RubyGems - ai_root_shield - Versions diffs - 0.4.0 → 1.0.0 - Mend

ai_root_shield 0.4.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +52 -4
data/README.md +191 -14
data/bindings/python/README.md +304 -0
data/bindings/python/ai_root_shield.py +438 -0
data/bindings/python/setup.py +65 -0
data/examples/device_logs/android_safetynet_device.json +148 -0
data/examples/device_logs/ios_jailbroken_device.json +172 -0
data/exe/ai_root_shield +220 -7
data/lib/ai_root_shield/ci_cd/security_test_module.rb +743 -0
data/lib/ai_root_shield/dashboard/web_dashboard.rb +441 -0
data/lib/ai_root_shield/enterprise/alert_system.rb +601 -0
data/lib/ai_root_shield/enterprise/hybrid_detection_engine.rb +650 -0
data/lib/ai_root_shield/enterprise/performance_optimizer.rb +613 -0
data/lib/ai_root_shield/enterprise/policy_manager.rb +637 -0
data/lib/ai_root_shield/integrations/siem_connector.rb +695 -0
data/lib/ai_root_shield/platform/android_security_module.rb +263 -0
data/lib/ai_root_shield/platform/hardware_security_analyzer.rb +452 -0
data/lib/ai_root_shield/platform/ios_security_module.rb +513 -0
data/lib/ai_root_shield/platform/unified_report_generator.rb +613 -0
data/lib/ai_root_shield/version.rb +1 -1
data/lib/ai_root_shield.rb +152 -1
data/security_test_artifacts/security_report.json +124 -0
data/security_test_artifacts/security_results.sarif +16 -0
data/security_test_artifacts/security_tests.xml +3 -0
metadata +20 -1

data/lib/ai_root_shield/enterprise/policy_manager.rb ADDED Viewed

@@ -0,0 +1,637 @@
+# frozen_string_literal: true
+require 'json'
+require 'time'
+module AiRootShield
+  module Enterprise
+    # Enterprise policy manager for industry-specific security profiles
+    class PolicyManager
+      SUPPORTED_INDUSTRIES = %w[fintech healthcare government corporate].freeze
+      POLICY_VERSION = '1.0'
+      attr_reader :current_policy, :industry_type, :compliance_frameworks
+      def initialize(industry_type: nil, custom_policy: nil)
+        @industry_type = industry_type
+        @custom_policy = custom_policy
+        @compliance_frameworks = []
+        @policy_cache = {}
+        @audit_log = []
+        load_policy if industry_type || custom_policy
+      end
+      # Load industry-specific policy profile
+      def load_policy
+        if @custom_policy
+          @current_policy = load_custom_policy(@custom_policy)
+        elsif @industry_type
+          @current_policy = load_industry_policy(@industry_type)
+        else
+          raise ArgumentError, "Either industry_type or custom_policy must be provided"
+        end
+        validate_policy(@current_policy)
+        log_policy_event("Policy loaded", { industry: @industry_type, version: @current_policy[:version] })
+      end
+      # Evaluate device compliance against loaded policy
+      def evaluate_compliance(analysis_results)
+        return { compliant: false, reason: "No policy loaded" } unless @current_policy
+        compliance_result = {
+          compliant: true,
+          policy_version: @current_policy[:version],
+          industry_type: @industry_type,
+          evaluation_timestamp: Time.now.utc.iso8601,
+          violations: [],
+          warnings: [],
+          compliance_score: 100,
+          framework_compliance: {},
+          recommendations: []
+        }
+        # Evaluate security requirements
+        evaluate_security_requirements(analysis_results, compliance_result)
+        # Evaluate compliance frameworks
+        evaluate_compliance_frameworks(analysis_results, compliance_result)
+        # Calculate final compliance score
+        calculate_compliance_score(compliance_result)
+        # Log compliance evaluation
+        log_policy_event("Compliance evaluated", {
+          compliant: compliance_result[:compliant],
+          score: compliance_result[:compliance_score],
+          violations: compliance_result[:violations].length
+        })
+        compliance_result
+      end
+      # Get policy requirements for specific category
+      def get_requirements(category)
+        @current_policy&.dig(:requirements, category.to_sym) || {}
+      end
+      # Get compliance framework requirements
+      def get_framework_requirements(framework)
+        @current_policy&.dig(:compliance_frameworks, framework.to_sym) || {}
+      end
+      # Update policy configuration
