diff --git a/deepsecurity/policies.py b/deepsecurity/policies.py index 1f1bbcf..0632fa8 100644 --- a/deepsecurity/policies.py +++ b/deepsecurity/policies.py @@ -23,7 +23,7 @@ def get(self): if response and response['status'] == 200: if not type(response['data']) == type([]): response['data'] = [response['data']] for policy in response['data']: - policy_obj = Policy(self.manager, policy, self.log) + policy_obj = Policy(manager=self.manager, api_response=policy, log_func=self.log) if policy_obj: try: self[policy_obj.id] = policy_obj @@ -33,6 +33,115 @@ def get(self): return len(self) + def create(self, name, parent_profile_id=None, + enable_anti_malware=True, + enable_firewall=False, + enable_intrusion_prevention=True, + enable_integrity_monitoring=True, + enable_log_inspection=True, + description=None + ): + """ + Create a new policy + + name + - the name of the new policy + + parent_profile_id + - the ID of the parent policy + + enable_anti_malware + - if True, enable the anti-malware module + - if 'parent_profile_id' is set, the new policy will + inherit this value from the parent + + enable_firewall + - if True, enable the firewall module + - if 'parent_profile_id' is set, the new policy will + inherit this value from the parent + + enable_intrusion_prevention + - if True, enable the intrusion prevention module + - if 'parent_profile_id' is set, the new policy will + inherit this value from the parent + + enable_integrity_monitoring + - if True, enable the integrity monitoring module + - if 'parent_profile_id' is set, the new policy will + inherit this value from the parent + + enable_log_inspection + - if True, enable the log inspection module + - if 'parent_profile_id' is set, the new policy will + inherit this value from the parent + + description + - the description of the new policy + + Returns the ID of the new policy is successful. False if not successful in + creating the new policy + """ + result = None + + # set the state for each supported module + anti_malware_state = 'ON' if enable_anti_malware else 'OFF' + firewall_state = 'ON' if enable_firewall else 'OFF' + intrusion_prevention_state = 'ON' if enable_intrusion_prevention else 'OFF' + integrity_monitoring_state = 'ON' if enable_integrity_monitoring else 'OFF' + log_inspection_state = 'ON' if enable_log_inspection else 'OFF' + + # inherit all states if a parent policy is specified + if parent_profile_id: + anti_malware_state = 'INHERITED' + firewall_state = 'INHERITED' + intrusion_prevention_state = 'INHERITED' + integrity_monitoring_state = 'INHERITED' + log_inspection_state = 'INHERITED' + + call = self.manager._get_request_format(call='securityProfileSave') + call['data'] = { 'sp': { + 'DPIRuleIDs': None, + 'DPIState': intrusion_prevention_state, + 'ID': None, + 'antiMalwareManualID': None, + 'antiMalwareManualInherit': u'true', + 'antiMalwareRealTimeID': None, + 'antiMalwareRealTimeInherit': u'true', + 'antiMalwareRealTimeScheduleID': None, + 'antiMalwareScheduledID': None, + 'antiMalwareScheduledInherit': u'true', + 'antiMalwareState': anti_malware_state, + 'applicationTypeIDs': None, + 'description': description, + 'firewallRuleIDs': None, + 'firewallState': firewall_state, + 'integrityRuleIDs': None, + 'integrityState': integrity_monitoring_state, + 'logInspectionRuleIDs': None, + 'logInspectionState': log_inspection_state, + 'name': name, + 'parentSecurityProfileID': parent_profile_id if parent_profile_id else None, + 'recommendationState': None, + 'scheduleID': None, + 'statefulConfigurationID': None + } + } + + response = self.manager._request(call) + if response and response['status'] == 200: + try: + new_policy = Policy(api_response=response['data'], manager=self.manager, log_func=self.log) + if new_policy: + self[new_policy.id] = new_policy + result = new_policy.id + self.log("Added new policy #{}".format(new_policy.id)) + except Exception, err: + self.log("Could not create new policy from API response", err=err) + else: + result = False + + return result + class Rules(core.CoreDict): def __init__(self, manager=None): core.CoreDict.__init__(self) @@ -143,6 +252,39 @@ def save(self): return result + def get_application_control_settings(self): + """ + Get the details for the application control settings for this policy + """ + return self.manager.application_control.get_policy_settings(self.id) + + def set_application_control_settings(self, policy_id, lockdown=None, ruleset_id=None, state=None, whitelist_mode=None): + """ + Set the details for the application control settings for this policy + + lockdown: + - if set to None, no changes are made + - if set to True, lockdown mode is enabled and anything that's not on the whitelist will be blocked + - if set to False, lockdown mode is disabled and only things on the blacklist will be blocked + + ruleset_id: + - if set to None, no changes are made + - the ID of the ruleset to use for this application control policy + + state: + - if set to None, no changes are made + - if set to "on", application control is turned on for this policy + - if set to "off", application control is turned off for this policy + - if set to "inherit", the application control state inherited from this policy's parent (if one exists) + + whitelist_mode: + - if set to None, no changes are made + - if set to "local-inventory", application control is turned on for this policy + - if set to "shared", application control is turned off for this policy + - if set to "inherit", the application control state inherited from this policy's parent (if one exists) + """ + return self.manager.application_control.set_policy_settings(self.id, lockdown=lockdown, ruleset_id=ruleset_id, state=state, whitelist_mode=whitelist_mode) + class Rule(core.CoreObject): def __init__(self, manager=None, api_response=None, log_func=None, rule_type=None): self.manager = manager @@ -164,4 +306,4 @@ def _split_items(self): if getattr(self, 'items') and "\n" in self.items: self.addresses = self.items.split('\n') else: - self.addresses.append(self.items.strip()) \ No newline at end of file + self.addresses.append(self.items.strip()) \ No newline at end of file