Policy refinement engine that deals with the translation from High Level Language to Medium Level Language, the tool is developed in Python.
The tool is divided in three parts:
- refinement.py: It deals with the enrichment phase, it takes an input XML file that contains the HSPL policies and generates thanks to CLIPS expert system an Intermediate.txt file which contains all the necessary Security Capability for each rule that have to be defined for that specif HSPL.
- refinement_no_gui.py: The only difference with refinement.py is that this file doesn't not provide any GUI, and the selection of the devices to configure is made by the program.
- converter.py: It deals with the conversion from Intermediate.txt to the RuleInstance XML file. It takes in input the Intermediate.txt file and generates a RuleInstance file (in RuleInstance directory) for each NSF configured in Intermediate.txt.
- orchestrator.py: It deploys the Flask server. It supports various API in order to provide the functionalities needed to execute the policy refinement.
In order to run the proposed tool, it is required Python version 3.9. That's because there are some functions of some libraries available only for this version.
NOTE: As you can see there is a requirements.txt file provided in the project. If you want to install the libraries by hand, keep in mind that it is needed clipspy. In the code there is: import clips but in order to install the library you should perform python3.9 -m pip install clipspy.
Clone the current repository:
git clone git@github.com:torsec/refinement-engine.git
Move into project folder:
cd refinement-engine
Manually install this library:
sudo apt-get install python3.9-tk
Install all the other requirements:
python3.9 -m pip install -r requirements.txt
Examples of how to use the tool.
To start the Flask server orchestrator.py:
python3.9 orchestrator.py.
To upload the HSPL.xml file that contains the High-Level Security Policy:
curl -X POST -F file=@path/to/HSPL.xml http://localhost:5000/upload.
To upload the company_database.py file that contains the company information:
curl -X POST -F file=@path/to/company_database.py http://localhost:5000/upload_database.
To execute the refinement.py (the one with a GUI) and generate Intermediate.txt from the HSPL.xml file:
curl -X GET http://localhost:5000/refinement.
To execute the refinement_no_gui.py and generate Intermediate.txt from the HSPL.xml file:
curl -X GET http://localhost:5000/refinement_no_gui.
To execute the converter.py and generate the RuleInstance files from Intermediate.txt file:
curl -X GET http://localhost:5000/converter.
To download a single RuleInstance file generated by converter.py:
curl -X GET -O http://localhost:5000/download/RuleInstance_name.xml.
The last two steps can be executed in another way, since converter.py return a JSON containing RuleInstance filenames generated it is possible to do:
The same command as before, but it is possible to redirect the output to a file (let's say configured_NSFs.json):
curl -X GET http://localhost:5000/converter > configured_NSFs.json.
It is possible now to use RuleInstance_downloader.sh, in this way it is possible to download all the RuleInstance files generated by converter.py in one time:
./RuleInstance_downloader.sh configured_NSFs.json.