From 097c05b114b91b2fee8e581383bbdd39049cb268 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 20 Sep 2022 13:49:26 -0400
Subject: [PATCH] Cleanup on aisle 4
---
 salt/firewall/assigned_hostgroups.map.yaml | 567 ---------------------
 salt/firewall/hostgroups.yaml | 23 -
 salt/firewall/portgroups.yaml | 116 -----
 3 files changed, 706 deletions(-)
 delete mode 100644 salt/firewall/assigned_hostgroups.map.yaml
 delete mode 100644 salt/firewall/hostgroups.yaml
 delete mode 100644 salt/firewall/portgroups.yaml
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
deleted file mode 100644
index 7f8c01910..000000000
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ /dev/null
@@ -1,567 +0,0 @@ -{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} -{% import_yaml 'firewall/portgroups.yaml' as portgroups %} -{% set portgroups = portgroups.firewall.aliases.ports %} -{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} - -role: - eval: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - heavy_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - manager: - 
chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - {% if ISAIRGAP is sameas true %} - - {{ portgroups.agrules }} - {% endif %} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - {% if ISAIRGAP is sameas true %} - - {{ portgroups.yum }} - {% endif %} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.beats_5644 }} - heavy_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.beats_5644 }} - self: - portgroups: - - {{ portgroups.syslog}} - syslog: - portgroups: - - {{ portgroups.syslog }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - endgame: - portgroups: - - {{ portgroups.endgame }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - managersearch: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ 
portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - heavy_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - endgame: - portgroups: - - {{ portgroups.endgame }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - standalone: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - 
{{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - - {{ portgroups.yum }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - heavy_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.minio }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - elastic_agent_endpoint: - portgroups: - - {{ portgroups.elastic_agent_control }} - - {{ portgroups.elastic_agent_data }} - endgame: - portgroups: - - {{ portgroups.endgame }} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - syslog: - portgroups: - - {{ portgroups.syslog }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - helixsensor: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.docker_registry }} - - {{ portgroups.influxdb }} - - {{ portgroups.sensoroni }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - 
self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - searchnode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - dockernet: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - {% if TRUE_CLUSTER %} - search_node: - portgroups: - - {{ portgroups.elasticsearch_node }} - {% endif %} - self: - portgroups: - - {{ portgroups.syslog}} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - sensor: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - {{ portgroups.syslog}} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - heavynode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - dockernet: - portgroups: - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_rest }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - self: - portgroups: - - {{ portgroups.syslog}} - strelka_frontend: - portgroups: - - {{ portgroups.strelka_frontend }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ 
portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - import: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - minion: - portgroups: - - {{ portgroups.docker_registry }} - - {{ portgroups.sensoroni }} - sensor: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - elasticsearch_rest: - portgroups: - - {{ portgroups.elasticsearch_rest }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - minion: - portgroups: - - {{ portgroups.salt_manager }} - - receiver: - chain: - DOCKER-USER: - hostgroups: - sensor: - portgroups: - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.beats_5644 }} - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.syslog}} - - {{ portgroups.beats_5644 }} - syslog: - portgroups: - - {{ portgroups.syslog }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - beats_endpoint_ssl: - portgroups: - - {{ portgroups.beats_5644 }} - endgame: - portgroups: - - {{ portgroups.endgame }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - idh: - chain: - INPUT: - hostgroups: - anywhere: - portgroups: - {% set idh_services = salt['pillar.get']('idh:services', []) %} - {% for service in idh_services %} - - {{ 
portgroups['idh_'~service] }} - {% endfor %} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} - manager: - portgroups: - - {{ portgroups.ssh }} diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml deleted file mode 100644 index 778912911..000000000 --- a/salt/firewall/hostgroups.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} -firewall: - hostgroups: - anywhere: - ips: - delete: - insert: - - 0.0.0.0/0 - dockernet: - ips: - delete: - insert: - - {{ DNET }}/24 - localhost: - ips: - delete: - insert: - - 127.0.0.1 - self: - ips: - delete: - insert: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml deleted file mode 100644 index a2780270d..000000000 --- a/salt/firewall/portgroups.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -{% if grains.role == 'so-idh' %} - {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} - {% from 'idh/openssh/map.jinja' import openssh_map %} - {% set idh_services = salt['pillar.get']('idh:services', []) %} - {% set ssh_port = openssh_map.config.port %} -{% else %} - {% set ssh_port = 22 %} -{% endif %} - -firewall: - aliases: - ports: - all: - tcp: - - '0:65535' - udp: - - '0:65535' - acng: - tcp: - - 3142 - agrules: - tcp: - - 7788 - beats_5044: - tcp: - - 5044 - beats_5644: - tcp: - - 5644 - beats_5066: - tcp: - - 5066 - cortex: - tcp: - - 9001 - cortex_es_node: - tcp: - - 9500 - cortex_es_rest: - tcp: - - 9400 - docker_registry: - tcp: - - 5000 - elasticsearch_node: - tcp: - - 9300 - elasticsearch_rest: - tcp: - - 9200 - elastic_agent_control: - tcp: - - 8220 - elastic_agent_data: - tcp: - - 5055 - endgame: - tcp: - - 3765 - influxdb: - tcp: - - 8086 - kibana: - tcp: - - 5601 - minio: - tcp: - - 9595 - mysql: - tcp: - - 3306 - nginx: - tcp: - - 80 - - 443 - playbook: - tcp: - - 3200 - redis: - tcp: - - 6379 - - 9696 - salt_manager: - tcp: - - 4505 - - 4506 - sensoroni: - tcp: - - 443 - ssh: - tcp: - - {{ ssh_port }} - strelka_frontend: - tcp: - - 57314 - syslog: - tcp: - - 514 - udp: - - 514 - yum: - tcp: - - 443 - -{% if idh_services is defined %} - {% for service in idh_services %} - {% if service in ["smnp","ntp", "tftp"] %} - {% set proto = 'udp' %} - {% else %} - {% set proto = 'tcp' %} - {% endif %} - idh_{{service}}: - {{proto}}: - - {{ OPENCANARYCONFIG[service~'.port'] }} - {% endfor %} -{% endif %}