
New module: recertification for generic (non-firewall) rules #2507

Open
tpurschke opened this issue Aug 2, 2024 · 0 comments
Labels
enhancement New feature or request size L large issue

Comments

tpurschke (Contributor) commented Aug 2, 2024

  1. Write an import module that is able to get arbitrary configs in JSON (or CSV) format and can parse them (using regex definitions?) into rules.
  2. These rules should be displayed and also, if possible, pinned to an owner.
  3. The owner group then has a menu to recertify the rules.
  4. This should cover all kinds of security-relevant configs that can be separated into "rules": loadbalancer, proxy, ...

See also #2141.

This table contains JSON field names contained in generic.configItem.configLine

CREATE SCHEMA IF NOT EXISTS generic;

CREATE TABLE generic.deviceTypeKeyConfig
(
	id SERIAL PRIMARY KEY,
	deviceType INTEGER NOT NULL,	-- type of the device this applies to (points to public.stm_dev_typ)
	orderKey VARCHAR,				-- key name that allows for ordering config items
	lastUsedKey VARCHAR,			-- field containing info when the config item was last used
									--   values must be convertible to a date
	lastUsedKeyFormat VARCHAR,		-- format of the last used value (linux, time stamp, ...)
	ownerKey VARCHAR,				-- field containing info who owns the config item
									--   must be mappable to owner via ext_id or name
	reportableFields VARCHAR[]		-- fields relevant for reporting (in given order)
);

CREATE TABLE generic.device
(
	id SERIAL PRIMARY KEY,
	deviceName VARCHAR NOT NULL,	-- name of the device a config line applies to
	deviceType INTEGER				-- points to public.stm_dev_typ, we need device types for each generic device
);

CREATE TABLE generic.import
(
	id BIGSERIAL PRIMARY KEY,
	importTime TIMESTAMP,			-- time of an import
	deviceId INTEGER NOT NULL
		REFERENCES generic.device(id),	-- id of the device a config applies to
	config JSONB NOT NULL			-- this contains a full config of a device
									-- must contain an entry of the form:
									-- { 'configItems': [<configItem>, ... ] }
);

-- from here we dissect the config into config items (i.e. rules)
CREATE TABLE generic.configItem
(
	id BIGSERIAL PRIMARY KEY,
	importId BIGINT NOT NULL
		REFERENCES generic.import(id),	-- refers to generic.import and thereby carries the import time and the device id
	configLine JSONB NOT NULL			-- this contains a single "firewall rule", "proxy rule", ...
);

-- TODO: decide on TIMESTAMP WITH TIMEZONE?
-- write importer for generic config - do we need diffs or can we maybe calculate these on demand?
-- add indices
-- decide if we really want to keep redundant full config in generic.import.config
-- need to visualize the data as tables in Blazor as a report and in a recert page

-- fix breaking changes for all other fw platforms but checkpoint
-- where to add gateways to FwConfig for routing and interface info?
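A sketch of the importer and recertification logic implied by the schema above, added here as an example that is not part of the issue or the project's code: it assumes the field names of generic.deviceTypeKeyConfig (snake_cased), two hypothetical lastUsedKeyFormat identifiers ("epoch", "iso8601"), and a constructed proxy access list as the imported config.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class DeviceTypeKeyConfig:          # mirrors generic.deviceTypeKeyConfig (names assumed)
    order_key: str
    last_used_key: str
    last_used_key_format: str       # "epoch" or "iso8601" (hypothetical format ids)
    owner_key: str
    reportable_fields: list

def parse_last_used(value, fmt):
    """Convert the raw last-used value to an aware UTC datetime per lastUsedKeyFormat."""
    if fmt == "epoch":
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    if fmt == "iso8601":
        dt = datetime.fromisoformat(value)
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    raise ValueError(f"unknown lastUsedKeyFormat {fmt!r}")

def dissect_config(config_json, key_cfg, owners):
    """Split a generic.import.config blob into config items (one per generic.configItem row), ordered by orderKey."""
    items = sorted(json.loads(config_json)["configItems"],   # required shape per the issue
                   key=lambda line: line[key_cfg.order_key])
    out = []
    for line in items:
        raw = line.get(key_cfg.last_used_key)
        out.append({
            "configLine": line,
            "lastUsed": parse_last_used(raw, key_cfg.last_used_key_format) if raw is not None else None,
            "owner": owners.get(line.get(key_cfg.owner_key)),   # None: cannot be pinned to an owner
            "report": {f: line.get(f) for f in key_cfg.reportable_fields},
        })
    return out

def recert_due(items, now, max_age_days):
    """Items never used, or not used within max_age_days, need recertification."""
    cutoff = now - timedelta(days=max_age_days)
    return [i for i in items if i["lastUsed"] is None or i["lastUsed"] < cutoff]

# constructed sample: a proxy access list exported as JSON; owners keyed by name or ext_id
SAMPLE_CONFIG = json.dumps({"configItems": [
    {"seq": 2, "src": "10.1.0.0/16", "dst": "intranet.example", "action": "allow",
     "last_hit": "2024-07-30T09:00:00+00:00", "team": "web-ops"},
    {"seq": 1, "src": "any", "dst": "legacy.example", "action": "allow",
     "last_hit": "2023-01-15T00:00:00+00:00", "team": "OWN-0042"},
    {"seq": 3, "src": "any", "dst": "any", "action": "deny"},
]})
PROXY_KEYS = DeviceTypeKeyConfig("seq", "last_hit", "iso8601", "team", ["seq", "src", "dst", "action"])
OWNERS = {"web-ops": "Web Operations", "OWN-0042": "Legacy Apps"}
```

Items with no owner or no usable last-used value surface in the due list, which is exactly the set a recert page has to present before anyone can sign them off.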

@tpurschke tpurschke added the enhancement New feature or request label Aug 2, 2024
@tpurschke tpurschke added this to the feature backlog milestone Aug 2, 2024
@tpurschke tpurschke changed the title New importer for generic (non-firewall) rules for recertification New module: recertification for generic (non-firewall) rules Aug 2, 2024
@tpurschke tpurschke added the size L large issue label Aug 2, 2024