#901

- Removed bool apply_implicit_rule
- Set default implicit_rule to EXPLICIT DENY
- Added position to ACLs in laydown configs
- Removed apply_implicit_rule from training configs

src/primaite/acl/access_control_list.py

@@ -12,23 +12,16 @@ _LOGGER: Final[logging.Logger] = logging.getLogger(__name__)
 class AccessControlList:
     """Access Control List class."""
 
-    def __init__(self, apply_implicit_rule, implicit_permission, max_acl_rules):
+    def __init__(self, implicit_permission, max_acl_rules):
         """Init."""
-        # Bool option in main_config to decide to use implicit rule or not
-        self.apply_implicit_rule: bool = apply_implicit_rule
         # Implicit ALLOW or DENY firewall spec
-        if self.apply_implicit_rule:
-            self.acl_implicit_permission = implicit_permission
-        else:
-            self.acl_implicit_permission = "NA"
-        # Last rule in the ACL list
-        # Implicit rule
+        self.acl_implicit_permission = implicit_permission
+        # Implicit rule in ACL list
         self.acl_implicit_rule = None
-        if self.apply_implicit_rule:
-            if self.acl_implicit_permission == RulePermissionType.DENY:
-                self.acl_implicit_rule = ACLRule("DENY", "ANY", "ANY", "ANY", "ANY")
-            elif self.acl_implicit_permission == RulePermissionType.ALLOW:
-                self.acl_implicit_rule = ACLRule("ALLOW", "ANY", "ANY", "ANY", "ANY")
+        if self.acl_implicit_permission == RulePermissionType.DENY:
+            self.acl_implicit_rule = ACLRule("DENY", "ANY", "ANY", "ANY", "ANY")
+        elif self.acl_implicit_permission == RulePermissionType.ALLOW:
+            self.acl_implicit_rule = ACLRule("ALLOW", "ANY", "ANY", "ANY", "ANY")
 
         # Maximum number of ACL Rules in ACL
         self.max_acl_rules: int = max_acl_rules
@@ -37,17 +30,8 @@ class AccessControlList:
 
     @property
     def acl(self):
-        """Public access method for private _acl.
-
-        Adds implicit rule to the BACK of the list after ALL the OTHER ACL rules and
-        pads out rest of list (if it is empty) with None.
-        """
-        if self.acl_implicit_rule is not None:
-            acl_list = self._acl + [self.acl_implicit_rule]
-        else:
-            acl_list = self._acl
-
-        return acl_list + [None] * (self.max_acl_rules - len(acl_list))
+        """Public access method for private _acl."""
+        return self._acl + [self.acl_implicit_rule]
 
     def check_address_match(self, _rule: ACLRule, _source_ip_address: str, _dest_ip_address: str) -> bool:
         """Checks for IP address matches.
@@ -136,7 +120,7 @@ class AccessControlList:
         else:
             _LOGGER.info(f"Position {position_index} is an invalid/overwrites implicit firewall rule")
 
-    def remove_rule(self, _permission, _source_ip, _dest_ip, _protocol, _port):
+    def remove_rule(self, _permission: str, _source_ip: str, _dest_ip: str, _protocol: str, _port: str) -> None:
         """
         Removes a rule.
 
@@ -147,17 +131,17 @@ class AccessControlList:
             _protocol: the protocol
             _port: the port
         """
-        # Add check so you cant remove implicit rule
-        rule = ACLRule(_permission, _source_ip, _dest_ip, _protocol, str(_port))
-        # There will not always be something removable since the agent will be trying random things
-        try:
-            self.acl.remove(rule)
-        except Exception:
-            return
+        rule_to_delete = ACLRule(_permission, _source_ip, _dest_ip, _protocol, str(_port))
+        delete_rule_hash = hash(rule_to_delete)
+
+        for index in range(0, len(self._acl)):
+            if isinstance(self._acl[index], ACLRule) and hash(self._acl[index]) == delete_rule_hash:
+                self._acl[index] = None
 
     def remove_all_rules(self):
         """Removes all rules."""
-        self.acl.clear()
+        for i in range(len(self._acl)):
+            self._acl[i] = None
 
     def get_dictionary_hash(self, _permission, _source_ip, _dest_ip, _protocol, _port):
         """
@@ -188,15 +172,12 @@ class AccessControlList:
         :rtype: Dict[str, ACLRule]
         """
         relevant_rules = {}
-
-        for rule_key, rule_value in self.acl.items():
-            if self.check_address_match(rule_value, _source_ip_address, _dest_ip_address):
-                if (
-                    rule_value.get_protocol() == _protocol or rule_value.get_protocol() == "ANY" or _protocol == "ANY"
-                ) and (
-                    str(rule_value.get_port()) == str(_port) or rule_value.get_port() == "ANY" or str(_port) == "ANY"
+        for rule in self.acl:
+            if self.check_address_match(rule, _source_ip_address, _dest_ip_address):
+                if (rule.get_protocol() == _protocol or rule.get_protocol() == "ANY" or _protocol == "ANY") and (
+                    str(rule.get_port()) == str(_port) or rule.get_port() == "ANY" or str(_port) == "ANY"
                 ):
                     # There's a matching rule.
-                    relevant_rules[rule_key] = rule_value
+                    relevant_rules[self._acl.index(rule)] = rule
 
         return relevant_rules

src/primaite/config/_package_data/lay_down/lay_down_config_1_DDOS_basic.yaml

@@ -163,3 +163,4 @@
   destination: ANY
   protocol: ANY
   port: ANY
+  position: 0

src/primaite/config/_package_data/lay_down/lay_down_config_2_DDOS_basic.yaml

@@ -243,6 +243,7 @@
   destination: 192.168.10.14
   protocol: TCP
   port: 80
+  position: 0
 - item_type: ACL_RULE
   id: '26'
   permission: ALLOW
@@ -250,6 +251,7 @@
   destination: 192.168.10.14
   protocol: TCP
   port: 80
+  position: 1
 - item_type: ACL_RULE
   id: '27'
   permission: ALLOW
@@ -257,6 +259,7 @@
   destination: 192.168.10.14
   protocol: TCP
   port: 80
+  position: 2
 - item_type: ACL_RULE
   id: '28'
   permission: ALLOW
@@ -264,6 +267,7 @@
   destination: 192.168.20.15
   protocol: TCP
   port: 80
+  position: 3
 - item_type: ACL_RULE
   id: '29'
   permission: ALLOW
@@ -271,6 +275,7 @@
   destination: 192.168.10.13
   protocol: TCP
   port: 80
+  position: 4
 - item_type: ACL_RULE
   id: '30'
   permission: DENY
@@ -278,6 +283,7 @@
   destination: 192.168.20.15
   protocol: TCP
   port: 80
+  position: 5
 - item_type: ACL_RULE
   id: '31'
   permission: DENY
@@ -285,6 +291,7 @@
   destination: 192.168.20.15
   protocol: TCP
   port: 80
+  position: 6
 - item_type: ACL_RULE
   id: '32'
   permission: DENY
@@ -292,6 +299,7 @@
   destination: 192.168.20.15
   protocol: TCP
   port: 80
+  position: 7
 - item_type: ACL_RULE
   id: '33'
   permission: DENY
@@ -299,6 +307,7 @@
   destination: 192.168.10.14
   protocol: TCP
   port: 80
+  position: 8
 - item_type: RED_POL
   id: '34'
   start_step: 20

src/primaite/config/_package_data/lay_down/lay_down_config_3_DOS_very_basic.yaml

@@ -111,6 +111,7 @@
   destination: 192.168.1.4
   protocol: TCP
   port: 80
+  position: 0
 - item_type: ACL_RULE
   id: '12'
   permission: ALLOW
@@ -118,6 +119,7 @@
   destination: 192.168.1.4
   protocol: TCP
   port: 80
+  position: 1
 - item_type: ACL_RULE
   id: '13'
   permission: ALLOW
@@ -125,6 +127,7 @@
   destination: 192.168.1.3
   protocol: TCP
   port: 80
+  position: 2
 - item_type: RED_POL
   id: '14'
   start_step: 20

src/primaite/config/_package_data/lay_down/lay_down_config_5_data_manipulation.yaml