+      def update_policy_config(config_updates)
+        return false unless @current_policy
+        @current_policy[:configuration].merge!(config_updates)
+        validate_policy(@current_policy)
+        log_policy_event("Policy configuration updated", config_updates)
+        true
+      end
+      # Get audit log
+      def audit_log
+        @audit_log.dup
+      end
+      # Export policy for sharing/backup
+      def export_policy
+        return nil unless @current_policy
+        {
+          exported_at: Time.now.utc.iso8601,
+          policy: @current_policy,
+          industry_type: @industry_type,
+          audit_log: @audit_log
+        }
+      end
+      private
+      # Load industry-specific policy
+      def load_industry_policy(industry)
+        case industry.to_s.downcase
+        when 'fintech', 'banking'
+          load_fintech_policy
+        when 'healthcare', 'hipaa'
+          load_healthcare_policy
+        when 'government', 'public'
+          load_government_policy
+        when 'corporate', 'enterprise'
+          load_corporate_policy
+        else
+          raise ArgumentError, "Unsupported industry type: #{industry}"
+        end
+      end
+      # Load custom policy from file or hash
+      def load_custom_policy(policy_source)
+        if policy_source.is_a?(String)
+          # Load from file
+          JSON.parse(File.read(policy_source), symbolize_names: true)
+        elsif policy_source.is_a?(Hash)
+          # Use provided hash
+          policy_source.transform_keys(&:to_sym)
+        else
+          raise ArgumentError, "Custom policy must be a file path or hash"
+        end
+      end
+      # Fintech/Banking industry policy
+      def load_fintech_policy
+        {
+          name: "Fintech Security Policy",
+          version: "1.0.0",
+          industry: "fintech",
+          description: "PCI DSS and financial services security requirements",
+          compliance_frameworks: [:pci_dss, :sox, :ffiec, :psd2],
+          requirements: {
+            device_integrity: {
+              root_detection: { required: true, severity: "critical" },
+              emulator_detection: { required: true, severity: "critical" },
+              debugging_detection: { required: true, severity: "high" },
+              hooking_detection: { required: true, severity: "critical" }
+            },
+            network_security: {
+              certificate_pinning: { required: true, severity: "critical" },
+              proxy_detection: { required: true, severity: "high" },
+              vpn_detection: { required: true, severity: "medium" },
+              mitm_detection: { required: true, severity: "critical" }
+            },
+            data_protection: {
+              encryption_required: { required: true, severity: "critical" },
+              keystore_protection: { required: true, severity: "critical" },
+              biometric_authentication: { required: true, severity: "high" },
+              secure_storage: { required: true, severity: "critical" }
+            },
+            compliance: {
+              pci_dss_level: 1,
+              data_retention_days: 90,
+              audit_logging: { required: true, severity: "critical" },
+              incident_response: { required: true, severity: "high" }
+            }
+          },
+          risk_thresholds: {
+            critical: 0,
+            high: 10,
+            medium: 30,
+            low: 50
+          },
+          configuration: {
+            real_time_monitoring: true,
+            automated_blocking: true,
+            alert_escalation: true,
+            compliance_reporting: true
+          }
+        }
+      end
+      # Healthcare/HIPAA industry policy
+      def load_healthcare_policy
+        {
+          name: "Healthcare Security Policy",
+          version: "1.0.0",
+          industry: "healthcare",
+          description: "HIPAA and healthcare data protection requirements",
+          compliance_frameworks: [:hipaa, :hitech, :gdpr, :fda_21cfr11],
+          requirements: {
+            device_integrity: {
+              root_detection: { required: true, severity: "critical" },
+              emulator_detection: { required: true, severity: "high" },
+              debugging_detection: { required: true, severity: "high" },
