diff --git a/salt/idh/config.sls b/salt/idh/config.sls
new file mode 100644
index 000000000..dcde9c8e5
--- /dev/null
+++ b/salt/idh/config.sls
@@ -0,0 +1,85 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
+{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+
+include:
+ - idh.openssh.config
+ - firewall
+
+# If True, block IDH Services from accepting connections on Managment IP
+{% if RESTRICTIDHSERVICES %}
+ {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
+
+ {% for service in IDH_SERVICES %}
+ {% if service in ["smnp","ntp", "tftp"] %}
+ {% set proto = 'udp' %}
+ {% else %}
+ {% set proto = 'tcp' %}
+ {% endif %}
+block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
+ iptables.insert:
+ - table: filter
+ - chain: INPUT
+ - jump: DROP
+ - position: 1
+ - proto: {{ proto }}
+ - dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
+ - destination: {{ GLOBALS.node_ip }}
+ {% endfor %}
+{% endif %}
+
+# Create a config directory
+idhconfdir:
+ file.directory:
+ - name: /opt/so/conf/idh
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+# Create a log directory
+idhlogdir:
+ file.directory:
+ - name: /nsm/idh
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+opencanary_config:
+ file.managed:
+ - name: /opt/so/conf/idh/opencanary.conf
+ - source: salt://idh/idh.conf.jinja
+ - template: jinja
+ - defaults:
+ OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
+
+idh_sbin:
+ file.recurse:
+ - name: /usr/sbin
+ - source: salt://idh/tools/sbin
+ - user: 934
+ - group: 939
+ - file_mode: 755
+
+#idh_sbin_jinja:
+# file.recurse:
+# - name: /usr/sbin
+# - source: salt://idh/tools/sbin_jinja
+# - user: 939
+# - group: 939
+# - file_mode: 755
+# - template: jinja
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml
index b0c4d6904..a97931801 100644
--- a/salt/idh/defaults.yaml
+++ b/salt/idh/defaults.yaml
@@ -1,5 +1,6 @@
 idh:
- restrict_management_ip: false
+ enabled: False
+ restrict_management_ip: False
 openssh:
 enable: true
 config:
diff --git a/salt/idh/disabled.sls b/salt/idh/disabled.sls
new file mode 100644
index 000000000..253dcc3a1
--- /dev/null
+++ b/salt/idh/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - idh.sostatus
+
+so-idh:
+ docker_container.absent:
+ - force: True
+
+so-idh_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-idh$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls
new file mode 100644
index 000000000..82bee138b
--- /dev/null
+++ b/salt/idh/enabled.sls
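Review bot: The UDP list in `{% if service in ["smnp","ntp", "tftp"] %}` spells SNMP as `smnp`, so if the IDH_SERVICES keys use the conventional `snmp` (the list itself is not visible here) that honeypot falls through to `proto: tcp`, the DROP rule lands on the wrong protocol, and the SNMP port on the management IP stays reachable even with `restrict_management_ip` set; the fix is `{% if service in ["snmp", "ntp", "tftp"] %}`. `idh_sbin` also installs executables into `/usr/sbin` with `user: 934` while every other state in this file uses 939 — if 934 is a service uid rather than a typo, that account can overwrite tooling root may execute, so the intended owner should be confirmed. The commented-out `idh_sbin_jinja` block is dead code and should not be carried into the new file. All three were inherited verbatim from the old init.sls, which makes this move the natural moment to fix them.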
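Review bot: Setting `enabled: False` removes the container and comments out the so-status entry, but nothing here tears down the `block_mgt_ip_idh_services_*` DROP rules that `idh.config` inserts at position 1 of INPUT when `restrict_management_ip` is set, since this state includes only `idh.sostatus`. Unless the `firewall` state rebuilds the INPUT chain on every run (not visible in this diff), a node that once ran the honeypot keeps silently dropping management-IP traffic to every former honeypot port, which will bite the first time a real service is bound on one of them. A matching `iptables.delete` loop, mirroring the one in `idh.config`, would make disable actually undo enable.
```yaml
# … same imports of GLOBALS, OPENCANARYCONFIG and IDH_SERVICES as idh.config …
{% for service in IDH_SERVICES %}
{% set proto = 'udp' if service in ["snmp", "ntp", "tftp"] else 'tcp' %}
unblock_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }}:
  iptables.delete:
    - table: filter
    - chain: INPUT
    - jump: DROP
    - proto: {{ proto }}
    - dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
    - destination: {{ GLOBALS.node_ip }}
{% endfor %}
```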
@@ -0,0 +1,39 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - idh.config
+ - idh.sostatus
+
+so-idh:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}
+ - name: so-idh
+ - detach: True
+ - network_mode: host
+ - binds:
+ - /nsm/idh:/var/tmp:rw
+ - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
+ - watch:
+ - file: opencanary_config
+ - require:
+ - file: opencanary_config
+
+delete_so-idh_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-idh$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
index 895cd61ac..8f2cea37b 100644
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
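Review bot: The `so-idh` container runs with `network_mode: host` and no privilege reduction — no `user`, `cap_drop`, `read_only` or `security_opt` — for a process whose whole purpose is to accept connections from hostile clients, so a flaw in one of the emulated services hands the attacker the host network namespace with whatever capabilities the image's default user holds. Host networking is presumably needed so the honeypot can listen on the sensor interfaces, but the capability set can still be trimmed: `- cap_drop: [ALL]` and `- cap_add: [NET_BIND_SERVICE]` (plus anything a specific opencanary module needs, to be confirmed against the image), and `- user: 939` if the image does not already drop to the uid that `idh.config` chowns `/nsm/idh` and `/opt/so/conf/idh` to. The explicit `require` on `file: opencanary_config` is redundant with the `watch` on the same state, which already implies it.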
@@ -3,103 +3,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %}
-{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+{% from 'idh/opencanary_config.map.jinja' import IDHMERGED %}
 include:
- - idh.openssh.config
- - firewall
-
-# If True, block IDH Services from accepting connections on Managment IP
-{% if RESTRICTIDHSERVICES %}
- {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %}
-
- {% for service in IDH_SERVICES %}
- {% if service in ["smnp","ntp", "tftp"] %}
- {% set proto = 'udp' %}
- {% else %}
- {% set proto = 'tcp' %}
- {% endif %}
-block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
- iptables.insert:
- - table: filter
- - chain: INPUT
- - jump: DROP
- - position: 1
- - proto: {{ proto }}
- - dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
- - destination: {{ GLOBALS.node_ip }}
- {% endfor %}
-{% endif %}
-
-# Create a config directory
-temp:
- file.directory:
- - name: /opt/so/conf/idh
- - user: 939
- - group: 939
- - makedirs: True
-
-# Create a log directory
-configdir:
- file.directory:
- - name: /nsm/idh
- - user: 939
- - group: 939
- - makedirs: True
-
-opencanary_config:
- file.managed:
- - name: /opt/so/conf/idh/opencanary.conf
- - source: salt://idh/idh.conf.jinja
- - template: jinja
- - defaults:
- OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
-
-idh_sbin:
- file.recurse:
- - name: /usr/sbin
- - source: salt://idh/tools/sbin
- - user: 934
- - group: 939
- - file_mode: 755
-
-#idh_sbin_jinja:
-# file.recurse:
-# - name: /usr/sbin
-# - source: salt://idh/tools/sbin_jinja
-# - user: 939
-# - group: 939
-# - file_mode: 755
-# - template: jinja
-
-so-idh:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idh:{{ GLOBALS.so_version }}
- - name: so-idh
- - detach: True
- - network_mode: host
- - binds:
- - /nsm/idh:/var/tmp:rw
- - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
- - watch:
- - file: opencanary_config
- - require:
- - file: opencanary_config
-
-append_so-idh_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-idh
-
+{% if IDHMERGED.enabled %}
+ - idh.enabled
 {% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
+ - idh.disabled
 {% endif %}
diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja
index a8b85adbf..420cc7f79 100644
--- a/salt/idh/opencanary_config.map.jinja
+++ b/salt/idh/opencanary_config.map.jinja
@@ -20,6 +20,7 @@
 {% set IDH_PORTGROUPS = {} %}
 {% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %}
+{% set IDHMERGED = salt['pillar.get']('idh', IDHCONFIG.idh, merge=True) %}
 {% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %}
 {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %}
 {# update skinlist to skin.list to avoid issues with SOC UI config #}
diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml
index 60d0203f5..f792812e4 100644
--- a/salt/idh/soc_idh.yaml
+++ b/salt/idh/soc_idh.yaml
@@ -1,4 +1,7 @@
 idh:
+ enabled:
+ description: You can enable or disable IDH.
+ helpLink: idh.html
 opencanary:
 config:
 logger:
diff --git a/salt/idh/sostatus.sls b/salt/idh/sostatus.sls
new file mode 100644
index 000000000..e5b9da705
--- /dev/null
+++ b/salt/idh/sostatus.sls
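Review bot: `{% if IDHMERGED.enabled %}` is a plain Jinja truthiness test, so any non-empty string stored under `idh:enabled` — including `'False'` — would select `idh.enabled`; defaults.yaml and so-minion both write YAML booleans, but the new soc_idh.yaml entry exposes the key to the SOC editor with only a description and no type marker, and this diff does not show whether that editor guarantees a bool. An explicit comparison such as `{% if IDHMERGED.enabled | string | lower == 'true' %}` makes the state immune to that, or the SOC entry can carry whatever bool type annotation the other soc_*.yaml files use, if one exists. Dropping the `allowed_states` gate from this file is fine, since both included states re-check it via `sls.split('.')[0]`.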
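Review bot: `RESTRICTIDHSERVICES` and `OPENCANARYCONFIG` are still built from their own `pillar.get` calls on the lines below the new `IDHMERGED`, so three separately merged views of the same `idh` pillar now coexist and can drift (the two older ones already differ in whether `merge=True` is passed). Deriving them from the merged tree keeps one source of truth: `{% set RESTRICTIDHSERVICES = IDHMERGED.restrict_management_ip %}` and `{% set OPENCANARYCONFIG = IDHMERGED.opencanary.config %}`. The map file continues outside this hunk.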
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-idh_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-idh
+ - unless: grep -q so-idh /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index be423ef2b..5bd205015 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -153,6 +153,7 @@ function add_fleet_to_minion() {
 function add_idh_to_minion() {
 printf '%s\n'\
 "idh:"\
+ " enabled: True"\
 " restrict_management_ip: $IDH_MGTRESTRICT"\
 " services:" >> "$PILLARFILE"
 IFS=',' read -ra IDH_SERVICES_ARRAY <<< "$IDH_SERVICES"
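Review bot: `unless: grep -q so-idh /opt/so/conf/so-status/so-status.conf` is an unanchored substring test, so any other entry containing `so-idh` would suppress the append; presumably the guard exists so the line that `idh.disabled` comments out is not re-added (`file.append` would not treat `#so-idh` as already present), and that intent is clearer when spelled out: `- unless: grep -qx -e so-idh -e '#so-idh' /opt/so/conf/so-status/so-status.conf`. The quoting around `#so-idh` matters, since an unquoted `#` starts a shell comment.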