@@ -345,6 +345,7 @@
   destination: 192.168.2.10
   protocol: ANY
   port: ANY
+  position: 0
 - item_type: ACL_RULE
   id: '34'
   permission: ALLOW
@@ -352,6 +353,7 @@
   destination: 192.168.2.14
   protocol: ANY
   port: ANY
+  position: 1
 - item_type: ACL_RULE
   id: '35'
   permission: ALLOW
@@ -359,6 +361,7 @@
   destination: 192.168.2.14
   protocol: ANY
   port: ANY
+  position: 2
 - item_type: ACL_RULE
   id: '36'
   permission: ALLOW
@@ -366,6 +369,7 @@
   destination: 192.168.2.10
   protocol: ANY
   port: ANY
+  position: 3
 - item_type: ACL_RULE
   id: '37'
   permission: ALLOW
@@ -373,6 +377,7 @@
   destination: 192.168.10.11
   protocol: ANY
   port: ANY
+  position: 4
 - item_type: ACL_RULE
   id: '38'
   permission: ALLOW
@@ -380,6 +385,7 @@
   destination: 192.168.10.12
   protocol: ANY
   port: ANY
+  position: 5
 - item_type: ACL_RULE
   id: '39'
   permission: ALLOW
@@ -387,6 +393,7 @@
   destination: 192.168.2.14
   protocol: ANY
   port: ANY
+  position: 6
 - item_type: ACL_RULE
   id: '40'
   permission: ALLOW
@@ -394,6 +401,7 @@
   destination: 192.168.2.10
   protocol: ANY
   port: ANY
+  position: 7
 - item_type: ACL_RULE
   id: '41'
   permission: ALLOW
@@ -401,6 +409,7 @@
   destination: 192.168.2.16
   protocol: ANY
   port: ANY
+  position: 8
 - item_type: ACL_RULE
   id: '42'
   permission: ALLOW
@@ -408,6 +417,7 @@
   destination: 192.168.2.16
   protocol: ANY
   port: ANY
+  position: 9
 - item_type: ACL_RULE
   id: '43'
   permission: ALLOW
@@ -415,6 +425,7 @@
   destination: 192.168.2.10
   protocol: ANY
   port: ANY
+  position: 10
 - item_type: ACL_RULE
   id: '44'
   permission: ALLOW
@@ -422,6 +433,7 @@
   destination: 192.168.2.14
   protocol: ANY
   port: ANY
+  position: 11
 - item_type: ACL_RULE
   id: '45'
   permission: ALLOW
@@ -429,6 +441,7 @@
   destination: 192.168.2.16
   protocol: ANY
   port: ANY
+  position: 12
 - item_type: ACL_RULE
   id: '46'
   permission: ALLOW
@@ -436,6 +449,7 @@
   destination: 192.168.1.12
   protocol: ANY
   port: ANY
+  position: 13
 - item_type: ACL_RULE
   id: '47'
   permission: ALLOW
@@ -443,6 +457,7 @@
   destination: 192.168.1.12
   protocol: ANY
   port: ANY
+  position: 14
 - item_type: ACL_RULE
   id: '48'
   permission: ALLOW
@@ -450,6 +465,7 @@
   destination: 192.168.1.12
   protocol: ANY
   port: ANY
+  position: 15
 - item_type: ACL_RULE
   id: '49'
   permission: DENY
@@ -457,6 +473,7 @@
   destination: ANY
   protocol: ANY
   port: ANY
+  position: 16
 - item_type: RED_POL
   id: '50'
   start_step: 50

src/primaite/config/_package_data/training/training_config_main.yaml

@@ -91,8 +91,6 @@ session_type: TRAIN_EVAL
 # The high value for the observation space
 observation_space_high_value: 1000000000
 
-# Choice whether to have an ALLOW or DENY implicit rule or not (TRUE or FALSE)
-apply_implicit_rule: False
 # Implicit ACL firewall rule at end of ACL list to be the default action (ALLOW or DENY)
 implicit_acl_rule: DENY
 # Total number of ACL rules allowed in the environment

src/primaite/config/training_config.py

@@ -99,11 +99,7 @@ class TrainingConfig:
     sb3_output_verbose_level: SB3OutputVerboseLevel = SB3OutputVerboseLevel.NONE
     "Stable Baselines3 learn/eval output verbosity level"
 
-    # Access Control List/Rules
-    apply_implicit_rule: str = True
-    "User choice to have Implicit ALLOW or DENY."
-
-    implicit_acl_rule: RulePermissionType = RulePermissionType.ALLOW
+    implicit_acl_rule: RulePermissionType = RulePermissionType.DENY
     "ALLOW or DENY implicit firewall rule to go at the end of list of ACL list."
 
     max_number_acl_rules: int = 30

src/primaite/environment/primaite_env.py

@@ -123,7 +123,6 @@ class Primaite(Env):
 
         # Create the Access Control List
         self.acl = AccessControlList(
-            self.training_config.apply_implicit_rule,
             self.training_config.implicit_acl_rule,
             self.training_config.max_number_acl_rules,
         )
@@ -1013,6 +1012,7 @@ class Primaite(Env):
         acl_rule_destination = item["destination"]
         acl_rule_protocol = item["protocol"]
         acl_rule_port = item["port"]
+        acl_rule_position = item["position"]
 
         self.acl.add_rule(
             acl_rule_permission,
@@ -1020,7 +1020,7 @@ class Primaite(Env):
             acl_rule_destination,
             acl_rule_protocol,
             acl_rule_port,
-            0,
+            acl_rule_position,
         )
 
     def create_services_list(self, services):