Need banner-based conditional policy selection #293
Comments
|
So, does this mean we'll have more yaml files in |
|
This will have to be two-phase |
|
I could even see having something like this... policies/openssh/6.0.yml And then just load them into the policy engine in the order they should apply. |
|
@agaurav77 and I spoke about this a bit more via Glitter. we talked about having a rule/requirements qualifier to determine if a set of policies is relevant for a given policy application. Example: https://gist.github.com/claudijd/d34df76e0248e190b5a9b7b4412db28d |
|
Based on @claudijd's input, I drafted an initial page on policy expression DSL. Ideally I would love to go towards to the possible extensions to allow maximum flexibility for the end user, but we would work on getting the original conditional based policy expression working first. |
|
Nice idea. So we are talking about sime kind of policy group thing. What about this, ... A policy like file, lets call it condittion file, containing a list of ... lets call it conditions. One of the configuration in the condition could be a reference to another policy file. It could be like this (based on the draft): Rulesets:
- rules:
or:
and:
ssh_version_eq: 2.0
ssh_lib_eq: openssh
and:
ssh_version_eq: 1.34
ssh_lib_eq: dropbear
policy: subdirectory/mozilla_modern.yml
- rules:
or:
and:
ssh_version_eq: 1.0
ssh_lib_eq: openssh
and:
ssh_version_eq: 1.33
ssh_lib_eq: dropbear
policy: subdirectory/mozilla_modern.yml
I am sorry if the yml is not 100% valid. But i guess you get the idea. This would allow you to specify certain rules for the versions of ssh you use. But when a server doesn't not match any ruleset, it failes. This is like one more security check. ;) Just an idea. |
|
Specifying a policy file when a ruleset matches seems like a good idea. I can add this to our list of extensions. We can do this for 0.1.1, thanks for the idea! @gerhard-tinned. Thoughts, @claudijd? This will increase the proposed hierarchy by one more level. Update: added to the wiki, changed format a little. |
|
@agaurav77 works for me |
|
Nice that you like the idea. :) Looking forward to test it. |
|
We went a different route with this. Closing. |
If I'm running two different versions of OpenSSH, let's say 5.3 and 6.x, I have different capabilities available to me. It would be cool if a policy to support some sort of conditional logic that could interpret the banner and apply alternative policies requirements for each.
Right now, the work around is that you would create a policy for 5.3 and create a policy for 6.x and then scan your 5.3 servers with the 5.3 policy and the same respectively for 6.x. This is a bit clunky and we can probably rely on computers to make this distinction.
This almost feels like it could be a set of policies and we could do a first match sort of situation on fitting policy criteria and then have a default fallback policy.
The text was updated successfully, but these errors were encountered: