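--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-file1
@@ -0,0 +1,22 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "y2security/clients/security_policy_proposal"
+
+Y2Security::Clients::SecurityPolicyProposal.new.run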
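--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-file2
@@ -0,0 +1,117 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+#
+require "installation/proposal_client"
+require "y2security/security_policy"
+require "y2security/security_policy_issues"
+
+module Y2Security
+module Clients
+# Proposal client to enable/disable security policies
+class SecurityPolicyProposal < ::Installation::ProposalClient
+include Yast::I18n
+include Yast::Logger
+
+LINKS = [
+LINK_ENABLE = "security-policy--enable".freeze,
+LINK_DISABLE = "security-policy--disable".freeze
+].freeze
+
+LINK_DIALOG = "security_policy".freeze
+
+def initialize
+super
+Yast.import "UI"
+Yast.import "HTML"
+textdomain "security"
+end
+
+def description
+{
+# Proposal title
+"rich_text_title" => _("Security Policy"),
+# Menu entry label
+"menu_title" => _("&Security Policy"),
+"id" => LINK_DIALOG
+}
+end
+
+def make_proposal(_attrs)
+{
+"preformatted_proposal" => preformatted_proposal,
+"warning_level" => warning_level,
+"links" => LINKS,
+"warning" => warning_message
+}
+end
+
+def preformatted_proposal
+link = if stig_policy.enabled?
+_(
+"STIG is enabled (<a href=\"%s\">disable</a>)"
+) % LINK_DISABLE
+else
+_(
+"STIG is not enabled (<a href=\"%s\">enable</a>)"
+) % LINK_ENABLE
+end
+Yast::HTML.List([link])
+end
+
+def ask_user(param)
+chosen_link = param["chosen_id"]
+case chosen_link
+when LINK_DISABLE
+stig_policy.disable
+when LINK_ENABLE
+stig_policy.enable
+end
+
+{ "workflow_result" => :again }
+end
+
+private
+
+def enable_stig
+stig_policy.enable
+end
+
+def disable_stig
+stig_policy.disable
+end
+
+def warning_message
+return nil unless stig_policy.enabled?
+
+issues = stig_policy.issues
+return nil if issues.empty?
+
+Yast::HTML.List(issues.map(&:message))
+end
+
+def warning_level
+:error
+end
+
+def stig_policy
+@stig_policy ||= Y2Security::SecurityPolicy.find(:stig)
+end
+end
+end
+end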
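Review bot: The private methods `enable_stig` and `disable_stig` are never called — `ask_user` invokes `stig_policy.disable` and `stig_policy.enable` directly in its `case` — so they are dead code that can silently drift from the real behaviour. Either route the `case` through them (`when LINK_DISABLE then disable_stig` / `when LINK_ENABLE then enable_stig`) or delete both methods. Separately, `warning_level` returns `:error` unconditionally, even when `warning_message` is nil; if the proposal framework reads the level independently of the message (not visible here), consider returning the level only when a warning is actually present, and document the choice with `# :error is only meaningful together with a non-nil "warning"`.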
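--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-file3
@@ -0,0 +1,123 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "y2security/security_policy_validator"
+require "y2security/security_policy_issues"
+
+module Y2Security
+# This class represents a security policy
+#
+# It offers an API to get the security policies and run validations.
+#
+# @example Get all known security policies
+# SecurityPolicy.all #=> [#<Y2Security::SecurityPolicy...>]
+# SecurityPolicy.all.map(&:name) #=> ["STIG"]
+#
+# @example Run STIG networking validation
+# policy = SecurityPolicy.find(:stig)
+# policy.validate(:network)
+# policy.issues.map(&:to_message) #=> ["Wireless devices are not allowed"]
+class SecurityPolicy
+# @return [Symbol] Security policy ID
+attr_reader :id
+# @return [String] Security policy name
+attr_reader :name
+
+class << self
+# Returns the list of known security policies
+#
+# @return [Array<SecurityPolicy>]
+def all
+@all ||= [STIG]
+end
+
+# Returns the security policy with the given ID
+#
+# @param id [Symbol] Security policy ID
+def find(id)
+all.find { |a| a.id == id }
+end
+
+# Returns the enabled policies
+#
+# @return [Array<SecurityPolicy>] List of enabled security policies
+def enabled
+all.select(&:enabled?)
+end
+end
+
+# @param id [String] Security policy ID (kind of internal identifier)
+# @param name [String] Security policy name
+def initialize(id, name)
+@id = id
+@name = name
+@enabled = false
+end
+
+# Runs the validation for the given scope
+#
+# It updates the list of issues with the results from validating
+# the given scope.
+#
+# @example Run validation for the storage settings
+# policy = SecurityPolicy.find(:stig)
+# policy.validate(:storage)
+# policy.issues.map(&:to_message) #=> ["root device should be encrypted"]
+#
+# @param scope [Symbol] Scope to validate (:network, :storage, :bootloader, etc.)
+def validate(scope)
+issues.update(validator.issues(scope))
+end
+
+# Return the list of validation issues
+#
+# @return [SecurityPolicyIssues] List of validation issues
+def issues
+@issues ||= SecurityPolicyIssues.new
+end
+
+# Enables the policy
+def enable
+@enabled = true
+end
+
+# Disables the policy
+def disable
+@enabled = false
+end
+
+# Determines whether the policy is enabled or not
+#
+# @return [Boolean] true if it is enabled; false otherwise
+def enabled?
+@enabled
+end
+
+private
+
+# Returns the associated validator
+#
+# @return [SecurityPolicyValidator]
+def validator
+@validator ||= SecurityPolicyValidator.for(self)
+end
+
+STIG = new(:stig, "STIG")
+end
+end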
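Review bot: `validate` calls `validator.issues(scope)` with no nil guard, but `SecurityPolicyValidator.for` (the validator base class added in this same commit) rescues LoadError/NameError and falls through to a log call instead of returning a validator, so when no validator can be loaded `validator` is nil and `validate` raises NoMethodError rather than reporting the problem; add `return if validator.nil?` before the `issues.update` line, or make `for` raise. The `@validator ||=` memoization also re-runs the dynamic `require` on every call while the result stays nil. The constructor doc says `@param id [String]` while `attr_reader :id` is documented as Symbol and `STIG = new(:stig, "STIG")` passes a Symbol; change it to `# @param id [Symbol] Security policy ID (kind of internal identifier)`.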
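--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-file4
@@ -0,0 +1,36 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+require "y2issues/list"
+require "singleton"
+
+module Y2Security
+# List of security policy issues
+class SecurityPolicyIssues < Y2Issues::List
+def update(issues)
+scopes = issues.map { |i| i.location&.path }.compact
+other_issues = @items.reject do |item|
+scopes.include?(item.location&.path)
+end
+
+@items = other_issues + issues.to_a
+end
+end
+end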
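Review bot: Issues whose `location` is nil are never replaced by `update`: `.compact` removes their nil path from `scopes`, and the `reject` keeps every existing item whose `location&.path` is nil, so each call appends those issues again and repeated `validate` runs accumulate duplicates. One option is to drop `.compact` so that a nil path is treated as its own scope (`scopes.include?(nil)` then matches location-less items); another is to require validators to always attach a location — either way the chosen contract belongs in a comment on `update`. `require "singleton"` is unused in this file. `update` also writes `@items` directly rather than through the `Y2Issues::List` API, which couples the subclass to the parent's internal state; confirm the parent is meant to expose that ivar.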
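--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-file5
@@ -0,0 +1,43 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+
+module Y2Security
+# Base class for security policies validators
+class SecurityPolicyValidator
+class << self
+# Returns a validator for the given policy
+#
+# @param policy [SecurityPolicy] Security policy to build the validator for
+def for(policy)
+require "y2security/#{policy.id}_validator"
+klass = Module.const_get("Y2Security::#{policy.id.capitalize}Validator")
+klass.new
+rescue LoadError, NameError => e
+log.info "Could not load a validator for #{policy}: #{e.message}"
+end
+end
+
+# Returns the issues found for the given scope
+#
+# @param _scope [Symbol] Scope to validate (:network, :storage, :bootloader, etc.)
+def issues(_scope); end
+end
+end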
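Review bot: `log.info` in the `rescue` of `for` uses `log`, but this class neither includes nor extends `Yast::Logger` (compare the `include Yast::Logger` in the proposal client of this commit), so the fallback path would itself raise NameError unless `require "yast"` provides `log` at class level — confirm, and add `include Yast::Logger` under `class SecurityPolicyValidator` if not. The `rescue` also spans `klass.new`, so a NameError raised inside a validator's own constructor is reported as "could not load" and silenced; narrow it to the `require`/`const_get` lines, log `policy.id` instead of `#{policy}` (the object's `inspect`), and return `nil` explicitly so callers can detect a missing validator. The dynamic `require` and `const_get` are driven by `policy.id`, which is safe only while ids remain code-defined constants as with `SecurityPolicy::STIG`; state that with `# policy.id must be a code-defined constant: it is interpolated into a require path and a constant name`.
```ruby
def for(policy)
  begin
    require "y2security/#{policy.id}_validator"
    klass = Module.const_get("Y2Security::#{policy.id.capitalize}Validator")
  rescue LoadError, NameError => e
    log.info "Could not load a validator for #{policy.id}: #{e.message}"
    return nil
  end
  klass.new
end
```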