+              hooking_detection: { required: true, severity: "high" }
+            },
+            network_security: {
+              certificate_pinning: { required: true, severity: "critical" },
+              proxy_detection: { required: true, severity: "medium" },
+              vpn_detection: { required: false, severity: "low" },
+              mitm_detection: { required: true, severity: "critical" }
+            },
+            data_protection: {
+              encryption_required: { required: true, severity: "critical" },
+              keystore_protection: { required: true, severity: "critical" },
+              biometric_authentication: { required: false, severity: "medium" },
+              secure_storage: { required: true, severity: "critical" },
+              phi_protection: { required: true, severity: "critical" }
+            },
+            compliance: {
+              hipaa_compliance: true,
+              data_retention_days: 2555, # 7 years
+              audit_logging: { required: true, severity: "critical" },
+              breach_notification: { required: true, severity: "critical" },
+              access_controls: { required: true, severity: "critical" }
+            }
+          },
+          risk_thresholds: {
+            critical: 0,
+            high: 15,
+            medium: 35,
+            low: 60
+          },
+          configuration: {
+            real_time_monitoring: true,
+            automated_blocking: false, # Healthcare requires human oversight
+            alert_escalation: true,
+            compliance_reporting: true,
+            phi_detection: true
+          }
+        }
+      end
+      # Government/Public sector policy
+      def load_government_policy
+        {
+          name: "Government Security Policy",
+          version: "1.0.0",
+          industry: "government",
+          description: "Government and public sector security requirements",
+          compliance_frameworks: [:fisma, :nist_800_53, :fedramp, :cjis],
+          requirements: {
+            device_integrity: {
+              root_detection: { required: true, severity: "critical" },
+              emulator_detection: { required: true, severity: "critical" },
+              debugging_detection: { required: true, severity: "critical" },
+              hooking_detection: { required: true, severity: "critical" }
+            },
+            network_security: {
+              certificate_pinning: { required: true, severity: "critical" },
+              proxy_detection: { required: true, severity: "critical" },
+              vpn_detection: { required: true, severity: "high" },
+              mitm_detection: { required: true, severity: "critical" }
+            },
+            data_protection: {
+              encryption_required: { required: true, severity: "critical" },
+              keystore_protection: { required: true, severity: "critical" },
+              biometric_authentication: { required: true, severity: "high" },
+              secure_storage: { required: true, severity: "critical" },
+              classified_data_protection: { required: true, severity: "critical" }
+            },
+            compliance: {
+              fisma_level: "high",
+              nist_compliance: true,
+              data_retention_days: 2555, # 7 years
+              audit_logging: { required: true, severity: "critical" },
+              incident_response: { required: true, severity: "critical" },
+              continuous_monitoring: { required: true, severity: "critical" }
+            }
+          },
+          risk_thresholds: {
+            critical: 0,
+            high: 5,
+            medium: 20,
+            low: 40
+          },
+          configuration: {
+            real_time_monitoring: true,
+            automated_blocking: true,
+            alert_escalation: true,
+            compliance_reporting: true,
+            continuous_monitoring: true
+          }
+        }
+      end
+      # Corporate/Enterprise policy
+      def load_corporate_policy
+        {
+          name: "Corporate Security Policy",
+          version: "1.0.0",
+          industry: "corporate",
+          description: "General corporate and enterprise security requirements",
+          compliance_frameworks: [:iso27001, :gdpr, :ccpa, :sox],
+          requirements: {
+            device_integrity: {
+              root_detection: { required: true, severity: "high" },
+              emulator_detection: { required: true, severity: "medium" },
+              debugging_detection: { required: true, severity: "medium" },
+              hooking_detection: { required: true, severity: "high" }
+            },
+            network_security: {
+              certificate_pinning: { required: true, severity: "high" },
+              proxy_detection: { required: true, severity: "medium" },
+              vpn_detection: { required: false, severity: "low" },
+              mitm_detection: { required: true, severity: "high" }
+            },
+            data_protection: {
+              encryption_required: { required: true, severity: "high" },
+              keystore_protection: { required: true, severity: "high" },
+              biometric_authentication: { required: false, severity: "medium" },
+              secure_storage: { required: true, severity: "high" }
+            },
+            compliance: {
+              data_retention_days: 1095, # 3 years
+              audit_logging: { required: true, severity: "high" },
+              incident_response: { required: true, severity: "medium" },
+              privacy_protection: { required: true, severity: "high" }
+            }
+          },
+          risk_thresholds: {
+            critical: 5,
+            high: 25,
+            medium: 50,
+            low: 75
+          },
+          configuration: {
+            real_time_monitoring: true,
+            automated_blocking: false,
+            alert_escalation: true,
+            compliance_reporting: true
+          }
+        }
+      end
+      # Evaluate security requirements
+      def evaluate_security_requirements(analysis_results, compliance_result)
+        requirements = @current_policy[:requirements]
+        requirements.each do |category, category_requirements|
+          category_requirements.each do |requirement, config|
+            next unless config[:required]
+            violation = check_requirement_compliance(requirement, config, analysis_results)
+            if violation
+              compliance_result[:violations] << violation
+              compliance_result[:compliant] = false if config[:severity] == "critical"
+            end
+          end
+        end
+      end
+      # Check individual requirement compliance
+      def check_requirement_compliance(requirement, config, analysis_results)
+        case requirement
+        when :root_detection
+          if analysis_results[:factors]&.include?('ROOT_DETECTED')
+            create_violation(requirement, config, "Root access detected on device")
+          end
+        when :emulator_detection
+          if analysis_results[:factors]&.include?('EMULATOR_DETECTED')
+            create_violation(requirement, config, "Emulator environment detected")
+          end
+        when :debugging_detection
+          if analysis_results[:factors]&.include?('DEBUGGING_DETECTED')
+            create_violation(requirement, config, "Debugging tools detected")
+          end
+        when :hooking_detection
+          if analysis_results[:factors]&.include?('HOOKING_DETECTED')
+            create_violation(requirement, config, "Code hooking/tampering detected")
+          end
+        when :certificate_pinning
+          if analysis_results[:network_analysis]&.dig(:certificate_pinning, :valid) == false
+            create_violation(requirement, config, "Certificate pinning validation failed")
+          end
+        when :proxy_detection
+          if analysis_results[:network_analysis]&.dig(:proxy_detection, :proxy_detected) == true
+            create_violation(requirement, config, "Proxy/VPN connection detected")
+          end
+        end
+      end
+      # Create violation record
+      def create_violation(requirement, config, message)
+        {
+          requirement: requirement,
+          severity: config[:severity],
+          message: message,
+          detected_at: Time.now.utc.iso8601,
+          category: get_requirement_category(requirement)
+        }
+      end
+      # Get requirement category
+      def get_requirement_category(requirement)
+        @current_policy[:requirements].each do |category, requirements|
+          return category if requirements.key?(requirement)
+        end
+        :unknown
+      end
+      # Evaluate compliance frameworks
+      def evaluate_compliance_frameworks(analysis_results, compliance_result)
+        @current_policy[:compliance_frameworks].each do |framework|
+          framework_result = evaluate_framework(framework, analysis_results)
+          compliance_result[:framework_compliance][framework] = framework_result
+        end
+      end
+      # Evaluate specific compliance framework
+      def evaluate_framework(framework, analysis_results)
+        case framework
+        when :pci_dss
+          evaluate_pci_dss_compliance(analysis_results)
+        when :hipaa
+          evaluate_hipaa_compliance(analysis_results)
+        when :fisma
+          evaluate_fisma_compliance(analysis_results)
+        when :iso27001
+          evaluate_iso27001_compliance(analysis_results)
+        else
+          { compliant: true, score: 100, requirements_met: [], requirements_failed: [] }
+        end
+      end
+      # PCI DSS compliance evaluation
+      def evaluate_pci_dss_compliance(analysis_results)
+        requirements_met = []
+        requirements_failed = []
+        # PCI DSS Requirement 2: Do not use vendor-supplied defaults
+        if !analysis_results[:factors]&.include?('DEFAULT_CREDENTIALS')
+          requirements_met << "2.1 - No default credentials detected"
+        else
+          requirements_failed << "2.1 - Default credentials detected"
+        end
+        # PCI DSS Requirement 4: Encrypt transmission of cardholder data
+        if analysis_results[:network_analysis]&.dig(:certificate_pinning, :valid) == true
+          requirements_met << "4.1 - Secure transmission validated"
+        else
+          requirements_failed << "4.1 - Insecure transmission detected"
+        end
+        # PCI DSS Requirement 6: Develop and maintain secure systems
+        if !analysis_results[:factors]&.include?('DEBUGGING_DETECTED')
+          requirements_met << "6.5 - No debugging tools detected"
+        else
+          requirements_failed << "6.5 - Debugging tools detected"
+        end
+        score = (requirements_met.length.to_f / (requirements_met.length + requirements_failed.length) * 100).round
+        {
+          compliant: requirements_failed.empty?,
+          score: score,
+          requirements_met: requirements_met,
+          requirements_failed: requirements_failed
+        }
+      end
+      # HIPAA compliance evaluation
+      def evaluate_hipaa_compliance(analysis_results)
+        requirements_met = []
+        requirements_failed = []
+        # HIPAA Security Rule - Access Control
+        if analysis_results[:factors]&.include?('BIOMETRIC_AUTHENTICATION')
+          requirements_met << "164.312(a)(1) - Access control implemented"
+        else
+          requirements_failed << "164.312(a)(1) - Insufficient access control"
+        end
+        # HIPAA Security Rule - Integrity
+        if !analysis_results[:factors]&.include?('TAMPERING_DETECTED')
+          requirements_met << "164.312(c)(1) - Data integrity maintained"
+        else
+          requirements_failed << "164.312(c)(1) - Data integrity compromised"
+        end
+        # HIPAA Security Rule - Transmission Security
+        if analysis_results[:network_analysis]&.dig(:certificate_pinning, :valid) == true
+          requirements_met << "164.312(e)(1) - Secure transmission"
+        else
+          requirements_failed << "164.312(e)(1) - Insecure transmission"
+        end
+        score = (requirements_met.length.to_f / (requirements_met.length + requirements_failed.length) * 100).round
+        {
+          compliant: requirements_failed.empty?,
+          score: score,
+          requirements_met: requirements_met,
+          requirements_failed: requirements_failed
+        }
+      end
+      # FISMA compliance evaluation
+      def evaluate_fisma_compliance(analysis_results)
+        requirements_met = []
+        requirements_failed = []
+        # NIST 800-53 SI-3: Malicious Code Protection
+        if !analysis_results[:factors]&.include?('MALWARE_DETECTED')
+          requirements_met << "SI-3 - No malicious code detected"
+        else
+          requirements_failed << "SI-3 - Malicious code detected"
+        end
+        # NIST 800-53 SI-4: Information System Monitoring
+        if analysis_results[:rasp_status]&.dig(:active) == true
+          requirements_met << "SI-4 - Real-time monitoring active"
+        else
+          requirements_failed << "SI-4 - Real-time monitoring inactive"
+        end
+        # NIST 800-53 SC-13: Cryptographic Protection
+        if analysis_results[:factors]&.include?('ENCRYPTION_ENABLED')
+          requirements_met << "SC-13 - Cryptographic protection enabled"
+        else
+          requirements_failed << "SC-13 - Insufficient cryptographic protection"
+        end
+        score = (requirements_met.length.to_f / (requirements_met.length + requirements_failed.length) * 100).round
+        {
+          compliant: requirements_failed.empty?,
+          score: score,
+          requirements_met: requirements_met,
+          requirements_failed: requirements_failed
+        }
+      end
+      # ISO 27001 compliance evaluation
+      def evaluate_iso27001_compliance(analysis_results)
+        requirements_met = []
+        requirements_failed = []
+        # A.12.6.1 Management of technical vulnerabilities
+        if !analysis_results[:factors]&.include?('KNOWN_VULNERABILITIES')
+          requirements_met << "A.12.6.1 - No known vulnerabilities detected"
+        else
+          requirements_failed << "A.12.6.1 - Known vulnerabilities detected"
+        end
+        # A.13.1.1 Network controls
+        if analysis_results[:network_analysis]&.dig(:proxy_detection, :proxy_detected) == false
+          requirements_met << "A.13.1.1 - Network controls effective"
+        else
+          requirements_failed << "A.13.1.1 - Network controls bypassed"
+        end
+        # A.18.1.4 Privacy and protection of personally identifiable information
+        if analysis_results[:factors]&.include?('PRIVACY_PROTECTION')
+          requirements_met << "A.18.1.4 - Privacy protection implemented"
+        else
+          requirements_failed << "A.18.1.4 - Insufficient privacy protection"
+        end
+        score = (requirements_met.length.to_f / (requirements_met.length + requirements_failed.length) * 100).round
+        {
+          compliant: requirements_failed.empty?,
+          score: score,
+          requirements_met: requirements_met,
+          requirements_failed: requirements_failed
+        }
+      end
+      # Calculate overall compliance score
+      def calculate_compliance_score(compliance_result)
+        base_score = 100
+        # Deduct points for violations based on severity
+        compliance_result[:violations].each do |violation|
+          case violation[:severity]
+          when 'critical'
+            base_score -= 25
+          when 'high'
+            base_score -= 15
+          when 'medium'
+            base_score -= 10
+          when 'low'
+            base_score -= 5
+          end
+        end
+        # Ensure score doesn't go below 0
+        compliance_result[:compliance_score] = [base_score, 0].max
+        # Set overall compliance based on thresholds
+        thresholds = @current_policy[:risk_thresholds]
+        if compliance_result[:compliance_score] < thresholds[:critical]
+          compliance_result[:compliant] = false
+        end
+      end
+      # Validate policy structure
+      def validate_policy(policy)
+        required_keys = [:name, :version, :industry, :requirements, :risk_thresholds, :configuration]
+        missing_keys = required_keys - policy.keys
+        raise ArgumentError, "Policy missing required keys: #{missing_keys.join(', ')}" unless missing_keys.empty?
+        # Validate risk thresholds
+        threshold_keys = [:critical, :high, :medium, :low]
+        missing_thresholds = threshold_keys - policy[:risk_thresholds].keys
+        raise ArgumentError, "Policy missing risk thresholds: #{missing_thresholds.join(', ')}" unless missing_thresholds.empty?
+      end
+      # Log policy events for audit trail
+      def log_policy_event(event_type, details)
+        @audit_log << {
+          timestamp: Time.now.utc.iso8601,
+          event_type: event_type,
+          details: details,
+          policy_version: @current_policy&.dig(:version),
+          industry_type: @industry_type
+        }
+        # Keep only last 1000 events
+        @audit_log = @audit_log.last(1000) if @audit_log.length > 1000
+      end
+    end
+  end
+end