def initialize():
    """Initialize security policy tracking.

    Builds the built-in arkOS policies (Genesis/APIs, uPnP, SSH), one policy
    per ACME validation site found under ``/etc/nginx/sites-enabled`` and
    every policy stored under the ``custom`` type, and records the tracked
    ones in ``storage.policies`` keyed by policy id.
    """
    logger.debug("TrSv", "Initializing security policy tracking")

    def _track(pol):
        # Policies are indexed by id; a later entry with the same id replaces
        # an earlier one without warning.
        storage.policies[pol.id] = pol

    # arkOS: the Genesis port comes from config; falls back to policy 2
    # (allow all) when no policy has been stored yet.
    genesis_ports = [("tcp", int(config.get("genesis", "port")))]
    arkos_policy = policies.get("arkos", "arkos", 2)
    _track(SecurityPolicy("arkos", "arkos",
                          "System Management (Genesis/APIs)", "server",
                          genesis_ports, arkos_policy))

    # uPnP: only tracked when enabled in config; stored default is 1
    # (local networks only).
    upnp_policy = policies.get("arkos", "upnp", 1)
    upnp = SecurityPolicy("arkos", "upnp", "uPnP Firewall Comms", "server",
                          [("udp", 1900)], upnp_policy)
    if config.get("general", "enable_upnp"):
        _track(upnp)

    # SSHd: stored default is 1 (local networks only).
    # NOTE(review): this policy object is built but never added to
    # storage.policies, so SSH (tcp/22) is not tracked here -- confirm
    # whether that is intended before relying on it.
    sshd_policy = policies.get("arkos", "sshd", 1)
    SecurityPolicy("arkos", "sshd", "SSH", "server", [("tcp", 22)],
                   sshd_policy)

    # ACME dummies: one always-open (policy 2) tcp/80 policy per acme-* site,
    # named after the part of the filename following the prefix.
    acme_prefix = "/etc/nginx/sites-enabled/acme-"
    for site in glob.glob(acme_prefix + "*"):
        acme_name = site[len(acme_prefix):]
        _track(SecurityPolicy("acme", acme_name,
                              "{0} (ACME Validation)".format(acme_name),
                              "globe", [("tcp", 80)], 2))

    # Custom policies, exactly as stored in config.
    for entry in policies.get_all("custom"):
        _track(SecurityPolicy("custom", entry["id"], entry["name"],
                              entry["icon"], entry["ports"], entry["policy"]))
def initialize():
    """Register the arkOS management policy and every stored custom policy.

    Each policy is appended to the ``"policies"`` collection of
    ``storage.policies``.
    """
    def _add(pol):
        storage.policies.add("policies", pol)

    # arkOS: Genesis/API management port from config; falls back to policy 2
    # when nothing is stored for it yet.
    genesis_port = int(config.get("genesis", "port"))
    arkos_policy = policies.get("arkos", "arkos", 2)
    _add(SecurityPolicy("arkos", "arkos", "System Management (Genesis/APIs)",
                        "fa fa-desktop", [("tcp", genesis_port)],
                        arkos_policy))

    # Custom policies, exactly as stored in config.
    for entry in policies.get_all("custom"):
        _add(SecurityPolicy("custom", entry["id"], entry["name"],
                            entry["icon"], entry["ports"], entry["policy"]))
def register(type, id, name, icon, ports, addr=None, policy=0, default_policy=2, fw=True):
    """Register a security policy, replacing any existing one of the same type and id.

    A falsy ``policy`` is resolved via ``policies.get(type, id, default_policy)``.
    Existing entries of this ``type`` whose ``id`` matches are removed from the
    ``"policies"`` collection before the new policy is saved; ``fw`` is handed
    straight to ``save``.
    """
    # NOTE(review): 0 doubles as the "not given" sentinel, so an explicit
    # policy=0 (the most restrictive value) cannot be requested through this
    # parameter -- it falls back to the stored/default value instead.
    effective_policy = policy or policies.get(type, id, default_policy)

    # Drop any stale policy of this type that shares the id.
    for existing in get(type=type) or []:
        if existing.id == id:
            storage.policies.remove("policies", existing)

    SecurityPolicy(type, id, name, icon, ports, effective_policy, addr).save(fw)
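def refresh_policies():
    """Recreate the stored policy config from the currently registered services.

    For every policy type in config, keeps only the stored policies whose id
    matches a registered service of that type (custom policies are carried
    over wholesale), then replaces ``policies.config`` and saves it.
    """
    svcs = get()
    newpolicies = {}
    for x in policies.get_all():
        if x == "custom":
            newpolicies["custom"] = policies.get_all("custom")
        for y in svcs:
            if x == y.type:
                # Idiomatic membership test (was ``not x in``); same semantics.
                if x not in newpolicies:
                    newpolicies[x] = {}
                for s in policies.get_all(x):
                    if s == y.id:
                        newpolicies[x][s] = policies.get(x, s)
    policies.config = newpolicies
    policies.save()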
def refresh_policies():
    """Recreate security policies based on what is stored in config.

    Walks every policy type known to config; for each registered service of
    that type, the stored policies whose id matches the service are copied
    into a fresh mapping. Custom policies are carried over as a whole. The
    result replaces ``policies.config`` and is saved.
    """
    services = get()
    rebuilt = {}
    for ptype in policies.get_all():
        if ptype == "custom":
            rebuilt["custom"] = policies.get_all("custom")
        for svc in services:
            if svc.type != ptype:
                continue
            # A type gets a bucket only once some service of that type exists.
            bucket = rebuilt.setdefault(ptype, {})
            for pid in policies.get_all(ptype):
                if pid == svc.id:
                    bucket[pid] = policies.get(ptype, pid)
    policies.config = rebuilt
    policies.save()
def register(type,
             id,
             name,
             icon,
             ports,
             domain=None,
             policy=0,
             default_policy=2,
             fw=True):
    """
    Register a new security policy with the system.

    ``ports`` is a list of ``(protocol, port)`` tuples, for example::

        ports = [('tcp', 8000), ('udp', 21500)]

    ``policy`` is an integer with the following meaning:

    0 = Restrict access from all outside hosts. (excludes loopback)
    1 = Restrict access to local networks only.
    2 = Allow access to all networks and ultimately the whole Internet.

    Websites should pass a ``domain``: several websites can share one port
    (SNI) as long as their addresses differ.

    :param str type: Policy type ('website', 'app', etc)
    :param str id: Website or app ID
    :param str name: Display name to use in Security settings pane
    :param str icon: FontAwesome icon class name
    :param list ports: List of port tuples to allow/restrict
    :param str domain: Address (for websites)
    :param int policy: Policy identifier; a falsy value means "use the stored
        policy, or ``default_policy`` if none is stored"
    :param int default_policy: Application default policy to use on first init
    :param bool fw: Regenerate the firewall after save?
    """
    # NOTE(review): because 0 is also the "not given" sentinel, the most
    # restrictive policy (0) cannot be requested explicitly here; it resolves
    # to the stored value or ``default_policy`` (2 = allow all) instead.
    effective_policy = policy or policies.get(type, id, default_policy)
    SecurityPolicy(type, id, name, icon, ports, effective_policy, domain).save(fw)