No project description provided
Project description
pins
Find out which firewall security policy is being shadowed and write your own custom checks.
What pins really is?
It is a CLI tool to run a analysis of provided firewall security policies against a predefined series of checks called Scenarios.
It started as a tool to detect shadowing firewall rules. It evolved into a small framework that allows to define different scenario very easily.
[!NOTE] As of today, pins only supports security policies from Palo Alto Firewall (and Panorama).
Installation
You can install using:
# pip
pip install pins
# poetry
poetry add pins
# pipx
pipx install pins
Quick Start
To use pins with Palo Alto firewalls, you'll first
need to export security rules. The simplest way to export security
rules is using curl. First, get API key:
# Linux
API_KEY=$(curl -k -s "https://<FIREWALL-IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>" | grep -o "<key>.*</key>" | sed -e 's/<key>//g' -e 's/<\/key>//g')
# Windows
$API_KEY = (Invoke-RestMethod -SkipCertificateCheck -Uri "https://<FIREWALL-IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>").response.result.key
Then export security rules:
# Linux
curl -k -o policies.xml "https://<FIREWALL-IP>/api/?type=config&action=show&key=$API_KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security"
# Windows
Invoke-RestMethod -SkipCertificateCheck -Uri "https://<FIREWALL-IP>/api/?type=config&action=show&key=$API_KEY&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security" -OutFile policies.xml
[!IMPORTANT] You may need to update the
xpathto match your specific environment.
Once you have your security policies file, from the same directory, run:
pins run shadowing policies.xml
Usage
Once installed, you can run it using pins command:
pins
To list available scenarios:
pins list
To run scenario on your own firewall rules:
pins run shadowing policies.json
To see how it works for yourself, run scenario on example data:
pins run example shadowing
$ pins run example shadowing
Executing Shadowing scenario
Shadowed rules detection complete
Analyzing results...
[rule-example2] Rule is shadowed by: ['rule-example1']
Scenarios
List of currently available scenarios.
Shadowing
Identifies policies that will never be triggered because they're completely hidden behind earlier rules in the processing order.
It checks if all these elements are covered by a preceding rule:
- Same action (allow/deny)
- Same or broader source and destination zones
- Same or broader source and destination addresses
- Same or broader applications
- Same or broader services (ports)
When all conditions match, the later rule is flagged as shadowed.
Shadowing by Value
Advanced version of Shadowing. It analyze the actual IP addresses behind Address Objects and Address Groups.
It identifies shadowing at the precise IP subnet level by resolving Address's name to actual IP address.
Requirements
This scenario needs three input files:
- Security rules file
- Address groups file
- Address objects file
Details
How does it work?
It's pretty straightforward.
flowchart TD
SelectScenario[Select Scenario]
SelectScenario --> LoadRules[Load Security Rules]
LoadRules --> FilterRules[Filter Security Rules]
FilterRules --> RunChecks[Run Checks for each Rule]
RunChecks --> Analyze[Analyze Results]
Analyze --> Report[Create Report]
What Scenarios is?
A scenario is a set of checks that evaluate firewall rules against specific issues or configurations. Each scenario is designed to identify particular problem, such as shadowing rules, rules without logging, or other security policy issues.
What Check is?
A check is simply a function. It takes security policy or policies as an argument, assess whether the policies fulfill a check or not.
Contribution & Development
If you'd like to contribute, follow these steps:
git clone https://github.com/Kanguros/pins
cd pins
poetry install --with=dev
pre-commit install --install-hooks
pre-commit run --all-files
Feel free to open issues or submit pull requests!
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file policy_inspector-0.1.1.tar.gz.
File metadata
- Download URL: policy_inspector-0.1.1.tar.gz
- Upload date:
- Size: 17.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.1.2 CPython/3.12.3 Linux/6.8.0-1021-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2583e729ce13e51472450b3fb95f1c32106aea2d2105ba215c65432e7aa738ec
|
|
| MD5 |
a61475ef7da276a4ca00c51ab5f72beb
|
|
| BLAKE2b-256 |
591862ede680b6e03892aaad13599642263937e57763f063d4ab681bc4113d91
|
File details
Details for the file policy_inspector-0.1.1-py3-none-any.whl.
File metadata
- Download URL: policy_inspector-0.1.1-py3-none-any.whl
- Upload date:
- Size: 21.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.1.2 CPython/3.12.3 Linux/6.8.0-1021-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6260b4dadebe872304f8fe5568ffcd6cfe32450d74b9dc076b8001f47277322f
|
|
| MD5 |
85971048c9f204f259f654715eb11b7b
|
|
| BLAKE2b-256 |
901406d077376263155b7fb3ebc73a604d5ea45dbff6a8a4d9eed393a241ac93
|