Merge "add security groups and unsafe traffic policies"

This commit is contained in:
Jenkins 2017-07-25 20:06:36 +00:00 committed by Gerrit Code Review
commit b279e3bf2e
2 changed files with 132 additions and 0 deletions


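--- /dev/null
+++ b/<path-not-shown>/SecurityGroups.yaml
@@ -0,0 +1,34 @@
+---
+name: SecurityGroups
+description: "Classification of network security groups"
+rules:
+-
+comment: "User should customize this. Define 'secure' security group by name."
+rule: secure_sg_names('default')
+-
+rule: >
+secure_sg_ids(sg_id) :-
+neutronv2:security_groups(id=sg_id,name=sg_name), secure_sg_names(sg_name)
+-
+comment: "Ports protected by a 'secure' security group."
+rule: >
+protected_ports(port_id) :-
+neutronv2:security_group_port_bindings(port_id=port_id, security_group_id=sg_id),
+secure_sg_ids(sg_id)
+-
+comment: "Ports not protected by a 'secure' security group."
+rule: >
+unprotected_ports(sg_id) :-
+neutronv2:ports(id=port_id), not protected_ports(port_id)
+-
+comment: "Servers with at least one unprotected port."
+rule: >
+unprotected_servers(server_id) :-
+nova:servers(id=server_id), neutronv2:ports(id=port_id, device_id=server_id),
+unprotected_ports(port_id)
+-
+comment: "Servers whose every port is protected by a 'secure' security group."
+rule: >
+protected_servers(server_id) :-
+nova:servers(id=server_id),
+not unprotected_servers(server_id)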
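Review bot: The head of the fourth rule, `unprotected_ports(sg_id) :-`, uses a variable that never appears in its body, so the head variable is unbound (an unsafe rule) and the table is not keyed by port as `unprotected_servers` expects when it joins on `unprotected_ports(port_id)`. The body already binds `port_id` via `neutronv2:ports(id=port_id)`; the head should be `unprotected_ports(port_id) :-`. Depending on how the policy engine treats unbound head variables, the rule is presumably either rejected or yields nothing useful, in which case servers with an unprotected port would not be classified as unprotected and `protected_servers` would over-report.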


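--- /dev/null
+++ b/<path-not-shown>/UnsafeTraffic.yaml
@@ -0,0 +1,98 @@
+---
+name: UnsafeTraffic
+description: >
+Specify blacklisted traffic types.
+Identify security groups that allow blacklisted traffic types.
+Warn on security groups labeled as secure but allow blacklisted traffic types.
+rules:
+-
+comment: "User should customize this. unsafe_traffic(direction, protocol, port)."
+rule: unsafe_traffic('ingress', 'tcp', 22)
+-
+comment: |
+Groups that allow unsafe traffic. Case: all specified. Written as 8 rules due to present
+rule language restrictions. The desired meaning is summarized in this single pseudo-rule:
+groups_allow_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol=rule_protocol, port_range_min=port_min, port_range_max=port_max),
+unsafe_traffic(direction, unsafe_protocol, unsafe_port),
+(port_min <= unsafe_port OR port_min = 'None'),
+(unsafe_port <= port_max OR port_max = 'None'),
+(rule_protocol = unsafe_protocol OR rule_protocol = 'None')
+rule: >
+groups_allows_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol=protocol, port_range_min=port_min, port_range_max=port_max),
+unsafe_traffic(direction, protocol, unsafe_port),
+builtin:lteq(port_min, unsafe_port),
+builtin:lteq(unsafe_port, port_max)
+-
+comment: "Groups that allow unsafe traffic. Case: any protocol"
+rule: >
+groups_allows_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol='None', port_range_min=port_min, port_range_max=port_max),
+unsafe_traffic(direction, _, unsafe_port),
+builtin:lteq(port_min, unsafe_port),
+builtin:lteq(unsafe_port, port_max)
+-
+comment: "Groups that allow unsafe traffic. Case: no port_min"
+rule: >
+groups_allows_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol=protocol, port_range_min='None', port_range_max=port_max),
+unsafe_traffic(direction, _, unsafe_port),
+builtin:lteq(unsafe_port, port_max)
+-
+comment: "Groups that allow unsafe traffic. Case: no port_max"
+rule: >
+groups_allows_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol=protocol, port_range_min=port_min, port_range_max='None'),
+unsafe_traffic(direction, protocol, unsafe_port),
+builtin:lteq(port_min, unsafe_port)
+-
+comment: "Groups that allow unsafe traffic. Case: no port_min and no port_max"
+rule: >
+groups_allows_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol=protocol, port_range_min='None', port_range_max='None'),
+unsafe_traffic(direction, protocol, unsafe_port)
+-
+comment: "Groups that allow unsafe traffic. Case: no port_min and any protocol"
+rule: >
+groups_allows_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol='None', port_range_min=port_min, port_range_max=port_max),
+unsafe_traffic(direction, _, unsafe_port),
+builtin:lteq(port_min, unsafe_port),
+builtin:lteq(unsafe_port, port_max)
+-
+comment: "Groups that allow unsafe traffic. Case: no port_max and any protocol"
+rule: >
+groups_allows_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol='None', port_range_min=port_min, port_range_max='None'),
+unsafe_traffic(direction, _, unsafe_port),
+builtin:lteq(port_min, unsafe_port)
+-
+comment: "Groups that allow unsafe traffic. Case: no port_min, no port_max and any protocol"
+rule: >
+groups_allows_unsafe_traffic(sg_id, rule_id) :-
+neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
+protocol='None', port_range_min='None', port_range_max='None'),
+unsafe_traffic(direction, _, _)
+-
+comment: "Groups labeled secure but allow unsafe traffic."
+rule: >
+secure_group_unsafe_traffic(sg_id, rule_id) :-
+groups_allows_unsafe_traffic(sg_id, rule_id), SecurityGroups:secure_sg_ids(sg_id)
+-
+comment: "Warn on groups that allow unsafe traffic."
+rule: >
+warning(sg_id, rule_id) :- groups_allows_unsafe_traffic(sg_id, rule_id)
+-
+comment: "Error on groups labeled secure but nonetheless allow unsafe traffic.."
+rule: >
+error(sg_id, rule_id) :- secure_group_unsafe_traffic(sg_id, rule_id)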
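Review bot: The rule commented "Case: no port_min and any protocol" repeats the "any protocol" rule above it: its body still binds `port_range_min=port_min` and tests `builtin:lteq(port_min, unsafe_port)`, so it never matches a group rule whose port_range_min is None. It should read `protocol='None', port_range_min='None', port_range_max=port_max),` followed by `unsafe_traffic(direction, _, unsafe_port),` and `builtin:lteq(unsafe_port, port_max)`. That case appears to be covered only by accident: the "no port_min" rule binds the group rule's protocol to `protocol` but then matches `unsafe_traffic(direction, _, unsafe_port)` without joining on it, which also flags a rule for one protocol against an unsafe_traffic entry for a different protocol; it should use `unsafe_traffic(direction, protocol, unsafe_port),` like the other protocol-specific cases. The final comment also ends with a doubled period, `unsafe traffic..`.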