integrityRuleIDs': None,
'integrityState': integrity_monitoring_state,
'logInspectionRuleIDs': None,
'logInspectionState': log_inspection_state,
'name': name,
'parentSecurityProfileID': parent_profile_id if parent_profile_id else None,
'recommendationState': None,
'scheduleID': None,
'statefulConfigurationID': None
}
}

response = self.manager._request(call)
if response and response['status'] == 200:
try:
new_policy = Policy(api_response=response['data'], manager=self.manager, log_func=self.log)
if new_policy:
self[new_policy.id] = new_policy
result = new_policy.id
self.log("Added new policy #{}".format(new_policy.id))
except Exception, err:
self.log("Could not create new policy from API response", err=err)
else:
result = False

return result

class Rules(core.CoreDict):
def __init__(self, manager=None):
core.CoreDict.__init__(self)
Expand Down Expand Up @@ -143,6 +252,39 @@ def save(self):

return result

def get_application_control_settings(self):
"""
Get the details for the application control settings for this policy
"""
return self.manager.application_control.get_policy_settings(self.id)

def set_application_control_settings(self, policy_id, lockdown=None, ruleset_id=None, state=None, whitelist_mode=None):
"""
Set the details for the application control settings for this policy
lockdown:
- if set to None, no changes are made
- if set to True, lockdown mode is enabled and anything that's not on the whitelist will be blocked
- if set to False, lockdown mode is disabled and only things on the blacklist will be blocked
ruleset_id:
- if set to None, no changes are made
- the ID of the ruleset to use for this application control policy
state:
- if set to None, no changes are made
- if set to "on", application control is turned on for this policy
- if set to "off", application control is turned off for this policy
- if set to "inherit", the application control state inherited from this policy's parent (if one exists)
whitelist_mode:
- if set to None, no changes are made
- if set to "local-inventory", application control is turned on for this policy
- if set to "shared", application control is turned off for this policy
- if set to "inherit", the application control state inherited from this policy's parent (if one exists)
"""
return self.manager.application_control.set_policy_settings(self.id, lockdown=lockdown, ruleset_id=ruleset_id, state=state, whitelist_mode=whitelist_mode)

class Rule(core.CoreObject):
def __init__(self, manager=None, api_response=None, log_func=None, rule_type=None):
self.manager = manager
Expand All @@ -164,4 +306,4 @@ def _split_items(self):
if getattr(self, 'items') and "\n" in self.items:
self.addresses = self.items.split('\n')
else:
self.addresses.append(self.items.strip())
self.addresses.append(self.items.strip())
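Review bot: `set_application_control_settings` accepts a `policy_id` argument but never uses it; its final call always passes `self.id`, so a caller who supplies a different ID changes lockdown, ruleset or whitelist mode on this policy rather than the one named. Either drop the parameter, `def set_application_control_settings(self, lockdown=None, ruleset_id=None, state=None, whitelist_mode=None):`, to match `get_application_control_settings`, or reject a mismatch with `self.id` before the request is sent. The `whitelist_mode` entries in that docstring repeat the `state` wording ("application control is turned on/off"), so the meaning of "local-inventory" and "shared" is left undocumented. In the `create()` hunk, `result` stays `None` when the API returns 200 but building the `Policy` object raises, which the docstring's "False if not successful" does not cover and which leaves the caller unable to tell that the policy may already exist on the manager. The classes enclosing both methods start outside the hunks.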
